Securify This! by Munir Kotadia

A hard look at the latest developments in IT security with a real world perspective.

Windows shortcut 'trick' remains unexplained

Posted by Munir Kotadia @ 17:54 28 comments

This week I learned about a "trick" that you can do in Windows which, as far as I am concerned, is a serious security risk.

In an article, InfoWorld's Roger Grimes describes a "feature" in Windows that allowed me to run an executable file by simply typing a Web address into Internet Explorer.

Test it yourself:

  • Right click on the Desktop and create a new Shortcut
  • Point the shortcut to an executable -- such as c:\windows\system32\calc.exe
  • Call the shortcut www.microsoft.com
  • Start Internet Explorer and type "www.microsoft.com" into the address bar

For the past few years, banks have been advising their customers to type their online banking URL into the browser -- instead of clicking on a link that may be a phishing scam.

If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, using the bank's advice, tried to log on to their online bank, they would execute the malicious file.
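A defender can check for this condition directly. The PowerShell below is an added example, not part of the original post: it lists Desktop shortcuts whose names look like web addresses, together with the file each one points to. The function names, the hostname pattern and the choice to scan only the per-user and all-users Desktop folders are assumptions made for the example.

```powershell
# Added example: report Desktop shortcuts (.lnk) named like a web address.
# Assumption: only the Desktop folders are scanned, because that is where
# the test shortcut in the article is created.

# Loose hostname pattern, e.g. "www.microsoft.com" or "bank.example.com.au".
# It also matches names such as "setup.exe", so review every hit by hand.
$hostLike = '^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'

function Test-HostLikeName {
    param([string]$Name)
    # -match is case-insensitive by default in PowerShell.
    return $Name -match $hostLike
}

function Find-UrlNamedShortcut {
    param([string[]]$Folder)
    # WScript.Shell loads an existing .lnk and exposes its target.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Folder) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden shortcuts; BaseName drops the ".lnk" suffix.
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force |
            Where-Object { Test-HostLikeName $_.BaseName } |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Modified  = $_.LastWriteTime
                }
            }
    }
}

# Per-user Desktop and the Desktop shared by all users.
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ } | Select-Object -Unique

Find-UrlNamedShortcut -Folder $desktops | Format-List
```

Any hit whose Target is an executable rather than something the user knowingly created deserves a closer look, as does a recent Modified time on a machine where nobody has been adding shortcuts.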

Surely there must be a reason for this functionality.

I happened to be speaking with Austin Wilson, director of product management for Windows Vista Security, on Thursday about rootkits and other security issues, so I asked him about the "trick".

His reply: "That is something I need to follow up with our security response centre and find out if this is something that is known and is there a reason for it because I don't know off the top of my head if that is expected functionality or not".

It is almost the end of play on Friday and no reply, so I assume Austin is still waiting for the security response people in Redmond to get back to him.

Can you think of a legitimate use for this feature? I can't.

Unfortunately I am unlikely to be able to update you on this until I get back from my vacation -- over the next three weeks my plan is to live on German time in Queensland and not miss a kick.

Talkback 28 comments

  1. Yet another reason Modeski -- 13/06/06

    to use a decent browser.
    Why people still use IE when there are so many great alternatives is baffling. Check out Mozilla Firefox or Opera.

    1. Firefox Anonymous -- 13/06/06

      Couldn't agree more. Firefox is great! I wish that I could uninstall IE from my XP system to reduce those attack vectors, however...

    2. Ignorant response! JLambert -- 15/06/06

      The issue is not with IE but rather Windows shell integration here!

    3. No it's not...... Julian Milano -- 19/07/06

      It is NOT an issue with Shell integration but a browser issue. The fact is that with Firefox this "trick" does not work.

      I agree with the original poster that people should be downing IE in favour of Firefox. I recently converted and am wondering why I didn't do it earlier. You can now show any web page using an IE engine in the Firefox browser.....so what's to wait for??

  2. there's a solution to this Anonymous -- 14/06/06

    buy a mac.
    better yet, just install Linux.
    Linux isn't easy to learn, but nothing worth having comes easy.

    1. and it's not linux... lol! Anonymous -- 15/06/06

      I think anyone who is ignorant enough to have "www.xxx.com" icons lying around on their desktop simply fails at being a literate computer user... just like those who advise Linux blindly to noobs...

    2. Yes, you are right Anonymous -- 20/06/06

      Yes, Microsoft is the greatest. All Microsoft programs should be made to work this way. These problems are only caused by the users. If users didn't use these programs then there never would be a problem with Microsoft software!

  3. This is an embedded explorer function Irwan Effendi -- 14/06/06

    By default, when you open your Windows Explorer the first time, or when you turn off the option "restore previous folder", it will point to your desktop. Since Internet Explorer is integrated with Windows Explorer, this means whatever you typed in that address bar works the same way as if you open it from Windows Explorer, or run it from the start... run command. This feature was first introduced in Windows 98, so it is not a bug, simply an oversighted "side effect".

    1. It's a bug Anonymous -- 20/06/06

      This was done to beat the Netscape lawsuit, not strictly for technical reasons.
      As for stating that the Win9x operating system is the same as the NT operating systems? Sorry, it isn't. This means that saying "it came in with Windows 98" doesn't explain why we see it in Windows NT operating systems.
      Therefore it's a Win 98 feature and an NT/2000/XP/2003 bug.

  4. legitimate reason Anonymous -- 15/06/06

    to run the calculator of course!

  5. HTTP:// Anonymous -- 15/06/06

    Agree with above post.
    To prevent phishing etc one should always include the http:// If the advice of just typing the www.xxx.com was given then this is just BAD advice. Always type http://www.xxx.com

  6. Trick has been around since active desktop Max Riethmuller -- 15/06/06

    This trick is actually part of active desktop. It was first introduced into Windows 95 with Internet Explorer 4, then included as part of the OS with Windows 95C and on.

    From IE4 on, Internet Explorer is integrated into the Windows Explorer shell. This means that whenever you type a URL in a Windows Explorer address field, or if you type a path into Internet Explorer, the OS will automatically know to use either Explorer or IE depending on the format of the path or URL that is typed.

    This is actually a very useful feature, which allows seamless web or hard drive access via either IE or Explorer. Likewise if you type a URL in the Start/Run field, it will know to bring up IE; if you type a path it will know to display Explorer. Without Active Directory and IE integration, it would not be possible to launch a URL via the run menu unless you type "iexplore www.whateveraddress.com".

    I actually see this as a useful feature. Especially since I don't click on links that "banks" email me.

  9. Too late at that point - What is malicious code already doing on the system? Anonymous -- 16/06/06

    >> If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, using the banks advice, tried to log on to their online bank, they would execute the malicious file. <<

    That may indeed be what happens, but how did the malware get on the system to create the shortcut and drop the malicious "file" in the first place? At that point, all bets are off. It wouldn't _need_ to "trick" the user into running an evil shortcut - it can probably do whatever it wants on its own.

    1. Which came first.... Julian Milano -- 19/07/06

      ...the chicken or the egg???

      You are 100% correct. Spyware should not have gotten onto the system in the first place.

      But in all fairness, with new spyware coming out everyday, it's so hard to keep it all down. Even the most secure systems are vulnerable to new Spyware. It's a matter of keeping your system as secure as possible.

  10. HTTPS.COM.AU - Don't Fear The Black Hat Jon.A.L.Nicolosi -- 17/06/06

    Good article but nothing to fear; most if not all people will type in the bank URL, and if you follow an email URL you're not very bright, you're just plain irresponsible. Unfortunately, those who do will infect most cafe PCs or network cafe PCs, which in turn gets transferred to DVD or CD or memory stick when the end user saves their work before leaving the internet cafe. If a computer is infected with a Backdoor Trojan, Type capture program forged by a remote computer somewhere in the world, most if not all viruses & Trojans will be detected by today's best known virus programs. In fact, doing such a magic trick should be left to people with the know-how and not an invite for others to try it in fear that it works. So such an instruction is not advised to try out if he's right or wrong. Hackers are always there; that's what made the antivirus companies who they are today. We all know someone that can bring a network down or pass a Trojan through an email and guarantee trouble for the end user, but training them how to do it is not a good way to put fear into people to buy virus programs to protect their computers. Use your intuition and be smart.

  11. www.microsoft.com.lnk Anonymous -- 17/06/06

    I certainly agree. That is a feature you do not want. The more skilled users of Internet Explorer 6 on XP SP2 will notice IE equates the shortcut as you're typing it and suggests www.microsoft.com.lnk (i.e. placing a .lnk on the end of the URL) if Windows Explorer is set to NOT hide known file extensions.

    1. DO NOT HIDE EXTENSIONS... Julian Milano -- 19/07/06

      Yeah, good point. Why does Windows, by default, hide file extensions? It bugs me totally! There is NO excuse for it. Why can't someone write a REAL trojan/spyware/virus which actually FIXES all the MS "features" like this one!!??

    2. RE: DO NOT HIDE EXTENSIONS... anonymous -- 23/07/06

      What's a file extension?

      It's a brain dead solution to a non-existent problem.

  12. IE 7 Anonymous -- 18/06/06

    Go to the Windows Website and download IE 7. When I did this with that it brought up a security box asking whether I wanted to open or save the file. That should be a dead giveaway to anyone that something is up.

    1. IE7 B2 correct Grumpy Hollow -- 20/06/06

      IE7 B2 is absolutely stable and does display a Security Message - of Open, Save, Cancel - plus a SEVERE WARNING that the world will end if you choose OPEN.

      Get a modern browser!

      I use Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

  13. Its how Favorites works Anonymous -- 08/07/06

    Type your favorites name into the bar and it will navigate.

  14. This is not a security risk Anonymous -- 08/07/06

    If someone has the ability to drop a file into your computer called www.microsoft.com, then they have the ability to do a whole lot more than that. Why use such an obtuse roundabout way of hacking/phishing a machine/user?

  15. IE/Explorer fusion philip brands -- 11/07/06

    What happens (in any browser) if you type for instance 'zdnet', is this:
    - the browser cannot resolve the domain;
    - so it sends the query 'zdnet' to the default search-engine
    - the search-engine comes up with the top-match for the query [not 'zdnet.com.au' but 'www.zdnet.nl' in my case ;)].

    With win2k (correct me if I'm wrong) Microsoft made Explorer capable of resolving URLs. The stupidest thing they ever did security-wise, because by definition this connects the local domain to the remote ones through Explorer... I never understood why this 'feature' of Windows is still around. On top of that, ActiveX got introduced, which enabled IE to do virtually anything that Explorer can ("Was there a certificate? Yeah, I probably clicked 'trust'...")
    I'd say we had enough trouble with IE already... why do we bother anymore? I guess we should call ourselves lucky that IE can be uninstalled (...) heavily crippling Windows... what a drag!

  16. Another trick Anonymous -- 11/07/06

    Locked down Win98 desktop? Can't access C drive but someone kindly gave you a floppy disk icon? Just copy the FD icon onto a formatted floppy, right-click, select properties and change the target path from A:\ to C:\
    Apply, and there you go: complete access to C:\ drive.

  17. Surely after all these years it isn't too hard Anonymous -- 25/07/06

    Just don't use Windows, or if you must, don't use IE.

    They are just incapable of grasping the basic concepts of security. It's all still rooted in the mindset that had one user and one floppy disk and a program loader called DOS.
