Windows .LNK Flaw Exploit

July 20, 2010

I posted a note last week about a new Windows security vulnerability, related to its processing of shortcut (.LNK) files.  The Internet Storm Center  [ISC]at SANS is now reporting that  code to implement an attack on this vulnerability has been published within the Metasploit  framework.

The ISC has raised its assessment of the overall Internet threat level from Green to Yellow.  (Who decides these colors, anyway?)   I think this is a potentially serious thret, because it requires so little in the way of user action to succeed.

Microsoft has not yet issued a patch for this, but there are some mitigation steps listed in its Security Advisory.

I’d expect Microsoft to issue a patch for this in its regular update in August.  If I discover anything further, I’ll post a follow-up note.

%d bloggers like this: