July 5, 2006 12:51 PM PDT

Microsoft: Shortcut 'trick' is legitimate feature

A Windows shortcut "trick," which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is not a security vulnerability, Microsoft said.

Using Windows XP and Internet Explorer, a user could type a Web address--such as www.microsoft.com--into the browser, and instead of loading the Web site, the browser would run an executable file located on the user's computer.

To test the so-called trick, try the following:

• Right-click on the Desktop and create a new Shortcut

• Point the shortcut to an executable--such as c:\windows\system32\calc.exe

• Call the shortcut www.microsoft.com

• Start Internet Explorer and type "www.microsoft.com" into the address bar

If the shortcut is then deleted--or the characters "http://" are added before the "www" in the browser address bar--then IE will once again connect to the Internet as expected.
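For administrators who want to check whether such shortcuts exist on a machine, the following audit script is an added example and is not part of the original article. It lists Desktop shortcuts whose name reads like a Web address but whose target is a local executable; the function names, the name pattern and the extension list are assumptions chosen for illustration.

```powershell
# Added audit example (not from the article): list Desktop shortcuts whose
# name reads like a Web address but whose target is a local executable.
# The name pattern and extension list are heuristics chosen for this example.

$hostLike   = '^(www\.)?([a-z0-9-]+\.)+[a-z]{2,}$'   # e.g. www.microsoft.com
$executable = '\.(exe|com|bat|cmd|scr|pif|vbs|js)$'   # assumed list, extend as needed

function Test-AddressLikeShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,    # shortcut name without .lnk
        [string]$TargetPath                     # resolved target, may be empty
    )
    # -match is case-insensitive by default
    ($Name -match $hostLike) -and ($TargetPath -match $executable)
}

function Find-AddressLikeShortcut {
    param([string[]]$Folder = @(
        [Environment]::GetFolderPath('Desktop'),                 # current user
        [Environment]::GetFolderPath('CommonDesktopDirectory')   # all users
    ))

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Folder | Where-Object { $_ -and (Test-Path $_) }) {
        Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut loads the existing .lnk so its fields can be read
            $lnk = $shell.CreateShortcut($_.FullName)
            if (Test-AddressLikeShortcut -Name $_.BaseName -TargetPath $lnk.TargetPath) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
        }
    }
}

Find-AddressLikeShortcut | Format-List
```

A shortcut that a user created deliberately as a launcher will also be listed, so each hit needs a look at its target and modification time before it is treated as suspicious.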

In a statement to ZDNet Australia on Tuesday, Peter Watson, chief security adviser at Microsoft Australia, said this is not a security vulnerability but actually a feature that could be used by legitimate applications.

"It's important to clarify the difference between security problems and legitimate features. A security hole helps an attacker do something they shouldn't be able to do, which is not the case in this instance," said Watson. "Software that the user legitimately has installed on the computer might need exactly this sort of feature provided by IE."

According to Watson, the shortcut trick could be used to help automation.

"For example, imagine if you needed to run a dial-up connection to connect to a certain site. The dial-up connection might be called 'connect to mysite.com.' You can see in that case how important it is for Windows (or any operating system) to have flexibility for legitimate software.

"Organizations or individual users may require or desire to automate part of the process for application connectivity with IE. Microsoft views this as one of the advantages in using IE as a means of enabling user access in that it provides users a consistent and seamless experience," said Watson.

However, some security analysts believe this particular feature is unnecessary and expect it to be exploited by malicious-software writers.

Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told ZDNet Australia that he tested the trick using Windows XP SP2 and found that although it worked using IE, Firefox users were safe.

"Microsoft's so-called useful features have been shown time and again to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception," he said.

Frost and Sullivan Australia's security analyst, James Turner, agreed: "I would imagine that malware writers could definitely exploit this--particularly with a little social engineering."

Munir Kotadia of ZDNet Australia reported from Sydney.


22 comments

Yet another half-baked idea
Here we go again: Microsoft cuts corners on security to add another dubious feature and creates a mess for us system administrators to clean up (or maybe I should say "future mess" because no exploits exist for it - yet). Thanks, Bill Gates and company, your half-baked ideas are a real PITA....
Posted by Get_Bent (534 comments )
Cut corners on security?
How is this a security threat?
Tell me a single risk this generates, a single scenario where this can be exploited, please.
You might claim that the fact that there is no exploit yet doesn't mean there is none. But that's just nonsense, because this doesn't open new avenues for exploit, it doesn't change anything on a system.
Besides, I've been using this feature dozens of times a day for years. Just try it: right click on the bottom bar and select Toolbars/Address. There you have, a URL launcher, program launcher and command line all in one. Handy.
But now people like you want it removed because they can't find nothing actually bad with it, but it must be baaaad just because someone said so.
Or it is bad just because it is something the Evil Microsoft did?
Posted by herby67 (144 comments )
Old news
This is just now making the news. Geez, this has been around for a while now.
Posted by itworker--2008 (130 comments )
is there a tip of the week for windows section?
This makes a great menu system for keyboard in windows. Win+R, url, enter; three keystrokes plus url for your top ten favourite programs. Just pick a url outside of the regular domains like www.domain.com. I think it makes windows even more usable.
Posted by jabbotts (492 comments )
wow
I didn't even know you could do that. This makes working on a laptop that much easier. Thanks, man.
Posted by emehrkay (13 comments )
Um, No No No NO!
I've known about and used this feature for four years. I think it's an extremely useful feature and I cannot see at all how malware could take advantage of this. In fact, I've always thought of this as the only reason to have shortcuts on your desktop. For instance, say you have a web link like:
http://www.stupidlylongsitename/with/lots/of/subfolders/andalongpagename.php?and=lots&of=parameters
You could create a shortcut to this url on your desktop, name it something like 'shortname'. Then all you need to do to go to the site is type in 'shortname'. Of course if you get bored of browsing the net you could always type 'counter-strike' in instead...
Posted by TheOddMan (2 comments )
A little silly.
While it might be somewhat convenient, it is useful for a limited number of things before the desktop is simply too crowded to make it useful. Firefox's keywords (or similar for other browsers) give you the same functionality without having the icon on your desktop.

For that matter, a "favorite" in IE is probably nearly as convenient.

I can think of a bunch of malicious ways to exploit this feature, but then again, as far as "security" issues in Windows go, this is probably the least worrisome one I've ever heard of.
Posted by Zymurgist (397 comments )
I put a .bat file ...
Sigh ... I am sure this can be exploited, but so can any shell script. The key is, how does that shortcut get created! Put it this way, if someone has managed to create that shortcut on your desktop, your computer has already been exposed. There could be millions of tricks to exploit it. The shortcut will be the least problem you need to worry about at that point.
Posted by Pixelslave (101 comments )
More of the same...
All of Microsoft's vulnerabilities are features... not bugs... (* ROFLOL *)

Only problem is that very few actually believe Microsoft anymore!

Walt
Posted by wbenton (522 comments )
Slow day in the security world?
This is a feature, and it is not new. This would work on most IE versions. You could do similar things in DOS with BAT files. As a kid I used to, for a laugh, make BAT files with names like "Why.bat". That way I could enter "Why is it so?" and have the computer tell me "Because".

If this is an exploit then the delete key is one as well.
Posted by Andrew J Glina (1673 comments )