Experts: Windows 7 at risk from legacy flaw


Microsoft has failed to remove a long-recognised Windows Explorer security risk from Windows 7, according to security company F-Secure.

The 'hide extensions' feature, which was present in Windows NT, 2000, XP and Vista, is included in the Windows 7 release candidate, F-Secure's chief research officer, Mikko Hyppönen, said. The feature could allow virus writers to trick users into opening and running malicious files, he added.

"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hyppönen wrote in a blog post on Tuesday. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."

For example, malicious code writers could name a 'virus.exe' file as 'virus.txt.exe' or 'virus.jpg.exe', he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see 'virus.txt' or 'virus.jpg'. Additionally, virus writers would change the icon displayed with the file in Windows Explorer so it looked like the icon of a text file or an image. Users might then click on the disguised file.
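The naming trick above is easy to check for on the receiving side. The following is an added example, not code from F-Secure or the article: it reproduces what Explorer would display with extension hiding on (only the final extension is dropped) and flags names whose visible part ends in a document or image extension while the real extension is an executable or script type. The extension lists and the sample attachment names are constructed for the example; the .PDF.HTM case comes from a reader's comment on this page.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Extensions Explorer treats as "known" that run code or script when opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat", ".vbs", ".js", ".htm", ".html"}
# Extensions a user reads as a harmless document or picture (assumed list).
DECOY_EXTS = {".txt", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".xls"}


@dataclass
class Verdict:
    real_name: str
    displayed_name: str      # what Explorer shows with "hide extensions for known file types" on
    real_ext: str            # the extension that actually decides how Windows opens the file
    decoy_ext: Optional[str]  # the extension left visible once the real one is hidden
    deceptive: bool


def explorer_display_name(name: str) -> str:
    """Explorer hides only the final extension, so 'virus.txt.exe' is shown as 'virus.txt'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def assess(name: str) -> Verdict:
    """Compare the real (last) extension with the one the user would still see."""
    stem, ext = os.path.splitext(name)
    real_ext = ext.lower()                      # .HTM and .htm are the same to Windows
    decoy_ext = os.path.splitext(stem)[1].lower() or None
    deceptive = real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS
    return Verdict(name, explorer_display_name(name), real_ext, decoy_ext, deceptive)


def flag_attachments(names: List[str]) -> List[Verdict]:
    """Return only the names that rely on extension hiding to look benign."""
    return [v for v in map(assess, names) if v.deceptive]


# Constructed sample attachment names; the first three mirror examples on this page.
SAMPLE_NAMES = ["virus.txt.exe", "virus.jpg.exe", "statement.PDF.HTM",
                "report.pdf", "xxxpdf.exe", "setup.exe"]

if __name__ == "__main__":
    for v in flag_attachments(SAMPLE_NAMES):
        print(f"{v.real_name!r} is shown as {v.displayed_name!r}; real type is {v.real_ext}")
```

Note that `xxxpdf.exe` is not flagged: with no second dot there is no decoy extension for Explorer to leave behind, which is the distinction the commenters below argue about.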

The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers on 30 April.

Microsoft had not responded to a request for comment at the time of writing.

Talkback

Is this really a flaw? I'm not convinced; it's certainly debatable.

Would it really make a difference if the whole extension was visible? I suspect it would make very little difference if it was. If you have a good understanding of extensions then you are likely to have a good chance at spotting something is wrong with the file. Present the average user with a file showing the extension and it means nothing; if it looks like a photo they'll click on it regardless of the extension.

knapper 6 May, 2009 14:01

"if it's not a security issue, why do we see file extensions such as .txt.exe or .txt.cmd or .txt.pif on malware already? It's obviously there to fool someone."

http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=64144&messageID=1193168

On a personal note, I've received several emails recently, supposedly from my Bank and containing a "PDF" file. Except that they actually contain a .PDF.HTM file containing a suspiciously long line of binary data in Javascript code...

Chris Rankin 6 May, 2009 20:06

The issue is more like this:

1) Is your User community or group too stupid to protect themselves? Or stated another way: "Do you trust your User groups to always do the right thing?"

2) Do you want to do everything you can to protect your Windows related infrastructure?

3) Are you tired of fixing and delousing malware infected desktops?

I view it as one more thing to add to the checklist to secure the systems from the Users' virtually certain inability to protect themselves and their work pro-actively.

Windows XP Pro and Home editions are practically useless with a lot of software applications if the default install is done into c:\Program Files AND the User is actually set up as User and not local Admin.

Users on Visaster, complain constantly about the UAC window boxes that come up if a desktop has it locked down. That has more than likely caused IT Admins to loosen security on the main complainers' desktops.

Windows 7 looks like it will mitigate some of that but the UAC infrastructure is still there.

A social experiment I would like to run would be to have the Users sign a voluntary reimbursement agreement. Subsequently, if it is found that the User installed something that he/she shouldn't have, violated security policies of the IT department, used an elevated logon when they shouldn't have, opened email attachments from unknown senders or with prohibited filename extensions or deliberately web-surfed sites on the black-list, the penalty should be their hourly pay-rate times the number of hours required by the IT tech to fix the malware. Assigned to the slowest and most methodical IT technician, a couple of instances and suddenly the entire corporate domain User groups would be in compliance quickly!

Users who won't sign the agreement, only get User status on their logon. No Local Admin or PowerUser privileges.

Of course, the IT department would have to devise a really tight security profile that would be applied to the User logons. Logging successful user logons in the event file with the User and LocalAdmin profiles denied browse or read access to the event logs would document who was on the system when things went sour.

Obviously this entire experiment could be un-done by the pointy-haired bosses caving in to User pressure to get it changed back OR showing favoritism for certain "pet" employees.

Xwindowsjunkie 7 May, 2009 04:20

The virus writers believe that sticking .pdf somewhere in the file name is good enough. What is the evidence that virus writers are using this "flaw" in the way described? I haven't read Adrian Kingsley-Hughes' blog, but may I offer this suggestion, with some actual evidence to back it up.

There are a heck of a lot of users out there who understand a little bit about extensions, spot pdf and think "oh, that's alright, it's a pdf" and don't understand the significance of the following extension. As evidence I would use phishing attacks. In these it's common for the name of the target institution to appear in the address; users look at the address, see the address and are fooled. On the other hand, those who understand URLs can clearly see they're fake because of all the other stuff in the address.

"On a personal note, I've received several emails recently, supposedly from my Bank and containing a "PDF" file. Except that they actually contain a .PDF.HTM file..."

This sort of proves my point: you saw the whole extension. Email clients tend to do that, including Outlook Express. To get saved onto your computer to be seen in Windows Explorer, users will already have seen the extension and ignored any issues with it.

knapper 7 May, 2009 13:09

"This sort of proves my point, you saw the whole extension."

So the point I've really demonstrated is that seeing the whole file name is a really Good Idea and that hiding the extension is a Bad Thing. (GNU/Linux boxes don't hide file extensions, of course.) I only mentioned this at all because it was a genuine piece of malware that I had received recently that was actively trying to leverage this odious feature of Windows.

"The virus writers believe that by sticking .pdf somewhere in the file name is good enough."

Only if the true .HTM extension gets hidden...

"There are are a heck of a lot of users out there who understand a little bit about extensions, spot pdf and think "oh thats alright it's a pdf" and don't understand the significance of the following extension."

Rubbish. Have you ever seen a malware file named xxxpdf.exe, pdf.xxx.exe or xxxpdfxxx.exe? These files are consistently named xxx.pdf.exe in order to leverage Windows "extension hiding" capabilities.

"I haven't read Adrian Kingsley-Hughes blog"

It's not a long blog, and I did provide the link...

Chris Rankin 7 May, 2009 13:32

I agree with you Knapper, nothing serious here. It's just Redmond continuing on with what they have always done: not fixing the problems.
They should have done a complete rebuild of XP, but they decided to keep everything integrated so a hacker can roam your HD at will and get all the info he needs. Thanks to Redmond I switched to Linux, and have never looked back. Windows is okay for games, but hook it to the internet and you are asking for trouble.

ator1940 7 May, 2009 15:03

Windows 7 at risk from security flaw?

Which windows edition hasn't had a flaw?

What is amazing is that the 'hide extensions' feature was also present in Windows NT, 2000, XP and Vista!!!

TFD

thinkfeeldo 7 May, 2009 15:43

-----
"This sort of proves my point, you saw the whole extension."

So the point I've really demonstrated is that seeing the whole file name is a really Good Idea and that hiding the extension is a Bad Thing. (GNU/Linux boxes don't hide file extensions, of course.) I only mentioned this at all because it was a genuine piece of malware that I had received recently that was actively trying to leverage this odious feature of Windows.
----

What you've demonstrated is that someone who is technically savvy spotted the extension and understood its meaning. I'm not saying that's not the case.

-----
"There are are a heck of a lot of users out there who understand a little bit about extensions, spot pdf and think "oh thats alright it's a pdf" and don't understand the significance of the following extension."

Rubbish. Have you ever seen a malware file named xxxpdf.exe, pdf.xxx.exe or xxxpdfxxx.exe? These files are consistently named xxx.pdf.exe in order to leverage Windows "extension hiding" capabilities.
-----

Chris, this is not rubbish; it's a fact that I have experience of. I don't appreciate being called a liar. If you want to have a debate we can, but only if you can maintain it sensibly. My point is that many users understand that an extension is a dot followed by something else; they don't really have a good understanding of it though, hence my point about phishing.

knapper 9 May, 2009 14:50

"What you've demonstrated is that someone who is technically savvy spotted the extension and understood its meaning."

The point you've missed is that the true extension was *there to be spotted* in the first place! And this is a crucial point when the topic of conversation is how Windows hiding the true file extension is a security risk.

"Chris, this is not rubbish, it's a fact that I have experience of. I don't appreciate being called a liar."

Huh? I was saying that you are *wrong*, which is completely different to calling someone a liar. I also explained *why* you are wrong: malware authors *always* construct their fake file names to leverage Windows extension-hiding capabilities. They wouldn't bother unless they expected to fool people by it.

Chris Rankin 9 May, 2009 16:07
