Microsoft emergency .LNK patch: go get it! (and Halo2600)

By Richi Jennings. August 3, 2010.

As promised, Microsoft has released the out-of-band emergency MS10-046 patch for the shortcut file vulnerability. The .LNK bug has been exploited by several malware variants, including some nasty SCADA-targeted infections. In IT Blogwatch, bloggers rush to patch their Windows PCs and servers.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention Halo for Atari 2600...


Gregg Keizer rules (the roost):

The vulnerability addressed today was first described in mid-June. ... [One month] later, Microsoft admitted that attackers were already exploiting the flaw using the "Stuxnet" worm. ... The flaw was in how Windows parsed shortcut files. ... By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed ... a folder containing the malevolent shortcut. ... Microsoft and others have spotted several attack campaigns based on the bug ... [including] the virulent "Sality" malware family.
The patch ... is available for ... XP SP3, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2 ... via the Microsoft Update and Windows Update services, as well as through [WSUS].

Danger! Dan Goodin adds a warning:

As promised Friday, Microsoft released the update outside of its normal patching schedule. ... When the flaw first came to public attention ... it was being used to attack SCADA ... systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure.
Users who employed a stopgap FixIt published two weeks ago should roll back their machines using the “disable workaround” feature. ... [Or you] will find that icons fail to display properly, causing folders and files to appear white.

While Stuart J. Johnston notes a "nightmare gotcha":

There is one "gotcha" that could turn into a nightmare for support staff ... Microsoft ended support for Windows 2000 Service Pack 4 (SP4) and Windows XP SP2. ... There will be no supported .LNK vulnerability patch for XP SP2 -- only for SP3 -- and no ... patch at all for Windows 2000.
Microsoft strongly recommends that users quickly upgrade to XP SP3, which is still supported until April 2014, or to upgrade to Windows 7.

And Robert Mullins adds important triage advice:

[It] should be applied to both clients and servers, but ... if you’re short on time, apply the patch to the clients first.
Organizations running ... Windows 2000 or Windows XP SP2 ... will need a custom support agreement with Microsoft to get a patch.

But Geoff Duncan notes grumbling in the ranks:

Microsoft has been struggling with the security community in recent months ... an increasing number of serious vulnerabilities have been revealed without giving Microsoft much advance warning. ... Microsoft has since extended an olive branch, announcing last week a new “coordinated vulnerability disclosure” process it hopes will address dissatisfaction in the broader security community.

And Finally...
Halo for the Atari 2600 Released!
[scroll down for backstory and screenshots;
hat tip: Dean Takahashi]

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email:

You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2010 IDG Communications, Inc.