Microsoft issued a patch for the issue in its November Patch Tuesday security update, but the bug was already under active exploit at the time as a zero-day. Now, the PoC further heightens the need for organizations to address the bug, if they haven't done so already.
To exploit the flaw, an attacker would need to get a user to click on a maliciously crafted Internet shortcut (.URL) or a link pointing to such a file.
The script basically shows how an attacker could generate a seemingly legitimate looking but malicious .URL file and distribute it via a phishing email. "An attacker could deliver this crafted .URL file via phishing emails or through compromised websites."
[
add
]
[
|
|
...
]