Out-of-band update viewed as the best choiceMicrosoft plans to deliver a fix for the critical LNK vulnerability, currently being exploited in the wild, on Monday. The software giant has decided to ship the fix as an out-of-band update in light of an increase in the number of attacks targeting the flaw.
“Today we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198 on Monday, August 2, 2010 at or around 10 AM PDT,” the company announced via its MSRC blog. The patch has already undergone in-depth quality assurance testing to make sure that any unexpected impact on customers is kept to a minimum.
Microsoft normally ships fixes during the second Tuesday of each month, a day known in the industry as Patch Tuesday. The next cycle is scheduled for August 10, which means that the LNK vulnerability patch will be released as an out-of-band update.
The company explains that this decision was taken after a surge in the number of attacks targeting this vulnerability was detected. Even though this might be inconvenient for system administrators in corporate environments, where patch deployment is planned in advance, Microsoft notes that “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”
The LNK vulnerability refers to a bug in the way Windows processes certain types of shortcuts, which can be leveraged by attackers in a variety of ways to execute malicious code. The flaw was reported as a zero-day earlier this month after a sophisticated piece of malware exploiting it was discovered in the wild.
Considered as one of the most serious vulnerabilities of 2010, antivirus companies and security researchers kept a close eye on new developments surrounding it. So far, several malware families including Stuxnet, Chymine, Vobfus, Zbot and Sality are known to have adopted the exploit.
You can follow the editor on Twitter @lconstantin