Text 12006, 99 rader
Skriven 2006-07-07 20:48:54 av Geo (1:379/45)
  Kommentar till text 12004 av /m (1:379/45)
Ärende: Re: Windows shortcut 'trick' is a feature: Microsoft
============================================================
From: "Geo" <georger@nls.net>

I don't understand how it can be useful to a user.

Geo.

"/m" <mike@barkto.com> wrote in message
news:gc2ra2te4dtp9uevg78v4vt5fk1fq46th1@4ax.com...
>
>
http://www.zdnet.com.au/news/software/soa/Windows_shortcut_trick_is_a_feature_M
icrosoft/0,2000061733,39262246,00.htm
>
> ===
> Microsoft has denied that a 'trick', which could allow an executable
> file to be launched when a user types a Web address into Internet
> Explorer, is a security vulnerability.
>
> Using Windows XP and Internet Explorer, it is easy to create a scenario
> where a user types in a Web address -- such as www.microsoft.com -- into
> their browser and instead of the launching the Web site, the browser
> runs an executable file that is located on the user's computer.
>
> To test the 'trick' yourself, try the following:
>
>   Right click on the Desktop and create a new Shortcut
>
>   Point the shortcut to an executable -- such as
>      c:\windows\system32\calc.exe
>
>   Call the shortcut www.microsoft.com
>
>   Start Internet Explorer and type "www.microsoft.com" into
>   the address bar
>
> If the shortcut is then deleted -- or the characters "http://" are added
> before the "www" in the browser address bar -- then IE will once again
> connect to the Internet as expected.
>
> In a statement to ZDNet Australia on Tuesday, Peter Watson, chief
> security advisor at Microsoft Australia, said this is not a security
> vulnerability but actually a feature that could be used by legitimate
> applications.
>
> "It's important to clarify the difference between security problems and
> legitimate features. A security hole helps an attacker do something they
> shouldn't be able to do, which is not the case in this instance.
>
> "Software that the user legitimately has installed on the computer might
> need exactly this sort of feature provided by IE," said Watson.
>
> According to Watson, the 'trick' could be used to help automation.
>
> "For example, imagine if you needed to run a dialup connection to
> connect to a certain site. The dial up connection might be called
> "connect to mysite.com". You can see in that case how important it is
> for Windows (or any operating system) to have flexibility for legitimate
> software.
>
> "Organisations or individual users may require or desire to automate
> part of the process for application connectivity with IE. Microsoft
> views this as one of the advantages in using IE as a means of enabling
> user access in that it provides users a consistent and seamless
> experience," said Watson.
>
> However, security experts believe this particular 'trick' is unnecessary
> and expect it to be exploited by malware writers.
>
> Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told
> ZDNet Australia that he tested the 'trick' using Windows XP SP2 and
> found that although it worked using IE, Firefox users were safe.
>
> "Microsoft's so-called useful features have been shown time and again to
> result in security exposures that are ultimately exploited for malicious
> purposes. This will be no exception," he said.
>
> Frost and Sullivan Australia's security analyst, James Turner agreed: "I
> would imagine that malware writers could definitely exploit this --
> particularly with a little social engineering".
> ===
>
>
>
>
> I like this part:
>
> Microsoft views this as one of the advantages in using IE as a means of
> enabling user access in that it provides users a consistent and seamless
> experience," said [Peter Watson, chief security advisor at Microsoft
> Australia].
>
>
> Simply precious.  What more can I add, except to ask if Microsoft is
> having an internal meltdown?
>
>  /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)