Yep, this gaping hole in Windows is so bad that Microsoft couldn’t even wait until next week’s regularly scheduled Patch Tuesday to try and fix it.
Microsoft today rushed out an emergency patch for Windows XP SP3 through Windows 7 (and the matching Server releases) just eight days before its next Patch Tuesday.
The software giant issues security patches on the second Tuesday of each month, and only rarely issues so-called out-of-band patches. The company has never issued an emergency patch this close to Patch Tuesday, says Jason Miller, data and security team leader at patch management firm Shavlik Technologies.
“Coming out with this patch this close to a Patch Tuesday is severe,” says Miller. “People should be paying attention to this one, and patch as soon as possible.”
Importantly, the emergency patch does nothing for hundreds of millions of PCs running Windows XP Service Pack 2 and Windows 2000, since Microsoft last month stopped issuing security updates for those older versions of its flagship operating system. The company continues to urge Windows XP SP2 users, in particular, to upgrade to Windows XP SP3, which will continue to get security updates, or to buy new Windows 7 PCs.
Update: To be clear, this patch applies to Windows XP SP3, Windows Server 2003 SP2, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. It is not available for Windows XP SP2 or Windows 2000.
At the Black Hat and Def Con security conferences in Las Vegas last week, attendees referred to this Windows flaw as a $1 million vulnerability. It lies in how every version of Windows handles LNK files, the shortcut files behind the program icons on your desktop. A crafted shortcut can make the Windows Shell run attacker-supplied code while it is merely rendering the shortcut's icon, so opening a folder or plugging in a thumb drive that contains one is enough; nobody has to double-click anything.
The LNK flaw was not publicly known until mid July, when security blogger Brian Krebs began reporting on a sophisticated worm spreading via USB thumb drives. That worm, known as Stuxnet, took advantage of the newly discovered flaw to run a malicious program designed specifically to breach Siemens SCADA (supervisory control and data acquisition) software systems. Over a period of months the attackers had infected Siemens SCADA controls in power plants and factories in Iran, Indonesia, India and some Middle East nations, according to antivirus firm Symantec.
Microsoft Security Bulletin MS10-046 – Critical
Microsoft ships rush patch for Windows shortcut bug
Microsoft issues emergency patch for Windows shortcut link vulnerability
Microsoft Patches Windows Shell Vulnerability
Microsoft’s New Patch for Windows Shortcut Exploit
Emergency patch closes LNK hole in Windows
Microsoft sticks to plan, denies emergency patch for XP SP2
The new emergency patch is here, the new emergency patch is here!
So, if your Windows didn't automatically update, you'd better do it now.
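As a practical follow-up, here is an added PowerShell check (not part of the original post, and not Microsoft's own tooling) that reports whether a machine is on one of the supported versions listed above and whether the MS10-046 update is actually installed. It assumes the update shows up in the installed-hotfix list under the KB number Microsoft assigned to the bulletin, 2286198, which this post does not state; adjust `$KB` if your inventory uses a different identifier.

```powershell
# Added example: is this machine eligible for MS10-046, and has it been installed?
# Assumption (not stated in the post): MS10-046 ships as KB2286198.
$KB = 'KB2286198'

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [Version]$os.Version            # e.g. 5.1.2600 (XP), 6.1.7600 (Windows 7)
$sp  = [int]$os.ServicePackMajorVersion

# Platforms the bulletin covers: XP SP3, Server 2003 SP2, Vista, Server 2008,
# Windows 7, Server 2008 R2. Windows 2000 (5.0) and XP SP2 get nothing.
$eligible = $false
switch ($ver.Major) {
    5 {
        if ($ver.Minor -eq 1 -and $sp -ge 3) { $eligible = $true }   # XP SP3
        if ($ver.Minor -eq 2 -and $sp -ge 2) { $eligible = $true }   # Server 2003 SP2 / XP x64 SP2
    }
    6 { $eligible = $true }                                           # Vista, 2008, 7, 2008 R2
}

"OS: $($os.Caption) (version $($os.Version), SP$sp)"

if (-not $eligible) {
    "This version no longer receives security updates; MS10-046 is not available for it. Upgrade the OS."
    exit 2
}

# Win32_QuickFixEngineering (what Get-HotFix reads) lists installed updates by KB number.
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($hotfix) {
    "MS10-046 ($KB) is installed (InstalledOn: $($hotfix.InstalledOn))."
    exit 0
}
else {
    "MS10-046 ($KB) is NOT installed. Run Windows Update now."
    exit 1
}
```

Run it in an elevated PowerShell prompt on each machine you are responsible for; the exit code (0 patched, 1 missing, 2 unsupported OS) makes it easy to drive from a login script or a remote-execution tool. Note that Get-HotFix only sees updates recorded by the Windows installer, so a machine that was imaged after the patch was slipstreamed may need a check against the patched shell32.dll version instead.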