[Mimedefang] .URL vulnerabilities?

Kelson Vibber kelson at speed.net
Thu May 30 14:54:01 EDT 2002


First of all, thanks to those who replied to my earlier questions.

After placing MIMEdefang on our users' mail server (with SpamAssassin and 
File::Scan), I've gotten mostly positive comments.  There've been a few 
negative comments, mainly dealing with defanging.  My thought is that no 
signature-based virus scanner is ever going to be 100% effective, so our 
customers are better off with any remaining executables being defanged.

One of the comments was about .URL files, and I can kind of see the point.  
Internet Shortcuts are convenient, and while I could recall hearing of a 
related vulnerability, I could not actually find anything specific when I 
proceeded to search for it, other than one involving Windows Media Player 
creating insecure temporary .URL files.

From what I can tell, .URL is mainly on the bad_filename list because it is 
still hidden even after you tell Windows to show file extensions, making it 
possible for something that looks like whatever.txt to really be 
whatever.txt.url.  OK, you can disguise a URL as another kind of attachment.  
But what can that actually do?  It can open a website, FTP location, 
newsgroup, etc.  No problem there - it's annoying at worst.  Unless there are 
risks with handling of file: URLs or ways to subvert it into doing something 
else entirely (buffer overruns, or renaming an .exe as a .url and having it 
run, or something), it seems to me that it's no more dangerous than a link in 
a web page.

To get to the point, does anyone know of any real vulnerabilities involving 
.URL files, or might it be safe to pass them through (perhaps with 
verification)?

-- 
Kelson Vibber
SpeedGate Communications, Technical Staff
kelson at speed.net          Phone: (949) 341-0800
http://www.speed.net/     FAX:   (949) 341-0900
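
One way to do the "verification" the message above asks about, as an added example that is not part of the original post or of MIMEDefang's own code: a stand-alone Perl check that a .url attachment is a plain Internet Shortcut with no hidden second extension and a single URL whose scheme is on an allowlist. The helper name check_url_attachment, the scheme allowlist, the 4096-byte limit and the sample attachments are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Assumed policy: the link types the message treats as harmless
# (website, FTP location, newsgroup). file: is left out on purpose.
my %ALLOWED_SCHEME = map { $_ => 1 } qw(http https ftp news);

# Hypothetical helper. Returns (verdict, reason); verdict is 'pass' or 'defang'.
sub check_url_attachment {
    my ($filename, $body) = @_;

    # Windows hides .url even when extensions are shown, so whatever.txt.url
    # displays as whatever.txt. Conservatively flag any extension before .url.
    return ('defang', 'second extension hidden by .url')
        if $filename =~ /\.[A-Za-z0-9]{1,5}\.url$/i;

    # A shortcut is a short INI-style text file; a renamed executable is not.
    return ('defang', 'too large for a shortcut') if length($body) > 4096;
    return ('defang', 'binary content') if $body =~ /[^\t\r\n\x20-\x7e]/;

    # Collect URL= entries from the [InternetShortcut] section only.
    my ($section, @urls) = ('');
    for my $line (split /\r?\n/, $body) {
        if ($line =~ /^\s*\[([^\]]+)\]\s*$/) { $section = lc $1; next; }
        push @urls, $1
            if $section eq 'internetshortcut' && $line =~ /^\s*URL\s*=\s*(.*?)\s*$/i;
    }
    return ('defang', 'expected exactly one URL= entry') unless @urls == 1;

    my ($scheme) = $urls[0] =~ m{^([A-Za-z][A-Za-z0-9+.-]*):};
    return ('defang', 'no URL scheme') unless defined $scheme;
    return ('defang', 'scheme ' . lc($scheme) . ' not allowed')
        unless $ALLOWED_SCHEME{lc $scheme};
    return ('pass', 'ok');
}

# Constructed sample attachments: [filename, decoded body].
my $shortcut = "[InternetShortcut]\r\nURL=http://www.example.com/\r\n";
my @samples = (
    ['site.url',         $shortcut],
    ['whatever.txt.url', $shortcut],
    ['local.url',        "[InternetShortcut]\r\nURL=file:///C:/example.txt\r\n"],
    ['renamed.url',      "MZ\x90\x00\x03\x00\x00\x00"],
);
printf "%-18s %-7s %s\n", $_->[0], check_url_attachment(@$_) for @samples;
```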



