MICROSOFT CLAIMED that a hacker trick that allows an executable file to be launched when a user types a Web address into Internet Explorer is a feature rather than a security vulnerability. But security boffins have warned that this particular 'trick' is unnecessary and expect it to be exploited by malware writers. ZD Net Australia quotes Michael Warrilow of Hydrasight as saying that Volish "useful features" have been shown to result in security exposures that are ultimately exploited for malicious purposes. This will be no exception.

Another security expert, James Turner of Frost and Allen, said that he could imagine that malware writers could definitely exploit this feature, particularly with a little social engineering.

News source: The Inq



#1 Posted by Stunna on 06 Jul 2006 - 11:27
"allows an executable file to be launched when a user types a Web address into Internet Explorer"

I've been doing that for years and I love it.
I heard they may take this out of Windows Vista, oh well.
#2 Posted by lunamonkey on 06 Jul 2006 - 11:51
I use the address bar in my taskbar to launch all my programs (like a run command)

they better not remove this useful feature, just because some people visit dodgy sites that'll exploit it.
#3 Posted by GreenMartian on 06 Jul 2006 - 12:18
A web browser should be just that. a WEB browser.
A FILE explorer/browser/manager should be the one handling files..

Yeah I believe in the separation of powers. That's one thing that the US of A got right.
#3.1 Posted by lol911 on 06 Jul 2006 - 13:26
Quote - GreenMartian said @ #3
Yeah I believe in the separation of powers. That's one thing that the US of A got right.


Def. not.
#3.2 Posted by GreenMartian on 06 Jul 2006 - 22:15
In theory it is. You have any idea what would happen if Bush had the judication power to make & pass laws etc?

About the same thing that will happen when a web browser starts running other executables...
#4 Posted by Jugalator on 06 Jul 2006 - 12:33
I just do Windows+R, type it in, and press enter, and hopefully that'll still work. Don't even have to use the mouse.
#5 Posted by icecaveman on 06 Jul 2006 - 13:43
I used this feature a lot and I made .bat files so I wouldn't need to type in the full names
#6 Posted by dangel on 06 Jul 2006 - 13:53
Yup, this is a very useful feature... it'd be silly to take it out tbh.
#7 Posted by Tim Wong on 06 Jul 2006 - 14:26
HA! at least make an option to turn it off

MS!
#7.1 Posted by nwBen on 06 Jul 2006 - 15:04
Why are you posting that retarded image in almost every news item's comments?
#7.2 Posted by underthebridge on 06 Jul 2006 - 17:51
Mods, please stop this spammer from posting this image in all the news comments
#7.3 Posted by lj300 on 16 Jul 2006 - 02:57
to turn it on
#8 Posted by ThePitt on 06 Jul 2006 - 15:54
Windows itself is a vulnerability a feature
#9 Posted by Brandon Live on 06 Jul 2006 - 16:05
How the hell is this a vulnerability?

Are they really saying that some "hacker" is going to use "social engineering" to get you to make a shortcut to a file ALREADY ON YOUR HARD DRIVE, name it "www.microsoft.com" and then go there and subsequently launch the app? I mean, you're requiring a huge amount of user action including DOWNLOAD A MALICIOUS FILE or creating a destructive shortcut. But if they can get you to make a shortcut to "format c: /q" or whatever (and then give it the name of a common web address!), they could just as well get you to type it in the Run box or command line.

Seriously, what the hell are these guys smoking?
#9.1 Posted by TRC on 06 Jul 2006 - 16:50
Uh, you realize if they can get the file on your machine they can have already named it whatever they want. Second what are you talking about shortcuts, if the file is in your path you don't have to make a shortcut to it. Go ahead and type calc in a run box, and calculator will open. You didn't have to make a shortcut did you?
#10 Posted by lbmouse on 06 Jul 2006 - 16:32
Every day I try to tell our end users, "It's not a bug, it's a feature", but that never works for me. Where do I get a hold of the spin-doctors that work for MS? I need to uncover their secret formula.
#10.1 Posted by PCyr on 06 Jul 2006 - 20:44
Their formula is logic.

If someone has managed to get an executable onto your computer and convince you to type in the file path and file name to run it, this vulnerability/feature is the least of your concerns.
#11 Posted by aristotle-dude on 07 Jul 2006 - 02:31
Ah, yes. The old "it's not a bug, it's a feature" ploy. I try telling QA that all the time but it never works for me.
#12 Posted by Sacha on 07 Jul 2006 - 12:33
Yes, I find it very annoying when I type "calc" into firefox and instead get redirected to openoffice.org. I wanted the calculator, damn you!