TalkBack 4 of 38:
That's always been possible
Keep in mind that an awful lot of users avoid using the menu system by keeping all of their commonly-used apps as desktop shortcuts.

And they call those shortcuts "www.microsoft.com"? No, of course not. The "interesting" thing about this flaw is that it is a social engineering trick because you think you are going to a website when, in fact, it is opening a program.

Also, this only seems to work if you actually type it into the address bar. If you create a link on a website, you get the standard "Do you want to run or save this file?" prompt. Only if you type it into the address bar does it run without "warning". So again, you can't trick someone into clicking on a link, you have to:
1. Convince someone to create a link called "www.microsoft.com" and point it to something malicious that is already on their computer.
2. Convince them to type "www.microsoft.com" on the address bar.

At worst, this could be used on a computer that was already infected but if the computer is already under control, you probably don't need the user to be typing things into the IE address bar.

Until someone can show that this is easier to take advantage of than the thousands of other, far, far simpler methods of social engineering, I will continue to believe this one is a non-starter.
Posted by: NonZealot   Posted on: 07/05/06
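For defenders who want to check for the precondition discussed in this post (a shortcut whose visible name reads like a web address), the following is an added example, not part of the original comment or of any Microsoft tooling. The hostname heuristic, the function names and the sample folder are assumptions made for illustration; the directories to scan are supplied by the caller.

```python
import re
import tempfile
from pathlib import Path

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SHORTCUT_EXTS = {".lnk", ".url", ".pif"}
# Assumption: a name "looks like" a web address when it is one or more
# dot-separated labels followed by a short alphabetic final label.
HOSTLIKE = re.compile(r"^(?:www\.)?(?:[a-z0-9-]+\.)+[a-z]{2,6}$", re.I)


def find_hostlike_shortcuts(roots):
    """Return (file name, kind) for shortcuts whose visible name resembles a hostname."""
    hits = []
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SHORTCUT_EXTS:
                continue
            # Explorer hides the shortcut extension, so the user sees the stem.
            if not HOSTLIKE.match(path.stem):
                continue
            with path.open("rb") as fh:
                head = fh.read(len(LNK_MAGIC))
            kind = "shell-link" if head == LNK_MAGIC else "other-shortcut"
            hits.append((path.name, kind))
    return hits


def demo():
    """Scan a constructed sample folder standing in for a user's shortcut directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "www.microsoft.com.lnk").write_bytes(LNK_MAGIC + b"\x00" * 60)
        (d / "Word 2003.lnk").write_bytes(LNK_MAGIC + b"\x00" * 60)
        (d / "example.org.url").write_text("[InternetShortcut]\nURL=https://example.org/\n")
        (d / "notes.txt").write_text("www.microsoft.com")
        return find_hostlike_shortcuts([d])


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{kind:15} {name}")
```

A hit is only a prompt to inspect where the shortcut points; the script does not parse the link target.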


