Microsoft on Tuesday said that hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that would trigger an infection when people simply surf to a malicious Web site.

A noted vulnerability researcher today confirmed that such attacks are possible.

In the revised security advisory published yesterday Microsoft acknowledged the new attack vector.

"An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."