Windows shortcut 'trick' remains unexplained

Summary: There's a nifty "feature" in Windows which looks like a serious security risk.

TOPICS: Windows, Microsoft

This week I learned about a "trick" that you can do in Windows which, as far as I am concerned, is a serious security risk.

In an article written by Infoworld's Roger Grimes, he describes a "feature" in Windows that allowed me to run an executable file by simply typing a Web address into Internet Explorer.

Test it yourself:

  • Right click on the Desktop and create a new Shortcut
  • Point the shortcut to an executable -- such as c:\windows\system32\calc.exe
  • Call the shortcut www.microsoft.com
  • Start Internet Explorer and type "www.microsoft.com" into the address bar

For the past few years, banks have been advising their customers to type their online banking URL into the browser -- instead of clicking on a link that may be a phishing scam.

If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, following the bank's advice, tried to log on to their online bank, they would execute the malicious file.
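Because the shortcut's target is resolved by the shell, the check a defender wants is a simple one: look for shortcuts whose name reads like a hostname and see what they actually launch. The script below is an added example, not code from the article or from Microsoft; it uses the WScript.Shell COM object (a real Windows component) to read each shortcut's target, scans the user's and the public Desktop, and reports any hostname-named shortcut that points at an executable or script rather than a web page. The folder list and the extension list are assumptions you can widen (Favorites, Start Menu, Quick Launch, and so on).

```powershell
# Added example (not from the article): find Desktop shortcuts named like a web
# hostname and report what they really launch. Reports only; it deletes nothing.

# Folders to scan (assumed; extend as needed). $env:PUBLIC exists on Vista and later.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop')
)

# WScript.Shell resolves .lnk targets the same way the shell does.
$shell = New-Object -ComObject WScript.Shell

# Shortcut names that look like a hostname, e.g. www.microsoft.com or bank.co.uk
$hostLike = '^(?:[a-z0-9-]+\.)+[a-z]{2,}$'

# Targets that run code instead of opening a page (constructed list, extend as needed)
$codeExt = '\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|wsh|hta|ps1|msi)$'

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force also lists hidden shortcuts, which a dropper would likely use.
    Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -Force | ForEach-Object {
        $name = $_.BaseName
        if ($name -notmatch $hostLike) { return }   # not a hostname-looking name

        $lnk = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath

        [pscustomobject]@{
            Shortcut   = $_.FullName
            LooksLike  = $name
            Target     = $target
            Arguments  = $lnk.Arguments
            Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Suspicious = [bool]($target -match $codeExt)
        }
    }
}

# Show everything that impersonates a hostname but launches code.
$findings | Where-Object { $_.Suspicious } | Format-Table -AutoSize

# Exit code lets this run from a scheduled task or login script as a simple alarm.
if (@($findings | Where-Object { $_.Suspicious }).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it in the affected user's session, since the Desktop being scanned is that user's own. A shortcut to a plain URL (the target starts with `http://` or `https://`) is not flagged; one that the article's four-step test would create (name `www.microsoft.com`, target `calc.exe`) is. Treat a hit as an indicator that something already wrote to the profile, which is the real incident to investigate.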

Surely there must be a reason for this functionality.

I happened to be speaking with Austin Wilson, director of product management for Windows Vista Security, on Thursday about rootkits and other security issues, so I asked him about the "trick".

His reply: "That is something I need to follow up with our security response centre and find out if this is something that is known and is there a reason for it because I don't know off the top of my head if that is expected functionality or not".

It is almost the end of play on Friday and no reply, so I assume Austin is still waiting for the security response people in Redmond to get back to him.

Can you think of a legitimate use for this feature? I can't.

Unfortunately I am unlikely to be able to update you on this until I get back from my vacation -- over the next three weeks my plan is to live on German time in Queensland and not miss a kick.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

29 comments
  • Yet another reason

    to use a decent browser.
    Why people still use IE when there are so many great alternatives is baffling. Check out Mozilla Firefox or Opera.
    anonymous
  • Firefox

    Couldn't agree more. Firefox is great! I wish that I could uninstall IE from my XP system to reduce those attack vectors, however...
    anonymous
  • there's a solution to this

    buy a mac.
    better yet, just install Linux.
    Linux isn't easy to learn, but nothing worth having comes easy.
    anonymous
  • This is an embedded explorer function

    By default, when you open your Windows Explorer the first time, or when you turn off the option "restore previous folder", it will point to your desktop. Since Internet Explorer is integrated with Windows Explorer, this means whatever you typed in that address bar works the same way as if you open it from Windows Explorer, or run it from the Start... Run command. This feature was first introduced in Windows 98, so it is not a bug, simply an overlooked "side effect".
    anonymous
  • legitimate reason

    to run the calculator of course!
    pseudogoulash
  • HTTP://

    Agree with above post.
    To prevent phishing etc. one should always include the http://. If the advice of just typing the www.xxx.com was given then this is just BAD advice. Always type http://www.xxx.com
    anonymous
  • Trick has been around since active desktop

    This trick is actually part of Active Desktop. It was first introduced into Windows 95 with Internet Explorer 4, then included as part of the OS with Windows 95C and on.

    From IE4 on, Internet Explorer is integrated into the Windows Explorer shell. This means that whenever you type a URL in a Windows Explorer address field, or if you type a path into Internet Explorer, the OS will automatically know to use either Explorer or IE depending on the format of the path or URL that is typed.

    This is actually a very useful feature, which allows seamless web or hard drive access via either IE or Explorer. Likewise if you type a URL in the Start/Run field, it will know to bring up IE; if you type a path it will know to display Explorer. Without Active Directory and IE integration, it would not be possible to launch a URL via the Run menu unless you type "iexplore www.whateveraddress.com"

    I actually see this as a useful feature. Especially since I don't click on links that "banks" email me.
    anonymous
  • Ignorant response!

    The issue is not with IE but rather Windows shell integration here!
    anonymous
  • and it's not Linux... lol!

    I think anyone who is ignorant enough to have "www.xxx.com" icons lying around on their desktop simply fails at being a literate computer user... just like those who advise Linux blindly to noobs...
    anonymous
  • Too late at that point - What is malicious code already doing on the system?

    >> If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, using the banks advice, tried to log on to their online bank, they would execute the malicious file. <<

    That may indeed be what happens, but how did the malware get on the system to create the shortcut and drop the malicious "file" in the first place? At that point, all bets are off. It wouldn't _need_ to "trick" the user into running an evil shortcut - it can probably do whatever it wants on its own.
    anonymous
  • HTTPS.COM.AU - Don't Fear The Black Hat

    Good article but nothing to fear; most if not all people will type in the bank URL, and if you follow an email URL you're not very bright, you're just plain irresponsible. Unfortunately those who do will infect most cafe PCs or network cafe PCs, which in turn gets transferred to DVD or CD or memory stick when the end user saves their work before leaving the internet cafe. If a computer is infected with a Backdoor Trojan or type capture program forged by a remote computer somewhere in the world, most if not all viruses & Trojans will be detected by today
    anonymous
  • www.microsoft.com.lnk

    I certainly agree. That is a feature you do not want. The more skilled users of Internet Explorer 6 on XP SP2 will notice IE equates the shortcut as you're typing it and suggests www.microsoft.com.lnk (i.e. placing a .lnk on the end of the URL) if Windows Explorer is set to NOT hide known file extensions.
    AjNau
  • IE 7

    Go to the Windows website and download IE 7. When I did this with that it brought up a security box asking whether I wanted to open or save the file. That should be a dead giveaway to anyone that something is up.
    anonymous
  • IE7 B2 correct

    IE7 B2 is absolutely stable and does display a Security Message - of Open, Save, Cancel - plus a SEVERE WARNING that the world will end if you choose OPEN.

    Get a modern browser!

    I use Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
    anonymous
  • Yes, you are right

    Yes, Microsoft is the greatest. All Microsoft programs should be made to work this way. These problems are only caused by the users. If users didn't use these programs then there never would be a problem with Microsoft software!
    anonymous
  • It's a bug

    This was done to beat the Netscape lawsuit, not strictly for technical reasons.
    As for stating that the Win9x operating system is the same as the NT operating systems? Sorry, it isn't. This means that saying "it came in with Windows 98" doesn't explain why we see it in Windows NT operating systems.
    Therefore it's a Win 98 feature and an NT/2000/XP/2003 bug.
    anonymous
  • It's how Favorites works

    Type your favorites name into the bar and it will navigate.
    anonymous
  • This is not a security risk

    If someone has the ability to drop a file into your computer called www.microsoft.com, then they have the ability to do a whole lot more than that. Why use such an obtuse roundabout way of hacking/phishing a machine/user?
    anonymous