Information Security News mailing list archives

Windows 7 RC ignores file extension security risk


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 7 May 2009 00:32:00 -0500 (CDT)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9132626

By Gregg Keizer
May 6, 2009 
Computerworld

Windows 7 Release Candidate (RC) continues a long-running Microsoft 
practice that puts users at risk, a security researcher said today.

The new operating system's Windows Explorer file manager still misleads 
users about the true extension of a file, said Patrik Runald, chief 
research advisor at Helsinki-based F-Secure Corp. Rather than reveal the 
full extension for a filename, Windows Explorer hides the extension for 
known file types, giving hackers a way to disguise malware by using 
those file types' extensions and icons.

Windows Explorer, for example, will show the .txt icon and display 
"attack.txt" as the filename for a Trojan horse that's actually been 
named "attack.txt.exe" by the hacker. The practice goes back to at least 
Windows NT, and has been criticized in the still-popular Windows XP and 
the newer Windows Vista.

"People typically look at the icon to know what the file is," said 
Runald. "If it looks like a Word doc or a PDF file, there's an implicit 
trust in it, and users are more likely to click on those files, even if 
they are actually an executable."

[...]


--
LayerOne 2009, Information Security for the discerning professional. 
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California 
Visit http://layerone.info for more information
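
Added example, not part of the original article or post: a Python sketch that models the extension hiding described above and flags files whose displayed name would still end in a document-style extension while the real extension is executable. The extension sets, function names and sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed sets for illustration; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".xls"}


def explorer_display_name(path, known_exts=EXECUTABLE_EXTS | DECOY_EXTS):
    """Model of the behaviour described above: the final extension is
    dropped from the displayed name when it is a known file type."""
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    return stem if ext.lower() in known_exts and stem else name


def is_disguised_executable(path):
    """True when the real type is executable but the displayed name
    still ends in a document-style extension (e.g. attack.txt.exe)."""
    name = ntpath.basename(path)
    stem, real_ext = ntpath.splitext(name)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = ntpath.splitext(stem)
    return shown_ext.lower() in DECOY_EXTS


def scan(paths):
    """Return (path, displayed_name) for every flagged entry."""
    return [(p, explorer_display_name(p)) for p in paths
            if is_disguised_executable(p)]


# Constructed sample listing, not taken from the article.
SAMPLE = [
    r"C:\Users\test\Downloads\attack.txt.exe",
    r"C:\Users\test\Downloads\notes.txt",
    r"C:\Users\test\Downloads\setup.exe",
    r"C:\Users\test\Downloads\Report.PDF.SCR",
    r"C:\Users\test\Downloads\archive.tar.gz",
]

if __name__ == "__main__":
    for path, shown in scan(SAMPLE):
        print(f"{path}  (shown as {shown!r})")
```

The same check can be run over mail attachment names or a download directory listing; matching is case-insensitive because Windows treats extensions that way.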


