As expected, Microsoft on Monday released an emergency update to fix a Windows flaw that attackers have been actively exploiting.
The software giant announced Friday that
"This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2," Christopher Budd, Microsoft senior security response communications manager, wrote in a blog post.
The company issued an advisory July 16 about the Windows Shell vulnerability, which allows attackers to exploit malicious code when a shortcut icon is displayed. According to Microsoft, an attack can be carried out via a USB drive, remotely through network shares and WebDav, or in specific document types that support embedded shortcuts.
On Friday, the Microsoft Malware Protection Center reported that a malware strain called Sality is exploiting the vulnerability on a widespread basis. Other threats exploiting the flaw include Stuxnet, a worm that uses the Windows vulnerability to target Siemens SCADA system software.
Budd said customers not using automatic updates should download, test and deploy Monday's update as soon as possible.
Jason Miller, data and security team leader at Minneapolis-based Shavlik Technologies LLC, said it's not uncommon for Microsoft to release out-of-band updates -- fixes outside of its usual monthly patching schedule -- but Monday's update is surprising in that it comes so close to next week's Patch Tuesday.
"If Microsoft is prompting an out-of-band on this, you should be patching this one pretty soon," he said in an interview. "I probably wouldn't wait until next the maintenance cycle, but a lot of organizations can't have downtime that's not on their maintenance window, so they could be waiting until the next Patch Tuesday."
Miller described the Sality malware as fairly nasty. "If it gets on your system, it's hard to clean up," he said. Researchers at Sophos Plc. recently posted an analysis of the Sality malware.