Full Disclosure mailing list archives
Re: Windows XP Explorer Executes Arbitrary Code in Folders
From: Tobias Weisserth <tobias () weisserth de>
Date: Mon, 26 Jan 2004 23:14:42 +0100
Hi,

On Mon, 26.01.2004 at 21:41, Exibar wrote:

> It sure didn't look like a normal folder to me either. I could edit the file and such and renaming the file to having an .HTM extension makes it look like a "normal" html file. Certainly not like a directory at all, but a simple file.

That's totally not the point here. When you look at any Windows OS the way it is being _shipped_, then the file extensions are not visible to users _by default_. This means that user Joe _is_ seeing a folder when he looks at the file. Of course he can change the settings and then get the filename with the .foo extension but that's not the way 99% of Windows users see it because they wouldn't know how to enable this feature.

Blending out the file extension by default was meant to ease usage of file management for users but in reality it poses a threat because the real identity of a file can easily be hidden behind a fake extension (foofile.jpg.vbs) or using this .folder trick. This is very effective against the average user because quite obviously people tend to trust an email attachment that is named foo.jpg.vbs when they only see foo.jpg.

I can totally understand why this has been described as "idiot engineering". It may have been meant for greater ease of usage but it _IS_ posing a grave threat to security in the hands of the average user.

Thor, I have a question. You seem to be very much into these MS matters. Is the upcoming service pack for Windows XP changing the default settings, thus showing the extension of files by default (Maybe you already answered this, but suppose I'm a six year old who doesn't understand ;-))? Will this affect both versions of Windows XP (Home and Pro)?

regards,
Tobias W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
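The name masquerading described in the message above, as an added example that is not part of the original post: a filter for a mail gateway or triage script that computes what a user sees when the final extension is hidden and flags names whose visible part implies a different type. The extension lists, function names and sample filenames are constructed assumptions, and the sketch assumes the final extension is a registered type that Explorer hides.

```python
import ntpath

# Constructed lists for illustration (assumptions, not from the original post).
ACTIVE_EXTS = {".vbs", ".js", ".exe", ".scr", ".bat", ".cmd", ".pif", ".com"}
DECOY_EXTS = {".jpg", ".gif", ".txt", ".doc", ".pdf", ".htm", ".html"}


def displayed_name(filename):
    """Name a user sees when the final extension is hidden (the shipped default)."""
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    return stem if ext else base


def masquerade_reason(filename):
    """Return why a name is deceptive with extensions hidden, or None."""
    base = ntpath.basename(filename)
    shown, real_ext = ntpath.splitext(base)
    real_ext = real_ext.lower()
    if real_ext == ".folder":
        # The ".folder" trick from the thread: the file is presented as a folder.
        return f"'{shown}' is a file with a .folder extension"
    decoy_ext = ntpath.splitext(shown)[1].lower()
    if real_ext in ACTIVE_EXTS and decoy_ext in DECOY_EXTS:
        return f"shown as '{shown}' but real type is {real_ext}"
    return None


def scan(filenames):
    """Map each deceptive filename to its reason; clean names are omitted."""
    hits = {}
    for name in filenames:
        reason = masquerade_reason(name)
        if reason:
            hits[name] = reason
    return hits


if __name__ == "__main__":
    # Constructed attachment names.
    sample = ["foofile.jpg.vbs", "holiday.jpg", "Photos.folder",
              "report.final.doc", r"C:\mail\tmp\Invoice.PDF.EXE"]
    for name, reason in scan(sample).items():
        print(f"{name}: {reason}")
```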
Current thread:
- Windows XP Explorer Executes Arbitrary Code in Folders JacK (Jan 26)
- Re: Windows XP Explorer Executes Arbitrary Code in Folders Thor Larholm (Jan 26)
- Re: Windows XP Explorer Executes Arbitrary Code in Folders Exibar (Jan 26)
- Re: Windows XP Explorer Executes Arbitrary Code in Folders Tobias Weisserth (Jan 26)
- Re: Windows XP Explorer Executes Arbitrary Code in Folders Exibar (Jan 26)
- <Possible follow-ups>
- Re:Windows XP Explorer Executes Arbitrary Code in Folders Ian Latter (Jan 26)
- Re: Windows XP Explorer Executes Arbitrary Code in Folders Thor Larholm (Jan 26)