News Stay informed about the latest enterprise technology news and product updates.

Microsoft schedules patch for Windows Shell flaw

Update planned for Monday to fix zero-day vulnerability in wake of increased attacks.

Microsoft on Friday said it plans to release an out-of-band security update on Monday to fix a serious zero-day vulnerability in Windows Shell that it said attackers are increasingly exploiting.

The software giant is releasing the bulletin after completing required testing, Christopher Budd, senior security response communications manager at Microsoft, wrote on the Microsoft Security Response Center blog.

"Additionally, we're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability," Budd said. "We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."

Microsoft normally releases security updates the second Tuesday of each month.

The company issued an advisory July 16 about the Windows Shell vulnerability, which affects all versions of Windows and allows attackers to exploit malicious code when a shortcut icon is displayed. According to Microsoft, an attack can be carried out via a USB drive, remotely through network shares and WebDav or in specific document types that support embedded shortcuts.

Last week, Microsoft released a temporary fix for the vulnerability, which was discovered in June by Belarus-based antivirus vendor VirusBlokAda.

Multiple threats have been exploiting the flaw, including Stuxnet, a worm that uses the Windows vulnerability to target Siemens SCADA system software. But Microsoft researchers said on Friday that a malware strain called Sality, and specifically Sality.AT, is proving to be particularly virulent and widespread. It infects other files, copies itself to removable media, disables security mechanisms, and downloads other malware, Holly Stewart of the Microsoft Malware Protection Center wrote in a blog post.

"After the inclusion of the .LNK vector, the numbers of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the numbers we saw with Stuxnet," Stewart said.

Microsoft said it plans to release the security update around 10 a.m. Pacific Time Monday.

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.