May 6, 2009 7:01 AM PDT

Windows 7 at risk from legacy flaw, F-Secure says

by Tom Espiner

Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.

The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the Windows 7 release candidate, Mikko Hypponen, F-Secure's chief research officer, said Tuesday in a blog. The feature could allow virus writers to trick users into opening and running malicious files, he added.

"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."

For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.
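The naming pattern described above can be checked for on the defender's side, for example over attachment or download names. The following is an added example, not code from F-Secure or the original article; the extension lists, the `Finding` type and the sample names are assumptions constructed for illustration.

```python
"""Flag file names that depend on Explorer hiding the final extension."""
import ntpath
from dataclasses import dataclass

# Assumption: short illustrative lists, not a complete inventory of file types.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs"}
DOCUMENT_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS  # types treated as "known" here


@dataclass
class Finding:
    name: str          # file name as stored on disk
    shown_as: str      # name a user sees with "hide extensions" enabled
    real_ext: str      # the one real extension, lower-cased
    decoy_ext: str     # pseudo-extension left visible, "" if none
    masquerades: bool  # True when an executable is dressed up as a document


def explorer_display_name(filename, hide_known=True):
    """Return the name as displayed when known extensions are hidden.

    Only the final extension is dropped; earlier dots are part of the name.
    """
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return stem
    return base


def inspect_name(filename):
    """Compare the real extension with the one the user is led to believe."""
    base = ntpath.basename(filename)
    stem, real_ext = ntpath.splitext(base)
    _, inner_ext = ntpath.splitext(stem)
    real_ext, inner_ext = real_ext.lower(), inner_ext.lower()
    masquerades = real_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS
    return Finding(
        name=base,
        shown_as=explorer_display_name(base),
        real_ext=real_ext,
        decoy_ext=inner_ext if masquerades else "",
        masquerades=masquerades,
    )


def scan(names):
    """Return findings only for names that masquerade as documents."""
    return [f for f in map(inspect_name, names) if f.masquerades]


# Constructed sample input: names from the article and comments plus benign ones.
SAMPLE_NAMES = [
    "virus.txt.exe",
    "virus.jpg.exe",
    r"C:\Users\test\Downloads\coolpic.jpg.exe",
    "holiday.JPG.ExE",      # extension matching is case-insensitive
    "setup.exe",            # executable, but not disguised
    "report.final.pdf",     # extra dot, real type is a document
    "notes.txt",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES):
        print(f"{f.name!r} is shown as {f.shown_as!r} but runs as {f.real_ext}")
```
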

The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.

Microsoft had not responded to a request for comment at the time of writing.

Tom Espiner of ZDNet UK reported from London.



58 Comments
by michael_j_x May 6, 2009 7:30 AM PDT
Doesn't Windows ask for confirmation to run executable files from the internet, regardless of whether the .exe is shown or not?
by alexakay May 6, 2009 8:00 AM PDT
That is a totally separate issue. UAC can be turned off by anybody with Admin rights. Pretty much every person who uses his / her own computer is an admin and not everybody is an expert about viruses. Hiding extensions of known types is a Stupid oversight by M$. Turning off this feature is the first thing I do when I get a new computer or install a new OS. I want to know the full file name of the file I am dealing with. Why would anybody hide the extension is beyond me. When you hide the extension only the last extension is hidden so Picture.jpg.exe would look like Picture.jpg ...very dangerous and the virus writers are drooling over this I am sure. Shame on Micro$oft for such a DUMB oversight.
by Angmarr May 6, 2009 5:37 PM PDT
not true i have an admin account and UAC is still on!
by kheechun May 6, 2009 7:31 AM PDT
I think the use of ".jpg.exe" is a poor example, because if a user hides all the known extensions, he/she wouldn't expect to see the .jpg as part of the file name of a normal jpg file. If the ".jpg" is noticed, it would be deemed suspicious by any alert user.
A better example would be the use of an exe file with a folder icon and the name with ".exe" extension hidden, it really mimics a folder. I've fallen into this trap once.
by alexakay May 6, 2009 8:04 AM PDT
What about the "non alert" users? This is such a simple security feature that it's amazing MS does not make this the default. Spending Millions of $ to make Windows secure and yet a code change that will take 5 minutes to implement is overlooked. Go figure !
by B-Ri May 6, 2009 8:23 AM PDT
@alexakay the problem is those "non alert" users would still have the problem because if they aren't alert enough to notice the .jpg they sure aren't going to pay attention to the .exe. I'm not sure why MS would have that as the default but then again there are a lot of default settings that I don't get.
by SergeM256 May 6, 2009 2:36 PM PDT
No, ".jpg.exe" would show as ".jpg". There is no such thing as first or second or last extension. There is only one extension, the rest is part of the file's name and, as long as a dot is allowed to be part of the name, there is a possibility to have these pseudo-extensions.
by firefoxluva95 May 6, 2009 6:18 PM PDT
When do users accept the responsibility for securing their computer? Oh wait, Microsoft is expected to do everything for us.
by jake3373 May 12, 2009 12:44 PM PDT
If people are alert enough to notice ".jpg" or even know what it means (my mom doesn't even know how to minimize or open multiple windows), they should have extensions visible. Non-alert people are the ones who hide the extensions.

This is one of Microsoft's biggest failures. Although my mom would say, "I typed in 'cat'. Why did it call it 'cat.jpg'?"
by derilium May 6, 2009 7:43 AM PDT
macs hide extension too. if somebody really wanted to, they could create an app with the icon just like a folder... and BOOM. The only problem is somebody has to spend the time writing a virus.
by alexakay May 6, 2009 9:21 AM PDT
"The only problem is somebody has to spend the time writing a virus"

You think this is a problem ? !...Have you checked lately how many viruses are out there? People do this as a challenge and am sure they spend 100% of their time to find a workaround to all the virus software and security features. Viruses cost the whole world Million$ in lost productivity and lost data. Such a simple code change could prevent at least a good percentage of virus propagation. It's the low hanging fruit and M$ refuses to budge.
by iain1962 May 6, 2009 10:28 AM PDT
A few things: Macs only hide known extensions: pdg, jpg, and so on. Also, OS X doesn't use the file extension to determine if the file is runnable. It requires the UNIX system execute flag to be set, and this flag is cleared on every downloaded or copied file. It's much harder to sneak an executable onto OS X, or any UNIX-based system.
by dlauber May 6, 2009 7:51 AM PDT
Good gads, all Microsoft has to do is change the default setting. When I build a computer for a client, I always -- and mean always -- change this setting to show all extensions.

In Windows XP:

Control Panel | Appearance and Themes | Folder Options | View | Advanced Settings
Just uncheck "Hide extensions for known file types".
by Ted Miller May 6, 2009 7:52 AM PDT
That comes as no surprise from such an incompetent company as Microsoft, who keeps coming out with dysfunctional software...Talk about a consistent track record. By the way I am a devoted Microsoft user, but the truth is the truth, and I am the first to admit to that fact.
by rhsc May 6, 2009 8:24 AM PDT
Clearly it's not incompetence, as they include the option to show file extensions. This article is FUD being spewed by an antivirus company. What a surprise. Any user with a lick of sense already shows their file extensions.
by B-Ri May 6, 2009 8:29 AM PDT
I agree with you rhsc, incompetence would be if MS had it as the default and no way to change it. Also if you think all their software is dysfunctional why would you be a devoted MS user? I don't think it's all bad so that's why I use their products. But then again I also use Mac and have tried ubuntu as well so I'm not married to one company. Just trying to find the best tools for the things I need/want to do.
by firefoxluva95 May 6, 2009 6:23 PM PDT
No, more like the incompetence of the user. It's about time that the end user "uses the computer" not the computer "uses the end user". You can have the securest OS out there but an incompetent user can still cause havoc. If you wish to lock everything down, well then the user once again has no control over things.
by jake3373 May 12, 2009 12:49 PM PDT
The idiots who turn off file extensions are probably the most likely ones to get a virus (even if they did have extensions visible) through something stupid like an ad or email. They are also the ones least likely to run good antivirus, update their computers, etc.

The aware people turn on extensions and they never get viruses. Well... maybe not "never"
by DMAN3k May 6, 2009 7:53 AM PDT
Question: why would people be downloading files like virus.jpg.exe in the first place?
by tm_anon May 6, 2009 9:12 AM PDT
Just in case that wasn't sarcasm, it was an example name.
by firefoxluva95 May 6, 2009 6:24 PM PDT
Why would people be running an executable that they never knew existed on their computer before?
by jake3373 May 12, 2009 12:50 PM PDT
email - "Hey, look at this cool pic I sent you!" has an attachment (coolpic.jpg.exe) that shows as coolpic.jpg
by FlairFan May 6, 2009 7:53 AM PDT
Oh please... if your stupid enough to still get caught by this, you shouldn't be allowed near a keyboard or mouse!
by alexakay May 6, 2009 1:45 PM PDT
Well I can list a lot more stupid things people would do with computers. Don't insult the intelligence of the average consumer who has been a victim of Viruses. Just look at the number of infected computers on any day, you will see that this issue is far more common than you think.
Note: By the way "your stupid enough" is not correct English, you should have said "you are stupid enough" Are you stupid or something?
by DrtyDogg May 6, 2009 6:31 PM PDT
He has a point, the same "stupid" user that would click on a file named "virus.jpg.exe" would still click on the file if it just showed up as "virus." It is an absolute moot point. Sensationalism at work.
by The_happy_switcher May 6, 2009 8:00 AM PDT
That didn't take long. Epic failure.
by ducttape36 May 6, 2009 8:15 AM PDT
I bet you feel really cool saying 'epic faii' in a posting huh? You are an original, don't stop being a rebel. lol
(thats a quote from you responding to another poster haha)
by The_happy_switcher May 6, 2009 9:22 AM PDT
I just wanted to demonstrate I could be as trite as a Windows user.
by ducttape36 May 6, 2009 9:55 AM PDT
what was that? i couldnt hear you over the foot in your mouth.
by The_happy_switcher May 6, 2009 11:56 AM PDT
You guys are really grasping for straws now, huh? Congrats on knowing how to use Google search ducttape. Do you feel really powerful now? I guess you've got nothing better to do than read all my postings--I guess you're a fan.
by ducttape36 May 6, 2009 12:51 PM PDT
man, i wish i could never see your postings. unfortunately for the internet you post your comments everywhere and can't be avoided.
do i feel powerful? yes, but mostly cause i am. :)
by The_happy_switcher May 6, 2009 12:56 PM PDT
"do i feel powerful? yes, but mostly cause i am. :)" And you're a legend--in your own mind.
by Dalkorian May 6, 2009 4:55 PM PDT
Duct tape is like the force
It has a light and dark side
And it holds the universe together.

LOL - hope you all enjoyed that joke as much as I did when I first heard it!
;-)
by firefoxluva95 May 6, 2009 6:25 PM PDT
Actually you don't have much power in your Mac OS because everything is closed source. Your Mac is using you...you aren't using your Mac. I'm sorry but I prefer to use a computer.
by otte-o May 6, 2009 8:01 AM PDT
This is a non-issue and is not a security flaw. As michael_j_x pointed out. It will warn you if you try to open an exe. Besides, the save as dialog when you download the file clearly shows the extension.
by alexakay May 6, 2009 1:57 PM PDT
huh? When you click on a download there is always a warning so most of the time people just ignore the warning and download the file anyway. I think M$ should make file extensions visible by default and warn them about this VERY security flaw when they choose to hide the extensions. Now that would be smart coding wouldn't it?
by Dalkorian May 6, 2009 4:57 PM PDT
Apparently otte-o works in the security department at M$, or is qualified to.
by alegr May 6, 2009 8:08 AM PDT
This misfeature is so stupid. A friend of mine (who is quite proficient in computers) received a file by email that looked like an MP3 once. He clicked on it. Unfortunately, it was a .vbs script file that deleted most of .JPG on the disk.

It is as stupid as autorun from writeable media. I guess MS just doesn't care.
by rhsc May 6, 2009 8:27 AM PDT
You mean the autorun from writable media that doesn't exist anymore? Yes, they fixed that. And the fact that you CAN make all the file extensions visible? That's been in windows for more than a decade.
by tm_anon May 6, 2009 9:16 AM PDT
@rhsc

They didn't fix it, they just tweaked it for some (not all, just most) flash drives. That means CDs and DVDs still have autorun enabled and can therefore still be carriers of viruses.

By the way, how many people actually know how to change the feature to allow all file extensions to be shown?

The answer? If you know how to change that feature, odds are, you're also smart enough to be running a good antivirus and scan all files before you open them in the first place.
by nonicks May 6, 2009 8:17 AM PDT
with such stupid reports .. no wonder.. no body uses F***-Secure's Anti Virus.

Guys , 2 things...

- First, It's a bogus report. Any one worth pinch of salt in using Windows, knows not to do it. Plus, What do we pay Anti Virus software for. To stop such things getting downloaded to my machine. If an Anti Virus software can't stop downloading VIRUS.JPG.EXE, why blame others. hahaha :)

- Second, Kudos to C!Net for providing a Sensational Headline to such a third grade report/analysis.

Thanks c!net, you are making your own legacy. :)
by tm_anon May 6, 2009 9:20 AM PDT
First, it's not a bogus report just because it was released by F-Secure, it's a very simple way to hide a virus and when paired with a simple E-Mail distribution exploit, it's really simple to be caught by. Who'd ever expect grandma to send you a virus?

Second, the headline reflects the story, it's a very basic piece of journalism. Let people know what they're going to read.
by Dalkorian May 6, 2009 5:02 PM PDT
by nonicks May 6, 2009 8:17 AM PDT
Plus, What do we pay Anti Virus software for. To stop such things getting downloaded to my machine. If an Anti Virus software can't stop downloading VIRUS.JPG.EXE, why blame others.

------------------------------------------------------------------------

*facepalm*

There are people who know something about computers and there are people who believe what nonicks said. Folks, we just met the reason that botnets are so proliferate today! I'd consider recommending a safer OS to him, but there isn't an OS that can protect the user from himself.
by B-Ri May 6, 2009 8:19 AM PDT
The real issue here is that normal users don't know what the exe or jpg is anyway. While it would be nice if MS could lock down all possible vectors for viruses I think that is unrealistic considering that most viruses are propagated . If by now there is a PC user that is running things "willy nilly" then there aren't any default settings that are going to protect that person from getting bit.
by Dr_Zinj May 6, 2009 8:22 AM PDT
I've always turned off that blasted Hide Extensions "feature". If I could strip it out of the OS entirely, I would.
by Dalkorian May 6, 2009 5:03 PM PDT
You've shown more intelligence in this post than M$ has in their entire software development division!
by HJBartz May 7, 2009 2:27 AM PDT
have to agree with you. First thing i always do when loading windows is to change this setting so that i can see all of the extensions. why should anything be hidden by default on my computer? I want to see precisely what is on my computer. As to why this feature should be in windows is beyond me - it is totally unnecessary.
by Suny Buffalo May 6, 2009 11:03 AM PDT
This is an OLD issue. Rightly so, F-Secure was just pointing out that microsoft left the "hide extension" feature checked by default on windows 7. Yes, I know, anyone proficient with windows would know how to "uncheck" such feature (sic). However, I am also aware that two things make it possible for such "hidden" or "masked" virus seem visible to users.
1} If you have a paid Anti-virus installed, prior to downloading from a website, your antivirus will "Pop-up" declaring this to be a virus and even take action and quarantine such file. McAfee does this, so does Kaspersky. I am sure all paid anti-virus does the same thing.
2} I remember when i downloaded firefox and installed it, what i did not know was that the default download feature activated automatically and saved the file to my desktop (remember that one!), Once i realized that, i looked into the Options and selected to ask me/prompt me to save file and where. What that means is that a dialogue box opens and the file name is displayed in FULL (incl. extension) therefore you can "see" what type of file it is (b4 ur anti-virus gets winded about it , ya neva beat yer anti-virus lol).
the whole thing is that we as computer users have come a long way and have learned much of what a computer does and what MS OS functions exist, what options to exercise, and a whole lot of other things aside lol.
Yes, it may seem like MS has done a "disservice" as F-secure states, but MS did not do so as this is their "default" setting and that they know, You the user, know how to toggle these settings to fit your particular taste.
[I use win XP Pro, Vista Ult., Linux Redhat and Fedora--like them all!!]
Suny
by Dalkorian May 6, 2009 5:08 PM PDT
It's an old issue - built into a (supposedly) new OS. One would think they would have thought to fix this by now, but one wouldn't know the history of M$ then either.

Most of us know how to turn it off, but does everyone? What about grandma, who just bought her first computer at the wall of mart so she could email her grandchildren? Does she not count? Does she deserve to be a part of a botnet because she hasn't taken a class in winblows management?

There is no excusing this. Do yourself a favor and stop before you embarrass yourself further.
by kcotham May 6, 2009 1:07 PM PDT
This does not surprise me one iota. This is another example of why one should consider switching to either a Linux/BSD/Solaris solution or a Mac OS X solution. When Windows XP or Windows Vista has reached the end of its service life for you, seriously give an alternative a chance.

Change is not that scary people. Think of all the headaches you WON'T have!
by Dalkorian May 6, 2009 5:11 PM PDT
Considering how people are talking about having to "relearn" winblows after fista anyway, I'd argue it's smarter to learn something better than it is to learn something that's the same but in a different wrapper. Be like an adult and learn something that allows you to be free instead of learning how to be M$'s slave under the cruel WGA (Winblows Genuine disAdvantage) whip.

Own your own computer, don't allow M$ to own it for you. You deserve better. Without walls and ceilings, who needs windows or gates?
by firefoxluva95 May 6, 2009 6:34 PM PDT
Who needs Terminal...oh wait...the linux user. You still have to do some things in terminal. When you get a new OS, it's not just learning the new OS, it's learning the so called "equivalent" programs that run on that OS. Take Photoshop or some other image editor in Windows, now try teaching the average computer user how to run GIMP. If the user on Windows isn't competent enough to know how to show extensions, how do you expect them to learn new software, especially GIMP? How do you expect the Windows user to realize that Macs don't have a quick button to maximize the window? How do you expect the newbie Linux user to install some TrueType fonts, codecs, and drivers if they don't happen to be available on the Synaptic Package manager? I doubt the average computer user has the guts to go into a window with a black background and type stuff in a language they've never heard before "sudo apt-get install -insert package name here-". You don't. Change isn't that simple. I'd say I'm lucky to have elevated computer experience but not everybody is at the same level as most of us here are.
by firefoxluva95 May 6, 2009 6:35 PM PDT
Steve Jobs owns all Macs though.
by kcotham May 7, 2009 1:36 PM PDT
@firefoxluva95
You can happily go your entire computing career without having to fire up the terminal in Linux, IF you have a complete distribution with plenty of GUI tools. But what's so bad about the terminal? Admittedly, I'd much rather have a GUI interface than a text one, but it's not the end of the world. I suppose there are too many people out there that have never had a command line in front of them. If one becomes proficient with a command line, it's arguably faster and more efficient. I personally, have rarely ever had to fire up the terminal in Ubuntu. And NEVER have I HAD to do it in Mac OS X. But it's there if I want it.

Most "average computer users" wouldn't have a clue how to do more than the most basic of tasks with Photoshop. And few of them would have the full version anyway. It's simply too expensive for most people. Those that are familiar with Photoshop will take to GIMP without any problems whatsoever. The UI is very very similar between the two programs.

Mac OS X does have a button to maximise the window, the green one to the right of every window. You obviously haven't ever used a Macintosh. The difference in behaviour is that the Mac OS X maximises it to an optimum area (showing all content and no larger). Windows maximises it to fill the screen (as Mac OS 9 and before did). I personally wish they would go back to the pre-Mac OS X way, but oh well.

Synaptic is there to make it easy for the average user and the beginning user. Once you gain some proficiency, then you can start learning the intricacies of the operating system and doing things manually. That's the beauty of Ubuntu.

Oh, and Steve Jobs does not "owns all Macs". I own my computer. I can do what I want to with it. That was a very stupid, poorly worded statement.
by Raschelle May 7, 2009 8:43 AM PDT
It is sad that M$ doesn't set the default to show all extensions. But, then again, neither does the Mac. That's also a preference that has to be turned on. I'm definitely a Mac lover and Windows avoider, but I hate seeing some of these other Mac users posting trash when Macs have the same issue. They only feel superior because the virus don't affect them - YET. I'm not so naive and I've made sure my company of all Macs have virus software installed. Especially since the bosses like M$ Office 2004 so much and that is vulnerable to Macro viruses.

To all my fellow computing brothers and sisters: STOP making this about which OS is superior. Read the article for what it's worth, comment on it thoughtfully and, if the information helps you better secure your OS, secure it and be thankful for the article's information.

God bless you all and safe computing!
by Rabo101 May 7, 2009 11:03 AM PDT
Downloading W7 RC 4 (for XP) was easy, but took some time and a whole lot of my bandwidth, but when I began to realize what was required of me, and that I am just a normal "stupid enough" old man who booted up his first 286 about 9 years ago, it set me thinking (did ya smell the smoke?).

Microsoft has undoubtedly led me a not so merry dance, and I reckon I have spent more time on my PC fixing things, than playing with it., which in my case really is the same thing.

With this W7 - XP thing I can see a bad moon on the rise, so I sent for a Ubuntu 9 CD and who knows? I may just scrap this Microsoft institution altogether and start living a peaceful life - what's left of it.

Of course that will break Sir Bill's heart - and pocket..
by kcotham May 7, 2009 1:21 PM PDT
You can't download it on a Macintosh with any WebKit browser (Safari or OmniWeb). Mozilla browsers won't allow it either (Camino or Firefox). You have to use Opera 9.64.

You can directly download Ubuntu less than 700MB, if you don't want to wait for the CD-ROM to arrive.
http://www.ubuntu.com/getubuntu/download
by kcotham May 7, 2009 2:23 PM PDT
Forgot to mention, Ubuntu is a fraction of the size of Windows 7 Release Candidate (32-bit or 64-bit) and will take a fraction of the time to download the ISO disk image.

Ubuntu 9.04 64-bit: 696.7 MB
Ubuntu 9.04 32-bit: 699 MB
Windows 7 64 bit: 3.05 GB
Windows 7 32-bit: 2.36 GB