Slashdot Mirror


Windows 7 Users Warned Over Filename Security Risk

nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows. The issue involves the way Windows Explorer displays filenames. In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type. The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"
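The display behaviour described in the summary can be modelled in a few lines. This is an added example, not code from the article or from Windows; the extension sets and the helper names `displayed_name`, `is_disguised` and `audit` are assumptions made for illustration.

```python
import os

# Constructed sample sets for illustration, not Windows' real list of registered types.
EXECUTABLE = {".exe", ".scr", ".bat", ".com"}
DOCUMENT = {".doc", ".txt", ".pdf", ".jpg"}
KNOWN = EXECUTABLE | DOCUMENT


def displayed_name(filename, hide_known=True):
    """Name as listed when extensions of known file types are hidden."""
    stem, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN:
        return stem
    return filename  # unrecognized types keep their extension, as the summary notes


def is_disguised(filename):
    """True if the real extension is executable but the listed name ends in a document one."""
    stem, ext = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1]
    return ext.lower() in EXECUTABLE and inner.lower() in DOCUMENT


def audit(filenames):
    """Return (real name, listed name) for every disguised entry."""
    return [(n, displayed_name(n)) for n in filenames if is_disguised(n)]


if __name__ == "__main__":
    # Constructed directory listing.
    listing = ["partyinvite.doc", "partyinvite.doc.exe", "setup.exe", "notes.xyz"]
    for real, shown in audit(listing):
        print(f"{real!r} is listed as {shown!r}")
```

With extensions shown (`hide_known=False`) the listed name and the real name are identical, which is why the summary recommends changing the default.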

6 of 613 comments

  1. Re:Isn't this a dupe? by tepples · · Score: 3, Interesting

    Now, I'll go make a quick patch and submit the .diff

    I wonder if ReactOS, the project to make a free Windows XP clone, might take it.

  2. How to rename files by tepples · · Score: 3, Interesting

    Users have a tendency to accidentally remove extensions when they're renaming if you don't hide them.

    That's why a good file manager, like the version of Nautilus that comes with Ubuntu Hardy, selects everything before the extension when the user chooses "Rename".

  3. How can this be? sufixication by goombah99 · · Score: 4, Interesting

    How can this possibly be?

    Your question actually has a face value in excess of its sarcasm content. How did we get here?

    I'm stating common knowledge but it's worth reflection since it paints a large picture. In the beginning there was the file and the file was just a marked off stretch of physically contiguous bytes on a tape or drum. It had no internal structure. Having a directory that associated names with file regions was something you had to implement yourself. The filesystems formalized this to having names, hierarchies, and even non-contiguous allocation tables for blocks.

    Since that time every new file system has tried to codify the notion of metadata. And in this land of babble, the only common durable hiding place for meta data has turned out to be the filename itself.

    Look at HFS for example as a valiant effort in defining meta data like "kind" and "creator", and defining different kinds of forks some of which had uniform storage protocols for resource, so that programs other than the creator could inspect and edit them. And boy what a snarl that has perpetually been. While these still exist, Apple has punted and gone to just using file structures and a specially named file (plists) to hold meta data in a quasi XML format.

    And so here we are 30 years later and we're still putting suffixes on our files just like back in the days of DEC and Prime and even before.

    And think about perhaps the biggest failure of the Longhorn Debacle. The promise of a revolutionary new filesystem that put meta data and its inspection first. An entirely relational storage system underneath that only mimicked the hierarchical system for legacy purposes.

    Deleted from Longhorn, promised again for Vista, and then gone. Promised for Windows 7 then gone.

    It's bizarre. Everyone knows what the problem is. HFS was much maligned precisely because it was more complex than suffixes but it's what we really needed back in 1984. And all the others all made so much sense too.

    Why are suffixes so enduring? How can this be?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How can this be? sufixication by coolsnowmen · · Score: 3, Interesting

      My "file" command seems to do a pretty good job. So there are some standards even if they are just because of common practices of using a so-called "magic number" in the file data itself.
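The magic-number approach mentioned in the comment above, as an added example that is not part of the original thread: it compares the type a filename's extension claims with the type its leading bytes indicate. The signature list is a small subset of what `file` knows, and the `EXPECTED` mapping, the sample byte strings and the helper names are assumptions made for illustration.

```python
import os

# Leading-byte signatures ("magic numbers") for a few common formats.
MAGIC = [
    (b"MZ", "pe-executable"),                            # DOS/Windows executable
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy Word .doc container
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Content type each extension is expected to carry (sample mapping, an assumption).
EXPECTED = {".exe": "pe-executable", ".doc": "ole2-document",
            ".pdf": "pdf", ".jpg": "jpeg", ".png": "png"}

# Constructed sample contents: just enough leading bytes to carry a signature.
SAMPLE_PE = b"MZ\x90\x00" + bytes(60)
SAMPLE_OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8)


def sniff(data):
    """Identify content by its leading bytes; two-byte signatures such as MZ can collide."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def check(filename, data):
    """Return (claimed type, actual type, verdict) for one file."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXPECTED.get(ext, "unknown")
    actual = sniff(data)
    if "unknown" in (claimed, actual):
        return claimed, actual, "unverified"
    return claimed, actual, "match" if claimed == actual else "mismatch"


if __name__ == "__main__":
    for name, data in [("partyinvite.doc", SAMPLE_OLE2),
                       ("partyinvite.doc", SAMPLE_PE),
                       ("partyinvite.doc.exe", SAMPLE_PE)]:
        print(name, check(name, data))
```

Note that `partyinvite.doc.exe` with executable content is a "match": its real extension is honest, so a content check complements showing extensions rather than replacing it.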

  4. Re:How can this be? by cayenne8 · · Score: 4, Interesting
    I do the same thing.

    For the life of me, I've never understood why they turn off the extensions by default, and not only that, why do they keep burying the Windows Explorer further and further away? Don't people use that to find files? Start applications?

    Does no one still get into the tree structure to create their own folders to organize things?

    Or...do most people just put everything in My Documents?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  5. Re:How can this be? by dave562 · · Score: 4, Interesting

    Windows Explorer is always in the same place no matter what version of Windows you are using. WindowsKey+E.

    Standard best practice is to put everything in My Documents. My Documents can be redirected to a network file share. The network file share can be backed up. As long as data is stored in My Documents, it is safe. That approach presents a problem when users want to store gigs of music or photos in there, but for a typical workplace environment, it works great. It sure beats the old method of having to manually adjust file storage locations for each individual program.