Tuesday, August 12, 2008

File extensions and Security: Windows vs *nix

I am having an argument/discussion with a close friend about the security implications of file type detection by extension (Windows) and vice versa (*nix). Over the years, I have heard that the Windows way of doing thing is a larger security risk than *nix's ( on *nix you don't need a file extension, so you can throw any extension on there and make the user think they are clicking on something legit).

While I do think the *nix one is better, I do see why it might be a problem. My friend thinks the arguments are bogus, and I see no reason to disagree with him outside of my own gut feeling and lack of articles/statistics on the subject make it difficult to prove one or the other. Can anyone shed some light on this? Obviously, the Windows way will be much more widespread and will be considered more unsafe due to volume of use (and misuse).


  1. I think every OS that allows some sort of default implicit action to executed on an object, by say... double clicking a file icon, should do some sanity checking before doing anything. The most obvious example of that would be comparing the detected file type to the file type indicated by the extension (if it exists) and if there is a mismatch, throw a warning.

    Ultimately, unless we require people to be explicit about what they want to do with a file, there will always be a good a chance for unintended operations to take place. However, simple checks like this will go a long a way to curtailing that.

  2. Meh. The average desktop environment for Linux also opens files with a helper chosen based on the file extension. How's this any different from Windows?

  3. Gnome checks if extension and associated mime type match, and throws a warning if they don't.

  4. There is no security risk as such in a filename extension. A ".txt" will always be a text file, and when double-clicked the OS (or Desktop) will launch the text editor application with the file as an argument.
    The danger that resides in this system and that caused many havoc in the past in Windows (and still could), is that Microsoft since Windows 95 tries to hide the extension of the files by default. But most application (and even Microsoft ones) where still heavily relying on it and displaying it, this was inconsistent. With Win95, Microsoft's goal was to reach the user friendliness of Apple's OS (I recall it was called System 7 at that time), and on a Mac there was no need for file extensions at that time. So Microsoft decided to hide them. But as I said some application still used them a lot!
    The result was that some clever guys thought of using this inconsistency in the Windows ecosystem by naming files something.txt.com or something.txt.exe. By default the explorer and some few application were displaying the filename like "something.txt" because they were hiding the extension. For many user, it was then safe to open! Obviously to them, it was just a .txt file! And they got infected...

    The fault is not on the user, it is not on the use of extension neither, the fault is that Windows 95 until Windows XP (at least) are using by default to hide extensions of known file type! They should at least never hide the extensions of executables, or even not hide extensions at all!
    I do not know now the status with Windows XP SP2 (I upgraded to SP2, so it kept my settings which were not to hide them), neither do I know for Vista! But as long as Microsoft does not stop hiding the extension, there is a potential breach in the system...

  5. A .txt extension will not always be a text file. Precicely because of Windows' obsession with filename extensions, we routinely rename data being transferred between SAP/UNIX and windows systems to '.txt' so the windows WebDAV server will allow getting and putting them.

  6. This comment has been removed by the author.

  7. In response to Jon Dowland:
    "A .txt extension will not always be a text file."

    True, but what I meant was that if a file has really the .txt extension and someone double click on it, Windows will launch the default editor with the file as a parameter. If the file is not a text file, the user will find out really quickly because the editor will not display it. There is no risk here.
    The risk is when Windows hides the extension. Because then when you click on a file that seems to end in .txt or has the same icon as the .txt, it could be actually a .exe file, and then when double-clicking it, Windows might execute the file and not launch the editor.

    So if a .txt file is a text file or not does not matter, it will always be opened in an editor.
    But if Windows hides the extension of known file types, a clever guy to lure the user and make him launch a virus/trojan/younameit instead of the editor!

    Edited: as there is no edit possibilities, I deleted my previous comment, and corrected the typo mistake in this new one. Sorry for the inconvenience.