Traditionally, Microsoft only patches its software on the second Tuesday of every month. However, as an emergency response to the so-called 'shortcut hole', the company is getting ready to release an out-of-band update for the entire Windows family today.
The exploit, which was announced via a Security Advisory a few weeks ago, takes advantage of the way in which shortcuts (*.lnk files) are handled by the operating system. An error in the way that the Windows Shell loads the icon for the shortcut allows malicious code to be loaded onto a vulnerable system. The hole is mostly exploited through USB drives, although network shares and documents with embedded shortcuts can also be used to deliver the payload.
According to Microsoft's figures, several different viruses have popped up during the last few weeks, though one in particular has caused real concern in Redmond. The 'Sality.AT' virus is a particularly nasty strain that disables security software before copying itself to other files and downloading a collection of malware onto the target PC. However, the company's engineers expect other 'copy-cat' viruses to appear that will make use of the exploit in a similar way.
Given the potential to abuse this flaw and the rapid rise in the prevalence of malware taking advantage of it, Microsoft will make a fix for all affected operating systems available today. Unfortunately, the flaw is present in all copies of Windows, meaning that even server and 64-bit versions of the OS are at risk.
According to Senior Security Response Communications Manager Christopher Budd, "we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers... We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."
The patch should be available at around 10am Pacific Time, or around 6pm in the UK.