Microsoft rushes fix for Windows shortcut hole

Attackers exploiting a hole involving how Windows handles shortcut, or .lnk, files prompt Microsoft to rush out an emergency patch, well before its next scheduled Patch Tuesday.

Elinor Mills Former Staff Writer
A fast-spreading virus that exploits a .lnk Windows hole prompted Microsoft to announce a patch for release next week.

Microsoft plans to release a patch on Monday for a flaw involving how Windows handles shortcut files, after seeing the hole being used to spread a particularly nasty and fast-spreading virus, the company said Friday.

Initially, the Windows flaw was used to spread the Stuxnet worm via USB drives. The vulnerability, which is in all versions of Windows, is in the code that processes shortcut files ending in ".lnk," according to the Microsoft advisory from two weeks ago that included information on a work-around.

Now there are copycat attacks in which the .lnk hole, or "shortcut hole," is being used in combination with a virus dubbed "Sality.AT," which has spread faster than the Stuxnet worm, Microsoft said in a Microsoft Malware Protection Center blog post.

"Although there have been multiple families that have picked up this vector, one in particular caught our attention this week--a family named Sality, and specifically Sality.AT," the post said. "Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. It is also a very large family--one of the most prevalent families this year."

The situation is dire enough for Microsoft to release what it calls an "out of band" patch instead of waiting a week to include the fix in its next scheduled Patch Tuesday, on August 10.

"In the past few days, we've seen an increase in attempts to exploit the vulnerability," Christopher Budd, senior security response communications manager at Microsoft, wrote in a post on the Microsoft Security Response Center blog. "We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."