Our Blog

Microsoft Patch – MS10-046 – Critical

Microsoft released a Critical patch today for pretty much all versions of Windows, from XP on up. (This doesn’t mean it doesn’t also apply to earlier versions; just that earlier versions are no longer supported.)

The issue behind this patch is that when you create a shortcut to something, Windows actually reads part of the underlying file to pick up things like the icon to use for the shortcut. Microsoft has found a problem in the way this works: the very process of displaying the icon can be exploited, enabling code of the attacker’s choosing to run with the privileges of the locally logged-on user.

In other words, you don’t even have to run the program in order to be attacked. All an attacker has to do is make an icon appear on your desktop, and when Windows reads the file to display the icon for it, it will run the malicious code with your permissions. Since many people use Windows XP with Administrator permissions, this means the attacker owns your system. And since many people with Vista or Windows 7 routinely ignore (or even turn off) the UAC warnings, attackers are going to own those systems too.

If your system is set for automatic updates, you’ll have already applied this patch this morning. If not, do! It’s a Critical level security patch, and it will likely require a system reboot – it did for me.

About dspigelman