Microsoft will be releasing a Windows update in a couple of hours to address a vulnerability that has been getting a growing amount of press and has seen an increasing number of exploit attempts. In an announcement late last Thursday evening, the Microsoft Security Response Center stated that the release would occur at 10 AM PDT today.
We are releasing the bulletin as we’ve completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers. Additionally, we’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.
Malware exploiting the flaw is spreading through USB drives and network shares, taking advantage of a vulnerability in the way Windows displays shortcut icons.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.
You might find it interesting to visit the Microsoft Malware Protection Center to view their report on how malware is using the vulnerability and the geographic hotspots for the exploit attempts.
Because of the dangers of this vulnerability and the increased attempts to exploit it, it is recommended that you update your computers immediately.