According to the BBC, shortcut files (*.lnk), such as those used for desktop shortcuts, can be injected with malicious code which executes when the user clicks a link. Microsoft taking this seriously enough to release a patch ahead of the normal Windows update cycle. The report states that every Windows release is affected.
From the article:
The first exploits of the flaw were seeded via infected USB drives and network connections. While exploitation of the flaw was limited initially, the tempo of attacks via the bug has escalated since it was discovered and publicised.
Early attacks using the bug were aimed at the software control systems for critical infrastructure such as power stations.
The patch was scheduled to be released this morning, Pacific Time.