[Infowarrior] - Wrestling with Windows' hidden "features"

[Richard Forno]

Wrestling with Windows' hidden "features"
Windows-IE desktop integration issues may not be huge security risks, but
they're still a bit scary

http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/19/
78413_21OPsecadvise_1.html

By Roger A. Grimes

May 19, 2006

One of the reasons Microsoft Windows frustrates so many people is its list
of unexpected desktop integration issues that can lead to security issues.
Is it a feature or a security bug?

When I was teaching in Brazil last week, Jose Antunes, a student of mine,
showed me a Windows trick he discovered accidentally. It may be something
that was discovered and reported years ago, but it was new to me --- and my
"Where Windows Malware Hides" document didn¹t discuss it.

The trick is that Internet Explorer 6 and 7 beta can be fooled into running
Windows desktop shortcuts instead of going to the Internet. For example,
right-click your desktop and choose Create a Shortcut. Tell the shortcut to
run Notepad.exe, but name the shortcut "www.aol.com." Now type www.aol.com
into IE (Internet Explorer) and see what happens. Instead of going to
www.aol.com, IE starts Windows notepad.

Huh?

On its face, this appears to be a simple desktop shortcut that can bypass
DNS resolution, but there are many ways this trick could be used maliciously
after another vulnerability is used to exploit a system. Over the years, I
and many others have documented similar behavior between IE and the Windows
desktop (Desktop.ini files and execution path issues, for instance): Type
"c:\" in IE and it will magically change to Windows Explorer instead.

After discussing this issue with some other Microsoft MVPs, we agreed that
although this behavior is unexpected to most of us, it probably was enabled
by Microsoft as some sort of alias shortcut. For example, make a desktop
shortcut called "g" and point it to www.google.com; then you can type "g"
into IE and get to Google, and so on.

Ken Schaefer recognized that this shortcut trick only happens if you don¹t
type in the http or https URI (Uniform Resource Identifier) protocol handler
first. It appears that when the URI handler isn¹t typed in, IE begins to
cycle through various searches and guesses before it eventually adds in
http://. For instance, type in microsoft.com or "Microsoft" and you¹ll see
IE trying a variety of different URLs before correctly guessing
http://www.microsoft.com.

Martin Zugec discovered with a little testing that IE appears to check the
following locations for shortcuts before connecting to the eventual Web site
when the URL handler is not typed in:

-- %UserProfile%\Desktop
-- %AllUsersProfile%\Desktop
-- %UserProfile%\Favorites

I suspect there are more locations checked than this.

So, is this a feature or a bug? About half of the MVP camp, me included,
didn¹t like this unexpected behavior. If it¹s documented or has been
previously discussed, it isn¹t well known (then again, that's true for
hundreds of Windows topics). From a security perspective, I guess I
shouldn¹t be too worried. It isn¹t as if this finding could be used by an
initial exploit; an attacker would have to execute another attack
successfully to be able to plant the desktop shortcut trick. And at that
point, there are hundreds of other things the attacker can do to accomplish
the same thing -- most of them less obvious.

So, why am I bothered? Ultimately, it¹s because of the fear of the unknown.
It isn¹t this trick that makes me question Windows so significantly, but the
question about what else is in there that I don¹t know about. The same fear
is valid in other operating systems, but there is a great sense of security
in an operating system where most behaviors can be readily examined. In
Linux and other open source OSes, you can manually inspect the kernel source
code or compile your own. And outside the kernel, I can inspect the files in
the configuration /etc folder and examine supporting libraries, and every
program comes with the source code.

Although I might not know about all of Linux's unexpected behaviors -- and
it does have them -- they occur less frequently, and often with
transparency. With Windows, I have to trust Microsoft. And let me say, I do
trust Microsoft the majority of the time. It¹s just that I have no way of
knowing what other surprises lurk for me, and how they affect my overall
security risk. And if I find a feature I don¹t want, can I easily turn it
off?