Update: August 2, 2010. Microsoft has released an update to fix this vulnerability and recommends applying it immediately via Windows Update.
July 2010. A new and dangerous vulnerability has been discovered in Microsoft’s Windows operating systems.
It is called the Windows Shell LNK icon shortcut rendering zero-day flaw. It affects all versions of Windows.
This exploit is particularly dangerous because it can run malicious code merely by displaying a tainted shortcut icon (.lnk or .pif). No user interaction is required, which makes it a worm. The tainted shortcut file can be on a website, USB drive, network share or WebDAV, or in a document. It has been seen in the wild as of July 2010.
The malicious code that is run may include backdoors and rootkits.
Microsoft will quickly release a patch for this problem, likely out of cycle, as soon as it is ready. In the meantime, Microsoft and Sophos have released workarounds:
Microsoft workaround: Fix It. The Microsoft workaround renders some shortcut icons as white boxes.
Install the Microsoft update as soon as it is released!
Antivirus makers report that their products detect and remove the payloads.
Payloads may include drivers signed with valid certificates – surprising and dangerous.
Windows XP SP2 is no longer supported by Microsoft and may not receive a fix – dangerous because there are a lot of XP SP2 computers out there.
Windows 2000 is not affected? NT?