Date: Tue, 4 Mar 97 13:14:20 EST
From: "David M. Chess" <CHESS@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> Does anyone have more information on this?? I've already seen the articles
> at http://www.cybersnot.com/iebug.html and
> http://www.news.com/News/Item/0,4,8447,00.html but I'm looking for more
> technically related content.

I don't have any more pointers, but I think the basic technical explanation is simple. Win95 keeps desktop shortcuts in files with extension LNK; when you click on such a file, Win95 runs the program (and the environment) that the LNK file describes. URL files are the same sort of thing, except the file has a slightly different syntax and semantics, and they're passed to Internet Explorer (or whatever else your installed URL.DLL uses) rather than being run by the Win95 desktop directly. Of course, since URL.DLL knows about URLs like "file://format.com", they can be used to run local files, just as LNKs do.

The trouble is, Internet Explorer treats LNK and URL files loaded off the Net just as it does local ones; therefore by putting a link to a LNK or URL onto a Web page, you can make any program on the machine, or any URL you like (including "file:" ones) execute when the user clicks.

(Note that this is just my current impression of what's going on; there could easily be an error or two in here, and I would welcome corrections!)

In general, maintaining security as the desktop and the network sort of squoosh together and their boundaries dissolve, is going to be a challenge. It's starting a little earlier than I expected! *8)

- -- -
David M. Chess                 |    Each one
High Integrity Computing Lab   |    individually twisted!
IBM Watson Research            |
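
A content-filter check for the behaviour described in the message above, as an added example that is not part of the original post: it lists links on a page that point at LNK or URL files and reports whether a fetched URL file resolves to a "file:" target. The `[InternetShortcut]` / `URL=` layout is the commonly documented .url format and is an assumption here (the message does not describe it); the function names, `example.test` hosts and sample inputs are constructed.

```python
import configparser
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTCUT_EXTS = (".lnk", ".url")  # the two shortcut types the message names

# Constructed sample inputs (not taken from any real page).
SAMPLE_PAGE = """<html><body>
<a href="http://example.test/index.html">home</a>
<a href="http://example.test/tools/setup.LNK">setup</a>
<a href="promo.url?id=7">promo</a>
</body></html>"""
# Target string is the one quoted in the message; the file layout is assumed.
SAMPLE_URL_FILE = "[InternetShortcut]\nURL=file://format.com\n"

class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def shortcut_links(html):
    """Return hrefs whose path (query string ignored) ends in .lnk or .url."""
    collector = _HrefCollector()
    collector.feed(html)
    return [h for h in collector.hrefs
            if urlsplit(h).path.lower().endswith(SHORTCUT_EXTS)]

def url_file_target(text):
    """Return the URL= value of a .url file, or None if it does not parse."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)

def points_at_local_file(target):
    """True when a shortcut target uses the file: scheme."""
    return bool(target) and urlsplit(target).scheme.lower() == "file"

if __name__ == "__main__":
    print("shortcut links:", shortcut_links(SAMPLE_PAGE))
    target = url_file_target(SAMPLE_URL_FILE)
    print("target:", target, "local:", points_at_local_file(target))
```
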