
Windows 7 still allows unsafe files to be disguised as safe files

The good folks at F-Secure uncover the first Windows 7 security fail ... and it's a classic.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

[UPDATE: The folks at F-Secure have posted a Q&A on this issue:

Q: But if the file came from the Internet, Explorer will warn you that it came from an "Untrusted Zone"!

A: Only if you use Internet Explorer to browse the web and Outlook to download your e-mail attachments. There are plenty of other ways to download files from the net: 3rd party web and e-mail clients, BitTorrent and other P2P clients, chat programs etc. Also, you can't rely on such warning dialogs if the file is on a network share or on a USB drive.

A very good point.]

The issue in question is nothing new. In fact, it's been around for so long that I didn't even bother checking to see if it had been fixed.

You see, in Windows NT, 2000, XP and Vista, Explorer used to "Hide extensions for known file types". And virus writers used this "feature" to make people mistake executables for stuff such as document files.

The trick was to rename VIRUS.EXE to VIRUS.TXT.EXE or VIRUS.JPG.EXE, and Windows would hide the .EXE part of the filename.

Additionally, virus writers would change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled.

Surely this won't work in Windows 7.

Let's try.

Hmm. It sure looks like a text file in Explorer:

OK, the sort of person who reads ZDNet would immediately spot what's going on here, but for everyone else out there in "computerland" this sort of trickery could well go unnoticed.

Personally, the whole idea of being able to hide file extensions just doesn't make sense to me, and it's still one of the first "features" that I turn off when I install Windows. Combined with the ability to change the icon on certain potentially dangerous file types such as .EXE files, it's a very easy way to get people clicking on the wrong sorts of files.
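A defender-side check for the disguise described above, as an added example that is not part of the original article or F-Secure's post. It models what Explorer displays when extensions are hidden and flags names whose real extension is executable while the visible name ends in a document or image extension. The two extension sets and the function names are assumptions chosen for illustration.

```python
import os

# Assumed sets for illustration; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}

# Constructed sample names, including the two from the article.
SAMPLE = ["VIRUS.TXT.EXE", "VIRUS.JPG.EXE", "setup.exe", "notes.txt", "holiday.jpg"]


def displayed_name(filename, hide_known_extensions=True):
    """Approximate the name Explorer shows when known extensions are hidden."""
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return filename


def is_disguised(filename):
    """True if the file is executable but its visible name ends in a decoy extension."""
    stem, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    # The extension the user still sees once the real one is hidden.
    _, shown_ext = os.path.splitext(stem)
    return shown_ext.lower() in DECOY_EXTS


def scan(filenames):
    """Return (real name, name as displayed) for every disguised entry."""
    return [(n, displayed_name(n)) for n in filenames if is_disguised(n)]


def scan_tree(root):
    """Walk a directory (a download folder, a share, a USB drive) and report full paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_disguised(f))
    return sorted(hits)


if __name__ == "__main__":
    for real, shown in scan(SAMPLE):
        print(f"{real!r} is shown as {shown!r}")
```
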

What could Microsoft do? Maybe disable the ability to hide file extensions and add some sort of overlay image onto executables that aren't digitally signed.

[UPDATE: Just to be clear here, I'm not labeling this as a high risk, but rather as a piece of legacy from a bygone era where the risk that someone is fooled outweighs the benefits of trimming four characters off the end of a filename.]

Thoughts? Ideas?
