The vulnerability was used by the Stuxnet worm. According to Symantec, the first exploitation of the vulnerability was discovered on 2008-02-13.
Advisory: SB2010071603 - Remote code execution in Microsoft Windows
Vulnerable component: Windows
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-20 - Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing icons in .lnk and .pif files within Windows Explorer. A remote attacker can create a specially crafted icon file, trick the victim into clicking on it, and execute arbitrary code on the target system with the privileges of the current user.
Successful exploitation of the vulnerability results in compromise of the vulnerable system.
Note: this vulnerability is being actively exploited.
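The description above turns on how Explorer resolves the icon a shortcut advertises, so a defender's first triage question for a suspicious .lnk is "where does its icon location point?". The following Python is an added example and not part of this advisory or of any vendor tooling: it parses the ShellLinkHeader and the StringData section of a shortcut by the layout in the MS-SHLLINK specification, then applies two review heuristics that are my own assumptions for illustration (an icon location naming a control-panel .cpl module, which is the icon source the MS10-046 fix addressed, and an icon location on a UNC path). `build_lnk` constructs minimal sample shortcuts inline so the example runs offline; it does not produce files that exercise the vulnerability.

```python
from __future__ import annotations

import ntpath
import struct
from dataclasses import dataclass

# Fixed 0x4C-byte ShellLinkHeader and the LinkCLSID every .lnk carries (MS-SHLLINK 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080
# StringData fields appear in this fixed order, each only if its flag is set (MS-SHLLINK 2.4).
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


@dataclass
class LnkSummary:
    link_flags: int
    icon_index: int
    name: str | None = None
    relative_path: str | None = None
    working_dir: str | None = None
    arguments: str | None = None
    icon_location: str | None = None


def _read_string(data: bytes, offset: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData entry: u16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    size = count * 2 if unicode else count
    raw = data[offset:offset + size]
    if len(raw) != size:
        raise ValueError("truncated StringData")
    return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace"), offset + size


def parse_lnk(data: bytes) -> LnkSummary:
    """Validate the header, skip LinkTargetIDList and LinkInfo, and collect StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    (link_flags,) = struct.unpack_from("<I", data, 0x14)
    (icon_index,) = struct.unpack_from("<i", data, 0x38)
    summary = LnkSummary(link_flags=link_flags, icon_index=icon_index)
    offset = LNK_HEADER_SIZE
    try:
        if link_flags & HAS_LINK_TARGET_ID_LIST:   # u16 IDListSize, then the IDList itself
            (id_list_size,) = struct.unpack_from("<H", data, offset)
            offset += 2 + id_list_size
        if link_flags & HAS_LINK_INFO:             # u32 LinkInfoSize covers the whole block
            (link_info_size,) = struct.unpack_from("<I", data, offset)
            offset += link_info_size
        for flag, attr in STRING_FIELDS:
            if link_flags & flag:
                text, offset = _read_string(data, offset, bool(link_flags & IS_UNICODE))
                setattr(summary, attr, text)
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return summary


def triage_lnk(data: bytes) -> list[str]:
    """Review the icon location; both heuristics are this example's own assumptions."""
    summary = parse_lnk(data)
    findings: list[str] = []
    icon = (summary.icon_location or "").strip().lower()
    if icon and ntpath.splitext(icon)[1] == ".cpl":
        findings.append(f"icon location names a control-panel module: {summary.icon_location}")
    if icon.startswith("\\\\"):
        findings.append(f"icon location is a UNC path: {summary.icon_location}")
    return findings


def build_lnk(relative_path: str, icon_location: str, unicode: bool = True) -> bytes:
    """Build a minimal shortcut (constructed sample, not a captured file) for offline testing."""
    flags = (IS_UNICODE if unicode else 0) | HAS_RELATIVE_PATH | HAS_ICON_LOCATION
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0)  # ..., LinkFlags, FileAttributes
    header += b"\x00" * 24                                   # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)   # FileSize, IconIndex, ShowCommand, HotKey, reserved
    assert len(header) == LNK_HEADER_SIZE

    def pack_string(text: str) -> bytes:
        encoded = text.encode("utf-16-le") if unicode else text.encode("cp1252")
        return struct.pack("<H", len(text)) + encoded      # CountCharacters counts characters, not bytes

    return header + pack_string(relative_path) + pack_string(icon_location)


if __name__ == "__main__":
    for label, sample in (
        ("benign", build_lnk(r"..\notepad.exe", r"%SystemRoot%\system32\notepad.exe")),
        ("review", build_lnk(r"..\report.pdf", r"\\FILESERVER\public\icons.cpl", unicode=False)),
    ):
        print(label, parse_lnk(sample).icon_location, triage_lnk(sample))
```

In a real sweep of a file share or a mounted removable drive you would feed each `.lnk` to `triage_lnk` and keep the flagged ones for analyst review; `parse_lnk` raises `ValueError` on anything that is not a well-formed shortcut, so truncated or forged files are reported rather than silently skipped.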
Known APT campaigns:
Iranian Nuclear Facilities breach
The breach was identified in summer 2010 by VirusBlokAda, an antivirus company from Belarus, which was called in to investigate computers in Iranian nuclear facilities.
- Microsoft Windows - Automatic LNK Shortcut File Code Execution [Exploit-DB]
- Microsoft Windows - Shell LNK Code Execution (MS10-046) (Metasploit) [Exploit-DB]