"Fun with folders" has the skinny on yet another Microsoft security hole. The problem seems to stem from folder.htt files, special HTML files that control how a folder looks if the "View as web page" function is turned on in Windows 98 or Windows 2000. Apparently any folder.htt file is always considered trusted, enabling someone to run malicious code on your machine if you so much as open a local or remote folder with a booby-trapped folder.htt.

I got a chuckle out of how Windows 2000 reacts to the exploit. According to one consultant, "It seems that at least in Windows 2000, Microsoft attempted to do the right thing. The user browsing the malicious folder is asked whether they wish to execute the script within the Folder.htt file, but regardless of the answer the script is executed." Well, their heart was in the right place.

The bug doesn't seem to be as widespread as the person who discovered it suggests, but it still offers someone the opportunity to run code bad enough to "take over a computer" (though the article doesn't really go into what exactly that phrase means in the context of the bug).

Apparently firewalls will stop the thing, so this mainly seems like one for the home user to be concerned about. The article also isn't too clear on exactly how the malicious code could get stuck into a local folder in the first place; I assume another security vulnerability would have to be exploited to put it there.
