The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV.
Microsoft has posted a pre-patch advisory that spells out the problem:
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.
The flaw could also be exploited to launch drive-by downloads against Windows users running Internet Explorer:
An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).
In the absence of a patch, Microsoft is recommending that users run the automated "Fix-It" tool to disable the vulnerable .LNK and .PIF file functionality on Windows machines.