Microsoft Releases FixIt Tool for LNK Flaw

Microsoft has released a FixIt tool for the unpatched LNK Windows shell vulnerability and also has updated its guidance on how to deal with the flaw. The company also said it is continuing to work on developing a patch for the vulnerability.

Microsoft has released a FixIt tool for the unpatched LNK Windows shell vulnerability and also has updated its guidance on how to deal with the flaw. The company also said it is continuing to work on developing a patch for the vulnerability.

The FixIt tool that Microsoft published Tuesday mitigates the vulnerability by disabling the display of icons in the task bar and the Windows menu. It doesn’t entirely patch the vulnerability, but it helps mitigate one of the attack vectors.

“The vulnerability exists because Windows incorrectly parses shortcuts
in such a way that malicious code may be executed when the icon of a
specially crafted shortcut is displayed. This vulnerability can be
exploited locally through a malicious USB drive, or remotely via network
shares and WebDAV. An exploit can also be included in specific document
types that support embedded shortcuts,” Microsoft said.

The first reports of the new vulnerability surfaced last week when malware researchers discovered a new Trojan called Stuxnet that uses the LNK vulnerability to infect machines via USB drives. There are are other vectors by which an attacker could exploit the vulnerability, including via a shared drive or WebDAV, Microsoft said.

The Microsoft advisory on the LNK flaw says that the company is working on a patch for the vulnerability, but does not specify a time frame for a patch release. The next scheduled Patch Tuesday release would be August 10, but Microsoft could release an out-of-band patch before then.

Suggested articles

New Bug in Internet Explorer Used in Targeted Attacks

There’s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.

Microsoft Releases Huge Patch Tuesday Update For 49 Bugs

Microsoft has released its largest-ever bundle of patches, pushing out 16 updates that fix a total of 49 individual vulnerabilities. The patches include updates for six critical vulnerabilities, most notably a huge fix for some remote code-execution bugs in various versions of Internet Explorer.

Microsoft Warns of Attacks Against ASP.NET Flaw

Microsoft is warning customers that it has seen ongoing attacks against the recently disclosed padding oracle vulnerability in ASP.NET and is encouraging them to implement a workaround that will help protect against the publicly disclosed exploit for the bug.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.