July 5, 2006 12:51 PM PDT
Microsoft: Shortcut 'trick' is legitimate feature
- Related Stories
Browser bugs hit IEJune 29, 2006
Attack code out for Apple flawJune 29, 2006
Microsoft fixes Windows security patchJune 28, 2006
Attack code for Windows flaw heightens riskJune 26, 2006
Office hit by another security problemJune 22, 2006
French Microsoft Web site hackedJune 19, 2006
Online threats outpacing law crackdownsJune 15, 2006
Using Windows XP and Internet Explorer, a user could type in a Web address--such as www.microsoft.com--into a browser, and instead of launching the Web site the browser would run an executable file located on the user's computer.
To test the so-called trick, try the following:
Right click on the Desktop and create a new Shortcut
Point the shortcut to an executable--such as c:\windows\system32\calc.exe
Call the shortcut www.microsoft.com
Start Internet Explorer and type "www.microsoft.com" into the address bar
If the shortcut is then deleted--or the characters "http://" are added before the "www" in the browser address bar--then IE will once again connect to the Internet as expected.
In a statement to ZDNet Australia on Tuesday, Peter Watson, chief security adviser at Microsoft Australia, said this is not a security vulnerability but actually a feature that could be used by legitimate applications.
"It's important to clarify the difference between security problems and legitimate features. A security hole helps an attacker do something they shouldn't be able to do, which is not the case in this instance," said Watson. "Software that the user legitimately has installed on the computer might need exactly this sort of feature provided by IE."
According to Watson, the shortcut trick could be used to help automation.
"For example, imagine if you needed to run a dial-up connection to connect to a certain site. The dial-up connection might be called 'connect to mysite.com.' You can see in that case how important it is for Windows (or any operating system) to have flexibility for legitimate software.
"Organizations or individual users may require or desire to automate part of the process for application connectivity with IE. Microsoft views this as one of the advantages in using IE as a means of enabling user access in that it provides users a consistent and seamless experience," said Watson.
However, some security analysts believe this particular feature is unnecessary and expect it to be exploited by malicious-software writers.
Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told ZDNet Australia that he tested the trick using Windows XP SP2 and found that although it worked using IE, Firefox users were safe.
"Microsoft's so-called useful features have been shown time and again to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception," he said.
Frost and Sullivan Australia's security analyst, James Turner, agreed: "I would imagine that malware writers could definitely exploit this--particularly with a little social engineering."
Munir Kotadia of ZDNet Australia reported from Sydney.
22 commentsJoin the conversation! Add your comment