Windows shortcuts are files set up in a predefined way that end with the filename extension ".LNK." As you may recall, icons for Windows shortcuts appear with a loopy arrow overlaying the icon for the program or file or folder itself. If you write a program that displays icons, when your program encounters a LNK file, it will most likely construct a loopy arrow and then ask Windows to provide the icon of the underlying program, file, folder, or whatever. There is a bug in the way Windows retrieves those underlying icons. It's a big bug, and it's been in Windows for a long, long time. The bug is so big that Windows can be forced to run any program at all. Instead of retrieving the icon of the underlying program or file or folder, Windows instead runs a program of the caller's choice.
Permit me to illustrate: Have you ever gone to a farmer's market and seen a caricature artist? People walk up to the artist and say, "Draw me a picture of Brad Pitt." Ten minutes and 20 bucks later, they get a picture of Brad Pitt.
Now let's say you discover that there's a zero-day shell vulnerability bug in the artist. When you tell the artist, "Draw me a picture of the Windows Time and Date icon, but really buy me an ice cream cone," the artist buys you an ice cream cone.
And who said computer security was complicated?
Say you're a clever cretin and you want to install rootkits. Here's what you do: You make a LNK file that takes advantage of this bug in Windows. When a program -- any program -- puts together an icon for your LNK file, it calls Windows and asks Windows to pass the program the icon of the underlying program, file, or folder. Bingo. This bug kicks in and, instead of retrieving the underlying icon, Windows gets tricked into buying ice cream, er, running some other program. Researchers have hinted that the LNK file (or files) has to specify the precise location of the infecting program, so the LNK file probably has to travel together with the infecting file.
As best I can tell, that's the basic mechanism at work. If that turns out to be the case, there are all sorts of worrisome implications.
First, you don't have to run anything. It's a drive-by infection vector. The minute you do something that makes a program want to show you the icon for that bad LNK file, you're hosed. The examples found in the wild were on USB drives, but that's just a convenient way to deliver all the files in a group. As soon as you open the containing folder, Windows Explorer wants to generate icons for the LNK files, and your system bites the dust. Microsoft now advises that WebDAV can be used as an infection vector. Clearly, any network share -- anywhere your users are likely to go looking for files -- is also susceptible.
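To make that "travels together with the infecting file" detail concrete from the defender's side, here is an added example (my code, not anything from the original article) that parses the string fields of a .LNK file following the public MS-SHLLINK layout and flags shortcuts whose icon or relative-path field names a library or executable outside the Windows directory, i.e. a file that would have to ship alongside the shortcut on the USB stick, share or WebDAV folder. The two sample shortcuts are constructed inline; the triage heuristic and the prefixes it treats as "system" are my assumptions.

```python
import struct

# MS-SHLLINK layout: 0x4C-byte header, optional IDList and LinkInfo, then StringData
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_REL_PATH), ("workdir", HAS_WORKDIR),
                 ("args", HAS_ARGS), ("icon", HAS_ICON))
SYSTEM_PREFIXES = ("%systemroot%", "c:\\windows")   # assumption: what counts as "system"

def parse_lnk_strings(data):
    """Return the StringData fields of a .LNK blob, skipping IDList/LinkInfo by their sizes."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                          # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                             # IDListSize (2 bytes) + ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                           # LinkInfoSize covers the whole struct
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, (2 if flags & IS_UNICODE else 1)
    for key, bit in STRING_FIELDS:                      # each: CountCharacters, then chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    return out

def travelling_binary_refs(strings):
    """Triage heuristic: icon/relpath naming a DLL/EXE outside the Windows directory,
    i.e. a binary that must travel with the shortcut. Returns the offending field names."""
    hits = []
    for key in ("icon", "relpath"):
        p = strings.get(key, "").lower()
        if p.endswith((".dll", ".cpl", ".exe", ".scr")) and not p.startswith(SYSTEM_PREFIXES):
            hits.append(key)
    return hits

def build_sample_lnk(fields):
    """Constructed fixture: header plus Unicode StringData only (no IDList, no LinkInfo)."""
    flags = IS_UNICODE | sum(bit for key, bit in STRING_FIELDS if key in fields)
    blob = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
    blob += b"\x00" * (0x4C - len(blob))                # zero the remaining header fields
    for key, _ in STRING_FIELDS:                        # StringData must keep this order
        if key in fields:
            blob += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    return blob

BENIGN = build_sample_lnk({"name": "Notes", "relpath": ".\\notes.txt",
                           "icon": "%SystemRoot%\\system32\\shell32.dll"})
SUSPECT = build_sample_lnk({"icon": "E:\\photos\\helper.dll"})  # constructed, not a real IoC
```

Run `travelling_binary_refs(parse_lnk_strings(open(path, "rb").read()))` over every .LNK on a removable drive or share to get a first-pass list worth a closer look; an empty list is not a clean bill of health, only the absence of this one pattern.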