Windows 7 fails to close longstanding loophole

May 6, 2009

A security firm is complaining that Microsoft has failed to fix a security flaw dating back to before Windows XP. F-Secure notes that Windows 7 will continue a pattern of allowing hackers to disguise executable files as safer document files.

The problem involves an intentional feature in all editions of Windows since NT, namely that Windows Explorer hides the extension on the name of any file which is of a recognized type. It’s designed for a cleaner look, meaning for example that a Word document appears simply as ‘Filename’ rather than ‘Filename.doc’.

However, this is open to abuse by hackers as, to use F-Secure’s example, they simply rename VIRUS.EXE as VIRUS.TXT.EXE. Windows automatically hides the .EXE element of the name, meaning it appears to the reader as ‘VIRUS.TXT’. If the hackers can change the file to display the icon associated with the text file, it’s very easy for a user to be confused.

Of course, it’s not a good idea to open any file you are uncertain about, particularly document files which could exploit a vulnerability in packages such as Microsoft Office. But in cases such as attachments sent through e-mail worms, it’s much easier to trick a user into opening a ‘document’ supposedly coming from a friend or colleague than an executable file.
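For anyone filtering attachments or auditing a download folder, the disguise described above can be checked for mechanically. The following Python sketch is an added example, not code from F-Secure or Microsoft: it models the name Explorer would show with the hide-extensions option on and flags files whose real extension is executable while the visible name ends in a document extension. The extension lists and sample file names are assumptions constructed for illustration.

```python
import ntpath

# Assumed lists for illustration; Windows decides "known types" from its
# own file-association registry, not from a fixed list like this one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".xls", ".rtf"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename, hide_known=True):
    """Simplified model of the name Explorer shows for a file.

    hide_known mirrors the "Hide extensions for known file types" option.
    """
    name = ntpath.basename(filename)
    base, ext = ntpath.splitext(name)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return base
    return name


def is_disguised_executable(filename):
    """True when the real (last) extension is executable and the part
    left visible after hiding it ends in a document extension."""
    base, ext = ntpath.splitext(ntpath.basename(filename))
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, inner_ext = ntpath.splitext(base)
    return inner_ext.lower() in DOCUMENT_EXTS


def audit(filenames):
    """Return (real name, name the user sees) for each suspicious file."""
    return [(f, displayed_name(f)) for f in filenames
            if is_disguised_executable(f)]


# Constructed sample names; only the first comes from the article.
SAMPLE = ["VIRUS.TXT.EXE", "report.doc", "setup.exe",
          "notes.v2.txt", "Holiday.JPG.scr"]

if __name__ == "__main__":
    for real, shown in audit(SAMPLE):
        print(f"{real!r} is executable but would be shown as {shown!r}")
```
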

Given that Microsoft has shown it’s willing to sacrifice a ‘useability’ feature for the sake of security with its recent decision to switch off AutoPlay for USB drives in Windows 7, it’s still possible the firm will change the file extension loophole in response to the publicity that’s developing over F-Secure’s comments.

However, given the system is at the release candidate stage where theoretically only major security and performance flaws are fixed, it could be that Microsoft waits until the first service pack to change policy, if indeed it does so at all.


2 Responses to “Windows 7 fails to close longstanding loophole”

  1. Geoff Uidam:

    Please… John, if you’re going to be the tech writer on this site about W7, can you please actually use Windows before you start suffering from “keyboard”-(verbal)-diarrhea? If you’ve used any Windows OS at least as far back as XP/NT days, you’ll notice that Explorer has Options (wow) that you can turn on and off.
    One of these is a simple checkbox, “Hide(/Unhide) extensions for known file types”.
    The ‘hide’ is turned on by default, 5 clicks later (in XP) and it’s off (Tools > Options > View > Untick “Hide extensions…” > OK).
    By your description of “security flaw”, some of the files used by the Oracle JInitiator, which many corporate organisations make use of, would be considered a security risk. Let’s watch as all corporates stop using Windows because of your hype about a false “flaw”, which any user can resolve now with the 5 clicks stated above.

  2. John Lister:

    Geoff — Thanks for your feedback, and for the explanation of how to change the settings. That’s definitely something I should have included in my piece.

    I felt ‘flaw’ was a more accurate term in this case than ‘bug’ or other terms used for security issues. As well as the literal flaw in Windows Explorer itself (that it can effectively be fooled by a bogus file extension appearing before the legitimate file extension), there’s also a strong argument that Microsoft’s decision to keep this default setting is itself flawed by favoring useability/aesthetics over security.



Copyright © 2009 Blorge.com