Wrestling with Windows' hidden "features"

One of the reasons Microsoft Windows frustrates so many people is its list of unexpected desktop integration issues that can lead to security issues. Is it a feature or a security bug?

When I was teaching in Brazil last week, Jose Antunes, a student of mine, showed me a Windows trick he discovered accidentally. It may be something that was discovered and reported years ago, but it was new to me --- and my "Where Windows Malware Hides" document didn’t discuss it.

The trick is that Internet Explorer 6 and 7 beta can be fooled into running Windows desktop shortcuts instead of going to the Internet. For example, right-click your desktop and choose Create a Shortcut. Tell the shortcut to run Notepad.exe, but name the shortcut "www.aol.com." Now type www.aol.com into IE (Internet Explorer) and see what happens. Instead of going to www.aol.com, IE starts Windows notepad.

Huh?

On its face, this appears to be a simple desktop shortcut that can bypass DNS resolution, but there are many ways this trick could be used maliciously after another vulnerability is used to exploit a system. Over the years, I and many others have documented similar behavior between IE and the Windows desktop (Desktop.ini files and execution path issues, for instance): Type "c:\" in IE and it will magically change to Windows Explorer instead.

After discussing this issue with some other Microsoft MVPs, we agreed that although this behavior is unexpected to most of us, it probably was enabled by Microsoft as some sort of alias shortcut. For example, make a desktop shortcut called "g" and point it to www.google.com; then you can type "g" into IE and get to Google, and so on.

Ken Schaefer recognized that this shortcut trick only happens if you don’t type in the http or https URI (Uniform Resource Identifier) protocol handler first. It appears that when the URI handler isn’t typed in, IE begins to cycle through various searches and guesses before it eventually adds in http://. For instance, type in microsoft.com or "Microsoft" and you’ll see IE trying a variety of different URLs before correctly guessing http://www.microsoft.com.

Martin Zugec discovered with a little testing that IE appears to check the following locations for shortcuts before connecting to the eventual Web site when the URL handler is not typed in:

-- %UserProfile%\Desktop
-- %AllUsersProfile%\Desktop
-- %UserProfile%\Favorites

I suspect there are more locations checked than this.

So, is this a feature or a bug? About half of the MVP camp, me included, didn’t like this unexpected behavior. If it’s documented or has been previously discussed, it isn’t well known (then again, that's true for hundreds of Windows topics). From a security perspective, I guess I shouldn’t be too worried. It isn’t as if this finding could be used by an initial exploit; an attacker would have to execute another attack successfully to be able to plant the desktop shortcut trick. And at that point, there are hundreds of other things the attacker can do to accomplish the same thing -- most of them less obvious.