Win 7 RC fails to thwart well-known hacker risk

An almost-ready version of Windows 7 retains a feature from Windows NT which expedites a well-known hacker trick, according to net security experts. Win 7 RC omits a fix for a long-standing security shortcoming in Windows Explorer. As with previous versions of Windows, dating all the way back to Windows NT, the version of …

COMMENTS

This topic is closed for new posts.

Flame

@Greg Fleming

At the same time, there are files that may look similar to each other internally but are actually used very differently practically. Consider that a program trying to inspect a CBZ (Comic Book Archive), an XPI (Firefox extension), and a JAR (Java Archive) could easily mistake each of them for a ZIP. Little surprise--all three are themselves ZIP archives with particular files within them.

How about this for a proposal: Since icons and names can't be trusted (since people may delete exposed extensions AND be suckered by hidden ones--no win here), how about color-coding the name of the program? IIRC, compressed files and folders in XP and up are shown in blue text. How about making all executable programs show up in red text, to indicate that they're executable? Now, even with extensions hidden, they're clearly visible, and the malware can't change the color of the text (since it's not subject to the program itself).

0
0
Anonymous Coward

@Jason Togneri

I did have a slight feeling that the newer Windows OSs might have done that, and that's why I didn't dismiss or confirm it.

Even so, your point (and mine) is still valid... if it automatically highlights only the file name then there is only one reason left to hide it in newer Windows, vanity.

It's bad enough they want us to use "Tiles" where the icon is huge and the file name you can only read the first 10-20 chars... List View FTW!

0
0

Hidden file extensions and super-hidden file extensions

After reading a lot of the comments here, there seem to be many saying just how easy it is to enable the viewing of file extensions. Of course, in doing so, those commenters have shown themselves to be just as ignorant as the idiots they're complaining about. If you don't believe me, then go ahead and go to the folder options and uncheck the option to hide file extensions. Then take a look at your desktop, scratch your head, and wonder why your shortcuts DON'T show the ".lnk" extension (or ".url" extension for Internet links). Then look in your WINDOWS folder, scratch your head, and wonder why the "_default" file doesn't show the ".pif" extension.

There are quite a few extensions that Windows will continue to hide even after you tell it to NOT hide file extensions. The only way to fix that is to add a registry setting for each super-hidden file type you want to show the extension for. There is no global "Yes, I really do want to see ALL file extensions" checkbox.

Using those super-hidden extensions, it would be easy to create a seemingly innocent file which will execute a malicious file, even when you have your system set to view file extensions (for example, by creating a file called "My_picture.jpg.pif" which is a PIF file that loads "delete_c.exe").

0
0
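
The display behaviour described in the comment above, modelled as an added example that is not part of the original thread or any Microsoft code. Only `.lnk`, `.url` and `.pif` come from the comment; the other extension sets, the function names and the simplification that every extension is a registered file type are assumptions made for illustration.

```python
import os

# Extensions the comment says stay hidden even with "hide extensions" unchecked.
SUPER_HIDDEN = {".lnk", ".url", ".pif"}
# Assumption: constructed sample of extensions that run code or launch a target.
LAUNCHES_CODE = {".exe", ".scr", ".com", ".bat", ".cmd"} | SUPER_HIDDEN
# Assumption: constructed sample of harmless-looking decoy extensions.
DECOY = {".jpg", ".png", ".gif", ".txt", ".pdf", ".doc", ".mp3"}


def displayed_name(filename, hide_known_extensions):
    """Simplified model of the name shown in a file listing.

    Assumes every extension is a registered ("known") file type.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() in SUPER_HIDDEN:
        return stem                      # hidden regardless of the setting
    if hide_known_extensions and ext:
        return stem                      # the default setting
    return filename


def audit(filename):
    """Describe how one file name is displayed and whether it is deceptive."""
    stem, ext = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1].lower()
    deceptive = ext.lower() in LAUNCHES_CODE and inner in DECOY
    shown = displayed_name(filename, hide_known_extensions=False)
    return {
        "name": filename,
        "deceptive": deceptive,
        "seen_default": displayed_name(filename, hide_known_extensions=True),
        "seen_with_extensions_on": shown,
        # True when turning extensions on still leaves the real type hidden.
        "still_masked": deceptive and shown != filename,
    }


def flag(names):
    """Return the names a mail filter or file audit should flag."""
    return [n for n in names if audit(n)["deceptive"]]


# Constructed sample listing; the first two names come from the thread.
SAMPLE = ["My_picture.jpg.pif", "picture.jpg.exe", "holiday.jpg",
          "report.final.pdf", "setup.exe"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(audit(name))
```

Matching on the full stored name rather than the displayed one is what lets a filter catch the `.jpg.pif` case that a user with extensions switched on would still miss.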

It IS a Problem

90% or more of my users wouldn't have the faintest clue how to change that setting - no matter how many times they were told or shown. However, they either want to know where their file extensions are or readily agree when I explain the reasons for changing the setting. I have yet to meet a single user who preferred not to see the file extensions.

The Microsoftheads who persist in keeping this setting as the default are idiots - pure and simple.

0
0
Boffin

Re: @ michael

“[Linux] keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user.”

No. Neither permissions nor the creating app have anything to do with this: you can use cat to create a shell script or sed to modify a text file. Or you could use, say, emacs or joe or nano.

“For example: a shell script is just a text file but if I've marked it executable it will run in the shell. But only for ME, It WON'T execute on another login unless it [is] root.”

Wrong again. There's that bit of identification stored at the start of the file: that "#! /bin/sh" line. Also, you've not said that it isn't readable by others; if it is, that's enough to allow a shell run by any of them to interpret it ("sh ~foo/bar.sh"). Execute permission would allow them to do this implicitly, with the kernel running the executable named in the #! line ("~foo/bar.sh").

File type information is determined by content and/or the extension part of the filename. Content takes precedence.

0
0
Linux

Hide or don't hide -

it makes no difference at all. Windows is insecure by design and no amount of fiddling with file extensions is going to fix that. There's only one way to make Windows secure - run something else.

0
0
Thumb Down

Tsk ...

You are all missing the point: the file extension is NOT IMPORTANT.

Any OS that is _still_ fooled by the *.jpg.exe 'trick' is unfit for purpose. END OF. There is no justification for this stupidity continuing.

Reading some of the comments here makes me despair. Anyone who is still discussing this hiding/showing file extensions nonsense is missing the obvious problem. That is, Windows has consistently been fooled by this for years and STILL falls for it. That to me proves this product is an OS unworthy of even being called an OS -- it's a piece of garbage.

Totally, utterly unbelievable anyone can find this remotely acceptable. Far less PAY MONEY for it. It _does_ prove that there is one born every minute. Oh wait: that's Microsoft's actual business model!

0
0
Alien

Just a thought.....

But why allow "double extensions" at all?

You should only be allowed one "." in a filename (although you can have them in a directory name, otherwise "content.IE5" won't work /thud).

You can still have your ".exe_old" or whatever.

Seems pretty simple from where I'm sitting.

0
0

Or...

...they could write the file type under the file name...

Like

VIRUS.TXT

application

etc...

It is a pain in the arse, though - non-nerds will often want to not see .exe as they don't care about extensions, they just want something that looks less confusing. Douchebags.

0
0
Paris Hilton

How SLOW are m$ at learning?????!!!

Can't Microsoft LEARN faster? Or LISTEN more? This has been a problem for years ffs. Give Windoze to Paris to program!!

0
0
Anonymous Coward

@ Mark "What about the Mac?"

Quote: "Mac OS X application bundles hide their contents away from the user to the extent that an entire folder full of who-knows-what is hidden behind an innocuous looking icon.

No complete surprise that El Reg isn't up in arms about this, though, is it?"

You are right, it is no surprise. However, that would be because they aren't complete fucking, ignorant tools like you evidently are:

(1) That "who-knows-what" can't do a damn thing to the system without the express permission of the user because Mac OS X is based on *NIX and it has a cast-iron security model by default that "just works" rather than being the idiotic, piece of shit, doomed to fail at every single point that the Windows "security" model is, and

(2) selecting "Show package contents" will show you everything that is inside an application bundle should you want to look there.

Ergo, there is no security risk here beyond any of the typical Trojan and PEBCAK ones that can't be solved other than by people being clued-up.

In response to all the other Wintards here - Jesus, do you folks have no clue at all about things outside the extent of your twisted Windows world. Here is what happens in other OS'es if you try to add (e.g. if it is hidden by default) or change an extension already there: you get a warning that it might do something unexpected or harmful to your system or the file. Wow, that is so fucking hard to comprehend and implement isn't it! Yet MS still hasn't added something like it to their shitty OS for decades and you twats actively celebrate their complete and utter idiocy.

0
0

Why allow double extensions at all?

I agree with Trevor - I don't see why Microsoft hasn't fixed this years ago by patching to deal explicitly with double file extensions. The exact form of that is another matter (maybe pop up a dialog for those cases when double-clicked, with the non-executable filetype as the default?), but it should be quite separate from showing those file extensions. In a file system assigning file types based on extensions, a file should only have one extension and when there's more than one that should be acknowledged as a problem! End of story.

0
0
Anonymous Coward

@ Quirkafleeg

"There's that bit of identification stored in at the start of the file: that "#! /bin/sh" line."

Not necessary. Make it executable and it still runs. No "#! /bin/sh" directive on the first line is strictly required (though it is common practice). Incidentally, when I then remove the extension .sh from the end of the file name, the script STILL runs fine.

"Also, you've not said that it isn't readable by others; if it is, that's enough to allow a shell run by any of them to interpret it ("sh ~foo/bar.sh"). Execute permission would allow them to do this implicitly, with the kernel running the executable named in the #! line ("~foo/bar.sh")."

Nope. It doesn't. Tried that.

0
0
Anonymous Coward

Erm...

The OS isn't being fooled by 'picture.jpg.exe' - it's an executable, the OS knows it's an executable, and it treats it as an executable. It's the *user* who's being fooled by not seeing the .exe part. Funny thing is, if file extensions are turned off the user wouldn't see the .jpg either were it a real .jpg file, but I digress.

0
0
Anonymous Coward

@ AA Tuesday 12th May 2009 12:24 GMT

Good point. Have a doughnut.

0
0
Paris Hilton

Managed Code

Computers can be weird and strange things, I think that a smaller percentage of people that use computers have the patience and opportunity to learn how to use them as carefully as is required to avoid the dangers of the internet, most people just want to use their computer to do something, they don't want/need to know how it works, or bother with details such as file extensions, these people are not stupid.

The design of the operating systems needs to be improved so that most people can use their computers safely. I don't think that displaying file extensions or not is going to help with that effort, since most people don't know or care about file extensions.

How can the design of the operating system be improved?

If a file comes from the internet and is executable, don't let it execute if it can do something harmful, no warnings or UAC-type questions, just don't execute it.

"something harmful" usually involves writing or reading to certain parts of the hard drive, using code access security, it is possible to determine whether certain types of executable files contain functionality that will write to the hard drive or read certain parts of it

The answer can be found in managed code, if a file is downloaded from the internet and it isn't managed code then by default it should not be allowed to execute, advanced users would be able to enable this at their own risk.

OS X displays a warning if you execute a file that you downloaded from the internet, this is a step in the right direction, but more needs to be done.

0
0
