![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Blue Archive tier list [April 2025]](https://media.pocketgamer.com/artwork/na-33404-1636469504/blue-archive-screenshot-2.jpg?#)
.png?#)
-Baldur’s-Gate-3-The-Final-Patch---An-Animated-Short-00-03-43.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Alleged Pixel 10 series wallpapers leak with vibrant colors and a strange new theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/pixel-10-wallpaper-leak-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Apple's Foldable iPhone May Cost Between $2100 and $2300 [Rumor]](https://www.iclarified.com/images/news/97028/97028/97028-640.jpg)
![Apple Releases Public Betas of iOS 18.5, iPadOS 18.5, macOS Sequoia 15.5 [Download]](https://www.iclarified.com/images/news/97024/97024/97024-640.jpg)
![Apple to Launch In-Store Recycling Promotion Tomorrow, Up to $20 Off Accessories [Gurman]](https://www.iclarified.com/images/news/97023/97023/97023-640.jpg)
Dubious security vulnerability: Once I have tricked the user into running a malicious shortcut, I can install malware
Yes, that's sort of the point. The post Dubious security vulnerability: Once I have tricked the user into running a malicious shortcut, I can install malware appeared first on The Old New Thing.
A security vulnerability report arrived in the form of a ten-page PDF, formatted like a term paper, purporting to have found a way to leverage shortcut files to install malware. It begins with a 300-word abstract that opens “Computer security is of growing importance in today’s connected world,” followed by a 400-word introduction that similarly focuses on the importance of keeping your computer secure.
Now, I have experience with, and occasionally even enjoy, reading journal papers. But a security vulnerability report is not supposed to be a journal paper. Your goal is not to impress upon the reader the importance of computer security and therefore justify your avenue of research. By the time you get to the vulnerability report, it is already a given that computer security is important, and the research has already justified itself by the existence of the proof of concept. You don’t need to convince me that this is a worthwhile endeavor. You also don’t have to teach me what malware is, or pad your text with discussion of what sorts of bad things malware can do once it has become established.
Okay, finally I get to page five, when they finally lay out the attack. I’ll boil it down for you rather than making you suffer through five pages of text and screen shots.¹
- Create a shortcut file that runs a command line which installs malware.
- Convince the user to launch the shortcut.
- Malware is now installed!
In the various screen shots included in the paper, one of them is a warning dialog from the system.
| Open File – Security Warning | ||||||||||
| Do you want to open this file? | ||||||||||
|
||||||||||
|
|
||||||||||
| While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software. | ||||||||||
Windows displays this warning when you try to run a shortcut that was downloaded from the Internet, because shortcuts can execute any command line and therefore can perform any operation that you yourself have the power to do.
Which includes installing malware into your user profile.
The paper assumes that the user trusts the source from which the shortcut was downloaded and approved the dangerous operation.
So there is no technical security vulnerability here. It’s a social engineering attack: You have to convince the user to run the shortcut even though the system told them it’s not necessarily a great idea.
Maybe next time, they can cut to the chase and just say so, instead of wrapping it inside a ten-page term paper.
¹ Or the 250-word “conclusion.”
The post Dubious security vulnerability: Once I have tricked the user into running a malicious shortcut, I can install malware appeared first on The Old New Thing.
