Microsoft has issued an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.
According to senior Sophos security researcher Graham Cluley, the “Shortcut Exploit” utilizes a specially crafted shortcut (.LNK) file which points to malicious code and tricks Windows into executing it without user interaction.
“Microsoft normally publishes its security patches on the second Tuesday of each month, but this one [was] released today,” explained Cluley.
“Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too [and] apply the patch as soon as possible.”
For its part, Microsoft confirmed it had observed an “increase in attempts” to exploit the critical vulnerability.
“[So], we are releasing the bulletin as we’ve completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers,” said MS spokesperson Christopher Budd in an official blog post.
“We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”