Security Prompts for Internet Shortcuts (in Favorites Folder)

Pyprohly · 23 Sep 2016

UsernameIssues said:

LNK shortcuts do not cause a security prompt when double clicked on from the Favorites Bar folder... even after installing KB3185319.

They do, and always have. But if you’ve created the .lnk in another folder, outside the Favorites hierarchy, and moved it into Favorites Bar folder, you’ll never get the prompt because it won’t get the low integrity label. This is due to integrity levels being part of a file’s SACL, with the auditing information. The rules of inheritance are slightly different for SACL entries compared to those of the DACL. SACL ACEs update less often, and tend not to update at all when the item is moved around.

My guess is that, both times (before and after installing the hotfix), you’ve created a shortcut outside Favorites Bar, moved it into Favorites Bar, invoked it and observed no prompt. While when testing internet shortcuts you created them within the Favorites folder hierarchy.

This behaviour is no different before and after hotfix KB3185319. Nothing has changed for shortcuts, only internet shortcuts.

UsernameIssues said:

Much to my surprise, dragging a URL shortcut from Windows (file) Explorer and dropping it into a browser's window does not cause the security prompt.

I also have an explanation for this. And you might realise this isn’t so surprising.

The security prompt is strictly related to Windows Explorer and has nothing to do with Internet Explorer or any other browser. When a user invokes a low integrity item from Windows Explorer, Explorer knows, and may decide to intervene in the operation; issue any prompt it likes. The security prompt is precisely part of Windows Explorer.

Applications never receive any warning when it comes to accessing low integrity items (unless they are some how running lower than the Low integrity level, in which case they are denied access from them) because they will either be running at a higher integrity, in which case access is granted, or it will also be running at a low integrity, in which case access is still granted.

When you invoke a shortcut from Windows Explorer, it is able to be confident that you are trying to open the shortcut (seeming assuming it is exposing the user to a security risk).

When you drag-drop a shortcut into an application’s window, the application receives a string of the path to the dropped it. In the case of browsers they will read in the shortcut file directly and carry out suitable actions from there.

Explorer cannot know for sure if the shortcut is being opened, and thus I conclude there’s no chance for a security prompt to occur then.

UsernameIssues said:

This makes no sense to me. I thought that I understood a bit about Mandatory Labels at the folder level and the file level. As noted above, I've been working with these labels for a while now.

Yes, I’m learning quite a bit from this discussion as well, UNI. Much more so than that… previous talk we’ve had.

Anak · 23 Sep 2016

I'm learning quite a bit as well!

UsernameIssues said:

XLR8TX said:

UsernameIssues, Excellent Info.

After conversing with other users on several forums, I knew those prompts were not there before for most if not all users.

Do you know of any workaround for this?

Much to my surprise, dragging a URL shortcut from Windows (file) Explorer and dropping it into a browser's window does not cause the security prompt. Please test this and let us know if it is a good work around for you.

I only have IE11 and FF49.0.1 to work with UNI and I can drag and drop any URLs from windows file explorer: C:\Users\Anak\Favorites\Links\ and it acts like your experieance, I can drop the URL shortcut into any part of my two browsers and it goes to the URLs location with no warnings.

Something I'm having a hard time with though; I can't see how working with FIle Explorer Favorites is easier. Maybe XLR8TX can explain, To each his own, eh?

UsernameIssues · 24 Sep 2016

Pyprohly said:

UsernameIssues said:

LNK shortcuts do not cause a security prompt when double clicked on from the Favorites Bar folder... even after installing KB3185319.

They do, and always have.

The LNK files that I tested did not create the security prompt. Once the LNK shortcut is in the FAV folder, ICACLS shows the Mandatory Label (LOW) - no matter where the shortcut was created.

Create LNK on the desktop
ICACLS reports no label at all

Copy LNK to the FAV folder...
ICACLS reports "LOW"

Double click on the LNK while it is in the FAV folder...
...no security prompt.

The same is true if the LNK is cut from the desktop and pasted into the FAV folder.

Creating the LNK directly in the FAV folder changed nothing during my testing.

It took a while, but I think that I have figured out why we are not seeing the same thing. It depends on the what the LNK shortcut points to. Point the LNK to a TXT file and there should be no security warning. I was testing with real life LNK files that I keep in my FAV folder structure. Those LNK files point to AutoIt scripts that are not compiled (e.g. text files).

