Windows shortcut 'trick' is a feature: Microsoft

Windows shortcut 'trick' is a feature: Microsoft

Summary: Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability.Using Windows XP and Internet Explorer, it is easy to create a scenario where a user types in a Web address -- such as www.

SHARE:

Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability.

Using Windows XP and Internet Explorer, it is easy to create a scenario where a user types in a Web address -- such as www.microsoft.com -- into their browser and instead of the launching the Web site, the browser runs an executable file that is located on the user's computer.

To test the 'trick' yourself, try the following:

  • Right click on the Desktop and create a new Shortcut
  • Point the shortcut to an executable -- such as c:\windows\system32\calc.exe
  • Call the shortcut www.microsoft.com
  • Start Internet Explorer and type "www.microsoft.com" into the address bar
If the shortcut is then deleted -- or the characters "http://" are added before the "www" in the browser address bar -- then IE will once again connect to the Internet as expected.

In a statement to ZDNet Australia on Tuesday, Peter Watson, chief security advisor at Microsoft Australia, said this is not a security vulnerability but actually a feature that could be used by legitimate applications.

"It's important to clarify the difference between security problems and legitimate features. A security hole helps an attacker do something they shouldn't be able to do, which is not the case in this instance.

"Software that the user legitimately has installed on the computer might need exactly this sort of feature provided by IE," said Watson.

According to Watson, the 'trick' could be used to help automation.

"For example, imagine if you needed to run a dialup connection to connect to a certain site. The dial up connection might be called "connect to mysite.com". You can see in that case how important it is for Windows (or any operating system) to have flexibility for legitimate software.

"Organisations or individual users may require or desire to automate part of the process for application connectivity with IE. Microsoft views this as one of the advantages in using IE as a means of enabling user access in that it provides users a consistent and seamless experience," said Watson.

However, security experts believe this particular 'trick' is unnecessary and expect it to be exploited by malware writers.

Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told ZDNet Australia that he tested the 'trick' using Windows XP SP2 and found that although it worked using IE, Firefox users were safe.

"Microsoft's so-called useful features have been shown time and again to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception," he said.

Frost and Sullivan Australia's security analyst, James Turner agreed: "I would imagine that malware writers could definitely exploit this -- particularly with a little social engineering".

Topics: Windows, Browser, Microsoft, Operating Systems

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

15 comments
Log in or register to join the discussion
  • Well!

    Hey, i use that 'feature' all the time, because i have an address bar on my desktop, i use it to run all sorts of application shortcuts all the time! sure, it could be dangerous, but, it sure as hell is useful!

    regards,
    Benjamin
    anonymous
  • Of course it's not.

    Has you know, IE makes integrated part of windows, when you put a internet addresse in a windows explorer, it gives you the chance to open the site, the oposite is true. So it is a feature not a security problem. If you'd given the trouble to look something about this you could easily find out what i'm talking about. It seems everyone has the need to put down microsoft. Impressive...
    anonymous
  • The real bug is in non-IE Browsers

    If you type www.microsoft.com in those, it takes you to Microsoft's website....
    anonymous
  • As far as I know...

    ...you've always been able to do this. At least back to Win98.
    anonymous
  • Feature? Balderdash!

    There is no sane reason to use an application that is intended to provide access to web sites on the Internet as means to directly launch an application on your local machine. None. Nunca. Nil. Why, then, if this is truly a rational 'feature', is it that none of the other browser players don't have it? Or, in truth, is it really a sign as to how closely coupled to the Explorer IE really is (which is a bad thing)? You should bet your bottom dollar that someone has already cooked up a way to take advantage of this egregious security hole -- and within a few months from now MS will of course come up with a fix to yet again stop the bleeding. Feeble attempt, as it may be.
    anonymous
  • How the hell is this a "security vulnerability"?

    If someone is able to create a malicious shortcut on your desktop without your consent, you've _already_ been compromised.

    This (8(?) year old feature) is no vector for attack, unlike (remote) buffer overflows etc that we've previously experienced with OE and IE.

    If I had this kind of access to a system, I can think of FAR MORE malicious things to do instead of making a shortcut and hoping that the user won't notice it AND sooner or later will type that exact shortcut into the adress bar in IE.

    Oh well, I guess it's just fashionable nowadays for so-called "security experts" to bash MS whenever they get the chance.
    anonymous
  • What a ridiculous response

    What a ridiculous response from Microsoft. Sure, there might be many legitimate uses for this functionality, but that's how half the security flaws in Microsoft got there in the first place -- Microsoft being over-enthusiastic about automation etc without properly considering the security consequences. Perfect example: Outlook giving system-wide access to its address book. Many legitimate uses for the functionality, MANY viruses that took advantage of it to spam everyone in your contacts list until Microsoft controlled access.
    anonymous
  • Doesn't work

    Tried it on fully patched XP Pro SP2 PC using AM Browser (IE shell) and the only thing that happens is that I go directly to the MS website.
    Tried it using IE7 Beta 2. The www.microsoft.com changes to C:\Documents and Settings\winxp\Desktop\www.microsoft.com.lnk
    Then I get a file download security warning dialog box asking me what I want to do with a file called www.microsoft.com.lnk
    and if I open the file it opens in Notepad and shows L  ภ F› @๑7Jาuฦ ่_sT
    anonymous
  • Any desktop shortcut

    Typing the name of any desktop shortcut into the address bar and hitting Enter will launch it. It's a strange feature and it only works for shortcuts on the desktop. An attacker would have to put the shortcut on the desktop where the user could see it.

    IE helpfully offers autocompletion of the filename you're typing.

    IE7 Beta 3 asks if you want to open or save the file.
    anonymous
  • documentationalism . . .

    Converts a bug into a feature.
    anonymous
  • FYI: It IS a feature

    For those of you who don't know, it is a unique feature of IE and we've been using it in our company.

    Heard of .Net no touch deployment? This feature of IE gave us the ability of hosting our executalbe apps on server. No installation on clients, just open IE then type in the path to .exe.
    anonymous
  • Unneeded for most of us

    Why not offering it as an optional service?
    anonymous
  • To turn off this feature

    Internet Explorer Address bar search opens the file present in Desktop?:
    http://windowsxp.mvps.org/ie/shellparsing.htm
    anonymous
  • How the trick works

    The "trick" is known to anyone who's used Windows for any lenght of time, and it's expected. a .com file is a form of executable file. Rename any .exe file to .com and it still works fine. All the "trick" is doing, is renaming a .exe to www.microsoft.com (It can be any "url" ending as .com") then placing it on the path. Since the "address bar" is actualy a run bar, by typing in www.microsoft.com it first scans the path, sees the file, and runs it. Not only is that expected, but required for many people. Would be very hard to get control panel open for many administrators without it.

    Now then, ina nut shell, an attacker would have to be able to save a .exe file onto your desktop, then have you click on it, or put it into the run bar. And the SAVING of the exe file isn't part of the "attack". If they saved a .exe file to your desktop, and it had an icon of a trash can, would that be a security issue? Never mind that there is never any mention of how to save the file, or the fact that if they can, they could also overwrite many many other programs. This is only an issue in a compermised system, and compermised systems are already broken, hence, not a security risk. The only people who think it is a risk want attention or to bash MS, without understanding what a run bar is.
    anonymous
  • Yes.

    Robert. you are correct.

    this post makes me lol, It's posts like this that make people hate microsoft. shame.

    like robert said, this is a normal, expected, and safe funtion of explorer and the IE engine.
    anonymous