Windows Shortcut Exploit Finally Patched – Here’s What IT Pros Need to Know

This Week in IT

This Week in IT, a hidden Windows shortcut flaw exploited for years finally gets patched, but how did attackers sneak their malware past security teams? Microsoft 365 E3 and E5 customers are about to get powerful Intune tools like Remote Help and just‑in‑time admin rights, but there’s a price hike on the way. And by March 2026, frontline workers will lose access to Exchange Web Services.

Episode overview

This week in IT highlights:

  • Windows Shortcut Vulnerability Patched:
    • Microsoft has finally patched a long-standing vulnerability in Windows shortcut (.lnk) files that allowed attackers to bypass security warnings and deploy malware.
    • The flaw was actively exploited, prompting Microsoft to release a silent patch ahead of Patch Tuesday.
    • Attackers could embed malicious commands in the shortcut’s target field, making it crucial for admins to deploy the patch and audit their environments for past misuse.
  • Intune Upgrades for Microsoft 365 E3/E5 Customers:
    • Enterprise subscribers (E3 and E5) will receive new Intune tools, such as Remote Help and Just-in-Time Access, previously available only as add-ons.
    • These upgrades aim to reduce reliance on third-party privilege management solutions, though feature parity with mature products like BeyondTrust is still evolving.
    • The rollout starts mid-2026, but comes with a price hike for commercial customers.
  • Exchange Web Services (EWS) Phase-Out:
    • By March 2026, frontline workers on F-subscription plans will lose access to Exchange Web Services (EWS), as Microsoft shifts focus to the more secure and modern Graph API.
    • Organizations relying on EWS for legacy applications should begin auditing and planning migrations before the October 2026 cutoff.
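
For the shortcut audit recommended in the first item, the following is an added example, not code from the episode or from Microsoft: a small parser for collected .lnk files that reads the target and arguments and flags shortcuts worth a manual look. The field layout follows the public MS-SHLLINK specification; the function names, the interpreter list, the 260-character threshold and the cp1252 code page are assumptions made for illustration.

```python
import re
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK specification.
CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumed heuristics for illustration, not indicators taken from the episode.
INTERPRETERS = re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript)\b", re.I)
MAX_ARGS = 260

def parse_lnk(data: bytes) -> dict:
    """Extract the local base path and StringData fields from a shortcut."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos, fields = struct.unpack_from("<I", data, 20)[0], 76, {}
    if flags & HAS_IDLIST:  # 2-byte size that does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # 4-byte size that counts itself
        size, _, li_flags, _, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:  # NUL-terminated ANSI path (cp1252 assumed)
            end = data.index(b"\0", pos + path_off)
            fields["local_base_path"] = data[pos + path_off:end].decode("cp1252", "replace")
        pos += size
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, name in STRING_FIELDS:  # each present string: 2-byte count, then chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(codec, "replace")
            pos += 2 + count * width
    return fields

def audit_lnk(data: bytes) -> list:
    """Return reasons a shortcut deserves manual review (empty list if none)."""
    f = parse_lnk(data)
    args = f.get("arguments", "")
    target = f.get("local_base_path") or f.get("relative_path", "")
    reasons = []
    if INTERPRETERS.search(target) and args:
        reasons.append("interpreter target with arguments")
    if len(args) > MAX_ARGS:
        reasons.append("arguments exceed %d characters" % MAX_ARGS)
    return reasons

def build_sample(target: str, args: str) -> bytes:
    """Constructed test input: header, relative path and arguments only."""
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x08 | 0x20 | IS_UNICODE).ljust(76, b"\0")
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
```

Run `audit_lnk` over the raw bytes of each shortcut gathered from user profiles, startup folders and mail attachments, and review any file that returns a non-empty list.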