Microsoft has announced that it will release an emergency patch later today to fix a critical flaw in Windows that enables hackers to run code and take over PCs.
The patch is being released ‘out-of-band’ as a result of a significant uplift in the number of attacks, as noted by Microsoft’s Malware Protection Center, which tracks attacks on Microsoft anti-virus software such as Microsoft Security Essentials.
The malware affects every version of Windows. It makes use of Windows shortcut file icons, and launches itself when a USB stick is browsed via Windows Explorer, even without a user double-clicking the shortcuts.
Microsoft released an advisory on 16 July stating, “The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV.” It then released details of a workaround, but hopefully today’s patch will finally solve the issue.
The patch has been designated as ‘critical’ by Microsoft, which the company defines as “A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.”
The plaudits for discovering the flaw go to an anti-virus company called VirusBlokAda, based in Belarus, which, on 17 June, found two samples of malware that could attack a fully patched Windows 7 system.
The patch is scheduled to be released at around 6pm UK time and will require a system restart – so be prepared. A webcast providing more details is scheduled for 1pm Pacific Time (10pm in the UK) if you want to know more (registration required).