As expected, Microsoft has released a critical out-of-band patch for the LNK shortcut file vulnerability which received attention last month. As a critical patch, this update will be delivered through Windows’ Automatic Update service, as well as being directly available for download from Microsoft’s site without a Windows Genuine Advantage check. A reboot is required for the patch to take effect.
Windows users can download and install the patch themselves, or allow Microsoft to apply it to their computer overnight using the Automatic Update service. If you choose the latter, be sure to save any open work on your computer before leaving the computer for the evening. Otherwise, you may find a freshly booted system when go to your PC the following morning.
Information about the vulnerability, along with the patch, can be found in the following Microsoft Security Bulletin:
Here is a list of all articles we have written about CVE-2010-2568 (the Common Vulnerability and Exposure number assigned to the threat) in the blog, as well as malware using it as a vector, such as Win32/Stuxnet.
|
Date
|
Article
|
|
July 27
|
|
|
July 23
|
|
|
July 22
|
|
|
July 22
|
|
|
July 22
|
|
|
July 22
|
|
|
July 20
|
|
|
July 19
|
|
|
July 19
|
|
|
July 19
|
|
|
July 19
|
We recommend that people begin deploying the patch as soon as possible. While ESET’s software protects against the malware currently known to exploit this vulnerability, installing Microsoft’s patch closes the vulnerability on the operating system.
Regards,
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher
