Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability.
Using Windows XP and Internet Explorer, it is easy to create a scenario where a user types in a Web address -- such as www.microsoft.com -- into their browser and instead of the launching the Web site, the browser runs an executable file that is located on the user's computer.
To test the 'trick' yourself, try the following:
If the shortcut is then deleted -- or the characters "http://" are added before the "www" in the browser address bar -- then IE will once again connect to the Internet as expected.
- Right click on the Desktop and create a new Shortcut
- Point the shortcut to an executable -- such as c:\windows\system32\calc.exe
- Call the shortcut www.microsoft.com
- Start Internet Explorer and type "www.microsoft.com" into the address bar
In a statement to ZDNet Australia on Tuesday, Peter Watson, chief security advisor at Microsoft Australia, said this is not a security vulnerability but actually a feature that could be used by legitimate applications.
"It's important to clarify the difference between security problems and legitimate features. A security hole helps an attacker do something they shouldn't be able to do, which is not the case in this instance.
"Software that the user legitimately has installed on the computer might need exactly this sort of feature provided by IE," said Watson.
According to Watson, the 'trick' could be used to help automation.
"For example, imagine if you needed to run a dialup connection to connect to a certain site. The dial up connection might be called "connect to mysite.com". You can see in that case how important it is for Windows (or any operating system) to have flexibility for legitimate software.
"Organisations or individual users may require or desire to automate part of the process for application connectivity with IE. Microsoft views this as one of the advantages in using IE as a means of enabling user access in that it provides users a consistent and seamless experience," said Watson.
However, security experts believe this particular 'trick' is unnecessary and expect it to be exploited by malware writers.
Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told ZDNet Australia that he tested the 'trick' using Windows XP SP2 and found that although it worked using IE, Firefox users were safe.
"Microsoft's so-called useful features have been shown time and again to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception," he said.
Frost and Sullivan Australia's security analyst, James Turner agreed: "I would imagine that malware writers could definitely exploit this -- particularly with a little social engineering".