A security flaw has been revealed in Microsoft's Internet Explorer (IE) 3.0 browser that lets a malicious Web page author use Windows shortcut (.LNK) and Internet shortcut (.URL) files to run programs on a visitor's computer without the visitor's knowledge, even when the browser is set to its highest security level.
The lapse was discovered by Paul Greene, a student at Worcester Polytechnic Institute in Massachusetts. While posting documents on a Web page, he created a shortcut to the folder holding them rather than copying the folder itself. When he accessed the shortcut through the browser, Windows Explorer opened on the folder: the browser had executed the shortcut instead of merely displaying or downloading it.
Greene then repeated the trick with Internet Explorer's own shortcut format, the .URL file, by setting the shortcut's target to a file:// URL naming a local file (file://filename). .LNK files work only on Windows 95, but .URL files are handled by both Windows 95 and Windows NT 4.0, so the .URL variant affects both platforms.
Opened in Navigator or another non-Microsoft browser, the files merely display the written command. The shortcuts can be set to run minimised, meaning users may not know that a program has been started, Greene said.
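The two facts in the passage above, that a .URL file is plain text with a target line, and that a file:// target can point at a local program, are enough to write a scanner for them. The following is an added example, not code from the article, from Greene or from Microsoft: it parses the INI-style [InternetShortcut] section of a .URL file and classifies what the shortcut would open. The list of executable extensions, the treatment of ShowCommand as the minimised-window setting, and the sample files are assumptions made for this example.

```python
"""Classify Windows Internet Shortcut (.URL) files by what they would launch.

Added example: the .URL format is INI-style text with a [InternetShortcut]
section whose URL= line holds the target. Because it is plain text, a browser
that does not treat the file as a shortcut simply shows this content; a browser
that executes it follows URL= to whatever it names.
"""
import ntpath

# Extensions Windows would run rather than display. Assumption for this example:
# illustrative, not an exhaustive list of launchable types.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".lnk", ".url"}

# ShowCommand values that request a minimised window (SW_SHOWMINIMIZED=2,
# SW_SHOWMINNOACTIVE=7). Assumption for this example; values from the Win32 API.
MINIMISED_SHOW_COMMANDS = {"2", "7"}


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lowercased."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def local_target(url: str):
    """If url is a file: URL, return the local Windows path it names, else None.

    Accepts both file:///C:/dir/prog.exe and the sloppier file://C:\\dir\\prog.exe.
    """
    if not url.lower().startswith("file:"):
        return None
    path = url[len("file:"):].lstrip("/").replace("/", "\\")
    return path or None


def classify_shortcut(text: str) -> str:
    """Classify a .URL file as remote, local-file, local-program or not-a-shortcut."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url")
    if url is None:
        return "not-a-shortcut"
    path = local_target(url)
    if path is None:
        return "remote"
    ext = ntpath.splitext(path)[1].lower()
    return "local-program" if ext in EXECUTABLE_EXTENSIONS else "local-file"


def runs_minimised(text: str) -> bool:
    """True if the shortcut asks for a minimised window, which hides the launch."""
    fields = parse_internet_shortcut(text)
    return fields.get("showcommand") in MINIMISED_SHOW_COMMANDS


# Constructed sample .URL files for this example (not real captured files).
SAMPLES = {
    "normal": "[InternetShortcut]\r\nURL=http://www.microsoft.com/\r\n",
    "local_doc": "[InternetShortcut]\r\nURL=file:///C:/docs/readme.txt\r\n",
    "runs_program": "[InternetShortcut]\r\nURL=file://C:\\WINDOWS\\COMMAND.COM\r\n"
                    "ShowCommand=7\r\n",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} {classify_shortcut(text):14s} "
              f"minimised={runs_minimised(text)}")
```

A scanner like this only tells you what a shortcut would open; it cannot tell you whether the named program exists on the target machine, which is the point Microsoft makes about the attacker needing to know the victim's paths.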
"The ramification for IE is that any anti-Microsoft jerk can set up their Web site to be destructive to anyone using Internet Explorer and safe for all other browsers," Greene said.
Microsoft has posted information about the flaw, with a fix to follow soon, says Dave Fester, lead product manager for Internet Explorer.
Fester points out that the security breach can be triggered only by someone who intentionally seeks to do so. And the malicious Web author must know what programs are on the remote computer in order to target them, he says.
"A Webmaster has to know what the specific programs are on (the target's) hard drive, as well as the path to use to activate through a link," said Fester.