COMMAND                                            SOURCE: 


  Windows '95, NT


    The following  information is  Cybersnot Industries  and is  their
    credit for this vulnerability to see light of day.  More info at:

    This text is part of their "advisory".

    Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
    which allows web  page writers to  use ".LNK" and  ".URL" files to
    run  programs  on  a  remote  computer.   This bug is particularly
    damaging because it uses NO ActiveX, and works even when  Internet
    Explorer is set to its highest  security level.  It was tested  on
    Microsoft  Internet  Explorer  Version  3.0  (4.70.1155)   running
    Windows  95.  For demo check address above.

    .URL files are  WORSE than .LNK  files because .URLs  work in both
    Windows 95 and  Windows NT 4.0  (.LNK's only work  in Windows 95).
    .URL files present a possibly  greater danger because they can  be
    easily  created  by  server  side  scripts  to  meet  the specific
    settings of a  user's system.   Cybersnot industries will  provide
    .URL files for execution in the next day or so.

    The "shortcuts" can be set to be minimized during execution  which
    means that users  may not even  be aware that  a program has  been
    started.   Microsoft's  implementation  of  shortcuts  becomes   a
    serious  concern  if  a  webpage  can  tell  Internet  Explorer to
    refresh to an  executable.  Or  worse, client side  scripts (Java,
    JavaScript, or VBScript) can  use the Explorer object  to transfer
    a BATCH file to the target  machine and then META REFRESH to  that
    BATCH file to execute the rogue command in that file.

    The following table outlines  which areas and users  each shortcut
    type effects:

     | File | Win '95 | Win NT | Execute | Command Line | Searches |
     | Type |         |        |   Apps  | Args Allowed |   Path   |
     | .lnk |  Yes    |  No    |   Yes   |      Yes     |   No     |
     | .url |  Yes    |  Yes   |   Yes   |      No      |   Yes    |

    Naturally,  the  files  must  exist  on  the  remote machine to be
    properly  executed.   But,  Windows  95  comes  with  a variety of
    potentially damaging programs which can easily be executed.

    On the page above  you can see link  that will start the  standard
    calculator which comes with Windows 95 (as .url and as .lnk).

    This bug can be  used to wreak havoc  on a remote user's  machine.
    The following example (on page above) will show you how to  create
    and delete  some directories.   META REFRESH  tag can  be used  to
    execute multiple commands in sequence.

    David M.  Chess gave  some basic  technical about  it. Win95 keeps
    desktop shortcuts in files with  extension LNK; when you click  on
    such a  file, Win95  runs the  program (and  the environment) that
    the LNK  file decribes.   URL files  are the  same sort  of thing,
    except the  file has  a slightly  different syntax  and semantics,
    and they're  passed to  Internet Explorer  (or whatever  else your
    installed  URL.DLL  uses)  rather  than  being  run  by  the Win95
    desktop directly.  Of course, since URL.DLL knows about URLs  like
    "file://", they can be used to run local files, just  as
    LNKs do.

    The trouble is, Interner Explorer treats LNK and URL files  loaded
    off the Net  just as it  does local ones;  therefore by putting  a
    link to a LNK or URL onto a Web page, you can make any program  on
    the machine, or any URL you like (including "file:" ones)  execute
    when the  user clicks.   (Note that  this is  just Chess's current
    impression of what's going on).

    This bug was originally discovered by Paul Greene.




    Fix is available. See

    or more in depth