
Windows 7 Users Warned Over Filename Security Risk

timothy posted more than 4 years ago | from the death's-too-good-for-some-people dept.

Security 613

nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows. The issue involves the way Windows Explorer displays filenames. In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type. The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"
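The display rule described in the summary, as an added example that is not part of the original submission or any Microsoft code: a Python check that computes the name a user would see with known extensions hidden and flags names whose real type is executable but whose visible name ends in a document-style extension. The extension lists and sample filenames are constructed for illustration.

```python
"""Flag filenames that look like documents once known extensions are hidden."""
from pathlib import PureWindowsPath

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}
DECOY_EXTS = {".doc", ".pdf", ".jpg", ".bmp", ".txt", ".xls"}
# File types the shell "recognizes"; unrecognized types keep their extension.
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def displayed_name(filename, hide_known=True):
    """Name as shown when extensions of recognized types are hidden."""
    p = PureWindowsPath(filename)
    if hide_known and p.suffix.lower() in KNOWN_EXTS:
        return p.stem  # only the final extension is stripped
    return p.name


def is_disguised(filename):
    """True when the real (last) extension is executable and the one
    before it, which stays visible, is a document/image type."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def scan(filenames):
    """Return (real name, displayed name) for every disguised entry."""
    return [(n, displayed_name(n)) for n in filenames if is_disguised(n)]


# Constructed sample listing (e.g. attachment names or a download folder).
SAMPLE_NAMES = [
    "partyinvite.doc",
    "partyinvite.doc.exe",
    "file_name.bmp.js",
    "setup.exe",
    "report.v2.doc",
    "archive.tar.gz",
    "PHOTO.JPG.EXE",
]

if __name__ == "__main__":
    for real, shown in scan(SAMPLE_NAMES):
        print(f"suspicious: shown as {shown!r}, real name {real!r}")
```

The same check can be run over attachment names at a mail gateway or over a directory listing; it does not inspect file contents or embedded icons.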


613 comments

How can this be? (5, Funny)

Burkin (1534829) | more than 4 years ago | (#27865685)

How can this possibly be? I thought this was the most secure OS on the planet.

Re:How can this be? (5, Insightful)

Kadagan AU (638260) | more than 4 years ago | (#27865901)

I see your sarcasm, but honestly this isn't as much of a security flaw in the OS as it is a "feature" in the OS that makes stupid users even stupider. A maliciously named file does nothing on its own, only when a user double-clicks it does it turn bad. Stupid users will break things on any OS.

Re:How can this be? (2, Insightful)

Foofoobar (318279) | more than 4 years ago | (#27865979)

but honestly this isn't as much of a security flaw in the OS as it is a "feature" in the OS that makes stupid users even stupider.

Wow. What an amazing feature. Looks like the development team at Microsoft has been hard at work on the new OS as per usual.

Re:How can this be? (4, Informative)

pugugly (152978) | more than 4 years ago | (#27866123)

This is something I have instantly turned off in every version of Windows so far. Thank god for nLite [nliteos.com] - you can create your install disk with all this bs turned off to start with!

Re:How can this be? (5, Funny)

David Gerard (12369) | more than 4 years ago | (#27866241)

Bah. Vista is far superior [facebook.com]. Windows 7 is for Mac-wannabes who want to "do" things with their computer, not just admire its AWESOME MIGHT as your CPU fan starts lifting your house into the air.

How can this be? sufixication (4, Interesting)

goombah99 (560566) | more than 4 years ago | (#27866369)

How can this possibly be?

Your question actually has a face value in excess of its sarcasm content. How did we get here?

I'm stating common knowledge but it's worth reflection since it paints a large picture. In the beginning there was the file and the file was just a marked off stretch of physically contiguous bytes on a tape or drum. It had no internal structure. Having a directory that associated names with file regions was something you had to implement yourself. The filesystems formalized this to having names, hierarchies, and even non-contiguous allocation tables for blocks.

Since that time every new file system has tried to codify the notion of metadata. And in this land of babble, the only common durable hiding place for meta data has turned out to be the filename itself.

Look at HFS for example as a valiant effort in defining meta data like "kind" and "creator", and defining different kinds of forks some of which had uniform storage protocols for resource, so that programs other than the creator could inspect and edit them. And boy what a snarl that has perpetually been. While these still exist, Apple has punted and gone to just using file structures and a specially named file (plists) to hold meta data in a quasi XML format.

And so here we are 30 years later and we're still putting suffixes on our files just like back in the days of DEC and Prime and even before.

And think about perhaps the biggest failure of the Longhorn Debacle. The promise of a revolutionary new filesystem that put meta data and its inspection first. An entirely relational storage system underneath that only mimicked the hierarchical system for legacy purposes.

Deleted from Longhorn, promised again for Vista, and then gone. Promised for Windows 7 then gone.

It's bizarre. Everyone knows what the problem is. HFS was much maligned precisely because it was more complex than suffixes but it's what we really needed back in 1984. And all the others all made so much sense too.

Why are suffixes so enduring? How can this be?

Re:How can this be? sufixication (3, Insightful)

colourmyeyes (1028804) | more than 4 years ago | (#27866589)

Why are suffixes so enduring?

Because the human using the computer wants a quick way to determine what the file most likely contains.

umask 224 (5, Funny)

ArsonSmith (13997) | more than 4 years ago | (#27865701)

it shouldn't be made executable by the default umask though, so when you go to click on it it'll just try to associate an application with the .exe extension.

Re:umask 224 (0)

Anonymous Coward | more than 4 years ago | (#27865811)

it shouldn't be made executable by the default umask though, so when you go to click on it it'll just try to associate an application with the .exe extension.

Uhhh, we're talking about windows.

Re:umask 224 (2, Insightful)

tilandal (1004811) | more than 4 years ago | (#27865839)

Less clutter? How about showing file information in a list by default instead of as 1000 little icons without any useful information? Really, who in the world thought that was a good way to display file information?

Welcome to Windows 95 (0)

Anonymous Coward | more than 4 years ago | (#27865705)

Old news is old

Bah (5, Funny)

MyLongNickName (822545) | more than 4 years ago | (#27865713)

This is a non-issue. With all of the vulnerabilities in applications that think they are a programming interface (like Acrobat), EXE's might actually be safer to open.

I never did like that feature (3, Insightful)

EvilBudMan (588716) | more than 4 years ago | (#27865719)

or any of the others that make you jump through hoops to get at something.

1. Partial menus (Office)
2. The Search Dog (Windows XP)
3. I don't what else but the way they have features turned off and on makes no sense at all.

The I'm done sig.

Re:I never did like that feature (4, Funny)

TheBig1 (966884) | more than 4 years ago | (#27866425)

I don't what else ... makes no sense at all.

Ahh.... Irony at its best... ;-)

Extensions (1)

LogarithmicSpiral (1463679) | more than 4 years ago | (#27865721)

In most explorer views isn't there a little thumbnail that shows an image of a type of file? Partyinvite.doc.exe would show a cmd window probably, instead of a blue W. Either way, you should be able to tell what type of file it is.

Re:Extensions (5, Insightful)

lukas84 (912874) | more than 4 years ago | (#27865803)

You can easily add the Word icon to your malware, and this will fool users easily.

Re:Extensions (0)

Anonymous Coward | more than 4 years ago | (#27865809)

Except for that one can include icons in executables, which makes the icon useless here.

Re:Extensions (1)

Burkin (1534829) | more than 4 years ago | (#27865813)

You do realize it's trivially easy to change the icon of a .exe file to be anything you want, right? The common tactic is to have it use the same icon as a word document or whatever filetype it's attempting to spoof.

Re:Extensions (2, Insightful)

Anonymous Coward | more than 4 years ago | (#27865817)

Only if the creator is stupid. All it takes is to get an icon from a doc and use that icon as the default icon resource within the exe file, and voilà - not only it seems to be named .doc, it looks like a word file, too.

The only correct solution is stop trying to hide information from users: showing extensions should be the only acceptable alternative. Hiding them could make sense before, but since Vista even the UI is correct: you click on a filename to edit it and only the non-extension part is selected by default.

Re:Extensions (0)

SCPRedMage (838040) | more than 4 years ago | (#27866243)

Except that the users most likely to fall for this in the first place are the ones who don't know crap about file extensions in the first place.

Of course, this is nothing but FUD in the first place. Even XP gives you a security warning before opening an executable that was downloaded from the Internet or from e-mail. A warning that is FAR more likely to be actually understood than some three letter file extension.

Re:Extensions (1)

Burkin (1534829) | more than 4 years ago | (#27866291)

Actually most users don't bother to read the warning and just click through. The problem is that no matter how many warnings the OS throws up, the average user will still run programs they shouldn't.

Re:Extensions (1)

SCPRedMage (838040) | more than 4 years ago | (#27866367)

Again, even with the average idiot's tendency to click through just about anything, this warning STILL is far more likely to help than seeing the file extension, because the average idiot has NO idea what a file extension is in the first place.

Re:Extensions (1)

Whyte Panther (868438) | more than 4 years ago | (#27865849)

It's trivial for the writer of the "application" to include the legitimate Word document file icon as part of the .exe. Heck, at that point, calling it Partyinvite.exe would be enough to fool most people who have the extensions hidden, because they wouldn't be used to seeing .doc at the end of the name.

Re:Extensions (1)

orclevegam (940336) | more than 4 years ago | (#27865915)

If it's a windows executable you can specify the icon to use (and if it isn't it's probably not going to run very well). All you'd need to do is specify the generic word doc icon (pick the one from Word 2003 and you'd probably get most people). The icon being displayed should not be an indicator of the file type anyway, that's merely a convenience for skimming a long list of files.

Isn't this a dupe? (1)

Thornburg (264444) | more than 4 years ago | (#27865729)

Maybe I read this somewhere else, as I can't find it on here.

Anyway this is just some prick trying to get a bunch of publicity over something stupid.

You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons. IOW, a .doc would show up as a Word document (by icon), so it doesn't need the .doc. But if you change the icon of your .exe file to be the word doc icon, then the .exe still shows up.

Now, I'll go make a quick patch and submit the .diff... oh, wait, nevermind.

Re:Isn't this a dupe? (3, Interesting)

tepples (727027) | more than 4 years ago | (#27865909)

Now, I'll go make a quick patch and submit the .diff

I wonder if ReactOS, the project to make a free Windows XP clone, might take it.

Mod Parent UP (1)

iamhigh (1252742) | more than 4 years ago | (#27866277)

As informative. Never knew about the ReactOS project... just burned the live CD to try it out!

Re:Isn't this a dupe? (5, Insightful)

Hatta (162192) | more than 4 years ago | (#27866265)

You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons

How about we never hide the extension for any reason? If you're worried about clutter, and redundant information on screen, ditch the icons. The extension is all of 3 bytes, and it's far, far easier to read 3 letters than it is to squint at the icon and guess what it's supposed to be.

Re:Isn't this a dupe? (1)

vertinox (846076) | more than 4 years ago | (#27866583)

You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons. IOW, a .doc would show up as a Word document (by icon), so it doesn't need the .doc. But if you change the icon of your .exe file to be the word doc icon, then the .exe still shows up.

Why not just have the OS make anything that has the extension of *.exe to display no matter what?

That way, docs and pdfs won't show extensions but no matter what icon is being used and no matter the name, the exe file will always end in exe.

MY GIRLDFRIEND IS BACK ! (0)

Anonymous Coward | more than 4 years ago | (#27865737)

All say hello to brittneyspearsnaked.jpg.exe !

Re:MY GIRLDFRIEND IS BACK ! (0)

Anonymous Coward | more than 4 years ago | (#27865945)

Please be telling me where I finding this?

This again? (1)

Anenome (1250374) | more than 4 years ago | (#27865741)

Gah, these things never die, do they. You'd think the only people falling for this old trap are senior-citizens and six-year-olds.

Today I had to explain to my father that he didn't need to reinstall flash just because some website said so. One of those video sites had simply changed media-servers and since it wasn't on the whitelist the vids began suddenly getting blocked by noscript again.

So I'm glad I was young when computers were new ._. and old before they got really dangerous (in virus terms).

Re:This again? (1)

Darkness404 (1287218) | more than 4 years ago | (#27865897)

Today I had to explain to my father that he didn't need to reinstall flash just because some website said so. One of those video sites had simply changed media-servers and since it wasn't on the whitelist the vids began suddenly getting blocked by noscript again.

But that is mostly a flaw in noscript (which, judging from your post, you installed on your father's machine) rather than the site or any viruses.

So I'm glad I was young when computers were new ._. and old before they got really dangerous (in virus terms).

Really most viruses actually aren't dangerous now. Most try to sell you something via adware or other malware. On the other hand, most viruses before that became popular decided to wreak havoc on Windows (or DOS) by changing registry values, clobbering partition tables, wiping hard disks, infecting floppies, etc. Today, viruses are merely annoyances unless by chance you get a nasty keylogger or such.

Plus, OSes other than Windows are immune to most viruses (sure, they might get them in the future, but not now), OS X is quite mature and very much usable, and same with Linux. Plus both have lower total cost of ownership.

Re:This again? (3, Insightful)

twidarkling (1537077) | more than 4 years ago | (#27866255)

Plus both have lower total cost of ownership.

[citation needed]
Seriously. It's not like I paid for my A/V software. It's not like I run scans when I'm using the system, so my work isn't being slowed.

Then, vs. just OSX, the hardware's cheaper, you can upgrade it and futureproof it, so you don't need to buy an entirely new $1.5k machine, and software's same price or cheaper, with more options. And as for security, may I point you to the Mac-only botnet that was recently discovered due to pirated copies of iLife, or iWork, or whatever it was? Stupid people will fuck up any system you give them, regardless of OS. Windows is not inherently superior or inferior, it's just the one that does what I need.

Re:This again? (0)

Anonymous Coward | more than 4 years ago | (#27866469)

You do understand that the AV must scan every file before opening it? Gah, I'm wasting my time here. Just look at your UID.

Perspectives (1)

MikeOtl67of (1503531) | more than 4 years ago | (#27865749)

Why is this happening every time there is a new important release from Microsoft? Is it because everybody focuses on that or because they did not do their homework?

LOL (0)

Anonymous Coward | more than 4 years ago | (#27865761)

Seriously?

The next story will be warning you that the default account made has Admin privileges and blame Microsoft for not setting up 2 accounts.

Re:LOL (1)

lukas84 (912874) | more than 4 years ago | (#27865843)

Yeah, a default account that can elevate to admin privileges in some cases. Just like in other operating systems, like Mac OS X or Ubuntu.

Re:LOL (0)

techno-vampire (666512) | more than 4 years ago | (#27866175)

You do realize, don't you, that Ubuntu isn't an operating system? In case you didn't, it's a distribution of the linux Operating System, although it does have the feature you mentioned.

Re:LOL (0)

Anonymous Coward | more than 4 years ago | (#27866347)

You must be kidding.

Re:LOL (1)

lukas84 (912874) | more than 4 years ago | (#27866361)

A Linux distribution is the equivalent to commercial operating systems like Windows or Mac OS X. I just didn't want to make my sentence that convoluted, but I should've known someone would go and nitpick that.

Not really news, and a non-issue (4, Insightful)

lukas84 (912874) | more than 4 years ago | (#27865767)

Most people wouldn't change their behaviour even if they did see the file extension.

Email programs such as Outlook block .exe attachments, and Executables downloaded using IE display a stern warning before execution.

Changing this wouldn't have helped anyone.

And associating this with Windows 7 is mostly FUD, jumping on the bandwagon just because you don't like it.

Re:Not really news, and a non-issue (1)

Archangel Michael (180766) | more than 4 years ago | (#27866041)

Hey, here's an idea. WHY not have the file contain the meta data needed for it, within it, and not use Extensions to decide what runs, what is a doc, and what opens a particular file? That way, I can have one JPG file that opens in GIMP, and another that opens in Firefox?

I know, I know, that is too complicated for the user to figure out, and extensions (which are hidden) are SO much easier to figure out.

Re:Not really news, and a non-issue (2, Insightful)

lukas84 (912874) | more than 4 years ago | (#27866093)

The metadata-thing is what Apple did and it has the same security issues - there's no way to tell from the icon or filename if something is an application or a document.

Think of the file-extension as filename embedded meta-data, and it starts to make more sense.

Re:Not really news, and a non-issue (0)

Anonymous Coward | more than 4 years ago | (#27866387)

The metadata-thing is what Apple did and it has the same security issues

Yup, that's why in Mac OS X there is other metadata that says, in essence, "this was downloaded from the Internet", so that when you open such a new application for the first time (and only the first time, so it doesn't become an annoyance that users ignore), the OS warns you that you are about to run for the first time an application that was downloaded and that this might be a bad idea.

This is the way that it has worked since 10.3, i.e. several years already.

Re:Not really news, and a non-issue (2, Insightful)

clone53421 (1310749) | more than 4 years ago | (#27866217)

Because an extension is far easier to change when I actually want to change it than the meta-data would be.

There are already the "Open with" and "Send to" options if you want a choice of applications to open the file with.

Re:Not really news, and a non-issue (1)

twidarkling (1537077) | more than 4 years ago | (#27866491)

That way, I can have one JPG file that opens in GIMP, and another that opens in Firefox?

I know, I know, that is too complicated for the user to figure out, and extensions (which are hidden) are SO much easier to figure out.

No, the issue is the massive time sink in needing to tell the OS what to open the file with on each "first-run." I rip a CD, that's 14 times telling it to, yes, open with VLC. Even batch processing would slow it down, since the OS would need to tag each file, then double-check each one if you ever tried to open them individually. And then what happens if you run, say, WMP, and it opens the files? Does it retag them to open in WMP? If it doesn't, are you going to have issues trying to run an auto-play list, since when the file opens, it might decide that it wants to run in its tagged app? Just use the "Open With" feature, since predominately, you'll want to open all of one extension with one type of application. Saves time instead of trying to remember what's tagged with what app.

Unless you're suggesting that downloaded files are already told via the metadata what to open with, which kills any security gains, and can potentially fuck up anyone who gets a file that's told to open with a program they don't have, or to open in a program that doesn't handle that file type.

Re:Not really news, and a non-issue (0)

Anonymous Coward | more than 4 years ago | (#27866219)

You're a fool. Do you not have any idea how many winders executable formats there are? Probably closer to 30. And your stinking IE or OE don't give you zero warnings about those. I laugh my lungs out at the morons for continuing the One Microsoft Way...

This has been around for a long time. (1, Informative)

gcnaddict (841664) | more than 4 years ago | (#27865785)

Here's the thing: UAC is one layer of defense against this (even though UAC is never called a protective layer, it seems). If there is no verified publisher, UAC will say that the publisher is unknown and thus, in theory, it should trigger a red flag with people. That's how all of my computer illiterate friends approach it, and they've never had problems.

Second, the default view for most folders in 7 is the details view, which means whether a file is an executable will be exposed to the viewer by default regardless of whether extensions are hidden.

By all means, edit this setting if you must, but realize that 7 has already taken a good number of steps to deal with the danger.

Re:This has been around for a long time. (2, Informative)

lukas84 (912874) | more than 4 years ago | (#27865931)

UAC doesn't really come that much into play here. It's still possible to capture all your credit card data without elevating to admin.

That said, Explorer blocks execution of files downloaded from the Internet, and Outlook blocks executable attachments completely.

Re:This has been around for a long time. (2, Informative)

Darkness404 (1287218) | more than 4 years ago | (#27866013)

Here's the thing: UAC is one layer of defense against this (even though UAC is never called a protective layer, it seems). If there is no verified publisher, UAC will say that the publisher is unknown and thus, in theory, it should trigger a red flag with people. That's how all of my computer illiterate friends approach it, and they've never had problems.

Heck, just about all legitimate programs I download from a non-major publisher says that the publisher is unknown. About the only programs that I have installed with a "known" publisher are Firefox, and iTunes. The rest still say unknown publisher.

Becoming a verified publisher costs $$$ (1)

tepples (727027) | more than 4 years ago | (#27866017)

If there is no verified publisher, UAC will say that the publisher is unknown and thus, in theory, it should trigger a red flag with people.

In general, software not sponsored by a corporation has no verified publisher. This includes a lot of freeware and free software, as a lot of developers don't feel like blowing upwards of $200 per platform per year on certificates to digitally sign new versions of each program.

wtf? (0, Flamebait)

citylivin (1250770) | more than 4 years ago | (#27865791)

As the summary says, this is a "feature" from Windows 98 onward. What the fuck does it have to do with Windows 7? That they haven't removed this stupid "feature" yet? Big surprise?

this is NOT news!

Um (4, Insightful)

Man On Pink Corner (1089867) | more than 4 years ago | (#27865795)

Welcome to Windows 95?!

Filename extensions have been hidden by default for many years now, in all shipping versions of Windows. And they've been making it easy for malware authors to fool users for just as long.

It was an insanely stupid policy on MS's part, and it borders on negligence that they're still doing it.

Not new, not unique to Windows (4, Informative)

nine-times (778537) | more than 4 years ago | (#27865815)

OSX hides extensions, too, and what's arguably worse, OSX allows you to arbitrarily replace the icon of any file, thereby allowing you to disguise files more easily. Don't some Linux DEs do the same thing?

It's sort of unfortunate that we rely on filename extensions to identify file type at all. Users have a tendency to accidentally remove extensions when they're renaming if you don't hide them. But then if you hide them, then users are missing the single most important cue as to what file-type a file is.

Re:Not new, not unique to Windows (0)

Anonymous Coward | more than 4 years ago | (#27866099)

Yeah, this isn't that much different from launchers in gnome. Those can be made to have any icon you want (and depending on settings) any displayed filename.

How to rename files (3, Interesting)

tepples (727027) | more than 4 years ago | (#27866131)

Users have a tendency to accidentally remove extensions when they're renaming if you don't hide them.

That's why a good file manager, like the version of Nautilus that comes with Ubuntu Hardy, selects everything before the extension when the user chooses "Rename".

Re:Not new, not unique to Windows (2, Interesting)

clone53421 (1310749) | more than 4 years ago | (#27866147)

True. Ideally, the extension would be visible, but would not be changed unless the user deliberately intended to.

For instance: When renaming, the extension would not be highlighted by default. Deliberate selection with the mouse would permit the extension to be highlighted. Ctrl-A would initially highlight only the filename; to select both filename and extension, you would need to press Ctrl-A twice.

Re:Not new, not unique to Windows (1)

gEvil (beta) (945888) | more than 4 years ago | (#27866157)

Yeah. It's almost like we should move towards some type of hidden metadata that indicates what a file's type is, and maybe another one indicating what application created it. That way, a user could change the filename as much as they want, but the file will still retain the key information that identifies what it really is (which lets other programs open it), as well as what program initially created it (so that program will launch when the document is opened or double-clicked). Probably too advanced for modern systems, though...

Re:Not new, not unique to Windows (1)

nine-times (778537) | more than 4 years ago | (#27866579)

I don't know if you're being sarcastic or something, but that's what the old MacOS used to do. Of course, it became a problem because, if you transferred the files to some other filesystem, you could lose that metadata. With OSX, Apple switched over to using extensions in order to have greater compatibility.

It doesn't completely solve the problem, though. It was still possible to change the icon of programs and documents, and I don't know of anything that prevented people from disguising a program as a document. Another option would be for the OS to use some kind of overlay on every application's icon so that you know it's an executable file. Of course, there still wouldn't be any protection against users ignoring that overlay, so it's not quite so simple.

Re:Not new, not unique to Windows (3, Informative)

StikyPad (445176) | more than 4 years ago | (#27866193)

Vista (and 7) decrease the likelihood of accidental file extension deletion by highlighting only the filename (sans extension) when renaming files through explorer. Personally, I'm usually renaming the extension, or adding ".old".

Re:Not new, not unique to Windows (1)

techno-vampire (666512) | more than 4 years ago | (#27866331)

Don't some Linux DEs do the same thing?

Hiding extensions in Linux is rather pointless because Linux doesn't use the extension to decide what kind of file it is. (It does, granted, use it to decide the default application to use with it, but that's easy to override.) As an example, shell scripts don't need to end in .sh, they just need to have the executable flag set.

Um, Win7 is not yet a release (1, Interesting)

cptnapalm (120276) | more than 4 years ago | (#27865823)

I am a Microsoft Hater.

Having said that, Win7 is *not* yet a release, so I do not think that they can be blamed for this with regards to Windows 7.

That this was apparently a real problem on every OS they have released in the last 11 years, on the other hand, is blameworthy.

Re:Um, Win7 is not yet a release (3, Insightful)

David Gerard (12369) | more than 4 years ago | (#27866315)

Then this is the time to make a big fuss about it: so that it will be fixed for Win7.

Re:Um, Win7 is not yet a release (1)

cptnapalm (120276) | more than 4 years ago | (#27866565)

Perfectly true.

My reply was based upon this particular sentence: "Microsoft is taking flak for failing to correct a problem found in previous editions of Windows."

So it is both true that this would be the right time to make a fuss and it isn't yet a release, so I don't think they should be taking flak for it (with regards to Win 7).

Microsoft being PC (politically correct) (1)

juanhf (167330) | more than 4 years ago | (#27865847)

Security risk or not, most email programs Microsoft has put out already block potentially harmful files by blocking them from being executed by an uncanny user.

Having said that, why bother using double extension? If you are already hiding file extensions what is to stop you from creating an EXE file with the icon for a word document? That would avoid the mysterious trailing ".doc" on the file - oh no lock up your daughters and your wives!

I'm for having a good anti-virus program and educating users.

i seen js javascript the same way (2, Interesting)

FudRucker (866063) | more than 4 years ago | (#27865859)

Many years ago when I was using Win98 I would always set folder options to NOT hide file extensions and it still hides that second extension. I had what looked like an ordinary bitmap file file_name.bmp but I clicked on it to open it and bam! Its true colors show up and it disappears completely even with show all files enabled (file_name.bmp.js) shows for a second and it's gone, so I fdisk Windows off and reinstall since anti-virus did not find anything and that looked too fishy to be innocent. That taught me to not click on a file to open it, always open a graphics editor/viewer and use file > open to open them, then if something is wrong the graphics app will complain if something is wrong with the file.

Moving on... (0)

Anonymous Coward | more than 4 years ago | (#27865985)

>>>This means that unless the user has the 'Details' view switched on and notices that the file is listed as an 'Application', they would have little chance of realizing it was not a legitimate Word file.

Perhaps noticing that this alleged word file is the ONLY file in their list that actually shows a *.DOC extension might be a cue. But if they don't notice something like that, then they're probably just as likely to click on an *.exe file that was assigned a Word DOC icon.

Joe User is, and has always been, his worst security hazard.

Extensions? No extensions? (2, Insightful)

clone53421 (1310749) | more than 4 years ago | (#27865997)

Do we really think that it's going to make a difference to Joe Schmoe? If it has a Word document icon, our hapless friend is going to be duped regardless of whether it ends in ".doc" or ".doc.exe".

May I remind you that, with file extensions hidden by default, ONE SHOULD NEVER SEE A FILE ENTITLED "partyinvite.doc", because that extension should be hidden. The fact that it isn't hidden is already a glaring red flag — which Joe Schmoe is obviously oblivious to.

I turn extensions on by default, but I really don't think that would help Mr. Clueless. Somebody needs to sit him down and explain to him what's going on, and nothing is going to save him from the trouble of paying the proper attention to the files he opens.

Re:Extensions? No extensions? (3, Insightful)

taustin (171655) | more than 4 years ago | (#27866079)

ONE SHOULD NEVER SEE A FILE ENTITLED "partyinvite.doc",

That is true. However, an .exe can have its own icon embedded in the file, so one could name it partyinvite.exe and give it the icon from a Word doc, and Joe Schmoe would have no clue. In fact, a lot of people would miss that.

Re:Extensions? No extensions? (1)

clone53421 (1310749) | more than 4 years ago | (#27866375)

True enough. Even so... if that was going to make a huge difference in the number of people who were duped, malware authors would have surely figured this out and you'd see it happening more often.
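A filename check for the double-extension pattern argued over in this sub-thread, as an added example that is not part of any comment or of the site's own code. The two extension lists and the "last extension is always hidden" model are assumptions for illustration; as taustin's reply points out, a name check cannot see an embedded icon, so `partyinvite.exe` is reported only as a plain executable.

```python
import ntpath

# Assumed, illustrative lists; tune them to local policy.
RUNS_ON_DOUBLE_CLICK = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LOOKS_LIKE_DATA = {".doc", ".txt", ".bmp", ".jpg", ".pdf", ".xls"}


def classify(path):
    """Return (name shown with the last extension hidden, verdict)."""
    base = ntpath.basename(path)          # handles C:\... paths on any OS
    stem, real_ext = ntpath.splitext(base)
    # Simplification: treat every final extension as registered, hence hidden.
    shown = stem if real_ext else base
    _, inner_ext = ntpath.splitext(stem)
    if real_ext.lower() in RUNS_ON_DOUBLE_CLICK:
        if inner_ext.lower() in LOOKS_LIKE_DATA:
            # The listing still ends in a data-looking extension: the red flag.
            return shown, "double-extension"
        return shown, "executable"
    return shown, "ok"


def audit(paths):
    """Keep only entries whose displayed name ends in a decoy extension."""
    hits = []
    for p in paths:
        shown, verdict = classify(p)
        if verdict == "double-extension":
            hits.append((p, shown))
    return hits


# Constructed sample listing: names quoted in the thread plus benign controls.
SAMPLE = [
    r"C:\Users\joe\Downloads\partyinvite.doc.exe",
    "file_name.bmp.js",
    "VIRUS.TXT.EXE",
    "partyinvite.doc",
    "partyinvite.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for path, shown in audit(SAMPLE):
        print(f"double extension: {path!r} is listed as {shown!r}")
```
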

sarcastic (0)

BigJClark (1226554) | more than 4 years ago | (#27866007)


Man, wouldn't it be great, if the Windows 7 filesystem contained, oh I dunno, a bit that one could turn on and off, telling the OS that this file was an executable or not?

Re:sarcastic (0)

Anonymous Coward | more than 4 years ago | (#27866267)

Can already be done in Vista: "icacls program.exe /deny everyone:(x)"

Re:sarcastic (1)

idontgno (624372) | more than 4 years ago | (#27866405)

Except, you know, double-clicking on a document to activate its standard editor and double-clicking an executable is indistinguishable to a user. (at least until it's too late.) And you know a malware skidiot smart enough to take advantage of the l334 h@x0r feature of Windows will be smart enough to turn on the executable bit before releasing his opus magnum.

Re:sarcastic (1)

BigJClark (1226554) | more than 4 years ago | (#27866509)


This is why the standard editor would have to be smart enough to ensure it doesn't "open" a file with the executable bit set to 1. Maybe this is too much to ask. A little AI. Sigh, I know.

Re:sarcastic (1)

clone53421 (1310749) | more than 4 years ago | (#27866479)

Sure, and then you'd have millions of calls to tech support lines from stupid users who now have to figure out how to enable the executable bit on legitimate software that they downloaded.

Re:sarcastic (1)

jonbryce (703250) | more than 4 years ago | (#27866547)

It does have such a bit. That feature has been available since at least Windows 2000.

The only problem is that the bit is turned on by default.

kill the filename.extension paradigm (5, Insightful)

line-bundle (235965) | more than 4 years ago | (#27866073)

The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?

Ah, he(.conf) started(.d) (in)it... (0)

geekmux (1040042) | more than 4 years ago | (#27866411)

The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?

Perhaps before we start pointing fingers at Windows, we should look way back before Bill was writing software at this whole extension nonsense?

Take away extensions from Windows l-users and a *NIX SysAdmin noob and see who cries first.

perhaps (1)

jsnipy (913480) | more than 4 years ago | (#27866083)

Maybe an OS should think to something beyond a file extension to identify the role of a file.

Re:perhaps (1)

clone53421 (1310749) | more than 4 years ago | (#27866543)

Oh, you mean a sort of magic system?

How exactly would that prevent me from making an application, embedding the default "Word document" icon, and calling it whatever the hell I want?

"But the OS would warn the user..." you begin to say.

It already can, based on the extension. "Magically" detecting the file type isn't going to change anything...

Well, I take that back. It'll make it hard as hell to intentionally change the file type when I need to. Changing "New text document.txt" to "Launcher.js" will now undoubtedly be a PITA.

if less clutter was the design goal (2, Interesting)

yanyan (302849) | more than 4 years ago | (#27866105)

If less clutter was the design goal, MS could have started somewhere else. Like the explorer toolbar (just leave the up, back, and forward buttons thank you), the "Go" button beside the address bar, the big explorer sidebar with the many superfluous items, the cluttered search side bar, the pointless icon view, I could go on. They could probably even drop the whole Start menu paradigm and move to right-click on desktop to display the start menu contents, leaving the whole taskbar for application tabs.

I'm glad it's finally news but.. (1)

yakumo.unr (833476) | more than 4 years ago | (#27866135)

I never did understand why this fuss wasn't made when it was still such an idiot default setting in XP.... and then AGAIN in vista. I was utterly flummoxed it was still so in win7. I'm sure they have the 'well we've got security right now so it doesn't matter' attitude but they're still wrong.

Similar with OS X (3, Informative)

Charles Dodgeson (248492) | more than 4 years ago | (#27866139)

As an Apple fan-boy, I am chagrined to have to point out that there is an analogue of this problem on OS X. Meta information about a file will contain information about its "Creator" (which is often used to determine what application it should be opened with) and also the file Icon.

This allows for a file to have, say a plain text icon but open as something else altogether. Apple has taken some mitigating steps (warnings before executing downloaded files for the first time), but has not changed the underlying problem which stems from concealing information from the user.

file name settings (1)

whitefang1121 (1432411) | more than 4 years ago | (#27866173)

This seems pretty stupid that they just figure this out now and that people actually don't change the settings to show the extension; this would be the first thing you would want to change when you get a computer. So really it isn't all Microsoft's fault, it is mostly theirs, but people need to take the time to fix their settings so things like this won't affect you in any possible way.

Moot? (0)

Anonymous Coward | more than 4 years ago | (#27866263)

I don't use Windows much, but does it have anything resembling launchers for GNOME?

My point is, if you make a launcher in GNOME you can give it any icon you want and any filename you want and have it run any command you want. If Windows has something like that then I would say the extension problem is moot.

Should be on anyway (1)

labnet (457441) | more than 4 years ago | (#27866323)

On every Windows system I've configured, one of my first tasks is to change the file explorer to show extensions and a detailed list view.
I've always found extensions much easier to use than icons, and a list view with size/dates much easier than a page of freaking big icons.
I assume most /.ers would be the same, but what do you find your users prefer?

Re:Should be on anyway (1)

whitefang1121 (1432411) | more than 4 years ago | (#27866507)

That's what I said in my comment: people should really take responsibility for their computer and not wait on Microsoft to tell us key information about their OS, because if you do you will wait another 11 years for them to figure it out.

BULLSHIT FUD (3, Informative)

sexconker (1179573) | more than 4 years ago | (#27866437)

Run virus.exe in XP (SP2), Vista, or (I presume) 7.

What's that box? A security warning about unsigned code?

Rename the file to virus.txt.exe and try again.
What's that box? A security warning about unsigned code?

Fuck off insecurity experts.

The reason for this setting is... (0)

Anita Coney (648748) | more than 4 years ago | (#27866577)

...to allow the typical Windows users to easily rename a file without having him or her remember the particular extension of the file.

Think of a noob trying to change the name of a file: "Image1.jpg" would become "Picture of my Dog Fluffy".

Of course after changing the name and eliminating the file extension, the file would no longer work with the user's favorite program, and chaos would ensue. MS merely nipped that problem before it started (and created another problem in the process!)
