Windows 7 Users Warned Over Filename Security Risk

nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows. The issue involves the way Windows Explorer displays filenames. In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type. The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"

How can this be?

[Burkin]

How can this possibly be? I thought this was the most secure OS on the planet.

Re:How can this be?

[Kadagan+AU]

I see your sarcasm, but honestly this isn't as much of a security flaw in the OS as it is a "feature" in the OS that makes stupid users even stupider. A maliciously named file does nothing on its own, only when a user double-clicks it does it turn bad. Stupid users will break things on any OS.

Re:How can this be?

[David+Gerard]

Bah. Vista is far superior. Windows 7 is for Mac-wannabes who want to "do" things with their computer, not just admire its AWESOME MIGHT as your CPU fan starts lifting your house into the air.

Re:How can this be?

[commodore64_love]

VISTA is a monument to everything that makes us the country we are!

Fat, slow, and obsessed with superficialities like pretty shiny colors?

umask 224

[ArsonSmith]

it shouldn't be made executable by the default umask though, so when you go to click on it it'll just try to associate an application with the .exe extension.

Bah

[MyLongNickName]

This is a non-issue. With all of the vulnerabilities in applications that think they are a programming interface (like Acrobat), EXE's might actually be safer to open.

Re:Extensions

[lukas84]

You can easily add the Word icon to your malware, and this will fool users easily.

kill the filename.extension paradigm

[line-bundle]

The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?

Re:Isn't this a dupe?

[Hatta]

You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons

How about we never hide the extension for any reason? If you're worried about clutter, and redundant information on screen, ditch the icons. The extension is all of 3 bytes, and it's far, far easier to read 3 letters than it is to squint at the icon and guess what it's supposed to be.

Re:How can this be? sufixication

[andi75]

> Metadata sufficient to render file extensions obsolete would leave us with http://example.com/file, with no way to tell what it contains.

That's where MIME types come in to save you. While it is true that from the URL you can't tell the contents, the moment you do a "GET /file" the server will tell you the mime type (e.g. application/msword), and you can save that information in the file's meta data on your local filesystem (e.g. save it as file.doc).