Last week Microsoft released security advisory 2286198, which advises of a vulnerability in Windows Shell that incorrectly parses shortcuts (LNK files). An attacker can take advantage of this in a variety of ways – via a USB drive, over network shares using WebDAV, or by embedding shortcuts in a document.
This appears to be a particularly nasty vulnerability and one for which the exploit code is now out there. It’s said to be able to circumvent UAC and Windows 7 security mechanisms, and the workarounds (disabling icon display for shortcuts and disabling the WebClient service) are not a very pleasant ones as they impact usability. Many sources are predicting an “out of band” patch to address this problem. Meanwhile, it’s something network administrators need to be aware of. And of course, Windows XP SP2 is no longer in extended support so there will be no patch for it.