Windows 7 Security Fail: File Extensions Still Hidden
The release candidate for Windows 7 is now available for download, and techies everywhere are busy kicking the tires on the new operating system. But as the folks over at Finnish anti-virus firm F-Secure observe, Microsoft persists in misleading users on the true nature of file types, by hiding file extensions of known file types in Windows 7.
The default behavior of Windows Explorer in every version of Windows from Windows 2000 through Windows Vista is to represent files using icons, and to hide each file's extension type, such as ".txt" for text files, ".doc" for Microsoft Word files, and so on. But as Security Fix has noted before, this is a usability vs. security decision that Microsoft should have reversed long ago, and it's disheartening to see this behavior persist in Windows 7.
That means that our average Windows user -- when he or she opens up their "My Documents" folder -- doesn't see the ".doc" extensions that accompany Microsoft Word files, or the ".pdf". They just see a bunch of programs represented by tiny icons.
Why is this a big deal? Let's say I'm a virus writer, and the computer worm I want to spam out to the rest of the world is called nice.exe. If I rename that program to "nice.txt.exe," the file will appear to Windows recipients who haven't changed the default settings as "nice.txt."
While tinkering with a file type in Windows can change the appearance of the icon that represents the file in Windows Explorer, attackers also can change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled, as F-Secure notes.
The following screen shot from F-Secure visually explains what's going on here:
This is one of those architectural design issues that Microsoft should have changed long ago, sort of like how Internet Explorer 6 allows Web sites to steal information stored on a visitor's "clipboard," the storage space that serves as a semi-temporary repository for any text the user has recently cut-and-pasted or copied in virtually any Windows program. Microsoft changed this behavior in IE7, making potential clipboard data theft optional, and I suppose it's possible this file types feature will finally be corrected in the final release of Windows 7, but I'm not holding my breath.
May 6, 2009; 12:32 PM ET
Categories: From the Bunker , Safety Tips | Tags: deja vu, f-secure, file types, windows 7
Save & Share: Previous: Safari, Opera Users Lag Behind in Security Updates
Next: ZeusTracker and the Nuclear Option
Posted by: MikeWyman | May 6, 2009 2:07 PM | Report abuse
Posted by: jesseruderman | May 6, 2009 2:40 PM | Report abuse
Posted by: blasher | May 6, 2009 2:58 PM | Report abuse
Posted by: cyberpunk | May 6, 2009 4:33 PM | Report abuse
Posted by: boywaja | May 6, 2009 8:15 PM | Report abuse
Posted by: root | May 7, 2009 4:18 AM | Report abuse
Posted by: cyberpunk | May 7, 2009 12:27 PM | Report abuse
Posted by: williehorton | May 7, 2009 1:07 PM | Report abuse
Posted by: Rixstep | May 9, 2009 9:30 AM | Report abuse
The comments to this entry are closed.