Slashdot Mirror
Windows 7 Users Warned Over Filename Security Risk
nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows.
The issue involves the way Windows Explorer displays filenames.
In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type.
The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"
or any of the others that make you jump through hoops to get at something.
1. Partial menus (Office)
2. The Search Dog (Windows XP)
3. I don't what else but the way they have features turned off and on makes no sense at all.
The I'm done sig.
Most people wouldn't change their behaviour even if the did see the file extension.
Email programs such as Outlook block .exe attachments, and Executables downloaded using IE display a stern warning before execution.
Changing this wouldn't have helped anyone.
And associating this with Windows 7 is mostly FUD, jumping on the bandwagon just because you don't like it.
Welcome to Windows 95?!
Filename extensions have been hidden by default for many years now, in all shipping versions of Windows. And they've been making it easy for malware authors to fool users for just as long.
It was an insanely stupid policy on MS's part, and it borders on negligence that they're still doing it.
You can easily add the Word icon to your malware, and this will fool users easily.
I see your sarcasm, but honestly this isn't as much of a security flaw in the OS as it is a "feature" in the OS that makes stupid users even stupider. A maliciously named file does nothing on its own, only when a user double-clicks it does it turn bad. Stupid users will break things on any OS.
This space for rent, inquire within.
The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?
ONE SHOULD NEVER SEE A FILE ENTITLED "partyinvite.doc",
That is true. However, an .exe can have it's own icon embedded in the file, so one could name it partyinvite.exe and give it the icon from a Word doc, and Joe Schmoe would have no clue. In fact, a lot of people would miss that.
Plus both have lower total cost of ownership.
[citation needed]
Seriously. It's not like I paid for my A/V software. It's not like I run scans when I'm using the system, so my work isn't being slowed.
Then, vs. just OSX, the hardware's cheaper, you can upgrade it and futureproof it, so you don't need to buy an entirely new $1.5k machine, and software's same price or cheaper, with more options. And as for security, may I point you to the Mac-only botnet that was recently discovered due to pirated copies of iLife, or iWork, or whatever it was? Stupid people will fuck up any system you give them, regardless of OS. Windows is not inherently superior or inferior, it's just the one that does what I need.
Canada: The US's more awesome sibling.
You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons
How about we never hide the extension for any reason? If you're worried about clutter, and redundant information on screen, ditch the icons. The extension is all of 3 bytes, and it's far, far easier to read 3 letters than it is to squint at the icon and guess what it's supposed to be.
Give me Classic Slashdot or give me death!
Then this is the time to make a big fuss about it: so that it will be fixed for Win7.
http://rocknerd.co.uk
Why are suffixes so enduring?
Because the human using the computer wants a quick way to determine what the file most likely contains.
My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
It doesn't seem to me that line-bundle was particularly blaming Bill Gates, Windows, or Microsoft. Using extensions in filename as the identifier of file-type is a common and long-standing practice, but it's also problematic.
Does no one still get into the tree structure to create their own folders to organize things?
Or...do most people just put everything in My Documents?
You forgot option 3: Whereever the default save path is.or option 4: I save my important files in (recycle bin|temp folder|ram drive)
Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
Too bad users don't read dialog boxes
This has got to be one of the dumber anti-Windows trolls presented as news I've seen in a while. An evil hacker could also put a post-it note on an idiot's computer telling them to type "FORMAT C:" at a command prompt. People too dumb to recognize icons or use AV software just shouldn't be using computers.
That all said, I've always thought that extension hiding default was one of the more annoying things I have to kill every time I install Windoze. Seems like Redmond just keeps dumbing down the interface, forcing me to work harder at getting the details I need.
Ask me about my sig!
It isn't exactly a 'feature' it is a design flaw. Specially because of the whole "double clicking something runs strange program" deal.
By the way, the security problem is not that much with hiding the extensions (though it is certainly VERY annoying) The real issue comes with the fact that executable files can be anywhere and all that is needed to [a) display an icon determined by the executable and b) being executable by double click] is to just change the extension to .exe , that's rather bad for security.
A similar misguidance was present in Linux, at least gnome and KDE desktops' support of the .desktop extension, if Linux had more users you can be sure that thing was going to have social engineered the heck of all people into installing rootkits in their systems. That's right, just like windows' .exe non-sense, just the .desktop file extension allowed you to have an icon that [ a)Had a bogus extension/name. b) Had a custom icon, in fact it was easier to use the system's icon for folder or doc file. and c) launched a script with double click. ] I personally was happily surprised to see that after my Jaunty Jackalope update, these .desktop monstrousities finally need an executable permission to work.
For people noticing how lame these things are in both windows and Linux, I am tagging the story as "suddenoutbreakofcommonsense".
Copyright infringement is "piracy" in the same way DRM is "consumer rape"