Microsoft ships rush patch for Windows shortcut bug

Sticks to plan, no fix for users running out-of-support XP SP2 and Windows 2000

1 2 Page 2
Page 2 of 2

Microsoft patched the problem by "correctly validating the icon reference of a shortcut," according to MS10-046 bulletin.

The company also told users who had deployed a recommended workaround -- which involved disabling the displaying of all shortcuts -- to undo that workaround after applying the patch. Scattered reports on the Web, however, have noted problems unless the workaround is reversed before the patch is applied.

Because Microsoft's patch results in a new version of Shell32.dll being pushed to users, the quality of the update will be important: Shell32.dll is a crucial Windows library file that contains numerous Windows Shell API (application programming interface) functions. If it's flawed, or incorrectly updated on some machines, PCs will lock up with the notorious Blue Screen of Death.

Storms didn't think there was anything to worry about. "They patched a Windows kernel bug in 20 days back in January," Storms pointed out. "They probably understand the risks here by going out-of-band."

Jason Miller, data and security team manager for Shavlik Technologies, said he wasn't expecting a rush patch because of the proximity of August's regular security updates.

"It's not uncommon for Microsoft to release out-of-band," said Miller, "but Patch Tuesday is just a week away. I expected that they would just wait until then."

Microsoft's regularly-scheduled monthly updates are to ship Aug. 10, a week from tomorrow.

According to Miller, out-of-band updates are usually released in-between a pair of Patch Tuesdays, in other words, approximately two weeks before the next slated release.

"Microsoft must have seen something in this that prompted them to release now," said Miller, referring to last Friday's announcement that Sality had begun exploiting the shortcut bug. "I'd bet that they're probably expecting that we'll see an additional uptick in attacks as other viruses add this [exploit] to their payloads," Miller concluded.

The patch, which is available for all still-supported versions of Windows, including XP SP3, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2, can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon