Win 7 RC fails to thwart well-known hacker risk

An almost-ready version of Windows 7 retains a feature from Windows NT which expedites a well-known hacker trick, according to net security experts. Win 7 RC omits a fix for a long-standing security shortcoming in Windows Explorer. As with previous versions of Windows, dating all the way back to Windows NT, the version of …

COMMENTS

  1. Anonymous Coward
    Thumb Down

    Oh FFS...

    ...surely they should have stamped on this one by now. It's always on my list of "things I have to do when I install windows to stop it sucking quite so much". It's purely cosmetic, and what's more, it makes it a pain in the a*se to change a file's extension in explorer.

    Seriously, I hope they get rid of this "feature" before 7 proper comes out.

    (As an aside, Windows "7" appears actually to be Windows NT 6.1... what's going on there?)

  2. Anonymous Coward
    Anonymous Coward

    errr..

    kinda a non story, you only have to go into the settings for explorer and change the setting back. IF they had set it as default to show extensions then the average user would be confused because they are not used to seeing extensions!

    Hardly newsworthy but I guess the internet anti MS group need something to bash on windows 7 for, clutching at straws if this is all they come up with.

  3. Brian Whittle

    why

    I never understood why Microsoft insist on this.

    I thought though would the total numnuts who have PCs (but shouldn't) realise not to click on stuff if it had a .exe extension ?

    I am not saying you are a numnut if you buy a Windows PC but some people are clueless

  4. Ash
    Thumb Down

    Non story

    The alternative side is when extensions are shown in file names, people DELETE them when renaming files "because they looked untidy" or "because that's not the name I wanted to call it" and they screw something up, or "lose their work" and cause headaches.

    Keep extensions hidden.

    @Christopher; Windows NT 6.1 is the kernel revision. NT5 was windows 2000, 5.1 was XP, 6 was Vista, 6.1 is Win7. The underlying system is from Win Vista is all it means.

  5. Chris Dickens

    Why not...

    If they like the feature so much, why not just always display the extension on executables or, even better, add an overlay icon (like the shortcut arrow) to all executables.

    Since few people actually ever see the .exe (only the shortcut) that would make it very obvious it's an executable and make it impossible to disguise it.

    Perhaps I should patent that idea....

  6. Stuart Clark

    Non story

    Very much a non-story. Yes, of course virus writers can "exploit" this "bug", but in fact it's a feature created to make things prettier for users.

    And the feature doesn't date from NT - it dates from Windows 95!

  7. D@v3
    Thumb Down

    just for the record

    The AutoPlay has not been disabled by default. I am sitting here with Win7 in front of me, I plug in a Kingston USB drive, and up pops the AutoPlay window.

  8. Anonymous Coward
    Anonymous Coward

    @errr...

    It's the common user that doesn't know to turn extensions on, that would more likely get tricked by it.

    And users will always be confused about it if they never get the chance to learn. Look at other applications/OSs that only highlight the filename portion of the file whenever you click rename/F2 etc...

  9. Tony Hoyle

    @AC

    That's the point. The average user will not know how to change the settings, and will click on anything that looks like a jpeg - exactly the problem described.

    To say they're not used to seeing extensions is bunkum - they turn up in all sorts of places (the web for example, and emails) and people are quite happy with them. Hiding them in explorer never made any sense... if MS really want secure by default they should apply it consistently.

  10. Alex
    Thumb Down

    How do MS win?

    This seems a bit of a non-story and a non-issue - While security firms may like to take a jab at MS over this insecurity that isn't an insecurity, if Explorer did show filetypes by default, the same Joe Home User that would get stung by virus.jpg.exe with filetypes hidden is the same type of user who will try to convert all his music to mp3 by renaming bobdylan.wav to bobdylan.mp3 then wonder why it doesn't work any more, or won't know the extension is needed in the first place and shorten reallyimportantfinances.doc to finances then find he has no functioning finances document any more, despite the warning given when you try to rename a file and change its extension.

    As far as I'm concerned the "problem" is 6 of one and half a dozen of the other, so why not have it default to the one that's nicer looking for the large majority of MS's customers who don't know *or care* about file extension types.

  11. abigsmurf

    Wow...

    You're really stretching for this one.

    This 'bug' is in place because it's what users want. There's no real way to defend against user stupidity. Pretty much every program known to man will warn you when downloading an executable, they'll definitely warn you if you try and open a download.

    That aside, it takes what, 10 seconds to unhide extensions?

  12. Anonymous Coward
    Anonymous Coward

    @errr

    Man you're dumb.

    Normal users don't change it back because they don't know about it, it's a steadfast vx social engineering move. It's classic, and it's used successfully time and time and time again.

    It's pure stupidity that an option to obscure the extension in the first place exists.

  13. Anonymous Coward
    Anonymous Coward

    @AC 10:35 errr..

    I think the article writer has a very valid point. It may be blindingly obvious to the likes of you and me what a file's extension really is, but it's not to the average home user (whose PCs are the target of malware and botnet software most of the time). Most of these users won't even know that they can turn off this feature, never mind know how.

    It should matter a lot that it is precisely this feature that enables the spread of a fair percentage of malware and viruses and that Microsoft still choose to have it activated by default.

    Besides all that, it's my opinion that it really doesn't bring any benefit to the end user anyway, which is why nearly all people who know how to, turn it off.

  14. nicolas
    Dead Vulture

    autoplay disabled ??

    well, I installed the RC yesterday and autoplay was checked by default for ALL types...

    Maybe they meant to do that, but it was not done...

    Check for yourself !

  15. Scott Broukell
    Stop

    windowze for lazy fu**ers

    that's what you get with an OS written for a mass user-base of lazy tards who haven't a clue what the f**k is going on when they click hither and thither. The spread of malware is proliferated by the "home user" group who take the cheap arse machine out of the box, plug it into everything it will plug into and leave it switched on / connected without a care in the world.

    Microsoft would lose profit if each user had to pass a competence test. So they prefer to sell the bells and whistles medja experience to the masses and let the vxer's crack on with lifting info and hosting bots etc. - so long as those holiday snaps show up when you visit "My Pictures" nobody gives a sh*t. It's all about laziness - let us do the things you want (don't understand) for you with magical clicks and jolly animated icons, it must be good :-)

    Now then, where does the responsibility lie, with the producer or the user, ....mmmmm

  16. David Gosnell

    Re: errr..

    Would the average user likely to fall for such trickery know about such settings? This is preaching to the converted.

  17. George

    I agree, not newsworthy

    And it even says that it is more social engineering than anything. For a start the virus should be picked up by a virus scanner not by the user with a different extensions.

    MS do a lot wrong but I would say the amount of users now worried about their AV software has shot whereas even around 1 year ago people would use PCs for months without AV.

  18. Antoinette Lacroix

    On the other hand

    Do you really think it'd make a difference to the so called "average user" if he sees extensions by default ? Most of them don't even know what an executable is.

  19. Daniel Bennett
    Stop

    Overhype about nothing!

    Seriously, it's not a problem at all and can easily be fixed by going into a folder, press ALT to show the menu bar, click tools - folder options and untick the "Show known extensions" bit... taadaaaa!

    I admit that by default they should have this unticked... But it's not a massive problem as people make it out to be :/

    If you try to open a .jpg.exe and you find it's opening a dos prompt or something rather than your default image viewing program then you need a slap :/

  20. Matt
    Jobs Halo

    Not just Windows though...

    OS X lets you disguise files as other types, and even lets you change the icon in the Finder. It's not a big issue though, because it's a decent, permissions-based OS. So if Joe Bloggs inadvertently executes a malicious, nothing untoward will happen unless he supplies an admin username and password. And if he DOES unwittingly enter credentials just to open a .jpg without raising an eyebrow, he deserves all he gets...

    The real question is whether Win7 will allow the malware to run without throwing up a UAC prompt, and just grant it full permissions to do what the hell it likes in C:\Windows\...

  21. Anonymous Coward
    Anonymous Coward

    well..

    .. nice to see el reg falling into the daily mail trap, with a nice headline of "MASSSIVE SECURITY FLAW" when in actuality, it's a setting, one that won't stop users double clicking on any old trash they got via emails if it was set to show extensions in the first place.

    Also one of the posts above had it in one, people do stupid things like delete extensions if they see them and they are not used to it, to make the file name better!

    Non-story overhyped, el reg is now part of the generic mass media :(

  22. Anonymous Coward
    Anonymous Coward

    Ash is right...

    "Do you really think it'd make a difference to the so called "average user" if he sees extensions by default ? Most of them don't even know what an executable is."

    Yes it would make a difference because, as mentioned above, people would delete the extensions when renaming files, then cry when they "don't work" any more.

    Remember, the average user needs their PC to be as complicated as their toaster, or they panic. File extensions, or files not opening when double clicked, scare them. Simple as.

    Me, I'm all for making people learn how to use a PC before employing them, but then, I'm biased, right?

  23. Wize

    I want my extensions shown

    The idiot users who delete them because they don't like the look will have to learn, like everyone else has done till now, not to change the extension.

    I get trouble from users who have several files in the one directory with the same name and they don't know what one to run (setup.exe, setup.ini, etc)

  24. Jason Togneri
    Boffin

    @ Simon

    "And users will always be confused about it if they never get the chance to learn. Look at other applications/OSs that only highlight the filename portion of the file whenever you click rename/F2 etc..."

    Umm... well, at least Vista (and I assume Win7) do this by default nowadays.

  25. Anonymous Coward
    Anonymous Coward

    I need a new office chair...

    "It is possible that Microsoft will thwart this particular social engineering trick, once the full version of the software becomes available in late October"

    Oh I laughed, I laughed so hard a little bit of wee came out. I do hope you typed that with tongue in cheek! If they genuinely cared that would have been quite high on the list of things to fix given how exploited it was last year.

  26. Paul Solecki

    Rear first....

    @D@v3 yeah but if you read what has actually happened, you can't create tasks in the Autoplay popup for USB devices. Nowhere does it say it's disabled.

  27. Stuart Castle Silver badge

    Extensions or not.

    "The alternative side is when extensions are shown in file names, people DELETE them when renaming files "because they looked untidy" or "because that's not the name I wanted to call it" and they screw something up, or "lose their work" and cause headaches.

    Keep extensions hidden."

    Ash, why would Windows users have problems with extensions, when users of other OSes (say, OSX) don't? If they don't know enough about computer user to know that extensions are a necessary part of the file name, then they may also be more likely to double click on a random file that turns out to be a virus.

    I say that Microsoft needs to do three things.

    1) SHOW extensions by default.

    2) Change autorun so it operates in the same way as OSX (Audio CDs and DVDs cause the relevant applications to start, but other disks do nothing)

    3) Start to move away from the idea of file extensions. Use a code in the actual file itself to denote format.

  28. Anonymous Coward
    Thumb Down

    Surely ...

    The problem is that Windows is an OS that relies on file extensions in the first place? The extension should not dictate the filetype to the OS unless in a fall-back situation where there are no registered applications for that file type?

    Linux "knows", for example, that this jpg I have on my desktop is in fact a jpg and offers to open it appropriately even though it has no file extension. Sticking a meaningless .exe (or any other dumb thing) on the end won't fool it into thinking it must be an executable and waste its time trying to run it.

    The problem is Windows, its file system and its reliance on the brain-dead file extension method of telling the OS what a file is meant to be. This PROVES that Windows is the same old crap under the hood that it has always been. A mediocre desktop OS entirely unsuited to the modern networked world. How much would it really take to revise and fix this behaviour? ITS LAZY.

    Just Dumb, dumb dumb ...

  29. Dave Morfee

    Autoplay....

    I think you will find the window that pops up will ask what you want to do with it, but it will no longer have the option to run the exe file in that list

    Just the usual ones of exploring etc

  30. michael
    Stop

    @Greg Fleming

    all linux does is hide the file extension in the file header rather than in the open and when the dos operating system was first developed anybody who could get to see the file extensions knew what they meant. if linux was as popular as windows I am sure there would be similar problems with its way of doing this as we find with dos/windows

  31. Anonymous Coward
    Flame

    @ash

    go the Gnome way then - if you edit the file, by default you don't change the extension and you get warned when you do the latter (windows does the 2nd part already).

    Or go the unix/mac way and work out what sort of file it is by the content, not some poxy extension.

    Or simply educate people. it's hardly rocket science.

  32. Anonymous Coward
    Anonymous Coward

    haha

    "A mediocre desktop OS entirely unsuited to the modern networked world. How much would it really take to revise and fix this behaviour? ITS LAZY."

    it's BACKWARDS COMPATIBLE, something that is actually important to MS's end users. It would take a lot to fix it and make everything still work with the old software.

    "Ash, why would Windows users have problems with extensions, when users of other OSes (say, OSX) don't?"

    I bet some OSX users do, but the percentage of non IT techy people on the other OS'es is a hell of a lot lower than on windows.

    "The idiot users who delete them because they don't like the look will have to learn, like everyone else has done till now, not to change the extension."

    the idiot users are your clients, the same ones who will complain to you and cost you money when something breaks, also likely to go moaning on a forum somewhere to generate bad publicity when idiot ms haters find it much like the fact that autorun still pops up is being used by ms haters, as they forget that fact that the trick in question is actually closed because you can't create your own tasks in there!

  33. Anonymous Coward
    Joke

    Math how many times

    NT 6.1 = 6+1= Win 7 simple math me boyos!!

  34. Anonymous Coward
    Thumb Down

    lets just ban/cull stupid people

    theyre the greatest security risk right? no point blaming the tools!

  35. The Reg-ular
    Thumb Down

    I've discovered a vulnerability affecting millions of PCs!

    Local power button denial-of-service exploit makes OS and all apps non-responsive with single press!

  36. Antti Roppola

    Magic and permissions

    @Greg this is indeed a fundamental shortfall. The method works by fingerprinting characteristics of particular file types, is called "Magic" and is an open standard, I can only guess that the issue is "not invented here" and backwards (in this case very backwards) compatibility.

    With magic and permissions, users would have to go out of their way to run a disguised executable. They can also call their files whatever they like.

  37. Anonymous Coward
    Anonymous Coward

    @ michael

    "all linux does is hide the file extension in the file header rather than in the open and when the dos operating system was first developed anybody who could get to see the file extensions knew what they meant. if linux was as popular as windows I am sure there would be similar problems with its way of doing this as we find with dos/windows"

    Errrrr .... nooooooo. It does not. It keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user. For example: a shell script is just a text file but if I've marked it executable it will run in the shell. But only for ME, It WON'T execute on another login unless it has root. Such concepts simply DO NOT exist in Windows.

    If an OS had to parse the file header of every file it looked at it would run slower than molasses in January. Consider also that file headers are not consistent: they can vary enormously depending on the application that wrote them. This is particularly true of graphics files.

    The OS does NOT parse/interfere with the content of files in order to determine file type (that's what Viruses and Worms do). Only applications open and close files.

    I suggest you go away and learn how OS's and file systems actually work.

  38. Anonymous Coward
    Anonymous Coward

    @ @ash (12:27) and Greg Flemming

    And how do you think Linux and Macs work out what application to use to open a file?

    Do you really think that linux looks at the content of the file and "decides" that the hex looks like a jpeg. No, it looks at a portion of the file header that says this is a jpeg file, and then opens it using the application that is registered to open jpegs, which is essentially exactly the same way that windows works only with Windows the extensions are more visible.

    For once, I see that although linux users often take the high ground when it comes to technical understanding of their chosen OS, easy to use linux distros promote a lack of understanding in its user base.

    Maybe Linux is ready for the mass market after all.

  39. TeeCee Gold badge
    Thumb Down

    @Greg Fleming

    "If an OS had to parse the file header of every file it looked at it would run slower than molasses in January."

    Crikey! I'm so glad my A/V suite doesn't scan the entire contents of everything I write to disk looking for known or similar to known byte sequences according to a heuristic detection algorithm, recursing archives as necessary. My machine would be waaaay too slow to be usable then.

    Oh, wait. It does and it isn't.........

  40. Kevin

    @Ash

    Agree with you 100%

    I've heard multiple times when I worked on someone's PC and enable the extensions so I could locate their virus and forget to re-disable them. "Why did you rename all my files to something with a .txt or .exe and why don't my files open anymore that I removed them?" So in this case it's better off disabled than enabled because just seeing something.jpg.exe won't stop them from clicking and opening it to try and see what's inside if they were told it's a picture.

    So this is 100% non-issue.

  41. michael
    Thumb Up

    @Greg Fleming

    ok sorry I misphrased what I was saying

    "Errrrr .... nooooooo. It does not. It keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user."

    so a file is created and flagged as a file type (for this instance a jpg) how is that different than a file extension (as used in their original system NOT as used in windows) except that it is a hidden flag not a visible extension I am sure if linux was AS widely used as windows there would be tricks to get round this type of thing

  42. Anonymous Coward
    Anonymous Coward

    @ michael

    OK ... Magic Numbers. Last resort to the OS if the file type flag is not set. See the "file" utility in UNIX/Linux.

    The file extension is and should be purely an optional (and arbitrary) inclusion, not a bold instruction to the OS to take it at face value.

    You would find it easy to change a file extension but not the binary MN.

    None of this is difficult. It's been around since 1973. There's NO excuse for Windows to keep f*****g up like it does. None at all. It's a poorly implemented desktop OS with delusions of grandeur.

  43. Anonymous Coward
    Flame

    If one of the glorified mechanics

    If one of the glorified mechanics (sorry, knowledgeable computer specialists) who have plastered their considered opinions all over this page could tell me why my 85 year old uncle, who has just moved into a nursing home and been given a computer (a laptop) for the first time in his life, so he can "keep in touch" with the world should have to know what a "jpg" is, never mind what an executable is, I WOULD BE VERY GRATEFUL.

  44. Anonymous Coward
    Linux

    People are stupid.

    There are numerous times when I have to explain to people. That running EXE (Or its various other executable file types) is bad. If you don't know what it is. They still insist though that they got infected by the downloaded file. Not the one they executed.......

    M$ only fix stuff when there's a botnet infecting millions of PC's with it.

  45. Anonymous Coward
    Stop

    There is quite a simple solution

    This is such a simple solution I'm surprised no-one has thought of it before.

    Keep file extensions hidden, so that the numbnuts who rename them without the extension don't rename them, instead, if a file is MyFile.jpg.exe (it has more than 1 dot in the file name) it will show the whole file name (and perhaps the .exe part can be slightly faded, to show it's normally hidden, in a similar way to hidden folders are greyed out when set to 'view hidden folders')

    Few people, if any, use dot notation outside of executable programme names (for patch installers for example) and anyone naming .exes (or using dot notation for other uses) is most likely someone who knows not to mess with file extensions.
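
Added example (not part of any comment in this thread, and not code from the article or from Microsoft): a Python sketch of the two checks discussed above, flagging names whose final extension is launchable while the part left visible looks like a document, and comparing a file's leading "magic" bytes with its extension. The extension lists, the signature table and the sample files are assumptions constructed for this illustration.

```python
import os

# Assumed lists for this example; extend them for your own environment.
LAUNCHABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf", ".mp3"}

# Leading-byte signatures ("magic numbers") for a few common formats.
# ZIP-based containers (JAR, XPI, CBZ) all report as "zip", which is why
# content sniffing alone cannot tell how a file is meant to be used.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What content each extension is expected to carry.
EXPECTED = {
    ".exe": "pe-executable", ".scr": "pe-executable",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".gif": "gif", ".pdf": "pdf", ".zip": "zip",
}


def sniff(head):
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    for signature, kind in MAGIC:
        if head.startswith(signature):
            return kind
    return "unknown"


def displayed_name(filename):
    """Name a user sees when the final extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def assess(filename, head):
    """Return a list of findings for one file name and its leading bytes."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]

    # holiday.jpg.exe: launchable for real, but displays as holiday.jpg.
    if ext in LAUNCHABLE and inner_ext in DECOY:
        findings.append("double-extension")

    # Extension promises one format, the content is recognisably another.
    kind = sniff(head)
    expected = EXPECTED.get(ext)
    if expected and kind != "unknown" and kind != expected:
        findings.append("content-mismatch")
    return findings


# Constructed sample data: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg.exe", b"MZ\x90\x00"),
    ("My_picture.jpg.pif", b"\x00\x00"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),
    ("photo.jpg", b"MZ\x90\x00"),
    ("setup.exe", b"MZ\x90\x00"),
    ("report.v2.doc", b"\xd0\xcf\x11\xe0"),
]


def scan(samples):
    """Map each sample file name to its findings."""
    return {name: assess(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        shown = displayed_name(name)
        print(f"{name!r:24} shown as {shown!r:18} {findings or 'ok'}")
```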

  46. sage
    Joke

    hide it all

    Why stop at just the file extension? Text is ugly. It should only show the icon. Instead of just having to guess what filetype it is, having to guess which file is which would be so much more exciting!

  47. Ken Hagan Gold badge

    @TeeCee

    "I'm so glad my A/V suite doesn't scan the entire contents of everything I write to disk ... My machine would be waaaay too slow to be usable then. Oh, wait. It does and it isn't........."

    From which I can conclude one of three things. Firstly, perhaps your AV software is configured to scan rather less than you thought. Secondly, you've never actually compared the speed of your machine with and without AV enabled. Thirdly, you don't use your machine for much more than email, music and surfing.

    Full blown AV checking is a massive hit. (A full drive scan, for example, is not a fast operation.) Something reasonably intensive, like unpacking MSIs and installing software, takes several times longer if AV software is enabled. That's "times", not "percent".

  48. Mark
    Flame

    What about the Mac?

    Mac OS X application bundles hide their contents away from the user to the extent that an entire folder full of who-knows-what is hidden behind an innocuous looking icon.

    No complete surprise that El Reg isn't up in arms about this, though, is it?

  49. Anonymous Coward
    Anonymous Coward

    Confusion

    This is one of those features that users think is making things easier for them, but is actually keeping them from ever knowing anything. Consequently they get confused and turn again to those nice features that make everything simpler. The cycle continues.

    Hiding the real filename DOES NOT make anyone's life easier.

  50. kevin biswas
    Unhappy

    Keeps people ignorant.......

    The principle of file extensions is simple. Obfusticating it just makes l-users stupid and less likely to ever learn anything. Similarly, breaking the wonderful simplicity of a file hierarchy tree by grafting 'desktop' and 'my docs' etc. into the wrong place in it (again in order to supposedly make things easy) similarly makes it more difficult for l-users to ever really learn anything useful. As for hiding clearly unimportant things like *duh* email away in a hidden folder called C:\Documents and Settings\Silly User\Local Settings\Application Data\Identities\{9C1E56756-70E7-48FB-5676-C95656D33449}\Microsoft\Outlook Express, well clearly that is going to make things simpler for people and encourage the nervous to learn. Gah.

    I wonder if W7 can show folder sizes in explorer ? that is what I have been begging for since The Beginning, When vista came out I found they had even taken the API away to stop most 3rd party tools from doing it !!

  51. Charles
    Flame

    @Greg Fleming

    At the same time, there are files that may look similar to each other internally but are actually used very differently practically. Consider that a program trying to inspect a CBZ (Comic Book Archive), an XPI (Firefox extension), and a JAR (Java Archive) could easily mistake each of them for a ZIP. Little surprise--all three are themselves ZIP archives with particular files within them.

    How about this for a proposal: Since icons and names can't be trusted (since people may delete exposed extensions AND be suckered by hidden ones--no win here), how about color-coding the name of the program. IIRC, compressed files and folders in XP and up are shown in blue text. How about make all executable programs show up in red text, to indicate that they're executable? Now, even with extensions hidden, they're clearly visible, and the malware can't change the color of the text (since it's not subject to the program itself).

  52. Anonymous Coward
    Anonymous Coward

    @Jason Togneri

    I did have a slight feeling that the newer Windows OSs might have done that, and that's why I didn't dismiss or confirm it.

    Even so, your point (and mine) is still valid... if it automatically highlights only the file name then there is only one reason left to hide it in newer windows, vanity.

    It's bad enough they want us to use "Tiles" where the icon is huge and the file name you can only read the first 10-20 chars... List View FTW!

  53. Chris C

    Hidden file extensions and super-hidden file extensions

    After reading a lot of the comments here, there seem to be many saying just how easy it is to enable the viewing of file extensions. Of course, in doing so, those commenters have shown themselves to be just as ignorant as the idiots they're complaining about. If you don't believe me, then go ahead and go to the folder options and uncheck the option to hide file extensions. Then take a look at your desktop, scratch your head, and wonder why your shortcuts DON'T show the ".lnk" extension (or ".url" extension for Internet links). Then look in your WINDOWS folder, scratch your head, and wonder why the "_default" file doesn't show the ".pif" extension.

    There are quite a few extensions that Windows will continue to hide even after you tell it to NOT hide file extensions. The only way to fix that is to add a registry setting for each super-hidden file type you want to show the extension for. There is no global "Yes, I really do want to see ALL file extensions" checkbox.

    Using those super-hidden extensions, it would be easy to create a seemingly innocent file which will execute a malicious file, even when you have your system set to view file extensions (for example, by creating a file called "My_picture.jpg.pif" which is a PIF file that loads "delete_c.exe").

  54. ChessGeek

    It IS a Problem

    90% or more of my users wouldn't have the faintest clue how to change that setting - no matter how many times they were told or shown. However, they either want to know where their file extensions are or readily agree when I explain the reasons for changing the setting. I have yet to meet a single user who preferred not to see the file extensions.

    The Microsoftheads who persist in keeping this setting as the default are idiots - pure and simple.

  55. Quirkafleeg
    Boffin

    Re: @ michael

    “[Linux] keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user.”

    No. Neither permissions nor the creating app have anything to do with this: you can use cat to create a shell script or sed to modify a text file. Or you could use, say, emacs or joe or nano.

    “For example: a shell script is just a text file but if I've marked it executable it will run in the shell. But only for ME, It WON'T execute on another login unless it [is] root.”

    Wrong again. There's that bit of identification stored in at the start of the file: that "#! /bin/sh" line. Also, you've not said that it isn't readable by others; if it is, that's enough to allow a shell run by any of them to interpret it ("sh ~foo/bar.sh"). Execute permission would allow them to do this implicitly, with the kernel running the executable named in the #! line ("~foo/bar.sh").

    File type information is determined by content and/or the extension part of the filename. Content takes precedence.

  56. Anonymous Coward
    Linux

    Hide or don't hide -

    it makes no difference at all. Windows is insecure by design and no amount of fiddling with file extensions is going to fix that. There's only one way to make Windows secure - run something else.

  57. Anonymous Coward
    Thumb Down

    Tsk ...

    You are all missing the point: the file extension is NOT IMPORTANT.

    Any OS that is _still_ fooled by the *.jpg.exe 'trick' is unfit for purpose. END OF. There is no justification for this stupidity continuing.

    Reading some of the comments here make me despair. Anyone who is still discussing this hiding/showing file extensions nonsense is missing the obvious problem. That is, Windows has consistently been fooled by this for years and STILL falls for it. That to me proves this product is an OS unworthy of even being called an OS -- it's a piece of garbage.

    Totally, utterly unbelievable anyone can find this remotely acceptable. Far less PAY MONEY for it. It _does_ prove that there is one born every minute. Oh wait: that's Miscrosoft's actual business model!

  58. Anonymous Coward
    Thumb Down

    Tsk ...

    You are all missing the point: the file extension is NOT IMPORTANT.

    Any OS that is _still_ fooled by the *.jpg.exe 'trick' is unfit for purpose. END OF. There is no justification for this stupidity continuing.

    Reading some of the comments here makes me despair. Anyone who is still discussing this hiding/showing file extensions nonsense is missing the obvious problem. That is, Windows has consistently been fooled by this for years and STILL falls for it. That to me proves this product is an OS unworthy of even being called an OS -- it's a piece of garbage.

    Totally, utterly unbelievable anyone can find this remotely acceptable. Far less PAY MONEY for it. It _does_ prove that there is one born every minute. Oh wait: that's Microsoft's actual business model!

  59. Trevor
    Alien

    Just a thought.....

    But why allow "double extensions" at all?

    You should only be allowed one "." in a filename (although you can have them in a directory name, otherwise "content.IE5" won't work /thud)

    you can still have your ".exe_old" or whatever.

    Seems pretty simple from where I'm sitting.

  60. Paul

    Or...

    ...they could write the file type under the file name...

    Like

    VIRUS.TXT

    application

    etc...

    It is a pain in the arse, though - non-nerds will often want to not see .exe as they don't care about extensions, they just want something that looks less confusing. Douchebags.

  61. Simon B
    Paris Hilton

    How SLOW are m$ at learning?????!!!

    Can't Microsoft LEARN faster? or LISTEN more? This has been a problem for years ffs. Give Windoze to Paris to program!!

  62. Anonymous Coward
    Anonymous Coward

    @ Mark "What about the Mac?"

    Quote: "Mac OS X application bundles hide their contents away from the user to the extent that an entire folder full of who-knows-what is hidden behind an innocuous looking icon.

    No complete surprise that El Reg isn't up in arms about this, though, is it?"

    You are right, it is no surprise. However, that would be because they aren't complete fucking, ignorant tools like you evidently are:

    (1) That "who-knows-what" can't do a damn thing to the system without the express permission of the user because Mac OS X is based on *NIX and it has a cast-iron security model by default that "just works" rather than being the idiotic, piece of shit, doomed to fail at every single point that the Windows "security" model is, and

    (2) selecting "Show package contents" will show you everything that is inside an application bundle should you want to look there.

    Ergo, there is no security risk here beyond any of the typical Trojan and PEBCAK ones that can't be solved other than by people being clued-up.

    In response to all the other Wintards here - Jesus, do you folks have no clue at all about things outside the extent of your twisted Windows world? Here is what happens in other OSes if you try to add (e.g. if it is hidden by default) or change an extension already there: you get a warning that it might do something unexpected or harmful to your system or the file. Wow, that is so fucking hard to comprehend and implement isn't it! Yet MS still hasn't added something like it to their shitty OS for decades and you twats actively celebrate their complete and utter idiocy.

  63. rd232

    Why allow double extensions at all?

    I agree with Trevor - I don't see why Microsoft hasn't fixed this years ago by patching to deal explicitly with double file extensions. The exact form of that is another matter (maybe pop up a dialog for those cases when double-clicked, with the non-executable filetype as the default?), but it should be quite separate from showing those file extensions. In a file system assigning file types based on extensions, a file should only have one extension and when there's more than one that should be acknowledged as a problem! End of story.

  64. Anonymous Coward
    Anonymous Coward

    @ Quirkafleeg

    "There's that bit of identification stored in at the start of the file: that "#! /bin/sh" line."

    Not necessary. Make it executable and it still runs. No "#! /bin/sh" directive on the first line is strictly required (though it is common practice). Incidentally, when I then remove the extension .sh from the end of the file name, the script STILL runs fine.

    "Also, you've not said that it isn't readable by others; if it is, that's enough to allow a shell run by any of them to interpret it ("sh ~foo/bar.sh"). Execute permission would allow them to do this implicitly, with the kernel running the executable named in the #! line ("~foo/bar.sh")."

    Nope. It doesn't. Tried that.

  65. Anonymous Coward
    Anonymous Coward

    Erm...

    The OS isn't being fooled by 'picture.jpg.exe' - it's an executable, the OS knows it's an executable, and it treats it as an executable. It's the *user* who's being fooled by not seeing the .exe part. Funny thing is, if file extensions are turned off the user wouldn't see the .jpg either were it a real .jpg file, but I digress.
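The two checks argued over in this thread (a double extension ending in an executable type, and content that disagrees with the extension) can be sketched as a defensive filter for incoming filenames. This is an added example, not part of any comment; the extension lists, function names and sample bytes are assumptions constructed for illustration, and `displayed_name` assumes the final extension is a registered type that Explorer hides.

```python
import os

# Assumed, non-exhaustive lists chosen for this illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc"}


def displayed_name(filename):
    """Name the user sees when the final (registered) extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_double_extension_lure(filename):
    """True for names like picture.jpg.exe: executable type behind a decoy."""
    stem, ext = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1]
    return ext.lower() in EXECUTABLE_EXTS and inner.lower() in DECOY_EXTS


def sniff(head):
    """Classify a file by its leading bytes rather than by its name."""
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def review(filename, head):
    """Return the reasons, if any, to quarantine or warn about a file."""
    findings = []
    if is_double_extension_lure(filename):
        findings.append("double extension: shown as %r when extensions are hidden"
                        % displayed_name(filename))
    ext = os.path.splitext(filename)[1].lower()
    if sniff(head) == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append("content mismatch: PE executable named %s" % (ext or "(none)"))
    return findings


if __name__ == "__main__":
    # Constructed samples: (filename, first bytes of the file).
    samples = [("picture.jpg.exe", b"MZ\x90\x00"),
               ("holiday.jpg", b"\xff\xd8\xff\xe0"),
               ("holiday.jpg", b"MZ\x90\x00")]
    for name, head in samples:
        print(name, "->", review(name, head) or "no findings")
```

A mail gateway or download handler would call `review` on the attachment name and its first few bytes before the file ever reaches Explorer.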

  66. Anonymous Coward
    Anonymous Coward

    @ AA Tuesday 12th May 2009 12:24 GMT

    Good point. Have a doughnut.

  67. Anonymous Coward
    Paris Hilton

    Managed Code

    Computers can be weird and strange things, I think that a smaller percentage of people that use computers have the patience and opportunity to learn how to use them as carefully as is required to avoid the dangers of the internet, most people just want to use their computer to do something, they don't want/need to know how it works, or bother with details such as file extensions, these people are not stupid.

    The design of the operating systems need to be improved so that most people can use their computers safely. I don't think that displaying file extensions or not is going to help with that effort, since most people don't know or care about file extensions.

    How can the design of the operating system be improved?

    if a file comes from the internet and is executable, don't let it execute if it can do something harmful, no warnings or UAC type questions, just don't execute it

    "something harmful" usually involves writing or reading to certain parts of the hard drive, using code access security, it is possible to determine whether certain types of executable files contain functionality that will write to the hard drive or read certain parts of it

    The answer can be found in managed code, if a file is downloaded from the internet and it isn't managed code then by default it should not be allowed to execute, advanced users would be able to enable this at their own risk.

    OS X displays a warning if you execute a file that you downloaded from the internet, this is a step in the right direction, but more needs to be done.
