A zero-day exploit in several versions of Windows has been found that includes the ability to execute malicious code spread through favicons. Because of this, site favicons have been temporarily disabled for news stories. This will be restored once there has been a patch.
Details here: http://secunia.com/advisories/22159/
There shouldn't be any issue on our end for displaying them on the news as it's inline, but I'm taking the precautionary stance. The primary basis is to not be downloading them to the server for now.
From my perspective, the demonstrated possibility to exploit it through favicons was the most significant known concept thus far, but it's just a symptom. There's no real workaround as it's too integral to the entire operating system (the result would be disabling ALL icon displays). Though if you worked locally in DOS and browsed the web on Lynx you'd be safe.
EDIT: Actually, there is technically the ability to replace the Windows shell with a third-party program, but it's not a nice process. Just avoid the dark places of the net, don't let random people with USB sticks near your computer, and keep patched as updates come along.
I never click those things.
They aren't for clicking.
It's so funny. It's a vulnerability with .lnk files, yeah? I think they waited to exploit it until MS turned off support for 2K and XP a couple of weeks ago. Not really, no one has that much patience, but still, it was good timing.
But good catch on that. I didn't even think of the use of favicons on the site.