Windows 7 at risk from legacy flaw, F-Secure says
Microsoft has failed to remove from the Windows 7 release candidate a long-recognized security risk. The feature can let virus writers trick users into running malicious files, a security company says.
Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.
The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the
"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."
For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.
The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.
Microsoft had not responded to a request for comment at the time of writing.
Tom Espiner of ZDNet UKreported from London.