MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)
High Nessus Plugin ID 47750
Synopsis
It may be possible to execute arbitrary code on the remote Windows host using a malicious shortcut file.
Description
Windows Shell does not properly validate the parameters of a shortcut file when loading its icon. Attempting to parse the icon of a specially crafted shortcut file can result in arbitrary code execution. A remote attacker could exploit this by tricking a user into viewing a malicious shortcut file via Windows Explorer, or any other application that parses the shortcut's icon. It can also be exploited by an attacker who tricks a user into inserting removable media containing a malicious shortcut (e.g. CD, USB drive) when AutoPlay is enabled.
EASYHOOKUP is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
Solution
Either apply the MS10-046 patch or disable the displaying of shortcut icons (refer to the Microsoft advisory).