Thursday, July 22, 2010

Emergency Microsoft security patch

Criminals are exploiting a vulnerability in the Windows .lnk file linking function. This has enough buzz in the financial community that Microsoft (unusually) created an emergency patch.

It's not known whether this is exploitable via a browser-based attack; it is known that malware is circulating on USB drives.

If you run Windows, my recommendation is to get the patch. You may notice some differences after applying it:

Microsoft security response communications lead Christopher Budd warned that the workaround disables icons from being displayed as usual and recommended admins carefully test the fix before deploying it widely. Specifically, the change will cause folder and file icons on the task bar and start menu to be stripped of their graphical representations, making them appear as generic, white boxes. The Fix It will also require machines to be rebooted.

I don't run Windows, but if I did, I'd get this. It's an interesting attack, and while I can't prove it, my gut tells me you could do something interesting with this via Web/JavaScript.

In other security news, Mozilla has a security update for Firefox, to fix a nasty problem where malware could infiltrate via a picture (PNG file). Firefox will autoupdate and ask you if it can restart.

And Apple has an update for iTunes, with a vulnerability allowing malware to run. In iTunes, you may need to ask it to check for updates.

1 comment:

Anonymous said...

Thanks