Out-of-band Microsoft Security Patch Coming Monday

Microsoft gave advance notice Friday that it plans to release an out-of-cycle security patch on Monday aimed at fixing a critical zero-day hole in all supported versions of Windows that is already being exploited.

The exploit takes advantage of a hole in the way a component called the Windows Shell processes some shortcut files. The bug first surfaced in the wild in mid-July, according to a Security Advisory issued by Microsoft (NASDAQ: MSFT) on July 16.

At that time, the attacks were "limited" and "targeted," Microsoft said in the advisory.

Now the company is nearly ready to release the patch just as attacks are escalating.

"We are releasing the [patch] as we've completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability," Christopher Budd, senior communications manager, said in a post to the Microsoft Security Response Center blog on Thursday.

The problem lies in how the Windows Shell processes some shortcuts -- particularly the icons for shortcuts to files, which the user can put on the desktop. The flaw arises from the shell not properly validating .lnk files; .lnk is the extension used for file shortcuts.

Microsoft has struggled in recent months as more and more researchers publicly revealed new zero-day exploits without giving Microsoft much advance warning -- a practice that some call "full disclosure." Microsoft officials, however, argue that disclosing security flaws without letting the software maker come up with a patch first puts users at risk.

The argument between the parties has become so rancorous, in fact, that a group of anonymous hackers started a Web site in early July where they plan to reveal more zero-day exploits.

In an effort to tone down the rhetoric from both sides, Microsoft proposed a new process it refers to as "coordinated vulnerability disclosure" on July 26.

Whether anyone adopts Microsoft's proposal, of course, remains to be seen.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.