Microsoft plugs Windows shortcut hole

Company issues emergency patch for Windows shortcut hole being exploited by fast-spreading virus.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Aug. 2, 2010 11:59 a.m. PT

2 min read

As planned, Microsoft released a fix on Monday for a critical Windows vulnerability that was being exploited by a fast-spreading virus and other malware.

The software patch fixes the way Windows Shell handles shortcut files, which are links to a file represented by an icon and implemented with the .lnk extension. Attackers exploiting the hole could take complete control of the computer, the security advisory said.

An attacker could disseminate a USB or other removable drive with a malicious shortcut file on it and when the target victim opens the drive in Windows Explorer or any other application that parses the icon of the shortcut, the malicious code would execute on the victim's computer. An attacker could also embed malware in a malicious Web site, a remote network share, or in a Microsoft Word document, Microsoft said.

Originally, the Windows flaw was used to spread the Stuxnet worm via USB drives and it was stealing information from systems running Siemens software used in critical infrastructure companies. Late last week, Microsoft issued a blog post that said there were copycat attacks exploiting the hole, including one involving the Sality.AT virus, which was spreading fast.

The situation was serious enough to prompt Microsoft to release an "out of band" patch instead of wait a week to fix the hole with its next scheduled Patch Tuesday security update, on August 10.

"Symantec is aware of multiple threats leveraging the vulnerability, and attempted exploitations have steadily increased since the security hole first came to light," said Ben Greenbaum, senior research manager for Symantec Security Response. "One such threat is a new variant of Changeup," a highly destructive threat.

The hole affects all versions of Windows including Windows 2000 and Windows XP service pack 2, which are not supported by Microsoft anymore. Customers using those versions need to upgrade to be protected from the attacks.

"So far, most of the exploits using this vulnerability have been targeting SCADA (supervisory control and data acquisition) systems, and these systems typically run on older operating system versions. These older systems are not being patched today," said Andrew Storms, director of security operations for nCircle. "Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited. Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible."