Subject: Re: Windows shortcut `trick` is a feature: Microsoft
From: "Antti Kurenniemi"
It's all part of the "the web is the computer" revolution! Now
you can just do everything through your browser - and who wouldn't want to
open their browser and type in www.openmynotepadapplicationplease.com
instead of just clicking on a dull icon? This is just sooooo great, I'm
going to put shortcuts to all programs to my desktop and launch them via my
browser, yeah!
Antti Kurenniemi
(not)
"Geo" wrote in message
news:44af0856$5{at}w3.nls.net...
>I don't understand how it can be useful to a user.
>
> Geo.
>
> "/m" wrote in message
> news:gc2ra2te4dtp9uevg78v4vt5fk1fq46th1{at}4ax.com...
>>
>>
>> http://www.zdnet.com.au/news/software/soa/Windows_shortcut_trick_is_a_feature_Microsoft/0,2000061733,39262246,00.htm
>>
>> ===
>> Microsoft has denied that a 'trick', which could allow an executable
>> file to be launched when a user types a Web address into Internet
>> Explorer, is a security vulnerability.
>>
>> Using Windows XP and Internet Explorer, it is easy to create a scenario
>> where a user types in a Web address -- such as www.microsoft.com -- into
>> their browser and instead of launching the Web site, the browser
>> runs an executable file that is located on the user's computer.
>>
>> To test the 'trick' yourself, try the following:
>>
>> Right click on the Desktop and create a new Shortcut
>>
>> Point the shortcut to an executable -- such as
>> c:\windows\system32\calc.exe
>>
>> Call the shortcut www.microsoft.com
>>
>> Start Internet Explorer and type "www.microsoft.com" into
>> the address bar
>>
>> If the shortcut is then deleted -- or the characters "http://" are added
>> before the "www" in the browser address bar -- then IE will once again
>> connect to the Internet as expected.
>>
>> In a statement to ZDNet Australia on Tuesday, Peter Watson, chief
>> security advisor at Microsoft Australia, said this is not a security
>> vulnerability but actually a feature that could be used by legitimate
>> applications.
>>
>> "It's important to clarify the difference between security problems and
>> legitimate features. A security hole helps an attacker do something they
>> shouldn't be able to do, which is not the case in this instance.
>>
>> "Software that the user legitimately has installed on the computer might
>> need exactly this sort of feature provided by IE," said Watson.
>>
>> According to Watson, the 'trick' could be used to help automation.
>>
>> "For example, imagine if you needed to run a dialup connection to
>> connect to a certain site. The dial up connection might be called
>> "connect to mysite.com". You can see in that case how important it is
>> for Windows (or any operating system) to have flexibility for legitimate
>> software.
>>
>> "Organisations or individual users may require or desire to automate
>> part of the process for application connectivity with IE. Microsoft
>> views this as one of the advantages in using IE as a means of enabling
>> user access in that it provides users a consistent and seamless
>> experience," said Watson.
>>
>> However, security experts believe this particular 'trick' is unnecessary
>> and expect it to be exploited by malware writers.
>>
>> Michael Warrilow, director of Sydney-based analyst firm Hydrasight, told
>> ZDNet Australia that he tested the 'trick' using Windows XP SP2 and
>> found that although it worked using IE, Firefox users were safe.
>>
>> "Microsoft's so-called useful features have been shown time and again to
>> result in security exposures that are ultimately exploited for malicious
>> purposes. This will be no exception," he said.
>>
>> Frost and Sullivan Australia's security analyst, James Turner agreed: "I
>> would imagine that malware writers could definitely exploit this --
>> particularly with a little social engineering".
>> ===
>>
>>
>>
>>
>> I like this part:
>>
>> Microsoft views this as one of the advantages in using IE as a means of
>> enabling user access in that it provides users a consistent and seamless
>> experience," said [Peter Watson, chief security advisor at Microsoft
>> Australia].
>>
>>
>> Simply precious. What more can I add, except to ask if Microsoft is
>> having an internal meltdown?
>>
>> /m
>
>
--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com
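
A defender-side check for the shortcut naming behaviour described in the quoted article, as an added example that is not part of the original posts: it lists shortcut files in a folder (for instance a user's Desktop) whose visible name parses as a hostname. The extension set, the exclusion list and the sample file names are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Shortcut file types; Explorer does not display these extensions, so the
# visible name of "www.microsoft.com.lnk" is just "www.microsoft.com".
SHORTCUT_EXTS = {".lnk", ".url", ".pif"}

# Final labels that are more likely a file extension than a TLD
# (assumption: a short illustrative list, tune it for your environment).
FILE_LIKE = {"exe", "txt", "doc", "pdf", "zip", "msi", "bat"}

# One or more DNS labels followed by an alphabetic final label.
HOSTNAME = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,63})$",
    re.IGNORECASE,
)

def hostname_like_shortcuts(directory):
    """Return sorted names of shortcut files whose visible name looks like a hostname."""
    hits = []
    for entry in Path(directory).iterdir():
        if not entry.is_file() or entry.suffix.lower() not in SHORTCUT_EXTS:
            continue
        match = HOSTNAME.match(entry.stem)  # stem = name without the hidden extension
        if match and match.group(1).lower() not in FILE_LIKE:
            hits.append(entry.name)
    return sorted(hits)

def demo():
    """Scan a constructed folder: two suspicious names, three benign ones."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("www.microsoft.com.lnk", "WWW.Example.ORG.url",
                     "Calculator.lnk", "setup.exe.lnk", "www.microsoft.com.txt"):
            (Path(d) / name).touch()
        return hostname_like_shortcuts(d)

if __name__ == "__main__":
    # With arguments: scan those folders. Without: run the constructed demo.
    if sys.argv[1:]:
        for folder in sys.argv[1:]:
            for hit in hostname_like_shortcuts(folder):
                print(f"{folder}: {hit}")
    else:
        print(demo())
```
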