Main Area and Open Discussion > Living Room

Dangerous Windows shortcut 'trick'

(1/1)

app103:
http://www.zdnet.com.au/blogs/securifythis/soa/Windows_shortcut_trick_remains_unexplained/0,39033341,39259246,00.htm


This week I learned about a "trick" that you can do in Windows which, as far as I am concerned, is a serious security risk.

In an article written by Infoworld's Roger Grimes, he describes a "feature" in Windows that allowed me to run an executable file by simply typing a Web address into Internet Explorer.

Test it yourself:

* Right click on the Desktop and create a new Shortcut
* Point the shortcut to an executable -- such as c:windowssystem32calc.exe
* Call the shortcut www.microsoft.com
* Start Internet Explorer and type "www.microsoft.com" into the address bar

For the past few years, banks have been advising their customers to type their online banking URL into the browser -- instead of clicking on a link that may be a phishing scam.

If a piece of malware created this kind of shortcut, called it your online bank's name and then pointed the shortcut to a malicious file, the next time someone used that computer and, using the banks advice, tried to log on to their online bank, they would execute the malicious file.


--- End quote ---

I have noticed this behavior in IE before and even have been annoyed at the autocomplete trying to suggest applications for me to run or other files for me to open instead of a website I want to visit. This seems to be something specific to some Windows versions as this is not an issue in IE 6 on 9x.

I never thought of the security risks this could pose to a user. I just thought it was annoying. I have been very sensitive to the differences between XP and WinME, since I am a new XP user. And it seems the more I use XP, the more I have to be annoyed with...or even afraid of.

Be careful with this one.

f0dder:
Hmm, interesting.

Navigation

[0] Message Index