
May 5th, 2009

Windows 7 still allows unsafe files to be disguised as safe files

Posted by Adrian Kingsley-Hughes @ 7:58 am


[UPDATE: The folks at F-Secure have posted a Q&A on this issue:

Q: But if the file came from the Internet, Explorer will warn you that it came from an "Untrusted Zone"!
A: Only if you use Internet Explorer to browse the web and Outlook to download your e-mail attachments. There are plenty of other ways to download files from the net: 3rd party web and e-mail clients, BitTorrent and other P2P clients, chat programs etc. Also, you can't rely on such warning dialogs if the file is on a network share or on a USB drive.

A very good point.]

The good folks at F-Secure uncover the first Windows 7 security fail … and it’s a classic.

The issue in question is nothing new. In fact, it’s been around for so long that I didn’t even bother checking to see if it had been fixed.

You see, in Windows NT, 2000, XP and Vista, Explorer used to Hide extensions for known file types. And virus writers used this “feature” to make people mistake executables for stuff such as document files.

The trick was to rename VIRUS.EXE to VIRUS.TXT.EXE or VIRUS.JPG.EXE, and Windows would hide the .EXE part of the filename.

Additionally, virus writers would change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled.

Surely this won’t work in Windows 7.

Let's try.

Hmm. It sure looks like a text file in Explorer:

OK, the sort of person who reads ZDNet would immediately spot what’s going on here, but for everyone else out there in “computerland” this sort of trickery could well go unnoticed.

Personally, the whole idea of being able to hide file extensions just doesn’t make sense to me, and it’s still one of the first “features” that I turn off when I install Windows. Combined with the ability to change the icon on certain potentially dangerous file types such as .EXE files, it’s a very easy way to get people clicking on the wrong sorts of files.
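An added example, not code from the article or from F-Secure: a Python audit that lists files whose real extension is executable but whose name, once the final extension is hidden, ends like a document or image. The extension lists, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists for this example; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls"}

def displayed_name(filename):
    """Name shown with extension hiding on, assuming a registered file type."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def is_disguised(filename):
    """True if the real type is executable but the visible name ends like a document."""
    stem, real_ext = os.path.splitext(filename.lower())
    shown_ext = os.path.splitext(stem)[1]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DECOY_EXTS

def has_pe_header(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def scan(root):
    """Return (relative path, displayed name, has PE header) per disguised file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if is_disguised(name):
                full = os.path.join(dirpath, name)
                findings.append((os.path.relpath(full, root),
                                 displayed_name(name), has_pe_header(full)))
    return findings

def demo():
    """Scan a temporary directory of constructed sample files."""
    samples = {
        "VIRUS.TXT.EXE": b"MZ\x90\x00",      # constructed; name from the article
        "photo.jpg.scr": b"MZ\x90\x00",      # constructed
        "setup.exe": b"MZ\x90\x00",          # honest executable, not flagged
        "notes.v2.txt": b"plain text\n",     # extra dots alone are not flagged
        "holiday.jpg": b"\xff\xd8\xff\xe0",  # constructed image header
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for rel, shown, pe in demo():
        print(f"{rel} is shown as {shown} (PE header: {pe})")
```

Pointing `scan()` at a download folder, network share or removable drive covers the cases where no zone warning appears.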

What could Microsoft do? Maybe disable the ability to hide file extensions and add some sort of overlay image onto executables that aren’t digitally signed.

[UPDATE: Just to be clear here, I'm not labeling this as a high risk, but rather as a piece of legacy from a bygone era where the risk that someone is fooled outweighs the benefits of trimming four characters off the end of a filename.]

Thoughts? Ideas?

