In a security advisory, Microsoft confirmed that hackers have been exploiting a bug in Windows "shortcut" files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.
According to Microsoft, Windows fails to correctly parse shortcut files, identified by the ".lnk" extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC when the user views the contents of the USB drive with a file manager like Windows Explorer.
The exploit works even when AutoRun and AutoPlay are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7.
The problem has been detected, but Microsoft did not set a timeline for patching the vulnerability. Users have been advised that they can block attacks by disabling the display of shortcuts and turning off the WebClient service. Disabling shortcut files will also make it more difficult for users to launch programs or open documents.
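The two workarounds described above, as an added PowerShell example that is not taken from the article or from Microsoft: it reports the current state and, with -Apply, backs up and clears the shortcut icon handler and disables the WebClient service. The registry key, the backup file path and the function name are assumptions not stated on this page.

```powershell
# Added example: report or apply the two workarounds (elevated Windows PowerShell).
# Assumption: shortcut icon display is controlled by the default value of this key.
param([switch]$Apply)

$iconKey   = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$regExeKey = 'HKCR\lnkfile\shellex\IconHandler'
$backup    = Join-Path $env:SystemDrive 'lnk-iconhandler-backup.reg'  # hypothetical backup location

function Get-LnkWorkaroundState {
    # An empty default value means Explorer no longer renders shortcut icons.
    $props   = Get-ItemProperty -LiteralPath $iconKey -ErrorAction SilentlyContinue
    $handler = if ($props) { $props.'(default)' } else { $null }
    $svc     = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"

    New-Object PSObject -Property @{
        ShortcutIconsDisabled = [string]::IsNullOrEmpty($handler)
        WebClientStartMode    = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        WebClientState        = if ($svc) { $svc.State } else { 'NotInstalled' }
    }
}

if ($Apply) {
    # Keep the original handler so the change can be undone with: reg.exe import <backup>
    if (-not (Test-Path -LiteralPath $backup)) {
        reg.exe export $regExeKey $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regExeKey failed; nothing was changed." }
    }
    Set-ItemProperty -LiteralPath $iconKey -Name '(default)' -Value ''

    # WebClient is absent on some server installs, so only touch it when present.
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

Get-LnkWorkaroundState | Format-List
```

The icon change takes effect only after Explorer restarts, and importing the backup file restores the original handler.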
Microsoft said that all still-supported versions of Windows, including Windows XP SP3, Vista, Server 2003, Windows 7, Server 2008 and Server 2008 R2, contain the bug. The betas of Windows 7 SP1 and Server 2008 R2 SP1, which the company released last week, are also at risk.
Windows XP SP2 users must upgrade to XP SP3 to receive a patch for the shortcut flaw when it eventually ships.