[4666] in WWW Security List Archive
Re: IE3 .lnk & .url bug
daemon@ATHENA.MIT.EDU (Bill Joynt)
Wed Mar 5 13:43:14 1997
From: billj@i2020.net (Bill Joynt)
To: "David M. Chess" <CHESS@watson.ibm.com>, <www-security@ns2.rutgers.edu>
Date: Wed, 5 Mar 1997 10:25:56 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
Fix is available for 3.01
-----Original Message-----
Here is the news on our home page
(http://www.microsoft.com/ie/security/update.htm):
Security Breach Fixed for 3.01 Users
Fix Coming Soon for 3.0 Users
Internet Explorer 3.01 Users-Download the Code Fix Now or call
1-800-322-9997 to order it on a floppy disk.
Internet Explorer 3.0 Users-A Fix is On Its Way
If you are running Internet Explorer 3.0, you can either wait until
tomorrow when Microsoft posts the fix for that version, or you can upgrade
to Internet Explorer 3.01, and then download the code fix that's available
now.
Options for International Users
Depending on the language, International versions of the code fix will be
available in the next few weeks. Be sure to check this page for the latest
information!
----------
> From: David M. Chess <CHESS@watson.ibm.com>
> To: www-security@ns2.rutgers.edu
> Subject: Re: IE3 .lnk & .url bug
> Date: Tuesday, March 04, 1997 1:14 PM
>
> > Does anyone have more information on this?? I've already seen the
articles
> > at http://www.cybersnot.com/iebug.html and
> > http://www.news.com/News/Item/0,4,8447,00.html but I'm looking for more
> > technically related content.
>
> I don't have any more pointers, but I think the basic technical
> explanation is simple. Win95 keeps desktop shortcuts in files
> with extension LNK; when you click on such a file, Win95 runs
> the program (and the environment) that the LNK file decribes.
> URL files are the same sort of thing, except the file has a
> slightly different syntax and semantics, and they're passed
> to Internet Explorer (or whatever else your installed URL.DLL
> uses) rather than being run by the Win95 desktop directly. Of
> course, since URL.DLL knows about URLs like "file://format.com",
> they can be used to run local files, just as LNKs do.
>
> The trouble is, Interner Explorer treats LNK and URL files
> loaded off the Net just as it does local ones; therefore
> by putting a link to a LNK or URL onto a Web page, you can
> make any program on the machine, or any URL you like (including
> "file:" ones) execute when the user clicks. (Note that this
> is just my current impression of what's going on; there
> could easily be an error or two in here, and I would
> welcome corrections!)
>
> In general, maintaining security as the desktop and the
> network sort of squoosh together and their boundaries
> dissolve, is going to be a challenge. It's starting a
> little earlier than I expected! *8)
>
> - -- -
> David M. Chess | Each one
> High Integrity Computing Lab | individually twisted!
> IBM Watson Research |
