Re: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code in Folders
From: Tobias Weisserth (tobiasweisserth.de)
Date: Mon Jan 26 2004 - 16:14:42 CST
On Mon, 26.01.2004 at 21:41, Exibar wrote:
> It sure didn't look like a normal folder to me either. I could edit the
> file and such and renaming the file to having an .HTM extension makes it
> look like a "normal" html file. Certainly not like a directory at all, but
> a simple file.
That's totally not the point here.
When you look at any Windows OS the way it is being _shipped_, then the
file extensions are not visible to users _by default_. This means that
user Joe _is_ seeing a folder when he looks at the file. Of course he
can change the settings and then get the filename with the .foo
extension but that's not the way 99% of Windows users see it because
they wouldn't know how to enable this feature.
Hiding the file extension by default was meant to ease usage of
file management for users but in reality it poses a threat because the
real identity of a file can easily be hidden behind a fake extension
(foofile.jpg.vbs) or using this .folder trick. This is very effective
against the average user because quite obviously people tend to trust an
email attachment that is named foo.jpg.vbs when they only see foo.jpg.
I can totally understand why this has been described as "idiot
engineering". It may have been meant for greater ease of usage but it
_IS_ posing a grave threat to security in the hands of the average user.
Thor, I have a question. You seem to be very much into these MS matters.
Is the upcoming service pack for Windows XP changing the default
settings, thus showing the extension of files by default (Maybe you
already answered this, but suppose I'm a six-year-old who doesn't
understand ;-))? Will this affect both versions of Windows XP (Home and
Full-Disclosure - We believe in it.
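An added illustration of the point made in the message above (not code from the thread or its authors): it mimics Explorer's default of hiding the last extension, shows what "user Joe" would see for a name like foo.jpg.vbs, and flags attachment names whose visible part suggests harmless data while the real extension is executable. The extension lists are constructed for the example and assume every extension is a registered "known" type.

```python
import os
from dataclasses import dataclass

# Constructed lists for this example, not exhaustive. Final extensions that make
# Explorer run the file rather than display it:
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions an average user reads as harmless data:
BENIGN_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".htm", ".html"}


@dataclass
class Verdict:
    filename: str
    shown_as: str   # what the user sees with "Hide extensions for known file types" on
    real_ext: str   # the extension Windows actually uses to decide how to open the file
    suspicious: bool
    reason: str


def displayed_name(filename: str) -> str:
    """Mimic Explorer's default: only the last extension is hidden.
    Simplification: every extension is treated as a registered ('known') type."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def assess(filename: str) -> Verdict:
    shown = displayed_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    # The type the user infers from what is left visible, if anything.
    apparent_ext = os.path.splitext(shown)[1].lower()
    if real_ext in EXECUTABLE_EXTS:
        if apparent_ext in BENIGN_EXTS:
            return Verdict(filename, shown, real_ext, True,
                           f"runs as {real_ext} but is displayed as a {apparent_ext} file")
        return Verdict(filename, shown, real_ext, True,
                       f"runs as {real_ext}; the extension is not shown at all")
    return Verdict(filename, shown, real_ext, False, "non-executable")


def flag_attachments(names):
    """Return the verdicts a mail gateway or user should treat with suspicion."""
    return [v for v in map(assess, names) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for v in flag_attachments(["foo.jpg.vbs", "holiday.jpg", "readme.txt.exe", "setup.exe"]):
        print(f"{v.filename!r} is shown as {v.shown_as!r}: {v.reason}")
```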