Windows 7 Users Warned Over Filename Security Risk

Dennis Faas's picture

Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows.

Hidden File Extensions by Default

The issue involves the way Windows Explorer displays filenames.

In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type.

The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe'.

Executable File Icon Appearance Ambiguous

Windows will see this, treat it as a Word document file, and simply display it as 'partyinvite'. Because executable files can be set up to appear with any icon (usually one specific to the program concerned), anyone could set this file to appear with the Word icon. This means that unless the user has the 'Details' view switched on and notices that the file is listed as an 'Application', they would have little chance of realizing it was not a legitimate Word file. (Source: computerworld.com)

Security firm F-Secure has noted this option is still the default setting in Windows 7, despite the problem. It's possible Microsoft could still change this in Windows 7, but it seems unlikely now that the system is at the Release Candidate stage. (Source: f-secure.com)

Users More Easily Fooled

It's worth remembering that you should never open any file unless you are 100% certain it is legitimate and comes from a trusted source. However, most users are much more likely to be fooled by a document file than an executable program file, particularly when it is spread through an email virus. A rogue executable file can do much more damage, as it can attack Windows directly rather than have to exploit a specific problem in an application.

Windows Explorer's settings can be changed so that the legitimate file extension is always visible, regardless of what view mode you have selected. To make the change, open a folder in Windows Explorer, select Folder Options from the Tools menu, and then choose the View tab. From here, un-select the options 'Hide extensions for known file types'.

Rate this article: 
No votes yet