Win 7 RC fails to thwart well-known hacker risk

An almost-ready version of Windows 7 retains a feature from Windows NT which expedites a well-known hacker trick, according to net security experts. Win 7 RC omits a fix for a long-standing security shortcoming in Windows Explorer. As with previous versions of Windows, dating all the way back to Windows NT, the version of …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Thumb Down

    Oh FFS...

    ...surely they should have stamped on this one by now. It's always on my list of "things I have to do when I install windows to stop it sucking quite so much". It's purely cosmetic, and what's more, it makes it a pain in the a*se to change a file's extension in explorer.

    Seriously, I hope they get rid of this "feature" before 7 proper comes out.

    (As an aside, Windows "7" appears actually to be Windows NT 6.1... what's going on there?)

  2. Anonymous Coward

    errr..

    kinda a non story, you only have to go into the settings for explorer and change the setting back. IF they had set it as default to show extensions then the average user would be confused because they are not used to seeing extensions!

    Hardly newsworthy but I guess the internet anti MS group need something to bash on windows 7 for, clutching at straws if this is all they come up with.

  3. Brian Whittle

    why

    I never understood why Microsoft insist on this.

    I thought though would the total numnuts who have PCs (but shouldn't) realise not to click on stuff if it had a .exe extension?

    I am not saying you are a numnut if you buy a Windows PC but some people are clueless

  4. Ash
    Thumb Down

    Non story

    The alternative side is when extensions are shown in file names, people DELETE them when renaming files "because they looked untidy" or "because that's not the name I wanted to call it" and they screw something up, or "lose their work" and cause headaches.

    Keep extensions hidden.

    @Christopher; Windows NT 6.1 is the kernel revision. NT5 was Windows 2000, 5.1 was XP, 6 was Vista, 6.1 is Win7. The underlying system is from Win Vista is all it means.

  5. Chris Dickens

    Why not...

    If they like the feature so much, why not just always display the extension on executables or, even better, add an overlay icon (like the shortcut arrow) to all executables.

    Since few people actually ever see the .exe (only the shortcut) that would make it very obvious it's an executable and make it impossible to disguise it.

    Perhaps I should patent that idea....

  6. Stuart Clark

    Non story

    Very much a non-story. Yes, of course virus writers can "exploit" this "bug", but in fact it's a feature created to make things prettier for users.

    And the feature doesn't date from NT - it dates from Windows 95!

  7. D@v3
    Thumb Down

    just for the record

    The AutoPlay has not been disabled by default. I am sitting here with Win7 in front of me, I plug in a Kingston USB drive, and up pops the AutoPlay window.

  8. Anonymous Coward

    @errr...

    It's the common user that doesn't know to turn extensions on, that would more likely get tricked by it.

    And users will always be confused about it if they never get the chance to learn. Look at other applications/OSs that only highlight the filename portion of the file whenever you click rename/F2 etc...

  9. Tony Hoyle

    @AC

    That's the point. The average user will not know how to change the settings, and will click on anything that looks like a jpeg - exactly the problem described.

    To say they're not used to seeing extensions is bunkum - they turn up in all sorts of places (the web for example, and emails) and people are quite happy with them. Hiding them in explorer never made any sense... if MS really want secure by default they should apply it consistently.

  10. Alex
    Thumb Down

    How do MS win?

    This seems a bit of a non-story and a non-issue - While security firms may like to take a jab at MS over this insecurity that isn't an insecurity, if Explorer did show filetypes by default, the same Joe Home User that would get stung by virus.jpg.exe with filetypes hidden is the same type of user who will try to convert all his music to mp3 by renaming bobdylan.wav to bobdylan.mp3 then wonder why it doesn't work any more, or won't know the extension is needed in the first place and shorten reallyimportantfinances.doc to finances then find he has no functioning finances document any more, despite the warning given when you try to rename a file and change its extension.

    As far as I'm concerned the "problem" is 6 of one and half a dozen of the other, so why not have it default to the one that's nicer looking for the large majority of MS's customers who don't know *or care* about file extension types.

  11. abigsmurf

    Wow...

    You're really stretching for this one.

    This 'bug' is in place because it's what users want. There's no real way to defend against user stupidity. Pretty much every program known to man will warn you when downloading an executable, they'll definitely warn you if you try and open a download.

    That aside, it takes what, 10 seconds to unhide extensions?

  12. Anonymous Coward

    @errr

    Man you're dumb.

    Normal users don't change it back because they don't know about it, it's a steadfast vx social engineering move. It's classic, and it's used successfully time and time and time again.

    It's pure stupidity that an option to obscure the extension in the first place exists.

  13. Anonymous Coward

    @AC 10:35 errr..

    I think the article writer has a very valid point. It may be blindingly obvious to the likes of you and me what a file's extension really is, but it's not to the average home user (whose PCs are the target of malware and botnet software most of the time). Most of these users won't even know that they can turn off this feature, never mind know how.

    It should matter a lot that it is precisely this feature that enables the spread of a fair percentage of malware and viruses and that Microsoft still choose to have it activated by default.

    Besides all that, it's my opinion that it really doesn't bring any benefit to the end user anyway, which is why nearly all people who know how to, turn it off.

  14. nicolas
    Dead Vulture

    autoplay disabled ??

    well, I installed the RC yesterday and autoplay was checked by default for ALL types...

    Maybe they meant to do that, but it was not done...

    Check for yourself!

  15. Scott Broukell
    Stop

    windowze for lazy fu**ers

    that's what you get with an OS written for a mass user-base of lazy tards who haven't a clue what the f**k is going on when they click hither and thither. The spread of malware is proliferated by the "home user" group who take the cheap arse machine out of the box, plug it into everything it will plug into and leave it switched on / connected without a care in the world.

    Microsoft would lose profit if each user had to pass a competence test. So they prefer to sell the bells and whistles medja experience to the masses and let the vxer's crack on with lifting info and hosting bots etc. - so long as those holiday snaps show up when you visit "My Pictures" nobody gives a sh*t. It's all about laziness - let us do the things you want (don't understand) for you with magical clicks and jolly animated icons, it must be good :-)

    Now then, where does the responsibility lie, with the producer or the user, ....mmmmm

  16. David Gosnell

    Re: errr..

    Would the average user likely to fall for such trickery know about such settings? This is preaching to the converted.

  17. George

    I agree, not newsworthy

    And it even says that it is more social engineering than anything. For a start the virus should be picked up by a virus scanner not by the user with a different extension.

    MS do a lot wrong but I would say the amount of users now worried about their AV software has shot up whereas even around 1 year ago people would use PCs for months without AV.

  18. Antoinette Lacroix

    On the other hand

    Do you really think it'd make a difference to the so called "average user" if he sees extensions by default ? Most of them don't even know what an executable is.

  19. Daniel Bennett
    Stop

    Overhype about nothing!

    Seriously, it's not a problem at all and can easily be fixed by going into a folder, press ALT to show the menu bar, click tools - folder options and untick the "Show known extensions" bit... taadaaaa!

    I admit that by default they should have this unticked... But it's not a massive problem as people make it out to be :/

    If you try to open a .jpg.exe and you find it's opening a DOS prompt or something rather than your default image viewing program then you need a slap :/

  20. Matt
    Jobs Halo

    Not just Windows though...

    OS X lets you disguise files as other types, and even lets you change the icon in the Finder. It's not a big issue though, because it's a decent, permissions-based OS. So if Joe Bloggs inadvertently executes a malicious, nothing untoward will happen unless he supplies an admin username and password. And if he DOES unwittingly enter credentials just to open a .jpg without raising an eyebrow, he deserves all he gets...

    The real question is whether Win7 will allow the malware to run without throwing up a UAC prompt, and just grant it full permissions to do what the hell it likes in C:\Windows\...

  21. Anonymous Coward

    well..

    .. nice to see el reg falling into the daily mail trap, with a nice headline of "MASSSIVE SECURITY FLAW" when in actuality, it's a setting, one that won't stop users double clicking on any old trash they got via emails if it was set to show extensions in the first place.

    Also one of the posts above had it in one, people do stupid things like delete extensions if they see them and they are not used to it, to make the file name better!

    Non-story overhyped, el reg is now part of the generic mass media :(

  22. Anonymous Coward

    Ash is right...

    "Do you really think it'd make a difference to the so called "average user" if he sees extensions by default ? Most of them don't even know what an executable is."

    Yes it would make a difference because, as mentioned above, people would delete the extensions when renaming files, then cry when they "don't work" any more.

    Remember, the average user needs their PC to be as complicated as their toaster, or they panic. File extensions, or files not opening when double clicked, scare them. Simple as.

    Me, I'm all for making people learn how to use a PC before employing them, but then, I'm biased, right?

  23. Wize

    I want my extensions shown

    The idiot users who delete them because they don't like the look will have to learn, like everyone else has done till now, not to change the extension.

    I get trouble from users who have several files in the one directory with the same name and they don't know what one to run (setup.exe, setup.ini, etc)

  24. Jason Togneri
    Boffin

    @ Simon

    "And users will always be confused about it if they never get the chance to learn. Look at other applications/OSs that only highlight the filename portion of the file whenever you click rename/F2 etc..."

    Umm... well, at least Vista (and I assume Win7) do this by default nowadays.

  25. Anonymous Coward

    I need a new office chair...

    "It is possible that Microsoft will thwart this particular social engineering trick, once the full version of the software becomes available in late October"

    Oh I laughed, I laughed so hard a little bit of wee came out. I do hope you typed that with tongue in cheek! If they genuinely cared that would have been quite high on the list of things to fix given how exploited it was last year.

  26. Paul Solecki

    Rear first....

    @D@v3 yeah but if you read what has actually happened, you can't create tasks in the Autoplay popup for USB devices. Nowhere does it say it's disabled.

  27. Stuart Castle Silver badge

    Extensions or not.

    "The alternative side is when extensions are shown in file names, people DELETE them when renaming files "because they looked untidy" or "because that's not the name I wanted to call it" and they screw something up, or "lose their work" and cause headaches.

    Keep extensions hidden."

    Ash, why would Windows users have problems with extensions, when users of other OSes (say, OSX) don't? If they don't know enough about computer use to know that extensions are a necessary part of the file name, then they may also be more likely to double click on a random file that turns out to be a virus.

    I say that Microsoft needs to do three things.

    1) SHOW extensions by default.

    2) Change autorun so it operates in the same way as OSX (Audio CDs and DVDs cause the relevant applications to start, but other disks do nothing)

    3) Start to move away from the idea of file extensions. Use a code in the actual file itself to denote format.

  28. Anonymous Coward
    Thumb Down

    Surely ...

    The problem is that Windows is an OS that relies on file extensions in the first place? The extension should not dictate the filetype to the OS unless in a fall-back situation where there are no registered applications for that file type?

    Linux "knows", for example, that this jpg I have on my desktop is in fact a jpg and offers to open it appropriately even though it has no file extension. Sticking a meaningless .exe (or any other dumb thing) on the end won't fool it into thinking it must be an executable and waste its time trying to run it.

    The problem is Windows, its file system and its reliance on the brain-dead file extension method of telling the OS what a file is meant to be. This PROVES that Windows is the same old crap under the hood that it has always been. A mediocre desktop OS entirely unsuited to the modern networked world. How much would it really take to revise and fix this behaviour? IT'S LAZY.

    Just Dumb, dumb dumb ...

  29. Dave Morfee

    Autoplay....

    I think you will find the window that pops up will ask what you want to do with it, but it will no longer have the option to run the exe file in that list

    Just the usual ones of exploring etc

  30. michael
    Stop

    @Greg Fleming

    all Linux does is hide the file extension in the file header rather than in the open and when the DOS operating system was first developed anybody who could get to see the file extensions knew what they meant. If Linux was as popular as Windows I am sure there would be similar problems with its way of doing this as we find with DOS/Windows

  31. Anonymous Coward
    Flame

    @ash

    go the Gnome way then - if you edit the file, by default you don't change the extension and you get warned when you do the latter (windows does the 2nd part already).

    Or go the unix/mac way and work out what sort of file it is by the content, not some poxy extension.

    Or simply educate people. It's hardly rocket science.

  32. Anonymous Coward

    haha

    "A mediocre desktop OS entirely unsuited to the modern networked world. How much would it really take to revise and fix this behaviour? ITS LAZY."

    It's BACKWARDS COMPATIBLE, something that is actually important to MS's end users. It would take a lot to fix it and make everything still work with the old software.

    "Ash, why would Windows users have problems with extensions, when users of other OSes (say, OSX) don't?"

    I bet some OSX users do, but the percentage of non IT techy people on the other OSes is a hell of a lot lower than on windows.

    "The idiot users who delete them because they don't like the look will have to learn, like everyone else has done till now, not to change the extension."

    the idiot users are your clients, the same ones who will complain to you and cost you money when something breaks, also likely to go moaning on a forum somewhere to generate bad publicity when idiot ms haters find it much like the fact that autorun still pops up is being used by ms haters, as they forget the fact that the trick in question is actually closed because you can't create your own tasks in there!

  33. Anonymous Coward
    Joke

    Math how many times

    NT 6.1 = 6+1= Win 7 simple math me boyos!!

  34. Anonymous Coward
    Thumb Down

    lets just ban/cull stupid people

    they're the greatest security risk right? no point blaming the tools!

  35. The Reg-ular
    Thumb Down

    I've discovered a vulnerability affecting millions of PCs!

    Local power button denial-of-service exploit makes OS and all apps non-responsive with single press!

  36. Antti Roppola

    Magic and permissions

    @Greg this is indeed a fundamental shortfall. The method works by fingerprinting characteristics of particular file types, is called "Magic" and is an open standard, I can only guess that the issue is "not invented here" and backwards (in this case very backwards) compatibility.

    With magic and permissions, users would have to go out of their way to run a disguised executable. They can also call their files whatever they like.

  37. Anonymous Coward

    @ michael

    "all Linux does is hide the file extension in the file header rather than in the open and when the DOS operating system was first developed anybody who could get to see the file extensions knew what they meant. If Linux was as popular as Windows I am sure there would be similar problems with its way of doing this as we find with DOS/Windows"

    Errrrr .... nooooooo. It does not. It keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user. For example: a shell script is just a text file but if I've marked it executable it will run in the shell. But only for ME, It WON'T execute on another login unless it has root. Such concepts simply DO NOT exist in Windows.

    If an OS had to parse the file header of every file it looked at it would run slower than molasses in January. Consider also that file headers are not consistent: they can vary enormously depending on the application that wrote them. This is particularly true of graphics files.

    The OS does NOT parse/interfere with the content of files in order to determine file type (that's what Viruses and Worms do). Only applications open and close files.

    I suggest you go away and learn how OS's and file systems actually work.

  38. Anonymous Coward

    @ @ash (12:27) and Greg Flemming

    And how do you think Linux and Macs work out what application to use to open a file?

    Do you really think that linux looks at the content of the file and "decides" that the hex looks like a jpeg? No, it looks at a portion of the file header that says this is a jpeg file, and then opens it using the application that is registered to open jpegs, which is essentially exactly the same way that windows works only with Windows the extensions are more visible.

    For once, I see that although linux users often take the high ground when it comes to technical understanding of their chosen OS, easy to use linux distros promote a lack of understanding in its user base.

    Maybe Linux is ready for the mass market after all.

  39. TeeCee Gold badge
    Thumb Down

    @Greg Fleming

    "If an OS had to parse the file header of every file it looked at it would run slower than molasses in January."

    Crikey! I'm so glad my A/V suite doesn't scan the entire contents of everything I write to disk looking for known or similar to known byte sequences according to a heuristic detection algorithm, recursing archives as necessary. My machine would be waaaay too slow to be usable then.

    Oh, wait. It does and it isn't.........

  40. Kevin

    @Ash

    Agree with you 100%

    I've heard multiple times when I worked on someone's PC and enable the extensions so I could locate their virus and forget to re-disable them. "Why did you rename all my files to something with a .txt or .exe and why don't my files open anymore that I removed them?" So in this case it's better off disabled than enabled because just seeing something.jpg.exe won't stop them from clicking and opening it to try and see what's inside if they were told it's a picture.

    So this is 100% non-issue.

  41. michael
    Thumb Up

    @Greg Fleming

    ok sorry I misphrased what I was saying

    "Errrrr .... nooooooo. It does not. It keeps track of the file type by the associated flag that the FS assigns to it when it is created. The file type is NOT in the header (text files have no 'header' for example) yet the OS knows what it is by keeping track of the app that created it or the permissions that are assigned to it by the user."

    so a file is created and flagged as a file type (for this instance a jpg) how is that different than a file extension (as used in their original system NOT as used in windows) except that it is a hidden flag not a visible extension I am sure if linux was AS widely used as windows there would be tricks to get round this type of thing

  42. Anonymous Coward

    @ michael

    OK ... Magic Numbers. Last resort to the OS if the file type flag is not set. See the "file" utility in UNIX/Linux.

    The file extension is and should be purely an optional (and arbitrary) inclusion, not a bold instruction to the OS to take it at face value.

    You would find it easy to change a file extension but not the binary MN.

    None of this is difficult. It's been around since 1973. There's NO excuse for Windows to keep f*****g up like it does. None at all. It's a poorly implemented desktop OS with delusions of grandeur.

  43. Anonymous Coward
    Flame

    If one of the glorified mechanics

    If one of the glorified mechanics (sorry, knowledgeable computer specialists) who have plastered their considered opinions all over this page could tell me why my 85 year old uncle, who has just moved into a nursing home and been given a computer (a laptop) for the first time in his life, so he can "keep in touch" with the world should have to know what a "jpg" is, never mind what an executable is, I WOULD BE VERY GRATEFUL.

  44. Anonymous Coward
    Linux

    People are stupid.

    There are numerous times when I have to explain to people that running EXE (or its various other executable file types) is bad if you don't know what it is. They still insist though that they got infected by the downloaded file, not the one they executed.......

    M$ only fix stuff when there's a botnet infecting millions of PCs with it.

  45. Anonymous Coward
    Stop

    There is quite a simple solution

    This is such a simple solution I'm surprised no-one has thought of it before.

    Keep file extensions hidden, so that the numbnuts who rename them without the extension don't rename them, instead, if a file is MyFile.jpg.exe (it has more than 1 dot in the file name) it will show the whole file name (and perhaps the .exe part can be slightly faded, to show it's normally hidden, in a similar way to hidden folders are greyed out when set to 'view hidden folders')

    Few people, if any, use dot notation outside of executable programme names (for patch installers for example) and anyone naming .exes (or using dot notation for other uses) is most likely someone who knows not to mess with file extensions.
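
The two ideas raised in this thread, showing the full name whenever it contains more than one dot and checking the magic number instead of trusting the extension, can be combined into one triage check. The following is an added example, not part of any commenter's post; the function names, the extension lists and the signature table are small constructed subsets, and it assumes every final extension is a registered type that Explorer would hide.

```python
import ntpath

# Constructed, non-exhaustive tables for illustration only.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTS = {".jpg": "jpg", ".jpeg": "jpg", ".png": "png",
                 ".gif": "gif", ".pdf": "pdf"}
PE_EXTS = {".exe", ".scr"}  # files with these extensions should begin with "MZ"
SIGNATURES = [
    ("exe", b"MZ"),
    ("jpg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("pdf", b"%PDF-"),
]


def sniff(data):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for kind, sig in SIGNATURES:
        if data.startswith(sig):
            return kind
    return None


def assess(name, data):
    """Compare what the user would see, what the name claims and what the bytes say."""
    name = name.rstrip(" .")  # Windows drops trailing spaces and dots from names
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    inner_ext = ntpath.splitext(stem)[1].lower()
    sniffed = sniff(data)
    expected = "exe" if ext in PE_EXTS else DOCUMENT_EXTS.get(ext)
    return {
        # Name as listed when the final extension is hidden.
        "shown": stem if ext else name,
        # Rule proposed in the thread: more than one dot, so show the whole name.
        "show_full": name.count(".") > 1,
        # Runnable file whose visible name ends in a document-looking extension.
        "disguised": ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS,
        "sniffed": sniffed,
        # Content type is recognised and contradicts the final extension.
        "mismatch": expected is not None and sniffed is not None
                    and sniffed != expected,
    }


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the file).
    samples = [
        ("holiday.jpg.exe", b"MZ\x90\x00\x03"),
        ("holiday.jpg", b"\xff\xd8\xff\xe0"),
        ("report.v2.pdf", b"%PDF-1.4\n"),
        ("invoice.pdf", b"MZ\x90\x00"),
        ("PHOTO.PNG.SCR ", b"MZ"),
    ]
    for fname, head in samples:
        print(repr(fname), assess(fname, head))
```

The `report.v2.pdf` sample shows why the multi-dot rule alone only decides what to display: it triggers on harmless names too, while `disguised` and `mismatch` are the signals worth alerting on.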

  46. sage
    Joke

    hide it all

    Why stop at just the file extension? Text is ugly. It should only show the icon. Instead of just having to guess what filetype it is, having to guess which file is which would be so much more exciting!

  47. Ken Hagan Gold badge

    @TeeCee

    "I'm so glad my A/V suite doesn't scan the entire contents of everything I write to disk ... My machine would be waaaay too slow to be usable then. Oh, wait. It does and it isn't........."

    From which I can conclude one of three things. Firstly, perhaps your AV software is configured to scan rather less than you thought. Secondly, you've never actually compared the speed of your machine with and without AV enabled. Thirdly, you don't use your machine for much more than email, music and surfing.

    Full blown AV checking is a massive hit. (A full drive scan, for example, is not a fast operation.) Something reasonably intensive, like unpacking MSIs and installing software, takes several times longer if AV software is enabled. That's "times", not "percent".

  48. Mark
    Flame

    What about the Mac?

    Mac OS X application bundles hide their contents away from the user to the extent that an entire folder full of who-knows-what is hidden behind an innocuous looking icon.

    No complete surprise that El Reg isn't up in arms about this, though, is it?

  49. Anonymous Coward

    Confusion

    This is one of those features that users think is making things easier for them, but is actually keeping them from ever knowing anything. Consequently they get confused and turn again to those nice features that make everything simpler. The cycle continues.

    Hiding the real filename DOES NOT make anyone's life easier.

  50. kevin biswas
    Unhappy

    Keeps people ignorant.......

    The principle of file extensions is simple. Obfusticating it just makes l-users stupid and less likely to ever learn anything. Similarly, breaking the wonderful simplicity of a file hierarchy tree by grafting 'desktop' and 'my docs' etc. into the wrong place in it (again in order to supposedly make things easy) similarly makes it more difficult for l-users to ever really learn anything useful. As for hiding clearly unimportant things like *duh* email away in a hidden folder called C:\Documents and Settings\Silly User\Local Settings\Application Data\Identities\{9C1E56756-70E7-48FB-5676-C95656D33449}\Microsoft\Outlook Express, well clearly that is going to make things simpler for people and encourage the nervous to learn. Gah.

    I wonder if W7 can show folder sizes in explorer ? that is what I have been begging for since The Beginning, When vista came out I found they had even taken the API away to stop most 3rd party tools from doing it !!
