Microsoft to release emergency patch for Windows shortcut bug

Microsoft is planning to release an out-of-band security update today to address the Windows shortcut vulnerability.

The vulnerability is caused by an error in Windows Shell when parsing shortcuts (.lnk). The flaw can be exploited automatically, executing a program via a specially crafted shortcut. Certain parameters of the .lnk file are not properly validated when it is loaded, which is what makes the flaw exploitable. Microsoft says it has "seen only limited, targeted attacks on this vulnerability."
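
As an added illustration (not code from the article or from Microsoft), the following Python parses the fixed header and the StringData sections of the Shell Link (.lnk) format and refuses any size or count field that runs past the end of the file, the kind of on-load validation the paragraph refers to. The sample shortcut is constructed inline, the field layout follows the documented MS-SHLLINK format, and since the page does not name the specific parameter at fault, these checks are general parser hardening rather than a reproduction of the patch.

```python
import struct
# Shell Link (.lnk) constants taken from the documented MS-SHLLINK layout.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))

def build_lnk(name, icon_location):
    """Constructed sample: header + NAME_STRING + ICON_LOCATION (Unicode), no IDList or LinkInfo."""
    flags = 0x04 | 0x40 | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex, ShowCommand=1, HotKey, 3 reserved
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(text):  # CountCharacters then the characters themselves
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(name) + string_data(icon_location)

def parse_lnk(blob):
    """Parse header and StringData; every size or count field is bounds-checked before it is trusted."""
    def need(pos, n, what):
        if pos + n > len(blob):
            raise ValueError(f"{what} runs past end of file")
    need(0, HEADER_SIZE, "header")
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by an opaque item list
        need(pos, 2, "IDListSize"); (id_size,) = struct.unpack_from("<H", blob, pos)
        need(pos + 2, id_size, "LinkTargetIDList"); pos += 2 + id_size
    if flags & HAS_LINKINFO:    # LinkInfoSize is the first dword of the LinkInfo block
        need(pos, 4, "LinkInfoSize"); (li_size,) = struct.unpack_from("<I", blob, pos)
        need(pos, li_size, "LinkInfo"); pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, key in STRING_FIELDS:  # each present string: CountCharacters then that many chars
        if not flags & bit: continue
        need(pos, 2, f"{key} count"); (count,) = struct.unpack_from("<H", blob, pos); pos += 2
        need(pos, count * width, key)
        out[key] = blob[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width  # cp1252 for ANSI strings is an assumption
    return out

def check_lnk(blob):
    """None when the shortcut parses cleanly, otherwise the validation error text."""
    try:
        parse_lnk(blob)
        return None
    except ValueError as e:
        return str(e)
```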

For the exploit to succeed, a user must insert removable media (when AutoPlay is enabled) or browse to the removable media (when AutoPlay is disabled). According to Microsoft's initial advisory, exploitation may also be possible via network shares and WebDAV shares. Microsoft stated that the vulnerability affects all Windows versions since Windows XP, including Windows 7.

Last week, the software giant issued a Fixit solution for customers to help prevent attacks attempting to exploit this vulnerability. However, applying the Fixit removed the graphical icons from the Taskbar and Start menu and replaced them with plain white placeholder icons. This temporary fix wasn't ideal for most customers, so Microsoft sped up testing to deliver an out-of-band fix.

"We are releasing the bulletin as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers," said Christopher Budd, Microsoft Security Response Manager.

Microsoft will release the update later today, just over a week before its regular "Patch Tuesday".


Installed and added an alert to my facebook profile and my facebook group. Not as if any of the people on my facebook profile give a ****.

warwagon said,
Installed and added an alert to my facebook profile and my facebook group. Not as if any of the people on my facebook profile give a ****.

Join the club. No one ever wants to take the time to update anymore.

ManMountain said,
Appeared on winupdate, applied and system icons fine here.

Was this on Windows XP? My XP had all the icons hosed, and returning the changes manually made them return after removing the fix from Add/Remove Programs. Mine was downloaded from Microsoft itself, this morning at about 10:20 PST.

Could you post the name of the executable? (Because I downloaded the fix and it was named by the KB number ... WindowsXP-KB2286198-x86-ENU.exe is what I used; it hoses every icon not contained in explorer.exe.) It DID screw up all the icons, and its removal did not restore them. I have posted the steps I took on my blog here: http://www.lockergnome.com/the...-were-still-waiting/

This is on an XP SP3 system; I will not bother trying the fix on my Windows 7 or Vista systems until I get good confirmation that the icons are not hosed by the install. If they do not, then it is just another little push from Microsoft to let XP users know that they need to upgrade.

Yup. The KB number refers to the Knowledge Base number. The patch with that number addresses the problem cited in the corresponding Knowledge Base article. The first fix was just a workaround; this is a full-fledged patch.

rseiler said,
And? This is actually different than the first fix despite having the same KB #?
Yes, the final patch doesn't screw up shortcut icons...

It's good that MS decided to get on the ball and issue a fix for this, as the Fixit solution they offered is not very appealing. The Sophos solution to this exploit is better, but since MS is fixing the issue, I guess the Sophos solution will no longer apply.

The update that shows up today in Windows Update is still KB2286198 (at least that's what shows up on SP1), however, so if this is any different from the first iteration of the fix, MS is not making that clear in the article for that fix.

I saw many companies come up with a (temporary) solution to this. I just hope this does not have any drawbacks.

@Odom: As Tuomas said, this is a proper solution for it, one that doesn't mess up icons etc. Even the article says that the icon-breaking fix wasn't good for most of the customers, so MS sped up the patching process to come out with a proper fix.

Before anyone goes screaming how great this particular patch is, better read up what your computer will look like afterwards. I don't see many enterprises and corporations pushing this out, but rather wait for a better and proper solution.

Odom said,
Before anyone goes screaming how great this particular patch is, better read up what your computer will look like afterwards. I don't see many enterprises and corporations pushing this out, but rather wait for a better and proper solution.

Eh, as far as I know, this is the real proper solution that's coming out today. Not the fix-it solution, but a solution that doesn't disable anything like the fix-it did.

Odom said,
Before anyone goes screaming how great this particular patch is, better read up what your computer will look like afterwards. I don't see many enterprises and corporations pushing this out, but rather wait for a better and proper solution.

Rather than scaremongering, how about getting your facts straight? As others have said, this is the official fix, not the temporary workaround.

Odom said,
Before anyone goes screaming how great this particular patch is, better read up what your computer will look like afterwards. I don't see many enterprises and corporations pushing this out, but rather wait for a better and proper solution.

Honestly, did you even bother reading the article before saying that? This ISN'T the quickfix, it's a real fix.

LiquidSolstice said,

Honestly, did you even bother reading the article before saying that? This ISN'T the quickfix, it's a real fix.

Yeah, I did read the article; don't get all worked up about it. I also received the MSRC update this morning and I erroneously thought that was partly it. The info hadn't been updated yet on that site and I didn't realise that; I only saw the older workaround fix on it. So mea culpa, I shouldn't be assuming too much and should read better into it.

Odom said,

Yeah, I did read the article; don't get all worked up about it. I also received the MSRC update this morning and I erroneously thought that was partly it. The info hadn't been updated yet on that site and I didn't realise that; I only saw the older workaround fix on it. So mea culpa, I shouldn't be assuming too much and should read better into it.

Very good; at least you have the guts to take responsibility for your comment.

Odom said,

Yeah, I did read the article; don't get all worked up about it. I also received the MSRC update this morning and I erroneously thought that was partly it. The info hadn't been updated yet on that site and I didn't realise that; I only saw the older workaround fix on it. So mea culpa, I shouldn't be assuming too much and should read better into it.

To be fair, I respect that you had the pride and dignity to admit you made a mistake. It's far more than other people can say.