Wrestling with Windows' hidden "features"

Windows-IE desktop integration issues may not be huge security risks, but they're still a bit scary

One of the reasons Microsoft Windows frustrates so many people is its list of unexpected desktop integration issues that can lead to security issues. Is it a feature or a security bug?

When I was teaching in Brazil last week, Jose Antunes, a student of mine, showed me a Windows trick he discovered accidentally. It may be something that was discovered and reported years ago, but it was new to me --- and my "Where Windows Malware Hides" document didn’t discuss it.

The trick is that Internet Explorer 6 and 7 beta can be fooled into running Windows desktop shortcuts instead of going to the Internet. For example, right-click your desktop and choose Create a Shortcut. Tell the shortcut to run Notepad.exe, but name the shortcut "www.aol.com." Now type www.aol.com into IE (Internet Explorer) and see what happens. Instead of going to www.aol.com, IE starts Windows notepad.


On its face, this appears to be a simple desktop shortcut that can bypass DNS resolution, but there are many ways this trick could be used maliciously after another vulnerability is used to exploit a system. Over the years, I and many others have documented similar behavior between IE and the Windows desktop (Desktop.ini files and execution path issues, for instance): Type "c:\" in IE and it will magically change to Windows Explorer instead.

After discussing this issue with some other Microsoft MVPs, we agreed that although this behavior is unexpected to most of us, it probably was enabled by Microsoft as some sort of alias shortcut. For example, make a desktop shortcut called "g" and point it to www.google.com; then you can type "g" into IE and get to Google, and so on.

Ken Schaefer recognized that this shortcut trick only happens if you don’t type in the http or https URI (Uniform Resource Identifier) protocol handler first. It appears that when the URI handler isn’t typed in, IE begins to cycle through various searches and guesses before it eventually adds in http://. For instance, type in microsoft.com or "Microsoft" and you’ll see IE trying a variety of different URLs before correctly guessing http://www.microsoft.com.

Martin Zugec discovered with a little testing that IE appears to check the following locations for shortcuts before connecting to the eventual Web site when the URL handler is not typed in:

-- %UserProfile%\Desktop

-- %AllUsersProfile%\Desktop

-- %UserProfile%\Favorites

I suspect there are more locations checked than this.

So, is this a feature or a bug? About half of the MVP camp, me included, didn’t like this unexpected behavior. If it’s documented or has been previously discussed, it isn’t well known (then again, that's true for hundreds of Windows topics). From a security perspective, I guess I shouldn’t be too worried. It isn’t as if this finding could be used by an initial exploit; an attacker would have to execute another attack successfully to be able to plant the desktop shortcut trick. And at that point, there are hundreds of other things the attacker can do to accomplish the same thing -- most of them less obvious.

So, why am I bothered? Ultimately, it’s because of the fear of the unknown. It isn’t this trick that makes me question Windows so significantly, but the question about what else is in there that I don’t know about. The same fear is valid in other operating systems, but there is a great sense of security in an operating system where most behaviors can be readily examined. In Linux and other open source OSes, you can manually inspect the kernel source code or compile your own. And outside the kernel, I can inspect the files in the configuration /etc folder and examine supporting libraries, and every program comes with the source code.

Although I might not know about all of Linux's unexpected behaviors -- and it does have them -- they occur less frequently, and often with transparency. With Windows, I have to trust Microsoft. And let me say, I do trust Microsoft the majority of the time. It’s just that I have no way of knowing what other surprises lurk for me, and how they affect my overall security risk. And if I find a feature I don’t want, can I easily turn it off?