The shortcut vulnerability I reported on in my blog last week, “Vulnerability in Windows Shell could allow remote code execution,” which lets malefactors include malicious code as part of a Windows shortcut definition so that the code executes whenever the shortcut is used, has apparently been judged serious and scary enough to warrant what Microsoft calls an “out-of-band update” that precedes the August Patch Tuesday update release (8/10/2010). I guess that means it really does pose a serious threat, as I had guessed that it might from its technical description.
According to InfoWorld, “Microsoft … said it will issue an emergency patch for the critical Windows shortcut bug on Monday, August 2.” Upon seeing increased attempts to exploit this vulnerability in the field, MS decided to speed up release of the update to provide much-needed protection as soon as possible. According to the InfoWorld report, the patch should become available at or around 1 PM EDT (GMT -05:00) today. Because you never know what kind of software users are likely to install on their PCs, this is one update that should be pushed into deployment as soon as vetting and authorization processes allow. It probably also warrants an email to users exhorting them to apply this patch to personal or home machines ASAP as well.