Wednesday, July 05, 2006

Microsoft: Windows shortcut 'trick' is a feature

Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability. Anything that makes something easier for a user to do has the danger of becoming exploitable. This case shows how IE can be used to execute a Desktop shortcut instead of a URL, but if you use the proper syntax for entering the URL (e.g. http://www.desktopshortcutname.com) then this "trick" will not work. Regardless of this "trick", you still need to get your malicious shortcut onto the user's machine (and the referenced EXE as well). When will people stop thinking of ways of "beating the system" to be annoying?
