| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Windows shortcut 'trick' is a feature | |
|
||
| Time: 00:47 EST/05:47 GMT | News Source: ZDNet | Posted By: Kenneth van Surksum | ||
|
Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability. Using Windows XP and Internet Explorer, it is easy to create a scenario where a user types in a Web address -- such as www.microsoft.com -- into their browser and instead of the launching the Web site, the browser runs an executable file that is located on the user's computer. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 306 Last | Next |
The time now is
8:43:20 AM
ET.
Any comment problems? E-mail us |
| #1 By 37047 (216.191.227.68) at 7/6/2006 9:05:03 AM |
|
So, according to MS, something is only a security hole if it was not meant to be in the product in the first place. Functionality put into the product on purpose is therefore not a security hole, but rather, a feature. Just like this vulnerability is a feature, not a security hole.
|
| #2 By 17996 (131.107.0.82) at 7/6/2006 4:48:09 PM |
|
Microsoft's right on this one.
If a user makes a shortcut on their desktop to some executable (e.g. notepad.exe) and for whatever reason decides to name the shortcut "www.microsoft.com", then it makes sense that typing "www.microsoft.com" in the address bar should run this shortcut. Remember, "www.microsoft.com" is NOT a valid URL; http:// is required to make it a valid URL. So, the address bar is saying it's better to run an existing file than it is to auto-fix an invalid URL. So, what if malware decides to create a shortcut to "maliciousfile.exe" and names the shortcut "www.microsoft.com"? Then typing www.microsoft.com will run maliciousfile.exe. But remember, the malware is already on your machine. It can already make itself run through other means (BHOs, Registry's Run key, etc). It's not gaining anything by this address bar situation. |
| #3 By 32132 (64.180.219.241) at 7/8/2006 8:46:29 PM |
|
I tried it with IE7. I got two warning dialogs before it would run the exe.
1) Do you want to open or save this file? 2) And then a security warning that this file is not trusted etc etc. So not only does some malware have to get the shortcut on the desktop, it has to get a shortcut to a dangerous executable created named something you might type into the IE address bar, and you have to agree to run it - twice. Damned unlikely. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 306 Last | Next |
The time now is
8:43:20 AM
ET.
Any comment problems? E-mail us |
