Comments on: F-Secure is mistaken regarding Windows 7 RC security “fail”

By: Sean

Sean — Thu, 27 Aug 2009 22:01:18 +0000

The other thing that annoys me about hiding extensions is a setup program

setup.exe, setup.msi, setup.ins, setup.txt, setup.com

“please click on setup’

Which one???

With this, it’s easy to release something that has a similar name to a genuine program (does anyone remember companion viruses) and for it to launch the geniune article, thereby hiding the realisation that something is amiss

By: Jan

Jan — Tue, 25 Aug 2009 19:08:05 +0000

“But if you the user goes out of your way to change the default applications to something else that doesn’t automatically flag untrusted files, then you either should know better or you’re responsible for your own actions.”

That is silly; there are many reasons to use Firefox instead of IE nowadays, and many people who are not extremely knowledgeable do. There is no warning anywhere in Windows 7 that installing non-Microsoft software will open you to this kind of danger.

Arguably, the addition of this ‘flagging an executable as possibly dangerous’ means that this problem is now a security hole in any program that does not use it. Saying that there is no security hole because anyone who does not use Microsoft software should know what he is doing is silly, however.

(And, incidentally, I think that, since simply displaying the file types would fix the problem to some degree, MS is still partly to blame).

By: Jvans

Jvans — Tue, 12 May 2009 11:17:32 +0000

If find this incredible because it’s coming from a firm that is responsible for problably the worst anti-malware program in the world. Don’t you believe me . Have a look a this :

http://www.youtube.com/watch?v=ZlHgZBkwyEg

http://www.youtube.com/watch?v=OUTWqHIFzM8

F-Secure Fails

By: gubment.cheez

gubment.cheez — Tue, 12 May 2009 11:17:29 +0000

this sounds like the exploit that requires administrative privleges to work

By: George Ou

George Ou — Sat, 09 May 2009 14:03:18 +0000

Kelbo, it already is done automatically. But if you the user goes out of your way to change the default applications to something else that doesn’t automatically flag untrusted files, then you either should know better or you’re responsible for your own actions.

By: Kelbo

Kelbo — Sat, 09 May 2009 14:02:18 +0000

"advanced users who don't use IE probably know better and already undo the extension hiding"

The experts should be making the policies to protect the general public who do not possess the knowledge of either the potential vulnerabilities or the procedures to prevent impact . If the "people who know" do something, it should be done automatically for the "people who have no clue".

By: ctelon

ctelon — Fri, 08 May 2009 14:11:25 +0000

I don’t like having extensions shown because I usually forget to add the extension when renaming a file, causing other problems. I have other habits that help me prevent opening unwanted executables. This is how it has been as far as I can remember. Why is showing extensions an issue now? The average user is not interested in knowing what the file extension is, and probably don’t even know what an extension is. An advanced user would just set the computer to show the extensions if needed. Educating the users is definitively the way to go. And why blame Microsoft for the way third party apps work…what is that?!

By: sneeze

sneeze — Thu, 07 May 2009 21:02:28 +0000

dietrich: That’s not true at all; any tar archive can store files with +x. For this problem, it would depend on whether the distro lets people run executables just by clicking on them, which it shouldn’t.

By: nuCrash

nuCrash — Thu, 07 May 2009 17:26:03 +0000

I don't really think this applies to Microsoft. This has been around for years. You have one of two choices and either one comes down to educating the end user.

1. Disable the file extensions by default and teach the users what changing the file extensions do (Something I already implement at my work site.)

2. Hide the file extensions and teach the users to scan any files that they save to their computer or open on a source that may not be trustworthy. (Again, something I do already at my work site.)

Should this be even considered an exploit?

By: George Ou

George Ou — Thu, 07 May 2009 12:22:56 +0000

That’s fine Mikko, but I think you should point out that MOST default vectors on the Windows platform are indeed covered and advanced users who don’t use IE probably know better and already undo the extension hiding. As for those applications you mention that fail to mark files untrusted, that’s a security failure in those particular applications from third party vendors. You should blame those third parties for these problems and not Microsoft.

As for sneakernet techniques, autorun is a MUCH larger risk than this particular vector. But again, I would prefer that Microsoft stop hiding file extensions but it isn’t really accurate to portray this as a Windows 7 issue nor is it even a marginal security issue.