F-Secure is mistaken regarding Windows 7 RC security “fail”
F-Secure is getting some news coverage because one of their bloggers claims to have identified a security failure in Windows 7 Release Candidate. Their blogger Mikko writes that Windows 7 still hides file extensions, which allows virus writers to easily trick users into launching executable files disguised as ordinary document files. Mikko showed some screenshots of how this supposed vulnerability would be exploited, but there is a mistake in Mikko’s analysis.
The mistake is that when you create an executable file on your own computer, it will launch silently without any warning. But if you actually download such a file from a website or save/open it from an email attachment, the Windows Attachment Execution Service (introduced with Windows XP SP2) will warn you that it is an executable, which is actually more explicit and obvious than hoping the user understands which three-letter file extensions qualify as an executable.
To prove the point, I downloaded a file called test.txt.cmd from my own website. You can download the zipped version here and verify for yourself. I decompressed the file, launched it, and got the following warning. Had someone emailed me this file, I would have gotten the exact same warning. In light of this warning, there is no chance I would have mistaken this file for a plain old .TXT text file.

Furthermore, if the executable had required system-level privileges, I would have gotten an additional UAC warning message in either Windows Vista or Windows 7.
Now, I am not suggesting that hiding file extensions is a good thing. In fact, I hate it, and I always disable that feature on any Windows computer I use. But I do not think it’s accurate to portray this as a security failure in Windows 7 or in anything after Windows XP SP2.
Yeah, this is completely bogus. Windows, for quite some time, flags executable files that originate off of the local system with a flag to make this happen. Not sure why this would be a "problem" in Windows 7 but not in Vista or XP. In addition, a user who is used to *not* seeing a file extension shouldn’t be fooled by suddenly seeing one.
Finally, I would imagine that on the overall scheme of things, hiding the extensions probably eliminates a huge number of help desk calls and other problems for most users. I’m sure some folks think, for example, that changing the extension from GIF to JPG converts the file (that’s not a bad feature though, now that I mention it), or accidentally remove it or change it to the wrong thing all of the time.
Hiding the file extensions is along the same lines as making it very inconvenient to access C:\Windows by default. Would they argue that blocking access to the system directory is a problem too, because many pieces of malware stick stuff in there? I hope not. It’s not about security, it’s about preventing accidents, which in this case far outweighs any minor benefit.
J.Ja
Since Vista, they don’t highlight the extension by default when you try to rename a file. That’s actually quite convenient most of the time.
If I remember correctly, this was actually a feature that came out in Windows XP RC. That happened to be out more than eight years ago.
F-Secure looks to be really on top of things these days.
Maybe in five to six years they will find out about UAC and complain about how click-happy they have become.
I’ve never liked the idea of hiding extensions on file names and always disable that feature. To me the problem isn’t changing a filename from malwareprogram.exe to malwareprogram.txt.exe, but the fact that some people would be fooled by just using the notepad icon in the .exe file. As I said, I always disable the "hide extension of known file types" feature, so I can see that I’m about to open an executable (.exe or .com), batch file (.bat), text (.txt) etc. file. Maybe Microsoft should include a new feature where, if extensions are hidden, the icon would flash alternately between the icon in the file and another system icon to alert the user what the file type actually is.
Chuckster wrote:
"but the fact is some people would be fooled by just using the notepad icon in the .exe file."
I don’t understand your point. If you change x.txt to x.txt.exe, the icon changes to a default executable icon, so the icon itself shouldn’t fool anyone.
It’s deja vu all over again.
This sort of thing doesn’t happen with Linux–you must set (chmod) a file’s execute bit before it will even run.
So, that requires extra steps by the user who presumably is fully aware of what they are doing.
BTW, I’ve been running Windows 7 and so far I am not impressed with it. It is less usable than Windows XP and slower, yet requires more memory, hard disk and processing power to run.
I don’t see a compelling reason for Enterprises to rush to W7.
In fact, Ubuntu 9.04 is really looking good as a replacement for any shop using XP.
You wrote:
"I don’t understand your point. If you change x.txt to x.txt.exe, the icon changes to a default executable icon, so the icon itself shouldn’t fool anyone."
You misunderstood his point.
His point was that if the bad boys rename VIRUS.EXE to USEFUL_DOCUMENT.EXE and change the Icon *inside* the executable to resemble the icon of a Word document or a text file, many people would think it is a text file – despite the extension.
Of course, a double extension like .DOC.exe would make it even more devious.
Hello George,
This is Mikko from F-Secure; I wrote the original blog post you’re referring to.
Your comments are perfectly valid as long as you’re using Internet Explorer and Outlook as the *only* way to introduce new files to your computer. In the real world that’s not the full picture.
For example, I clicked on the demo link in your post, downloaded text.txt.zip, opened the zip in Windows Explorer and double-clicked on text.txt.cmd.
It executed with NO security prompts whatsoever.
This was with Opera 9 web browser.
Same thing applies to email; Outlook will flag files as coming from the Internet, other clients might not.
There are plenty of ways you can introduce executable files to a computer:
- Non-Microsoft web and email clients
- File shares
- USB thumb drives
- CD-ROMs
- Bittorrent and other P2P clients
- etc.
Again, as an example: there’s plenty of existing worms that copy files with double extensions and tempting names to shares and removable drives.
Think about files with names like:
E:\PRESENTATION.PPT .exe
E:\DOCUMENT.DOC .exe
E:\PORNVIDEO.AVI .exe
Many would click on these, especially if the icon of the file looks like a document icon – and if Windows hides the ".exe" part of the name,
And, since the worm itself has created these files on another, already-infected computer, they don’t have any Zone information in them and Windows Explorer would not prompt the "Security Warning" on them.
Bottom line: I still fail to see why Windows insists on hiding the last extension in the filename. It’s just misleading.
Cheers,
Mikko Hypponen
F-Secure Corp
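The two sides of this thread are arguing about one mechanism: the Zone.Identifier alternate data stream ("mark of the web") that IE and Outlook write to downloaded files, which is what triggers the Attachment Execution Service warning George describes at the top of the post, and which is absent from files a worm has copied onto a share or USB drive, as Mikko points out above. The following PowerShell script is an added example, not code from the post or from F-Secure: it reads that stream from a file, reports which zone (if any) it records, and flags names of the "DOCUMENT.DOC .exe" shape that would display as documents when extensions are hidden. The executable-extension list, the temp-folder layout and the sample file names are assumptions constructed for the demo; it needs NTFS and PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example (not from the post or F-Secure): audit a folder for files that
# (a) would look like documents if "hide extensions for known file types" is on, and
# (b) carry no Zone.Identifier stream, so the Attachment Execution Service will not warn.
# Requires NTFS and PowerShell 3.0+ (-Stream parameter). Extension list is an assumption.

$ExecutableExtensions = @('.exe', '.com', '.cmd', '.bat', '.scr', '.pif', '.msi', '.vbs', '.js')
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneId {
    # Returns the ZoneId recorded in the Zone.Identifier alternate data stream, or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-DisguisedName {
    # True when the real (last) extension is executable and the name Explorer would show with
    # extensions hidden still ends in another extension, e.g. "REPORT.DOC .exe" shows as "REPORT.DOC".
    param([Parameter(Mandatory)][string]$Name)
    $last = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($ExecutableExtensions -notcontains $last) { return $false }
    $shown = [System.IO.Path]::GetFileNameWithoutExtension($Name).TrimEnd()   # what Explorer displays
    $inner = [System.IO.Path]::GetExtension($shown)
    return ($inner.Length -gt 1)
}

function Get-SuspiciousFiles {
    # Lists disguised executables in a folder together with their zone marking (or lack of one).
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Force | ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        $zoneName = '(none: no AES prompt)'
        if ($null -ne $zone) { $zoneName = $ZoneNames[$zone] }
        [pscustomobject]@{
            Name      = $_.Name
            Disguised = Test-DisguisedName -Name $_.Name
            ZoneId    = $zone
            Zone      = $zoneName
        }
    } | Where-Object { $_.Disguised }
}

# --- Demo with constructed files in a temp folder ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('zone-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$downloaded = Join-Path $demo 'DOCUMENT.DOC .exe'      # pretend a browser saved this
$copied     = Join-Path $demo 'PRESENTATION.PPT .exe'  # pretend a worm wrote this to a share
$plain      = Join-Path $demo 'notes.txt'
foreach ($f in $downloaded, $copied, $plain) { New-Item -ItemType File -Path $f | Out-Null }
# Simulate what IE/Outlook do on download: write the mark-of-the-web stream with ZoneId=3 (Internet).
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-SuspiciousFiles -Folder $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run as a normal user on an NTFS volume. The table shows DOCUMENT.DOC .exe marked Internet (zone 3), which is the case where Explorer prompts, and PRESENTATION.PPT .exe with no stream at all, which is the worm-on-a-share case where it does not; notes.txt is not listed because its real extension is harmless. The same Get-ZoneId check is a cheap thing to add to any ingest or mail-gateway script that wants to know whether a file will reach the user with or without that prompt.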
That’s fine Mikko, but I think you should point out that MOST default vectors on the Windows platform are indeed covered and advanced users who don’t use IE probably know better and already undo the extension hiding. As for those applications you mention that fail to mark files untrusted, that’s a security failure in those particular applications from third party vendors. You should blame those third parties for these problems and not Microsoft.
As for sneakernet techniques, autorun is a MUCH larger risk than this particular vector. But again, I would prefer that Microsoft stop hiding file extensions but it isn’t really accurate to portray this as a Windows 7 issue nor is it even a marginal security issue.
I don’t really think this applies to Microsoft. This has been around for years. You have one of two choices and either one comes down to educating the end user.
1. Disable the file extensions by default and teach the users what changing the file extensions do (Something I already implement at my work site.)
2. Hide the file extensions and teach the users to scan any files that they save to their computer or open on a source that may not be trustworthy. (Again, something I do already at my work site.)
Should this be even considered an exploit?
dietrich: That’s not true at all; any tar archive can store files with +x. For this problem, it would depend on whether the distro lets people run executables just by clicking on them, which it shouldn’t.
I don’t like having extensions shown because I usually forget to add the extension when renaming a file, causing other problems. I have other habits that help me prevent opening unwanted executables. This is how it has been as far as I can remember. Why is showing extensions an issue now? The average user is not interested in knowing what the file extension is, and probably doesn’t even know what an extension is. An advanced user would just set the computer to show the extensions if needed. Educating the users is definitely the way to go. And why blame Microsoft for the way third party apps work…what is that?!
"advanced users who don’t use IE probably know better and already undo the extension hiding"
The experts should be making the policies to protect the general public who do not possess the knowledge of either the potential vulnerabilities or the procedures to prevent impact. If the "people who know" do something, it should be done automatically for the "people who have no clue".
Kelbo, it already is done automatically. But if you, the user, go out of your way to change the default applications to something else that doesn’t automatically flag untrusted files, then you either should know better or you’re responsible for your own actions.
This sounds like the exploit that requires administrative privileges to work.
I find this incredible because it’s coming from a firm that is responsible for probably the worst anti-malware program in the world. Don’t you believe me? Have a look at this:
http://www.youtube.com/watch?v=ZlHgZBkwyEg
http://www.youtube.com/watch?v=OUTWqHIFzM8
F-Secure Fails
“But if you the user goes out of your way to change the default applications to something else that doesn’t automatically flag untrusted files, then you either should know better or you’re responsible for your own actions.”
That is silly; there are many reasons to use Firefox instead of IE nowadays, and many people who are not extremely knowledgeable do. There is no warning anywhere in Windows 7 that installing non-Microsoft software will open you to this kind of danger.
Arguably, the addition of this ‘flagging an executable as possibly dangerous’ means that this problem is now a security hole in any program that does not use it. Saying that there is no security hole because anyone who does not use Microsoft software should know what he is doing is silly, however.
(And, incidentally, I think that, since simply displaying the file types would fix the problem to some degree, MS is still partly to blame).
The other thing that annoys me about hiding extensions is a setup program
setup.exe, setup.msi, setup.ins, setup.txt, setup.com
“please click on setup”
Which one???
With this, it’s easy to release something that has a similar name to a genuine program (does anyone remember companion viruses?) and for it to launch the genuine article, thereby hiding the realisation that something is amiss.