X

Microsoft: Shortcut 'trick' is legitimate feature

Feature allowing executable file to be launched by typing Web address into IE is safe, says company. Others disagree.

Munir Kotadia Special to CNET News
See full bio
Munir Kotadia
2 min read
A Windows shortcut "trick," which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is not a security vulnerability, Microsoft said.

Using Windows XP and Internet Explorer, a user could type in a Web address--such as www.microsoft.com--into a browser, and instead of launching the Web site the browser would run an executable file located on the user's computer.

To test the so-called trick, try the following:

• Right click on the Desktop and create a new Shortcut

• Point the shortcut to an executable--such as c:\windows\system32\calc.exe

• Call the shortcut www.microsoft.com

• Start Internet Explorer and type "www.microsoft.com" into the address bar

If the shortcut is then deleted--or the characters "http://" are added before the "www" in the browser address bar--then IE will once again connect to the Internet as expected.

In a statement to ZDNet Australia on Tuesday, Peter Watson, chief security adviser at Microsoft Australia, said this is not a security vulnerability but actually a feature that could be used by legitimate applications.

"It's important to clarify the difference between security problems and legitimate features. A security hole helps an attacker do something they shouldn't be able to do, which is not the case in this instance," said Watson. "Software that the user legitimately has installed on the computer might need exactly this sort of feature provided by IE."

According to Watson, the shortcut trick could be used to help automation.

"For example, imagine if you needed to run a dial-up connection to connect to a certain site. The dial-up connection might be called 'connect to mysite.com.' You can see in that case how important it is for Windows (or any operating system) to have flexibility for legitimate software.

"Organizations or individual users may require or desire to automate part of the process for application connectivity with IE. Microsoft views this as one of the advantages in using IE as a means of enabling user access in that it provides users a consistent and seamless experience," said Watson.

However, some security analysts believe this particular feature is unnecessary and expect it to be exploited by malicious-software writers.

Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told ZDNet Australia that he tested the trick using Windows XP SP2 and found that although it worked using IE, Firefox users were safe.

"Microsoft's so-called useful features have been shown time and again to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception," he said.

Frost and Sullivan Australia's security analyst, James Turner, agreed: "I would imagine that malware writers could definitely exploit this--particularly with a little social engineering."

Munir Kotadia of ZDNet Australia reported from Sydney.