Patch Monday: Windows shortcut hole gets plugged today

The rush to patch the nefarious zero-day shortcut flaw shows that Microsoft knew the seriousness of the situation from the start

Remember the Windows shortcut zero-day security hole? The one that could trick Windows into running malware-- and forced Microsoft to rush out a crude patch that turned your shortcut icons into blank boxes? On Friday, Microsoft announced it would offer an "out-of-band" patch for the flaw today at around 10 a.m. PST.

There's a spin about the patch, and a few comments by industry observers, that have me seeing red.

[ Also on InfoWorld: Gregg Keizer's Security Central post has all the details about this patch. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter. ]

The spin goes like this: Microsoft was prompted to rush this patch out the door after seeing a huge increase in the number and virulence of infections being propagated by jiggered shortcut LNK files. Poppycock.

Microsoft has been working furiously, since day one, to get the patch out the door. The upswing in infections -- particularly Sality.AT infections, but also others -- happened in the background, while the teams were calling on every Windows expert with direct knowledge of LNK file processing and melting down huge banks of regression testing machines. It isn't like somebody at the MS Security Response Center woke up one morning and said, "Oh my gosh, there's another Sality infection, we'd better get our act together and fix this thing."

I doubt that anybody in Redmond ever thought, even for a moment, that the company would let the regular Patch Tuesday schedule determine the release date of a patch for so serious a flaw. That would leave the primitive Fixit patch as the only line of defense until Aug. 10.

Right now the big question is whether Microsoft will officially relase a fix for Windows XP SP2 and/or Windows 2000, both of which went off life support on July 13 (see Galen Gruman's Tech Watch analysis for details).

I'm betting Microsoft will release official patches for Windows XP SP 2 and 2000. If they do, all of that blustering about end-of-life for SP2 -- both the chicken-little cries from the press warning the skeptical to upgrade, and the admonishments from a certain company in Redmond with a vested interest in jumpstarting Windows 7 upgrades -- will seem a bit silly, eh?

This article, "Patch Monday: Windows shortcut hole gets plugged today," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies