To the victim, the .lnk file looked like it opened a folder or launched a trusted application, but in reality, it could execute an arbitrary script, a dropper, or living-off-the land command.
0patch researchers confirm the issue to have been somewhat resolved after Microsoft quietly” bundled a fix into its November Windows Updates. “There was no mention of anything remotely akin to this issue among its 63 patched vulnerabilities,” the researchers said, adding the fix was likely applied under the guise of a functional bug rather than a security vulnerability.
“Now, the ‘Properties’ dialog of a .lnk file shows the entire Target command with arguments, no matter how long it is,” the researchers added. Microsoft did not immediately respond to CSO’s request for comments.
