Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 7 Users Warned Over Filename Security Risk

Posted by timothy on from the death's-too-good-for-some-people dept.

nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows. The issue involves the way Windows Explorer displays filenames. In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type. The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"

8 of 613 comments (clear)

  1. Not really news, and a non-issue by lukas84 · · Score: 4, Insightful

    Most people wouldn't change their behaviour even if the did see the file extension.

    Email programs such as Outlook block .exe attachments, and Executables downloaded using IE display a stern warning before execution.

    Changing this wouldn't have helped anyone.

    And associating this with Windows 7 is mostly FUD, jumping on the bandwagon just because you don't like it.

  2. Um by Man+On+Pink+Corner · · Score: 4, Insightful

    Welcome to Windows 95?!

    Filename extensions have been hidden by default for many years now, in all shipping versions of Windows. And they've been making it easy for malware authors to fool users for just as long.

    It was an insanely stupid policy on MS's part, and it borders on negligence that they're still doing it.

  3. Re:Extensions by lukas84 · · Score: 5, Insightful

    You can easily add the Word icon to your malware, and this will fool users easily.

  4. Re:How can this be? by Kadagan+AU · · Score: 5, Insightful

    I see your sarcasm, but honestly this isn't as much of a security flaw in the OS as it is a "feature" in the OS that makes stupid users even stupider. A maliciously named file does nothing on its own, only when a user double-clicks it does it turn bad. Stupid users will break things on any OS.

    --
    This space for rent, inquire within.
  5. kill the filename.extension paradigm by line-bundle · · Score: 5, Insightful

    The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?

  6. Re:Isn't this a dupe? by Hatta · · Score: 5, Insightful

    You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons

    How about we never hide the extension for any reason? If you're worried about clutter, and redundant information on screen, ditch the icons. The extension is all of 3 bytes, and it's far, far easier to read 3 letters than it is to squint at the icon and guess what it's supposed to be.

    --
    Give me Classic Slashdot or give me death!
  7. Re:How can this be? by snowraver1 · · Score: 4, Insightful

    Does no one still get into the tree structure to create their own folders to organize things?

    Or...do most people just put everything in My Documents?

    You forgot option 3: Whereever the default save path is.or option 4: I save my important files in (recycle bin|temp folder|ram drive)

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  8. Re:How can this be? by Vexorian · · Score: 4, Insightful

    It isn't exactly a 'feature' it is a design flaw. Specially because of the whole "double clicking something runs strange program" deal.

    By the way, the security problem is not that much with hiding the extensions (though it is certainly VERY annoying) The real issue comes with the fact that executable files can be anywhere and all that is needed to [a) display an icon determined by the executable and b) being executable by double click] is to just change the extension to .exe , that's rather bad for security.

    A similar misguidance was present in Linux, at least gnome and KDE desktops' support of the .desktop extension, if Linux had more users you can be sure that thing was going to have social engineered the heck of all people into installing rootkits in their systems. That's right, just like windows' .exe non-sense, just the .desktop file extension allowed you to have an icon that [ a)Had a bogus extension/name. b) Had a custom icon, in fact it was easier to use the system's icon for folder or doc file. and c) launched a script with double click. ] I personally was happily surprised to see that after my Jaunty Jackalope update, these .desktop monstrousities finally need an executable permission to work.

    For people noticing how lame these things are in both windows and Linux, I am tagging the story as "suddenoutbreakofcommonsense".

    --

    Copyright infringement is "piracy" in the same way DRM is "consumer rape"