
Windows 7 Security Fail: File Extensions Still Hidden

The release candidate for Windows 7 is now available for download, and techies everywhere are busy kicking the tires on the new operating system. But as the folks over at Finnish anti-virus firm F-Secure observe, Microsoft persists in misleading users on the true nature of file types, by hiding file extensions of known file types in Windows 7.

The default behavior of Windows Explorer in every version of Windows from Windows 2000 through Windows Vista is to represent files with icons and to hide each file's extension, such as ".txt" for text files, ".doc" for Microsoft Word files, and so on. But as Security Fix has noted before, this is a usability-versus-security trade-off that Microsoft should have reversed long ago, and it's disheartening to see the behavior persist in Windows 7.

That means that our average Windows user -- when he or she opens up the "My Documents" folder -- doesn't see the ".doc" extension on Microsoft Word files or the ".pdf" on Adobe documents. They just see a bunch of files represented by tiny icons.

Why is this a big deal? Let's say I'm a virus writer, and the computer worm I want to spam out to the rest of the world is called nice.exe. If I rename that program to "nice.txt.exe," the file will appear to Windows recipients who haven't changed the default settings as "nice.txt."

Renaming a file changes the icon Windows Explorer uses to represent it, but as F-Secure notes, attackers can also replace the icon embedded inside the executable itself with the icon of a text file or an image, and everybody would be fooled.
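To make the "nice.txt.exe" trick concrete from the defender's side, here is an added PowerShell example (not code from the article or from F-Secure). It models what Explorer displays when "Hide extensions for known file types" is on, flags names whose displayed form ends in a document extension while the real extension is executable, and offers a folder scan built on the same check. The two extension lists are illustrative subsets, not Windows' registered-type table, and the sample file names other than nice.txt.exe are constructed.

```powershell
# Added example, not code from the article or from F-Secure. It models what Explorer
# shows when "Hide extensions for known file types" is on and flags names that exploit
# that, such as the article's nice.txt.exe. The extension lists are illustrative subsets.

# Extensions Windows runs directly on double-click (illustrative subset).
$ExecutableExtensions = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js')

# Extensions users read as documents or pictures (illustrative subset).
$DocumentExtensions = @('.txt', '.doc', '.docx', '.pdf', '.ppt', '.pptx', '.xls', '.jpg', '.png')

function Get-ExplorerDisplayName {
    # With HideFileExt=1 Explorer drops the last extension when the type is registered;
    # here "registered" is approximated by membership in the two lists above.
    param([Parameter(Mandatory)][string]$FileName)
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if (($ExecutableExtensions -contains $ext) -or ($DocumentExtensions -contains $ext)) {
        return [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    }
    return $FileName
}

function Test-DeceptiveFileName {
    # True when the real extension is executable but the displayed name ends in a
    # document extension, i.e. the user would see "nice.txt" for "nice.txt.exe".
    param([Parameter(Mandatory)][string]$FileName)
    $realExt = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if ($ExecutableExtensions -notcontains $realExt) { return $false }
    $shown = Get-ExplorerDisplayName -FileName $FileName
    $shownExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()
    return ($DocumentExtensions -contains $shownExt)
}

function Find-DeceptiveFiles {
    # Scan a folder (a removable drive, a download directory) for such names.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-DeceptiveFileName -FileName $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample names; only nice.txt.exe comes from the article.
$samples = @('nice.txt.exe', 'report.pdf', 'Q2 results.xls.scr', 'setup.exe', 'holiday.jpg')

$samples | ForEach-Object {
    [pscustomobject]@{
        FileName  = $_
        Explorer  = Get-ExplorerDisplayName -FileName $_
        Deceptive = Test-DeceptiveFileName -FileName $_
    }
} | Format-Table -AutoSize
```

Run as written, the table marks nice.txt.exe and "Q2 results.xls.scr" as deceptive and leaves setup.exe alone, since a user who sees a bare "setup" is not being shown a document. `Find-DeceptiveFiles -Path E:\` applies the same test to a real folder; the check is intentionally name-based, so an executable whose icon has been swapped but whose name is honest is out of its scope, which is exactly the gap the article's icon point describes.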

The following screen shot from F-Secure visually explains what's going on here: [screenshot not reproduced in this copy]

This is one of those architectural design issues that Microsoft should have changed long ago. It is a bit like the way Internet Explorer 6 allows Web sites to steal information stored on a visitor's "clipboard," the storage space that serves as a semi-temporary repository for any text the user has recently cut, copied or pasted in virtually any Windows program. Microsoft changed that behavior in IE7, making clipboard access something the user must allow. I suppose it's possible this file-type feature will finally be corrected in the final release of Windows 7, but I'm not holding my breath.

By Brian Krebs  |  May 6, 2009; 12:32 PM ET
Categories:  From the Bunker , Safety Tips  | Tags: deja vu, f-secure, file types, windows 7  


Man, do I hate this "usability" feature. From the perspective of a professional programmer, it renders Windows very much "unusable". Hidden extensions, files and folders are one of the first things I have to change on any new Windows box.

Posted by: MikeWyman | May 6, 2009 2:07 PM | Report abuse

File extensions are a poor way for an OS to indicate the difference between applications and data. They're fairly opaque 3-character strings, so users have to memorize either a list of safe extensions or a list of unsafe extensions. Filenames are usually left-aligned, so extensions aren't aligned, making it difficult to scan a list to verify all files are of the same kind.

The Type column ("Kind" on Mac) does a better job, but it's only visible in certain modes.

IMO, the real problem is that a single action, double-clicking an icon, both opens files and launches applications. Instead of indicating that performing the same action will have a different effect (and hoping users notice), it would be better to use a different action for launching applications. It could be something as simple as dragging it to the Applications folder before double-clicking, or dragging it to the Dock and then single-clicking.

Posted by: jesseruderman | May 6, 2009 2:40 PM | Report abuse

Does anybody want to comment on the file icons? That, to me, was one of the WORST ideas that MS had. I like to see filenames, extensions, and the date information without eating up most of the display with icons. You can get two icons where you can fit 5 or 6 file names.

Posted by: blasher | May 6, 2009 2:58 PM | Report abuse

This is not a "security fail". You shouldn't be using the filename to make security decisions.

Also note that the "Type" column shows that this file is an executable - so even though the name may be misleading, a user can see it's a program and decide to not open it.

Now, in terms of using this to attack people - this would require dropping a malicious file on the user's drive (or getting them to connect to a share the attacker controls). Then they'd have to do some social engineering to get the user to open the file...

If they can drop files on the user's machine, they don't need to use this lame approach to get it to run - they probably are able to execute it already, or get it to run on startup.

Posted by: cyberpunk | May 6, 2009 4:33 PM | Report abuse

I thought George Ou addressed this rather well.

To me this sounds like another vendor trying to get press.

Posted by: boywaja | May 6, 2009 8:15 PM | Report abuse

> in terms of using this to attack people
> this would require dropping a malicious
> file on the user's drive

Cyberpunk: this technique is typically used by USB malware. They drop tempting filenames to thumb drives and people click them open when they think they are opening a presentation or a document.



Posted by: root | May 7, 2009 4:18 AM | Report abuse

OK, if that is the attack vector, then I don't see how showing the true file extension will prevent people getting owned.

The malware author can just create something like
with the executable's icon set to PowerPoint's icon.

A non-technical user is going to see the icon and think it's a PPT file, and open it. A technical user will see the Type=Application, and *not* open it.

Posted by: cyberpunk | May 7, 2009 12:27 PM | Report abuse

I designed the Windows XP images that still run tens of thousands of computers at several corporations. For each image design, I changed this setting (in the 'Default User' profile) to show file extensions.
Most of the clients went along with the change peacefully. When one company balked, I spent an hour convincing them... it was time well spent.

Posted by: williehorton | May 7, 2009 1:07 PM | Report abuse
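The setting the commenter above changed in the Default User profile is Explorer's HideFileExt registry value. The PowerShell below is an added example, not the commenter's own tooling: it reads and sets the value for the current user, and optionally loads the Default User hive so that newly created accounts inherit the change. The NTUSER.DAT path is the Vista and Windows 7 default location and is an assumption (on XP the default profile lives under "Documents and Settings\Default User"); the hive-loading function needs an elevated prompt.

```powershell
# Added example, not the commenter's own tooling. It reads and sets Explorer's
# HideFileExt value (1 = hide known extensions, the default; 0 = show them) for the
# current user, and optionally for the Default User profile so new accounts inherit it.
$AdvancedSubKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # Returns 1, 0, or $null when the value has never been written under this hive.
    param([string]$Hive = 'HKCU:')
    $keyPath = "$Hive\$AdvancedSubKey"
    $item = Get-ItemProperty -Path $keyPath -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.HideFileExt
}

function Set-ShowFileExtensions {
    # Writes HideFileExt=0. Explorer applies it at next logon or when explorer.exe restarts.
    param([string]$Hive = 'HKCU:')
    $keyPath = "$Hive\$AdvancedSubKey"
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name HideFileExt -Value 0 -Type DWord
}

function Set-ShowFileExtensionsForDefaultProfile {
    # Loads the Default User hive (requires an elevated prompt and no other open handle
    # on the file), sets the value, then unloads it. The path is an assumed Vista/7
    # default; pass the XP location explicitly on older images.
    param([string]$DefaultHive = "$env:SystemDrive\Users\Default\NTUSER.DAT")
    reg.exe load 'HKU\DefaultUserHive' $DefaultHive | Out-Null
    try {
        Set-ShowFileExtensions -Hive 'Registry::HKEY_USERS\DefaultUserHive'
    }
    finally {
        # Release PowerShell's registry handles first, or reg.exe unload reports access denied.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        reg.exe unload 'HKU\DefaultUserHive' | Out-Null
    }
}

"Current user HideFileExt before: $(Get-HideFileExtSetting)"
Set-ShowFileExtensions
"Current user HideFileExt after:  $(Get-HideFileExtSetting)"
```

For a fleet, the same value is usually pushed with Group Policy Preferences or a logon script rather than by editing images by hand; the registry location is the same in either case, and `Get-HideFileExtSetting` gives a quick way to audit whether a machine still carries the default.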

OMG WTF LOL - this is the exact 'weakness' that got the 'ILOVEYOU' Love Bug going nine years ago. For some it takes a long time to learn. Try sitting around in a programming class as the delegates try to figure out which file is the workspace, the project, the resource file, the icon, and so forth.

Posted by: Rixstep | May 9, 2009 9:30 AM | Report abuse


© 2010 The Washington Post Company