[AStonesThrow]

I once encountered malware on my roommate’s Windows 98 system. It was a worm designed to rewrite every image file as a VBS script that would replicate and re-infect every possible file whenever it was clicked or executed. It hid the VBS extensions and masqueraded as the original images.

Creation of a shortcut on Windows is not necessarily innocuous. It was a common first vector to drop malware as users were accustomed to installing software that did the same thing. A Windows shortcut can hide an arbitrary pathname, arbitrary command-line arguments, a custom icon, and more; these can be modified at any time.

So whether it was a mistake for UAC to be overzealous or obstructionist, or Microsoft was already being mocked for poor security, perhaps they weren’t wrong to raise awareness about such maneuvers.

[GeekyBear]

A user creating a shortcut manually is not something that requires a permissions prompt.

If you want to teach users to ignore security prompts, then completely pointless nagging is how you do it.

[esseph]

Programs running during the user session are often running as that user.

The "correct answer" to this is probably that there isn't a good answer here.

Security is a damn minefield and it's getting worse every day.

[GeekyBear]

There is no universe in which it makes sense to ask the very user who just created a shortcut if they should have permission to create that shortcut.

This is why Microsoft was so widely mocked for just how bad their initial implementation of UAC was.

[esseph]

"iPhone Shortcuts always asks permission to access file"

https://discussions.apple.com/thread/254931245

iOS Shortcut danger

https://cyberpress.org/unveiling-risks-of-ios-shortcuts/

But anywho, cve.org lists 78 shortcut vulnerabilities across many platforms.

I know you'd like to believe the world we live in shouldn't require permissions for a user to create a shortcut and then access it, but that... Is actually the world we live in, and have been in for a very long time.

Security is hard and it's not getting any easier as system complexity increases.

If you don't believe me, ask your favorite LLM. I asked Gemini and got back what I expected to.

[GeekyBear]

If the user manually creating a shortcut is so dangerous, why did Microsoft remove that permissions prompt when they fixed their terrible initial UAC implementation?