Microsoft will be releasing a patch today to fix an inherent flaw in how Windows handles shortcut files, a flaw currently being used to spread the Stuxnet worm through USB drives.
The hole can be found in virtually all versions of Windows and lies in the code that processes .lnk shortcut files. Microsoft recently warned users about the bug and posted an advisory, but it has taken two weeks for Redmond to get its act together and fix the bugger.
Since the original bout of Stuxnet USB attacks there have been similar efforts to compromise security through the .lnk flaw. There are copycat attacks doing the rounds now too. The loophole means it’s a piece of cake for clued-up dastardly folk to gain remote access to a user’s PC.
Christopher Budd, senior security response manager at Microsoft, told The Telegraph that over the last few days there’s been a significant increase in exploit attempts. That’s why Microsoft is going against the grain and patching early. Microsoft usually releases patches on the second Tuesday of every month, but this fix is important enough to warrant an early update, apparently.
It’s a step in the right direction and perhaps Microsoft shouldn’t limit itself to just “emergency” out-of-band patches. If there’s something particularly nasty doing the rounds, isn’t it better to keep regularity with Patch Tuesday while also fixing exploits on the go? But the company is seen by some as notoriously slow to fix bugs anyway, so perhaps a month is needed for Redmond’s security staffers. It sure took its sweet time over this bug.