
Issue allows nefarious users to change file extensions without the user's knowledge

Computer users and IT administrators around the globe are waiting for Windows 7. Many companies have still not upgraded from Windows XP due to the backlash against Windows Vista and a myriad of bugs and issues the operating system had upon its release.

The next operating system from Microsoft, Windows 7, is expected to debut in October and the latest Windows 7 RC is available to download now. The demand for the latest RC was so high that the number of requests for the operating system crashed the servers at Microsoft.

One of the things expected from Windows 7 is improved security. Despite that expectation, Mikko H. Hypponen, chief research officer at F-Secure, says that Windows 7 still suffers from a security hole that has plagued Windows Explorer since the days of NT.

The security issue, according to Hypponen, is a flaw in the way that Windows Explorer allows users to hide file extensions. This flaw allows a malicious user to write a virus, worm, or hack and rename the .exe file to something more innocent-sounding, like a .txt file, that the user is more likely to click on.

InformationWeek reports that this security issue might not be so newsworthy if it weren't for the End-to-End Trust Vision that Microsoft is promoting to enhance computer security. One of the basic aspects of computer security is being able to correctly identify the type of files on a user's computer. Microsoft's Craig Mundie said at a conference in 2008, "[It is] important that we give people the tools to empower them to make good trust choices."

Microsoft has made some important security improvements in Windows 7, reports InformationWeek. One of the big improvements is stopping attacks that rely on the automatic execution of applications on a flash drive when the drive is connected to the PC. This was one of the methods that allowed the Conficker worm to propagate rapidly from flash drives.
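As an added illustration (not code from the article, F-Secure or Microsoft), the following Python check shows how a defender could flag the kind of file described above: a name whose hidden final extension is executable while the visible part ends in a document-like extension. It goes one step further and also flags Windows executable content ("MZ" header) stored under a non-executable extension. The extension lists, function names and sample files are assumptions constructed for this example.

```python
import os
import tempfile

# Assumed lists for this sketch (not from the article); extend for your environment.
SCRIPT_OR_EXE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".com"}
DECOYS = {".txt", ".doc", ".xls", ".pdf", ".jpg", ".png", ".mp3", ".avi"}
KNOWN = SCRIPT_OR_EXE | PE_EXTS | DECOYS


def displayed_name(filename):
    """Name a user sees when extensions of known file types are hidden.

    Simplified model: every extension in the lists above counts as 'known'.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN else filename


def check_name(filename):
    """Flag a hidden code-running extension behind a document-like visible one."""
    stem, real_ext = os.path.splitext(filename)
    shown_ext = os.path.splitext(stem)[1]
    if real_ext.lower() in SCRIPT_OR_EXE and shown_ext.lower() in DECOYS:
        return "double extension: shown as %r, real type %s" % (stem, real_ext.lower())
    return None


def check_content(filename, head):
    """Flag PE ('MZ') content stored under an extension that does not say so."""
    ext = os.path.splitext(filename)[1].lower()
    if head[:2] == b"MZ" and ext not in PE_EXTS:
        return "PE header under %s extension" % (ext or "no")
    return None


def scan(root):
    """Walk a directory tree and return {relative path: [reasons]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(2)  # the magic bytes are enough for this check
            reasons = [r for r in (check_name(name), check_content(name, head)) if r]
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Run the scan over a throwaway directory of constructed sample files."""
    pe_stub = b"MZ" + b"\x00" * 62  # constructed: only the magic bytes are meaningful
    samples = {
        "report.txt": b"quarterly numbers\n",
        "virus.txt.vbs": b"' constructed placeholder, not a real script\n",
        "holiday.jpg.exe": pe_stub,
        "notes.txt": pe_stub,
        "setup.exe": pe_stub,
        "backup.tar.gz": b"\x1f\x8b\x08",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print("%-18s shown as %-14s %s" % (path, displayed_name(path), "; ".join(reasons)))
```

Legitimate multi-dot names such as `backup.tar.gz` and ordinary installers such as `setup.exe` are not flagged, which keeps the check usable on real download or attachment folders.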



Comments



This is bullcrap (apparently '5hit' gets censored)
By oTAL (blog) on 5/7/2009 9:44:45 AM , Rating: 5
This is not a security flaw. Hiding extensions is not my favorite feature and I always choose to see them. Nevertheless, the reasoning behind it was that average users do not know what the extensions mean, but they know the icons.

Windows 95 (I think...) introduced the possibility of having '.' in file names. These two things together allow a user to have a file named virus.txt.vbs or something like that and the OS will hide the extension displaying only the name 'virus.txt'.
It is my humble opinion that those that have extensions hidden AND can't notice the difference between the two icons, would run the virus even if they could see the extension!

Most of the time Windows will tell you the file may be dangerous! If you still run it, then no OS security can save you and you might as well buy a Mac and tell everyone you know that MS is a joke...

This is not a security flaw... this is trying hard to find something to complain about!.... Do you propose any solutions for this 'flaw'?




By sdoorex on 5/7/2009 10:08:28 AM , Rating: 3
The reason is that if you have enough of a reason and knowledge to be critical of something you should at least know how to solve the issue. Otherwise you are complaining for the sake of complaining.


By rdeegvainl on 5/7/2009 11:08:39 AM , Rating: 5
Criticism has a very important place separate from problem solving. Not everyone has the time or resources to fix every problem they see, and to say they shouldn't point it out because of that, and label such criticism as "complaining for the sake of complaining" is ignoring the limits of individuals.
Example:
Pointing out a fault in a fuel line. If I can see that it leaks, should I stay silent just cause I don't know how to fix it?


By VaultDweller on 5/7/2009 1:35:36 PM , Rating: 1
quote:
All OSes that I have used have some type of file extension and a means of hiding them

I have never used any other OS that hides file extensions by default.

I don't think this default setting in Windows is a significant vulnerability, but I have found it to be a significant PITA since Windows 2000.


By Souka on 5/7/2009 2:07:54 PM , Rating: 5
The intent to hide the extension was in part to help prevent files from becoming disassociated with the application that was required to use them.

Example.. you receive a document called "Document1.doc". Prior to Vista, if it was re-named by a user it could easily lose the .doc extension..resulting in something like "MayReport" which would create a problem for the user when they tried to open it.

With the Vista explorer interface, they made a nice improvement by only highlighting the file name, and leaving the .doc (or whatever extension) unhighlighted. This helped the issue, but still the extension was vulnerable.

By hiding the extension you make life easier for the typical user, but also open a "vulnerability" to the OS.

Life goes on... people that love Windows will praise it, people that hate Windows will hate it... the rest of us just read the comments of the two types mentioned above and roll their eyes.

My $.02


By fic2 on 5/7/2009 3:56:44 PM , Rating: 5
So, the little warning that pops up when you are changing an extension is not enough?

If you change a file name extension, the file may become unusable.

Are you sure you want to change it?

______ _____
| Yes | | No |
------- ------

(would have been prettier, but all the white space gets stripped out...)


By murphyslabrat on 5/7/2009 9:03:30 PM , Rating: 2
quote:
What the hell is an extension? Oh no, it can become unusable? What do I do....help, Microsoft customer support? I need help....

this would be the typical response.

Here's a solution: go a step farther than Vista, and have two separate "rename" boxes. So, if you hit end, it'll only take you to the end of the filename, before the final extension. Meanwhile, if you wanna change the extension, you click on the extension portion.


By Helbore on 5/9/2009 7:35:26 PM , Rating: 2
What you say makes sense, but only to people who actually read dialog boxes.

Find me an average user (read: not someone who has an interest in computers, but uses them as a tool at work or home) that doesn't just click "yes" on every dialog box that pops up because "it's an annoying thing that gets in the way of what I want to do" and...well..I didn't actually bother to think about what I'd do in such a circumstance because its likelihood is so low!


By Helbore on 5/9/2009 7:41:12 PM , Rating: 2
I should add that the only "security flaw" here is incompetent users. If people don't know what they're executing before they click it, they deserve whatever they get.

Imagine an unqualified driver pushing random controls in a car. You don't blame Ford if the driver pulls the door open handle whilst the car is in motion. You blame the idiot who pulled a lever before knowing what it does. Then you thank Darwin for explaining the theory relating to why it was a good thing for the species that this guy just copped it on the motorway.


By Joz on 5/7/2009 4:18:08 PM , Rating: 2
Why doesn't this have a 6 yet?


By MRwizard on 5/8/2009 7:50:36 AM , Rating: 2
That's worth more than 2c my bro!


By Chocobollz on 5/10/2009 11:59:42 AM , Rating: 2
quote:
The intent to hide the extension was in part to help prevent files from becoming disassociated with the application that was required to use them. Example.. you receive a document called "Document1.doc". Prior to Vista, if it was re-named by a user it could easily lose the .doc extension..resulting in something like "MayReport" which would create a problem for the user when they tried to open it.


But, would it cause problems from a security standpoint? What are those UNDO buttons used for? If a user makes a mistake, they can *always* UNDO it, so that is not a problem. I'd rather have some users complaining that their document cannot be opened than a lot of users complaining that they have been infected by a virus.

quote:
By hiding the extension you make life easier for the typical user, but also open a "vulnerability" to the OS.


Actually, I would say it is not. Yes, you make their life easier, but you also make their life harder when they get a virus because they've mistakenly run some virus program disguised as some safe format.


By DM0407 on 5/7/2009 5:55:05 PM , Rating: 2
quote:
I have never used any other OS that hides file extensions by default.

So this is your first OS? J/k

I think KDE hides by default, and yes, it's definitely a pain in the crapper.


By PrezWeezy on 5/7/2009 7:43:48 PM , Rating: 2
OSX hides by default. Between Windows and Mac, you make up pretty much 100% of the "I don't understand what the .*** means" population. So even if no Linux distro does by default, it is for a completely different audience of people who HAVE to know what the extension is to be able to use it.


By artemicion on 5/7/2009 1:26:56 PM , Rating: 4
While I understand your analogy I think what the OP is trying to say is that it's not a flaw and it's not worth criticism in the sense that the designers are probably well aware of the issue and made the design choice to continue to hide extensions after weighing the options (hiding the extensions for usability vs. revealing extensions to avoid the "exploit").

A more appropriate analogy would be a guy complaining about the few drops of gasoline that drip from the nozzle after you fuel your car. Yes, it's not ideal - it wastes gas and it's probably not good for the environment. But everybody is already aware of the "problem" so there's no point whining about it unless you've got a better solution for us.


By DM0407 on 5/7/2009 5:48:13 PM , Rating: 2
This is only a RC build...

I don't see this as a major threat. If it is so dangerous they would have fixed it in XP/Vista. The fuel line analogy doesn't work. A broken fuel line is broken, and was not designed to leak.

It's more like driving a Honda and questioning why the seat belt doesn't automatically buckle. If your dumb ass is willing to drive without a seat belt, or open an unknown file, then be prepared to deal with the consequences. I will never understand why we expect everyone to protect us from our own stupidity. (Seat belt law makes sense, it's hard to pay hospital bills when you're dead.)

Moral of the story: Wear a seat belt and don't hide your file extensions... or you will die.


By Spoelie on 5/7/2009 12:23:10 PM , Rating: 2
But IMO there are pretty obvious solutions
1) take away the hide extensions feature (not likely)
2) overlay icons of executable code and scripts with a mark not unlike the one for shortcuts. It won't matter if the extensions were hidden or a text icon was defined in the exe, the mark would still be there

Of course, one would need to choose what to mark. Word macros are executable code as well, but that doesn't warrant marking every word document, while a screensaver would.


By foolsgambit11 on 5/8/2009 7:13:53 PM , Rating: 3
Yes, there's another pretty obvious solution - by default, you could set up Windows to prompt users to confirm before executing any executable. Oh, wait. Windows already does this.

While the solution might not be perfect protection for every dumbass out there, Windows is set up to warn people before they fall for this exploit. If a user turns that feature off, then it's their own fault.

Turning on file extensions by default wouldn't help many people in this case. So many users these days don't know what a file extension is, much less any of the common extensions.


By Samus on 5/7/2009 5:34:21 PM , Rating: 2
What 'problem'? This is a feature.


By amanojaku on 5/7/2009 10:02:30 AM , Rating: 5
quote:
This is not a security flaw... this is trying hard to find something to complain about!.... Do you propose any solutions for this 'flaw'?

Solution 1: Take computers away from idiots.
Solution 2: Make money off of idiots by selling them "security" software.


By DM0407 on 5/7/2009 5:56:45 PM , Rating: 4
quote:
Solution 1: Take computers away from idiots.


Officially killing 90% of dailytech's traffic.


By JonnyBlaze on 5/7/2009 10:13:42 AM , Rating: 5
Stop letting idiots use computers


By FITCamaro on 5/7/2009 10:15:38 AM , Rating: 1
But aren't you supposed to cater to the minority?

Like any competent Windows user, I don't hide file extensions. I think it's stupid to do so.


By crystal clear on 5/7/2009 10:18:46 AM , Rating: 2
...or much ado about nothing....in the end, though it's probably nothing to lose sleep over....


By omnicronx on 5/7/2009 10:52:28 AM , Rating: 5
quote:
They're only hiding them because they're ashamed of using technology that is so old.
Both Windows and OSX hide file extensions by default.. Even in unix if you click on a shell script labeled porn.jpg, it is still an executable as this is based on meta data (usually an executable flag). Not sure about OSX, but I am pretty sure it works in a similar fashion. At least in windows, if you rename an executable or script to another extension, it won't run!


By themaster08 on 5/13/2009 8:12:31 AM , Rating: 2
Spot on.

It's only a security flaw to reader1 because he's an anti-Microsoft fanatic.

I'd like to point out a suggestion to this issue.
If a filename contains a "what could be" extension, the OS could possibly detect this so-called extension, and when executed, warns the user that there could be a file extension in the name and this is not the actual extension, then prompt them if they wish to continue to open the file. For example "The filename possibly contains an extension (hello.txt) which may be misleading. The actual extension of this file is hello.txt.exe (executable file) which is hidden by default. This type of file could be a threat. Do you wish to open the file?"

Then it is down to the user whether they wish to actually read the warning and continue at their own peril.
I know there are already security warnings in place when opening an executable, but said warning is more specific to the actual "threat" and will also educate less computer literate users of what could be a threat. With the current system in place, they won't have any idea of why the file could be a threat, thus not educating users.

quote:
They're only hiding them because they're ashamed of using technology that is so old.

They're hidden so that idiots do not accidentally rename them, rendering their files unusable until the extension is put back in place, which an average user would have no idea about.
This is an even bigger threat than hiding extensions, having a so-called extension in the name and then a warning message popping up asking if you wish to open the executable. Something tells me you are completely aware of this, but your anti-Microsoft idiocy is kicking in, hence your -1, which I will gladly call a -2.


By mikefarinha on 5/7/2009 10:56:37 AM , Rating: 4
I don't see how this is a security flaw.

How would this be remedied by another file system? A *NIX system doesn't have extensions; however that doesn't solve the *problem* this guy is complaining about.

Also, if a user unwittingly tries to open such a file he will get a UAC prompt. If the UAC prompt doesn't concern him then he was waiting to be hosed in the first place and changing the format of file names would have been of little consequence.

I swear, a lot of the *analysts* in the IT industry should simply be rebranded as pundits.


By ClownPuncher on 5/7/2009 12:24:59 PM , Rating: 2
I propose you start using facts and reason. Not to be confused with iFacts and iReason.


By mino on 5/13/2009 4:35:56 PM , Rating: 1
Such a shame on us for still using Archimedes's math.


By dgingeri on 5/7/2009 11:01:07 AM , Rating: 5
quote:
Nevertheless, the reasoning behind it was that average users do not know what the extensions mean, but they know the icons.


This is the exact problem. By catering to average users on a security sensitive thing like this, they create the vulnerability. The average users just need to learn that there are extensions.

Of course, this also creates headaches for support personnel. (Have you ever told someone to run "setup.exe" in a driver folder, and with the extensions hidden, the user sees 3-4 different "setup" icons? They then ask "which one" and you have to run through showing extensions just to allow the user to know which file to run? Talk about a major headache.)

Personally, I find this extension hiding the stupidest design flaw in Windows history.


By omnicronx on 5/7/2009 12:23:11 PM , Rating: 2
quote:
Personally, I find this extension hiding the stupidest design flaw in Windows history.
I don't, it saves the stupid users from a lot of problems. I would like you to perform a test, so that you realize that a file extention is not going to help someone that will click on anything.

Make a txt file. Notice how even in thumbnail mode the file will look like a notepad. Now rename that txt file with a .exe extension. It now has the default application in the thumbnail. If a user cannot see this, do you really think they are paying attention to the file extension in the first place? All known file types have their own set of icons, regardless of which view you are using in explorer.

Furthermore, how about we compare to the Unix world. As I previously mentioned, no file actually needs an extension. That being said, a file named test.txt can be an executable, and if you double click on it, it will run. This is a far greater problem if you ask me.


By gstrickler on 5/7/2009 1:48:46 PM , Rating: 3
quote:
I don't, it saves the stupid users from a lot of problems. I would like you to perform a test, so that you realize that a file extension is not going to help someone that will click on anything.

It doesn't save users from anything. Hiding file extensions does NOT make things easier, clearer, or simpler for users, it ONLY serves to make these types of attacks easier and to make it more difficult for users who do pay attention to file extensions.

One way it makes it harder is that there are frequently multiple files with the same name, but different extensions in a folder, with extensions hidden, it looks like there are multiple files with the same name. If none of them are executable files, it's even likely that they will have the same icon.

Relying on users recognizing the icon is also not a viable solution. A Windows executable can have its own custom icon. The scammers will just make the custom icon look like a text, Word, Excel, PDF, or other common document.

Hiding extensions has absolutely no advantages, and it has definite disadvantages. That option should be removed from ALL versions of windows via a security update.

The idea of adding an overlay to the icon that identifies "executable" files, similar to the way shortcuts are handled is one that would help, however, if it doesn't reliably flag 100% of all "executable" files (including those with macros, etc.) then the scammers will just start using whichever type doesn't get flagged. Still, even if it misses some, it would reduce the number of attack vectors, and therefore would be an improvement.


By UNHchabo on 5/7/2009 3:12:01 PM , Rating: 2
quote:
Hiding extensions has absolutely no advantages, and it has definite disadvantages. That option should be removed from ALL versions of windows via a security update.


I'd be ok if the option remained in place for those few users who actually prefer it, but I want them to change the default.


By dgingeri on 5/7/2009 2:34:57 PM , Rating: 2
There is a little flaw in your example. A Windows executable can contain icon files. All someone would have to do to avoid being seen as an executable is to include the same icon that a text file, or jpeg, or wma, or wmv, etc, would have and put it inside the exe. That's easy.

It creates a lot more problems than it 'solves'. Sure, it may be easier for a user to identify a file type by icon, but most users can't memorize the file types except for the very few they use. (My users rarely identify any file type more than Word or Excel.) In many installers, there is a setup.exe, setup.ini, setup.doc, setup.inf, and/or a setup folder. The Setup.exe doesn't even have a consistent icon. They change radically between manufacturers for driver installs.

In addition, if the trick I noted above is used, it makes the user think "oh, yeah, I know that icon. It's just a picture. It will be fine to open." then they get infected by a virus, spyware, or trojan and rarely even know it until we tell them their computer is showing virus-like traffic.


By Visual on 5/8/2009 7:12:34 AM , Rating: 2
Ever since XP SP2, you are prompted to confirm running any new exe that you got off the network or email or I guess removable media too. This should be enough to protect anyone from being confused that something is a text document or image or anything else.
(Ok, I admit I don't know what exactly triggers this prompt, but it seems reliable enough to me)

There are also other ways to verify the type of a file. In details view mode, there is a file type column right after the file name. In any view mode, the selected file's type appears both in the status bar and in the info panel on the left. Images, movies and even documents with a decent handling application would have a preview appear in the panel.

Users should by default be sceptical about the safety of any unknown random file they got from a spam mail. They can view the file properties to determine its type and what application it will open with.

Also, your second paragraph is completely irrelevant. Yes, there are many inconsistent icons on many file types and it is normal that the user may not be able to identify them by the icon - but those are all files that the user should not trust by default anyway. Not recognising their icons is not an issue. Being misled by a fake safe icon is, but again common sense should protect you from that along with all the other features of the OS that I mentioned.

Regarding the original article - my opinion is that any user that actually has a clue about what file extensions are (and hence is able to base the decision of whether a file is safe or not on its extension) will also know how to display them, so the OS default of hiding them is not a problem. And I can also see how some novice users would feel more comfortable without seeing these ugly extensions on their files as well. I am on MS's side this time.


By Helbore on 5/9/2009 7:49:02 PM , Rating: 2
Serves you right for allowing your end users to run executable files. Never, in my entire life running the NT platform, have I EVER allowed end users the right to run setup files. That's what IT departments are for.

The moment end users can run setup.exe on their PC is the moment you can spend the next week cleaning a massive malware infection off your company network. BAD NEWS, in my opinion.

The only executables end users should be running is the exes used by already installed software - and they can run them via shortcuts on the desktop and start menu. All of which lack visible file extensions anyway.

For anything else, there's secure admin accounts and remote access for IT professionals. Idiot home users deserve all they get. Learn how to use a computer before you buy one. It's what people do with cars.


By walk2k on 5/7/2009 12:55:40 PM , Rating: 2
This RC isn't quite ready for prime time anyway.

I installed it yesterday and was doing a de-frag when it bluescreened. I hadn't even been using it 2 hours and already crash...


By dgingeri on 5/7/2009 2:45:16 PM , Rating: 2
It may not be the OS itself. My testing machine had a Creative Labs Audigy 2zs sound card. I put Windows 7 Beta (build 7000) on it, and it worked great, up until the sound driver loaded. As soon as Creative's driver loaded, the thing would blue screen on boot every single time. I had to take out the Creative card to get the install to go.

After removing it, it went fine and never bluescreened. I even tested World of Warcraft on it (with the crappy on-board sound) and it performed faster and more reliably than Vista on the same box.

The fault in that lies with Creative (Whom I have hated specifically for their lack of support for the Audigy 2zs for a very long time.) They just don't put in the effort to make good drivers. Unfortunately for all of us, there are many companies out there that are the same way. ATI was one of those for a long time. I'm thankful they changed. Maybe Creative will. (I'm not holding my breath for that though.)


By Hawkido on 5/7/2009 3:16:21 PM , Rating: 3
I see your point about the complaining. This isn't a flaw it is a known exploit... The feature is part of the operating system as someone else said to prevent the common user from wiping the .extension off the file.

as to the solution:

Don't allow "." in the filename, except for the .3 at the end.
boom problem solved... now what to do with all the idiots who have been using "."'s in their file names. They already prohibit the ":" and the "/" and "\" as they also are file system control characters. Why did they spare the "."

Maybe on windows 7 they should run a file name conversion and replace all "."'s in file names (except the ".3" at the end) with ","'s or better yet make the extension completely hidden (right click and check the file extension, and which programs are associated to execute that extension type).


By BikeDude on 5/8/2009 4:30:08 AM , Rating: 2
quote:
Don't allow "." in the filename, except for the .3 at the end.


Too late.

MS noticed many years ago that there are countless providers of Windows software, each depending on proprietary extensions.

There can only be one application associated with any given file extension.

If everybody wants to associate with the .dat extension, then chaos would soon prevail.

So the current recommendation from Microsoft is this: Use long and descriptive extensions, e.g. ".myappdocument".

But even if this wasn't so, your solution does not address the issue raised by the first comment here: Most users aren't computer savvy and will click almost anything. .txt or .exe does not matter one iota to them. Once they've learned the difference, they will enable the extensions. But until then...

Until then they can rely on the OS telling them that the file was downloaded from the Internet and that they are about to execute potentially harmful code.

But that doesn't solve anything either. As the first comment here said: People will click anyway.

Ironically, it is F-secure's customers who are most vulnerable. They, after all, have protection. Why should they worry about file extensions and OS warnings? They bought protection! They are per definition invulnerable!

...or maybe they aren't. Maybe the anti-virus industry is heavily beating down the wrong path, lulling their users into a false sense of security, all while selling the poor saps annual subscriptions that most people do not dare to run without.

(PS: I use F-Secure at work. After booting the PC, I cannot use my browser for several minutes. Last time I booted I simply stopped the F-secure services so I could start work -- their products suck)


By 16nm on 5/7/2009 5:48:21 PM , Rating: 2
In Windows, .dll .exe .ocx are common extensions of executable files. The problem is that one can take an executable, rename the extension from .exe to .txt and it can still be executed. Now, know that the Windows Explorer shell will not execute these files because it will ask Notepad to open them; however, the file may be executed by the operating system when it's installed as a service, for example. This is a common way for viruses to install themselves into Windows systems. If Microsoft would not allow just any type of file to be executed then this would not be a problem. I do bet that this would cause great headaches for backwards compatibility, though.

Frankly, I think this is much ado about nothing. This is why we have companies producing anti-virus software (and a few viruses here and there to keep things interesting ;).


By rbfowler9lfc on 5/7/2009 8:37:54 PM , Rating: 2
And what's exactly the point of allowing the user to SEE the file's extension if he can't freaking UNDERSTAND what it meant?

The average user will screw up the machine either way, because he DOESN'T KNOW what .exe or .com mean anyhow.

So it doesn't really matter if it's called NakedAngelinaJolie.txt.vbs or NakedAngelinaJolie.txt....


By 16nm on 5/8/2009 9:38:31 AM , Rating: 2
I saw one of these NakedAngelinaJolie viruses recently masked as a Naked1985Ethopian virus. It was a nasty little virus.


By foolsgambit11 on 5/8/2009 7:22:47 PM , Rating: 2
Plus, there's the added advantage that, when the extension is hidden, the unknowing user can't change it. If the extension is shown, the user could remove or rename the extension, and then ignore the warning that pops up. Havoc.


By ggordonliddy on 5/8/2009 1:07:16 AM , Rating: 1
It should be obvious to anyone who is not a complete fool, that those responsible at Microsoft should be subjected to vast pain (think the Hellraiser chains, or Saddam's plastic shredders) for even considering hiding file extensions. These @sses insist on making life harder for us.


By CZroe on 5/8/2009 2:51:52 AM , Rating: 2
How do you expect the users to learn the difference if you hide even the most basic "inner workings" of the OS? If they can't learn it through experience, they must learn it through instruction. I find it so hard to describe the difference between a data file, executable file, and data file containing executable code (macros, scripts, etc) to the average user because Microsoft has kept them dumb. It would be MUCH simpler to understand if they didn't hide this. It is compounded by the fact that an executable file can have any icon it wants and the OS will display it without any other indication. How about a default overlaying mark, just like the shortcut arrow? They should not have allowed default hidden extensions without FIRST enacting such a feature.

IIRC, Win 95A showed them by default, OSR2 (Win 95B; FAT32 & USB support) had it hidden by default while OSR3 (Win 95C; IE4.0 Desktop Update) and every Windows release from then on continued the pattern.


By descendency on 5/8/2009 3:51:17 AM , Rating: 1
dangerous_virus.txt.exe with a specified icon to look like a text file would make it very not so obvious to even experienced users.

However, I have my security hole patched. I run my windows with extension display on.


By Helbore on 5/9/2009 7:56:34 PM , Rating: 2
One would hope that experienced Windows users wouldn't be clicking on random files unless they knew why said files were there in the first place.

If, by some chance, you've somehow managed to get some_random_document.doc replaced with some_random_document.doc.exe then you've got bigger security issues than hidden file extensions.


By Justin Time on 5/8/2009 7:26:46 AM , Rating: 2
I disagree, this IS a security issue.

Regardless of how stupid the user may or may-not be, this is a fairly obvious attempt to maliciously dupe the user into doing something they would not otherwise do.

This is essentially the domain of malicious software removal/control tools. If users are being duped by file names that end in apparently safe extensions, but have the real extension hidden which is potentially dangerous, it should be a simple task for the O/S to alert the user to the discrepancy, if it's given the necessary rules to test & filter on.

-----------------------------
WARNING - POTENTIALLY UNSAFE:
-----------------------------
Full File Name is: "mysafefile.txt.exe"
DO YOU REALLY WANT TO RUN THIS EXECUTABLE ??


By adiposity on 5/11/2009 11:46:47 AM , Rating: 2
Amen.


File extensions are stupid.
By reader1 on 5/7/09, Rating: 0
RE: File extensions are stupid.
By MrPeabody on 5/7/2009 10:10:42 AM , Rating: 4
Yeah . . . yeah! And the use of a top hat is one example of how the Parker Brothers' Monopoly has held back progress.


RE: File extensions are stupid.
By rudolphna on 5/7/2009 10:10:42 AM , Rating: 2
I know I'm just feeding the troll, but I kind of want to hear this "logic" behind this. Tell me, reader1 (Aka PLAYSTATIONTHREE), why are file extensions stupid? How are they holding back progress? And what would you suggest instead?


RE: File extensions are stupid.
By chick0n on 5/7/2009 10:26:07 AM , Rating: 2
What's wrong with file extensions? So you're telling me that you can tell between an exe file and a txt file by just looking at the file name? It might be possible with just 2 files, but what if there are 2000 files?


RE: File extensions are stupid.
By wushuktl on 5/7/09, Rating: 0
RE: File extensions are stupid.
By omnicronx on 5/7/2009 10:59:12 AM , Rating: 1
Nah, reader is right, although for all the wrong reasons. There should be no file extensions at all, Unix has it right, it should all be based on metadata. For all intents and purposes this was the way MS was going to go with WinFS (which was originally supposed to be released with Vista); unfortunately it has been delayed so many times, who knows if it will ever arrive. This would essentially do what you are saying: you would have the filename, and another field to say what type of file it is by reading from the metadata. This would make indexing, sorting and searching of files far more efficient too.


RE: File extensions are stupid.
By japlha on 5/7/2009 12:09:43 PM , Rating: 3
It's true unix doesn't need extensions but they are still used. It helps to identify files and directories.
Executables usually don't have extensions. Many files and directories use extensions on unix: .pl, .awk, .py, .c, .sh, .h, .d. It certainly helps to have the extensions when running the file or navigating.
However, if running a file you should always know what you're doing. In windows people just click without thinking. That's the problem.


By gstrickler on 5/7/2009 2:40:35 PM , Rating: 2
quote:
There should be no file extensions at all, Unix has it right, it should all be based on metadata.
Ah, like Mac OS (all versions, not just the Unix based Mac OS X).

Had to throw that one in. ;)


RE: File extensions are stupid.
By Smilin on 5/7/2009 3:38:33 PM , Rating: 2
Awesome! That way I can have a file with a .jpg extension that is executable. That is a much better solution for dumb users! :/


RE: File extensions are stupid.
By Yeah on 5/7/2009 6:34:32 PM , Rating: 2
I just wanted to reply because most people may not understand what you say when you say metadata. I agree the existence of filename extensions is SOOO stupid. And in fact I recently had a run-in with Microsoft Live because of the way they hide extensions. I am going to try to explain it to the lay person and I am sure to be corrected if wrong. If the file type like .doc was held in the metadata instead of the file name, when you click on the file Windows starts to open the file and sees that within this file it should be opened with Word or the default chosen application for .doc files. You could name the file happyshoes.??? or whatever you wanted; you don't need an extension. The OS will know what to open it with because it looks inside the file to see the file type instead of the file name. This should be the way it is done. The OS could learn any other file type aliases by looking within the meta for information on what to open the file with, and if it was an unknown type, you could choose an application to open it with just like you do now when Windows can't find the proper type. And then it could add it to a registry entry as an alias for .doc if it is a text type file created with some other program like WordPerfect. So now the OS should learn 'I open this file that has .doc in it with Word and this other one with .wp in the meta info with Word or whatever program you chose.' I hope that makes sense and that I explained it correctly. I hope Microsoft gets rid of extensions altogether. Getting infected by something makes no difference as your virus scanner should pick it up anyway.


By foolsgambit11 on 5/8/2009 7:35:21 PM , Rating: 2
Really, isn't a file name and file extension metadata to begin with? Doesn't it make more sense to have the file type metadata in the file name? If you put it in the file's contents, it would require reading the file's metadata from the contents instead of just reading the file name from the main file table (in FAT32/NTFS, anyway). That would (potentially) slow down a file browser.


RE: File extensions are stupid.
By BikeDude on 5/8/2009 4:37:43 AM , Rating: 2
quote:
Unix has it right, it should all be based on metadata.


Uhm, since when did Unix store metadata?

Last time I used a Unix-like OS, they still had an x attribute for eXecutables. Jpeg pictures still had a .jpg file extension to help users and applications identify the file as a, well, jpeg.

May I ask how Unix (oh, and maybe you could define "Unix" for me?) transfers this metadata information when e.g. sending the file(s) by e-mail or zipping the file(s)?

True, jpegs and tiffs have similar file structures, and you can of course write filters that will detect image formats based on the binary stream alone, but once you start opening files to determine this information, you've created another problem: determining the file type when the file is stored on a slow device (tape streamer, a server hooked up with a slow network, optical drive, etc).

Quite frankly, I think you're barking up the wrong tree.


By StevoLincolnite on 5/7/2009 11:52:49 AM , Rating: 3
quote:
Then once a file is created then its type field can never be altered


If it's Digital it can be altered, cracked, exploited.


User Account Control (UAC)
By GoodBytes on 5/7/2009 10:11:59 AM , Rating: 4
Well that is why you have User Account Control (UAC) in Vista and Win7.
When you run a text file or picture and it asks you for Admin privileges, you know that this doesn't make sense, as a text/picture file has normally nothing to do in your system.




RE: User Account Control (UAC)
By dgingeri on 5/7/2009 2:48:47 PM , Rating: 2
Nearly every user here at my workplace who has Vista (down to about 2 dozen now) has UAC turned off.

I am smart enough to keep mine on, but I'm also smart enough to keep from clicking on things all willy-nilly like far too many users do.


RE: User Account Control (UAC)
By ggordonliddy on 5/8/2009 2:11:06 PM , Rating: 1
> I am smart enough to keep mine on

No, you are a complete moron who deserves to have his/her computer smashed into pieces. Go away, you UAC fanboi.


RE: User Account Control (UAC)
By foolsgambit11 on 5/8/2009 7:27:30 PM , Rating: 2
So.... just to be clear, you'd argue that, given the choice, it is smarter to turn UAC off? I won't deny it would be more convenient, but that's not the same thing as smart.

Ah.... I've responded to a troll, haven't I?


RE: User Account Control (UAC)
By ggordonliddy on 5/8/2009 11:06:49 PM , Rating: 1
UAC is only for idiots. Just like most of the crap MS is shoveling at us.


RE: User Account Control (UAC)
By Helbore on 5/9/2009 8:06:14 PM , Rating: 2
Most end users are idiots, unfortunately.

Also, if you are running your computer properly, UAC is a non-issue anyway. If it's popping up on a regular basis for you, it's not because it's annoying an experienced user, it's because you think you know what you're doing, but are running lots of crap that you shouldn't be.

UAC won't bother anyone who isn't poking around in system configuration settings or trying to install applications onto their PC.


RE: User Account Control (UAC)
By ggordonliddy on 5/27/2009 6:18:32 PM , Rating: 2
You can't be serious.


RE: User Account Control (UAC)
By Helbore on 5/9/2009 8:02:30 PM , Rating: 2
Why does every user in your company have the admin privileges necessary to turn UAC off? That's a bigger security threat than anything else that could come by, ever.

In my last firm, I caught the helpdesk staff having disabled UAC on their machines. Being the good Network Admin I was, I reported this to the IT Group Manager, who immediately put them all on a minor disciplinary and made them switch it back on.

Yes, they hated me for it. Yes, our company network maintained its security. If you want to keep your systems free of crap, all you need is an IT department that enforces best practices.

And quite frankly, I've never had a single security breach on a single network I've had sole control over.

End users + admin rights = long weekends for IT staff.

I have better things to do with my weekends.


Oooo scary!
By therealnickdanger on 5/7/09, Rating: 0
RE: Oooo scary!
By Spivonious on 5/7/2009 9:40:04 AM , Rating: 1
Well....the whole reason the Autoplay USB worm thing was even possible was because the worm maker gave their executable a folder icon. Since the .exe was hidden, users thought they were just viewing the contents of the USB drive instead of executing an application.


RE: Oooo scary!
By VaultDweller on 5/7/2009 10:04:38 AM , Rating: 2
It makes no difference if the file extension is shown in that case. The name and icon presented in the Autoplay popup can be set arbitrarily, regardless of whether Explorer is set to hide extensions or not.


RE: Oooo scary!
By Spivonious on 5/7/2009 1:19:14 PM , Rating: 2
Oh, my bad. I didn't know you could set that text.


RE: Oooo scary!
By Smilin on 5/7/2009 3:33:42 PM , Rating: 2
+1 for being the only person in a debate on the internet who actually admits they made a mistake (albeit a trivial one).

Props.


Hide extensions for known file types?
By myhipsi on 5/7/2009 9:49:33 AM , Rating: 3
Ah, correct me if I'm wrong, but isn't there a simple solution for this? Uncheck "hide extensions for known file types" under folder options. How is this even an issue?

Maybe MS should leave this option unchecked by default. I have to remind myself that the level of technical knowledge the typical Windows user possesses is fairly limited.




RE: Hide extensions for known file types?
By reader1 on 5/7/09, Rating: -1
By themaster08 on 5/13/2009 11:19:29 AM , Rating: 1
quote:
their OS monopoly is a detriment to society.

Just as your trolling is a detriment to this website.


RE: Hide extensions for known file types?
By Clauzii on 5/7/09, Rating: -1
RE: Hide extensions for known file types?
By Clauzii on 5/7/2009 3:47:10 PM , Rating: 1
WTF :D


By Clauzii on 5/7/2009 3:51:57 PM , Rating: 2
Oh, my troll is back, I see....


What crap
By Smilin on 5/7/2009 10:56:38 AM , Rating: 3
I swear MS has to deal with supertankers full of FUD.

Notice how this behavior has remained unchanged for a decade yet it catches news only when MS is about to release a new OS?

This is so utterly retarded. If a user is so dumb that they don't notice that opening jpeg is causing UAC to trigger there isn't much more that can be done.

I'm sure we'll hear about this in a Mac ad soon. The journalists at Windows websites are chipping away at their own livelihood by bringing attention to this tripe.




RE: What crap
By amandahugnkiss on 5/7/2009 2:43:57 PM , Rating: 2
FWIW, Macs do the same thing, to change the behavior you have to go into the advanced Finder prefs and select 'Show all file extensions'. Wonder why it isn't a threat on their platform :). I get far more perplexed looks from Mac users when they hear 'extension' than I do from Windows users, even though there was that wonderful extension manager utility pre OS X.


Silly
By dagamer34 on 5/7/2009 12:28:40 PM , Rating: 2
Don't confuse OS problems with PEBKACs.




RE: Silly
By gstrickler on 5/7/2009 2:13:16 PM , Rating: 2
Failure to account for user behavior (PEBKAC, Id10t, social engineering, etc.) is a security problem. All security systems are dependent upon people, failure to address "common", "predictable", or "likely" human behavior in the design and implementation of your security system is a flaw in the security system, not in the users.

See http://www.cryptosmith.com/password-sanity
for some examples of failing to address user behavior causing big security problems.

To have any chance of having security, set defaults that reduce the likelihood (or possibility) of careless/clueless users doing something stupid. In this case, hiding file extensions gives no benefits, it's just a bad idea and that option should be removed.


By borowki2 on 5/7/2009 2:48:02 PM , Rating: 2
Like its predecessors, Windows 7 will have a feature called "wallpaper" or "desktop background." What it does is display a bitmap image in the portion of the computer screen unoccupied by windows. It's a serious design flaw. It allows malicious hackers to place an image that resembles an actual Windows session on an unsuspecting user's screen, but which has no possibility of interaction. The attack may come in the form of an icon that cannot be removed. Or a browser window with embarrassing contents that cannot be closed. One known variant shows a fake error window that tells the user to reboot his computer, leading to continual shutdown of the machine, as the procedure would not make the message go away.




By Smilin on 5/7/2009 3:36:12 PM , Rating: 2
I would +1 you but I already posted.

If you haven't seen it already.. www.thewebsiteisdown.com


By japlha on 5/7/2009 11:57:56 AM , Rating: 2
Hide extensions for known file types is a horrible option. At the very least it could be disabled by default instead of enabled.
The combination of filename and extension is vital information. The OS makes decisions on how to run a file based on the extension. Why hide this valuable piece of information?




The real solution:
By Randomblame on 5/7/2009 7:13:03 PM , Rating: 2
Take away the ability to use a "." in a file name.

the whole problem is people are naming files in this format: porn.jpg.exe and the .exe is being hidden. I don't think I've ever seen a legitimate use for having a . in a filename and anyone who currently has software using it would simply have to change their wascally ways




Nothingburger
By Shadowmaster625 on 5/8/2009 1:07:31 PM , Rating: 2
I never understood how this was an issue. If you had a virus called "virus.exe" and you renamed it to "virus.txt" nothing is going to happen when you open it because you're opening it in a text editor.

And if you have extensions turned off, then you're never going to see a file called "virus.txt" even if it is called "virus.txt.js" because the "txt" will be hidden right along with the "js". I've never seen a case where this wasn't true. I always set up my machines to show ALL hidden files and show ALL extensions and I've never had a problem.




Filename extensions are important
By wvh on 5/9/2009 8:30:56 AM , Rating: 2
It's "Mikko H. Hyppönen", with umlaut. Without umlaut it's not a valid word in the Finnish language due to vocal harmony. ;)

And I think he's right. Hiding extensions has always been an absurd practice to me... Why would you hide the most crucial information of a file? It's just asking for problems. People don't even know the difference between a .doc, .exe or .bat, and ideally they should have a minimal level of understanding to know what is potentially harmful and what isn't. Somehow, they should be taught the distinction between DATA and CODE, i.e. what 'is' and what 'does'.



Copyright 2010 DailyTech LLC.