If the LNK file points to the EXE for Notepad, then you get a security prompt if the LNK is in the FAV folder.

A URL file is a text file in the INI file format:

Code:

[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,11
[InternetShortcut]
URL=https://www.youtube-nocookie.com/v/
IDList=

Security Prompts for Internet Shortcuts (in Favorites Folder)-website.png

A WEBSITE file is a text file in the INI file format:

Code:

[{000214A0-0000-0000-C000-000000000046}]
Prop4=31,youtube-nocookie.com
Prop3=19,11
[{A7AF692E-098D-4C08-A225-D433CA835ED0}]
Prop5=3,0
Prop9=19,0
[InternetShortcut]
URL=https://www.youtube-nocookie.com/v/
IDList=
[{9F4C2855-9F79-4B39-A8D0-E1D42DE1D5F3}]
Prop5=8,Microsoft.Website.70569F39.3845F787

But these text files are dangerous?
And scripts aren't?

Pyprohly said:

UsernameIssues said:

Much to my surprise, dragging a URL shortcut from Windows (file) Explorer and dropping it into a browser's window does not cause the security prompt.

I also have an explanation for this. And you might realise this isn’t so surprising.

Okay - I can see what you are saying about what Explorer does not know. I'm not disagreeing with you, but here are my observations:

Explorer does not know if the URL text file is going to be dropped...
...onto an empty spot on the desktop (e.g. move file) - no warning
...onto a browser's window (e.g. open file) - no warning
...onto a LNK file for a browser - you get a warning

Security Prompts for Internet Shortcuts (in Favorites Folder)-drag-drop-warning.png

IE and Pale Moon went to the website.
Chrome showed the text inside the URL/INI file.

...onto a LNK file for notepad - same warning as shown above - but you can right click on the URL file and use Send to > Notepad. It opens without a warning.

Double click on an LNK file that points to Notepad's EXE and you'll get a warning. Double click on an LNK file that points to a TXT file and you can open Notepad without a warning. Explorer is the app that starts the EXE associated with TXT files. It knows what the default verb is for TXT files. It knows that the file is going to be opening Notepad.

Open the properties for a URL file via right click - no warning.
Select/highlight the URL file and...
...select Explorer's Organize menu, then Properties - warning
...turn on Explorer's detail pane - warning
...turn off Explorer's detail pane - warning

UsernameIssues · 24 Sep 2016

Anak said:

I can't see how working with FIle Explorer Favorites is easier. Maybe XLR8TX can explain, To each his own, eh?

IE has the ability to pin the (ctrl-h) favorites pane to one side of the browser. If your favorites use a heavily nested folder structure, then it is nice to not have to mouse your way to the same folder over and over. Think of an Explorer window as a pop out version of IE's favorites pane. At least with Explorer, you can alt-tab between the browser window and the Explorer window.

I don't use Explorer to get to my favorites very often. It usually happens when I want to see the same website in multiple browsers. I can copy the URL in IE's address bar and paste it into the other browser for some websites, but not for others. Some websites change the URL based on the browser that was used to get there. It is best to let each browser render the website independently.

You can put an LNK shortcut to the FAV folder (or a sub-folder) right on IE's Favorites Bar. That will open Explorer to the folder of interest. If I'm researching a purchase, everything related to that research goes into one folder: favorites, PDFs, pictures... As far as I know, no other browser lets you open LNK shortcuts like that.

Anak · 25 Sep 2016

Thank you for the explaination UNI!

Over the years I've shyed away from Internet Explorer and I don't ususally use IE unless required, but I keep up maintenance on it for the wife so I'm not as adepted at using it as some other folks might be.

I like that ctrl+h tip and will work on using all that you have explained.

pcunite · 15 Nov 2016

I have an issue with Windows 10 and IE 11 that maybe the result of his new patch.

When I double click on an URL file on my desktop, IE opens with a blank page.

Anak · 16 Nov 2016

Your issue might be associated with this solution found starting at post #8 of this different thread, it may be related like some solutions could span the OS's from vista to w8.1, but if you're using W10 you really should ask your question over at our sister forum: TenForums

At the very least, have you tried uninstalling the patch (windows update?) to see if your IE reverts to acceptable behaviour?

Related:
A search to look through for answers: IE opens with a blank page from a URL on my desktop

XLR8TX · 18 Nov 2016

I installed some new updates yesterday and the security prompts are now gone.

Anak · 18 Nov 2016

That's great news!

...