Microsoft has issued a security bulletin for a critical flaw in Windows that can lead to exploitation when removable media is inserted into a PC, but isn’t planning an out-of-cycle patch.
The flaw is described on Neowin as affecting the way that Windows handles .lnk files, which are shortcuts to other files. If a removable storage device is connected to a system with AutoRun or AutoPlay enabled, or if the device is opened manually in Windows Explorer, the flaw is triggered and code is executed. The vulnerability is particularly concerning because it affects all current versions of Windows and bypasses protections such as UAC that are designed to prevent exactly this kind of attack. It can also potentially be exploited over WebDAV or network shares, with no physical access to the machine required.
Microsoft’s security bulletin is nevertheless silent on when a fix can be expected, even though the company acknowledges that the flaw is being actively exploited in what it claims are “limited, targeted attacks.” Without an out-of-cycle patch for the flaw, the earliest the issue could be resolved is Tuesday the 10th of August. Microsoft has offered a workaround for the issue, which is to disable icons for shortcuts.
Optimised IT






