Windows shortcut 'trick' remains unexplained

Summary: There's a nifty "feature" in Windows which looks like a serious security risk.

This week I learned about a "trick" that you can do in Windows which, as far as I am concerned, is a serious security risk.

An article by InfoWorld's Roger Grimes describes a "feature" in Windows that allowed me to run an executable file by simply typing a Web address into Internet Explorer.

Test it yourself:

  • Right click on the Desktop and create a new Shortcut
  • Point the shortcut to an executable -- such as c:\windows\system32\calc.exe
  • Call the shortcut www.microsoft.com
  • Start Internet Explorer and type "www.microsoft.com" into the address bar

For the past few years, banks have been advising their customers to type their online banking URL into the browser -- instead of clicking on a link that may be a phishing scam.

If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, following the bank's advice, tried to log on to their online bank, they would execute the malicious file.
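A defender can check a machine for shortcuts of this kind. The PowerShell below is an added example, not code from the article or from Microsoft: it lists Desktop shortcuts whose name is shaped like a hostname and shows where each one points. It assumes only the per-user and all-users Desktop folders matter, because the Desktop is the only location the test above uses.

```powershell
# Added example: list desktop shortcuts whose name reads like a web address.
# Assumption: only the per-user and all-users Desktop folders are checked,
# since the Desktop is the only location the article tests.

# Hostname-shaped name, e.g. "www.microsoft.com". Ordinary names such as
# "notes.txt" also match, so every hit needs a human look at its target.
$hostLike = '^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'

$desktops = @(
    [Environment]::GetFolderPath('DesktopDirectory')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# WScript.Shell can open an existing .lnk file and expose its target.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $desktops) {
    # -Force includes hidden shortcuts; the Extension test drops near-matches
    # that the -Filter wildcard can let through.
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -Force |
        Where-Object { $_.Extension -eq '.lnk' -and $_.BaseName -match $hostLike } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Modified  = $_.LastWriteTime
            }
        }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No hostname-named shortcuts found on the checked desktops.'
}
```

A hit whose target is an executable the user did not put there is the case described above; the Modified time helps line it up with other activity on the machine.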

Surely there must be a reason for this functionality.

I happened to be speaking with Austin Wilson, director of product management for Windows Vista Security, on Thursday about rootkits and other security issues, so I asked him about the "trick".

His reply: "That is something I need to follow up with our security response centre and find out if this is something that is known and is there a reason for it because I don't know off the top of my head if that is expected functionality or not".

It is almost the end of play on Friday and no reply, so I assume Austin is still waiting for the security response people in Redmond to get back to him.

Can you think of a legitimate use for this feature? I can't.

Unfortunately I am unlikely to be able to update you on this until I get back from my vacation -- over the next three weeks my plan is to live on German time in Queensland and not miss a kick.

Topics: Windows, Microsoft

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
