It’s Monday, And We’re Still Waiting…

Microsoft announced last week that an out-of-band update would be coming for the problem with the handling of LNK files on Windows, including the newest of the series, Windows 7, whose security had been extolled as the reason for the masses to upgrade immediately, if not sooner.

The people who have lost support, Windows 2000 users, Windows XP SP2 users, were told to upgrade to Windows 7 to get support, but it appears that the support will come no sooner for Windows 7 than when Microsoft is darn good and ready. As I write this, it is nine and a half hours into Monday, and no fix exists yet.

Are we awaiting the arrival of royalty? A rockstar? This is something that, since it was announced, should have been hitting the “streets” at 12:01 AM in this time zone (since Redmond is also on PST).

Maximum PC had something this morning, in anticipation –

In a recent blog post, Dave Forstrom of the Microsoft Security Response Center (MSRC) announced plans to release a security update later today to plug up a security hole discovered two weeks ago.

“We are releasing the bulletin as we’ve completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers,” Forstrom wrote. “Additionally, we’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

The security hole, which Microsoft outlined in a recent advisory, involves Windows’ mishandling of shortcuts in such a way that an attacker could gain access to a person’s system when the user clicks a specially crafted shortcut. Security firm Sophos described the vulnerability as a “nasty” rootkit because of the way “it bypasses all Windows 7 security mechanisms, including UAC, and doesn’t require administrative privilege to run.”

With the increase in attempts to inject the problem, you might think Microsoft would release ASAP.


Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010 | Updated: July 20, 2010

Version: 1.2
General Information
Executive Summary

Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.

Microsoft is currently working to develop a security update for Windows to address this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Affected Software

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

That’s pretty much the entire catalog of supported operating systems, as far as I am aware.

From Sophos, we have the current threats, and their solution, which I posted before, but here it is again.


After going to the BBC website, I found that the update would be released at 10 AM PST.

It was.

I applied it only to find out that the “fix” does what the “temporary fix” did, only it is automated.

It hoses all the icons, makes it hard to get to things in the menu quickly, as the generic icon is substituted for all of the custom ones.

This is not an acceptable repair – this is the sort of garbage I’d expect of a bad shareware author, not Microsoft, on its operating systems.

Note – I can’t say what it does on Windows Vista or Windows 7, but on XP it does what I described above. I don’t know about you, and your system, but I’m going back to the Sophos solution, which was clearly doing the job invisibly, with no observed problems. It was a workaround, but it did not affect my system in the way the Microsoft “fix” does.

I won’t be trying any new fixes for this problem until I have evidence that the problem does not require registry snooping to revert the fixes. [The KB 2286198 patch for XP allows removal, but does not remove the changes made to the registry, which leaves the icons hosed. This is similar to Microsoft’s other unsatisfactory removal programs, which is why registry cleaners and 3rd party uninstall programs have become a cottage industry.]

This is not to say that I am, or anyone else for that matter is, incapable of editing the registry. It does say that the removal of a patch designed by the author of a program should return the program to the earlier state, automatically…

As far as I am concerned, we are still waiting for a fix, it is Monday, someone had better get on it…