Microsoft will release a security update today to address a critical vulnerability in the Windows Shell.
Last week the Vole announced in Security Advisory 2286198 that it was looking into reports of targeted attacks exploiting a vulnerability in Windows Shell.
In fact the vulnerability affects just about every operating system that the Vole has released in the past decade because "Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut."
Microsoft said that the vulnerability can be exploited locally through a malicious USB drive or remotely via network shares and WebDAV.
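As an added defender-side example (not code from the article, from Microsoft or from any of the projects named): a small Python triage script that parses the string fields of .lnk shortcut files according to the published shell link binary format and labels each shortcut by where its icon is loaded from, so that shortcuts on a mounted USB drive whose icon points at a network share or WebDAV path stand out from the rest. The labelling rule, the sample shortcuts written into a temporary directory and the server name in them are all constructed for this example.

```python
import struct
import tempfile
from pathlib import Path

# Constants from the shell link binary format (MS-SHLLINK): fixed header size and LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict (only what this triage needs)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    # Skip the optional LinkTargetIDList (2-byte size prefix; the size excludes the prefix).
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Skip the optional LinkInfo block (4-byte size that includes itself).
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def icon_risk(fields: dict) -> str:
    """Triage label for where the icon is loaded from (this example's rule, not Microsoft's)."""
    icon = fields.get("icon_location", "")
    if not icon:
        return "none"     # no explicit IconLocation; the icon comes from the link target
    if icon.startswith("\\\\"):
        return "remote"   # UNC path: a network share or WebDAV location, the remote vector above
    return "local"


def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed minimal shell link: a 76-byte header plus an optional ICON_LOCATION string."""
    flags = (HAS_ICON_LOCATION | IS_UNICODE) if icon_location else IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID, little-endian GUID
    header += struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b""
    if icon_location:
        body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + body


def scan_for_shortcuts(root) -> list:
    """Walk a mounted volume (e.g. a USB drive) and label every .lnk by its icon source."""
    results = []
    for path in sorted(Path(root).rglob("*.lnk")):
        try:
            fields = parse_lnk(path.read_bytes())
        except (ValueError, struct.error) as exc:
            results.append((path.name, "unparseable", str(exc)))
            continue
        results.append((path.name, icon_risk(fields), fields.get("icon_location", "")))
    return results


def demo() -> list:
    """Write constructed shortcuts (and one junk file) to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a_local.lnk").write_bytes(build_sample_lnk(r"C:\Windows\System32\shell32.dll"))
        (root / "b_remote.lnk").write_bytes(build_sample_lnk(r"\\fileserver\share\icon.ico"))
        (root / "c_noicon.lnk").write_bytes(build_sample_lnk(""))
        (root / "d_junk.lnk").write_bytes(b"not a shortcut")
        return scan_for_shortcuts(root)


if __name__ == "__main__":
    for name, label, icon in demo():
        print(f"{name:14} {label:12} {icon}")
```

Run it against the root of a mounted removable drive by calling `scan_for_shortcuts("E:\\")` instead of `demo()`; the script only reads the files, it never resolves or loads the icon path it reports, which is the point of triaging shortcuts offline.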
At the time we said that the whole security fiasco blew up in Microsoft's face when researchers showed off a proof-of-concept exploit. The Stuxnet Trojan used two digitally signed Realtek drivers to mask its payload. Microsoft has since been working with Verisign, which has revoked the certificate used to sign the drivers, something that Realtek also supported.
There was no actual patch for the Shell at the time, though; it will be released today at around 10am PDT.
A spokesvole said the company has completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers.
Part of the reason the Vole is rushing the patch out is that in the past few days it has seen an increase in attempts to exploit the vulnerability.
"We firmly believe that releasing the update out of band is the best thing to do to help protect our customers," Microsoft said. µ
I think a retraction is in order for your "MS has given up" garbage you guys posted.
I recently chided an author over the misuse of the word 'patching' when 'fixing' was implied.
I now chide you for using fixing, when PATCHING is the best you can ever expect.
The other author implied that 'fixing' was what a patch did. I pointed to a thing called buffer overflow, which has been patched more times than politicians lie... but has not been fixed. The difference is very big.
Until proof is tenured (e.g. the problem never happens again, or better, the software never has problems again) the problem is not 'fixed', it is 'patched'.
This is not a difficulty betwixt the Queen's English and American vernacular...
It is a problem promulgated by the media to truly screw up understanding of what is said.
I have yet to see any proof that Microsoft has 'fixed' problems.
Adapting from a quote about the malady lingers on...
The patch is gone, but the problem lingers on....
I'm surprised Microshaft hasn't imposed a fee for their updates - it would be a licence to print money!
That's caused by indiscriminately mixing code and data. The mere existence of the registry edit that turns it off *proves* that the overall design is bizarrely complex and should never have been implemented.
Microsoft fixes flaws every day.
Hardly newsworthy.
Better they fix it rather than pretend it doesn't exist (Apple's strategy).