Text 12012, 139 rader
Skriven 2006-07-08 10:40:00 av Geo (1:379/45)
  Kommentar till text 12009 av Antti Kurenniemi (1:379/45)
Ärende: Re: Windows shortcut 'trick' is a feature: Microsoft
============================================================
From: "Geo" <georger@nls.net>

It just seems to me that it would be useful to a programmer or a hacker but not
to a user.

For example, if folks had a shortcut to say telnet or cmd.exe on their desktop
you could put a link on a web page to fire it up and perhaps telnet to an
address in the link.

Geo. (I wonder if it works with .bat files)

"Antti Kurenniemi" <NOantti@SPAManttikPLEASE.com> wrote in message
news:44af3daf@w3.nls.net...
> It's all part of the "the web is the computer" revolution! Now you can
just
> do everything through your browser - and who wouldn't want to open their
> browser and type in www.openmynotepadapplicationplease.com instead of just
> clicking on a dull icon? This is just sooooo great, I'm going to put
> shortcuts to all programs to my desktop and launch them via my browser,
> yeah!
>
>
> Antti Kurenniemi
> (not)
>
> "Geo" <georger@nls.net> wrote in message news:44af0856$5@w3.nls.net...
> >I don't understand how it can be useful to a user.
> >
> > Geo.
> >
> > "/m" <mike@barkto.com> wrote in message
> > news:gc2ra2te4dtp9uevg78v4vt5fk1fq46th1@4ax.com...
> >>
> >>
> >
http://www.zdnet.com.au/news/software/soa/Windows_shortcut_trick_is_a_feature_M
icrosoft/0,2000061733,39262246,00.htm
> >>
> >> ===
> >> Microsoft has denied that a 'trick', which could allow an executable
> >> file to be launched when a user types a Web address into Internet
> >> Explorer, is a security vulnerability.
> >>
> >> Using Windows XP and Internet Explorer, it is easy to create a scenario
> >> where a user types in a Web address -- such as www.microsoft.com --
into
> >> their browser and instead of the launching the Web site, the browser
> >> runs an executable file that is located on the user's computer.
> >>
> >> To test the 'trick' yourself, try the following:
> >>
> >>   Right click on the Desktop and create a new Shortcut
> >>
> >>   Point the shortcut to an executable -- such as
> >>      c:\windows\system32\calc.exe
> >>
> >>   Call the shortcut www.microsoft.com
> >>
> >>   Start Internet Explorer and type "www.microsoft.com" into
> >>   the address bar
> >>
> >> If the shortcut is then deleted -- or the characters "http://" are
added
> >> before the "www" in the browser address bar -- then IE will once again
> >> connect to the Internet as expected.
> >>
> >> In a statement to ZDNet Australia on Tuesday, Peter Watson, chief
> >> security advisor at Microsoft Australia, said this is not a security
> >> vulnerability but actually a feature that could be used by legitimate
> >> applications.
> >>
> >> "It's important to clarify the difference between security problems and
> >> legitimate features. A security hole helps an attacker do something
they
> >> shouldn't be able to do, which is not the case in this instance.
> >>
> >> "Software that the user legitimately has installed on the computer
might
> >> need exactly this sort of feature provided by IE," said Watson.
> >>
> >> According to Watson, the 'trick' could be used to help automation.
> >>
> >> "For example, imagine if you needed to run a dialup connection to
> >> connect to a certain site. The dial up connection might be called
> >> "connect to mysite.com". You can see in that case how important it is
> >> for Windows (or any operating system) to have flexibility for
legitimate
> >> software.
> >>
> >> "Organisations or individual users may require or desire to automate
> >> part of the process for application connectivity with IE. Microsoft
> >> views this as one of the advantages in using IE as a means of enabling
> >> user access in that it provides users a consistent and seamless
> >> experience," said Watson.
> >>
> >> However, security experts believe this particular 'trick' is
unnecessary
> >> and expect it to be exploited by malware writers.
> >>
> >> Michael Warrilow, director of Sydney-based analyst firm Hydrasight,
told
> >> ZDNet Australia that he tested the 'trick' using Windows XP SP2 and
> >> found that although it worked using IE, Firefox users were safe.
> >>
> >> "Microsoft's so-called useful features have been shown time and again
to
> >> result in security exposures that are ultimately exploited for
malicious
> >> purposes. This will be no exception," he said.
> >>
> >> Frost and Sullivan Australia's security analyst, James Turner agreed:
"I
> >> would imagine that malware writers could definitely exploit this --
> >> particularly with a little social engineering".
> >> ===
> >>
> >>
> >>
> >>
> >> I like this part:
> >>
> >> Microsoft views this as one of the advantages in using IE as a means of
> >> enabling user access in that it provides users a consistent and
seamless
> >> experience," said [Peter Watson, chief security advisor at Microsoft
> >> Australia].
> >>
> >>
> >> Simply precious.  What more can I add, except to ask if Microsoft is
> >> having an internal meltdown?
> >>
> >>  /m
> >
> >
>
>

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)