bit-tech.net

Microsoft releases .lnk bug fix

The .lnk bug in Windows has now been patched - but what took Microsoft so long?

Microsoft has announced plans to launch an emergency patch for the .lnk vulnerability in the Windows shell, after initially indicating it would wait for the next Patch Tuesday release.

Despite categorising the flaw - which can cause unauthorised code to execute simply by browsing to a network share or storage device containing a maliciously-crafted .lnk or .pif shortcut file - as critical, Microsoft chose to wait until its next patch release cycle date owing to a lack of in-the-wild attacks against the flaw.

Sadly, that has changed: with several strains of malware now taking advantage of the un-patched vulnerability, Microsoft has decided to release a fix for download later today - outside its normal release schedule. Microsoft Security Response Centre spokesman Christopher Budd confirmed that the patch comes as "in the past few days, we've seen an increase in attempts to exploit the vulnerability."

While system administrators will be thankful that a fix will soon appear - although the headache of an out-of-band patch installation can't be discounted - many are wondering just what took Microsoft so long. While it was clear at the start that this was a serious security flaw, Microsoft's decision to delay the release of a patch for almost a full month has left its customers at risk of attack - and, according to InformationWeek, directly contributed to the spread of the Sality worm.

Are you just pleased to see that a fix is now available for what is clearly a major security flaw in the Windows shell, or disappointed that it has taken Microsoft this long to provide a proper fix for the issue? Share your thoughts over in the forums.

13 Comments

perplekks45 2nd August 2010, 11:42
We'll roll this patch out tomorrow morning on 1900 clients. Let's see if this works...
mrbens 2nd August 2010, 12:47
What's the problem with releasing MS updates on a different day to Tuesday?
leexgx 2nd August 2010, 13:58
They normally have a patch day so companies can test it first before the auto roll-out happens.
sear 2nd August 2010, 14:25
I'm not seeing this on Windows Update. Does it have to be installed separately?
perplekks45 2nd August 2010, 15:38
It won't be released until 7pm tonight, GMT+1 or +2, as far as I know.

It's unusual because releasing an out-of-cycle patch means the exploit is pretty severe and you wouldn't want to have to admit that, would you?
SaNdCrAwLeR 2nd August 2010, 17:20
hey at least they patch it...
unlike Apple, they need to release a whole new OS version with "better features" that are mostly patches
and worst of it all... Apple makes you pay for those :P

EDIT: not talking about the iPhone btw :P
perplekks45 2nd August 2010, 17:55
And what exactly is Win7 if not Vista Re-Visited?
Come on, stop the Apple bashing, this is about a problem with Windows!
kzinti1 2nd August 2010, 19:25
I just installed it. It immediately downloaded and installed in just a few seconds during shutdown and restart just as a rather large MS fix should.
Available at 7pm tonight? Just go ahead and d/l the damned thing already!
Denis_iii 2nd August 2010, 19:30
Quote:
Originally Posted by SaNdCrAwLeR
hey at least they patch it...
unlike Apple, they need to release a whole new OS version with "better features" that are mostly patches
and worst of it all... Apple makes you pay for those :P

EDIT: not talking about the iPhone btw :P

I enjoyed the Apple bashing :) made my day lol, but for serious flaws like this M$ should have pushed the patch out ASAP for sys admins to test and shortly after to the clients. Waiting an entire month gave way too much time to crackers to develop malware to take advantage of said flaw. Issues like this should be publicised by M$ to the client and have crit pop-ups occur advising the user of the issue and to install the update to fix it. (BUT NOT take focus away from full screen apps, that just pissed me off)
I truly worry about Apple owners when crackers decide to start hitting them, as they already are, especially the iPhone and iPad.
thehippoz 2nd August 2010, 20:12
apple user.. holy **** I've been had!

windows user.. what a newbie.. I've had my account ridden like a dog in heat and don't even break a sweat anymore
RichCreedy 2nd August 2010, 22:02
It's alright saying release the patch straight away, but they need to examine the bug, make sure they don't introduce another bug, and not break things in general.
PingCrosby 2nd August 2010, 22:40
I like patches, without them my jeans would fall down.
jamie_macdonald 4th August 2010, 09:36
Quote:
Originally Posted by RichCreedy
It's alright saying release the patch straight away, but they need to examine the bug, make sure they don't introduce another bug, and not break things in general.

Perfectly stated. I tested a lot for Trackmania (the game by NADEO) and one problem they had a lot was that when they fixed one thing it introduced another problem (they were trying to keep old versions intact and add new features)... the larger the code, the more complicated it gets, and "knock-on effects" from fixes become apparent.

Good on them for doing things properly rather than rushing things out for moaners.