Microsoft has posted an out-of-band patch for the .lnk vulnerability (CVE-2010-2568) that was widely exploited after it was made public two weeks ago. The company announced Friday that the patch would be forthcoming, saying that the Sality malware family, and specifically Sality.AT, was actively exploiting the weakness.
From Microsoft Security Bulletin MS10-046:
“This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
“This security update is rated Critical for all supported editions of Microsoft Windows.”
Microsoft did not provide patches for Windows 2000 and Windows XP SP2, since support has ended for them.
Tom Kelchner