First published: 31st March 2007
Windows Vista, like earlier versions of Windows, ships with the “Hide extensions for known file types” option turned on by default. This “feature” has been widely exploited by malware authors, who give their files a double extension such as “invoice.pdf.exe”: Explorer strips the real, registered extension (“.exe”) and displays “invoice.pdf”, so an incautious user sees what looks like a document and double-clicks an executable.
The flaw originated when DOS was first designed: eight-letter filenames were given a three-letter “extension” that indicated the file’s type, including which files (COM, EXE, BAT) were executable. Applications began defining their own extensions for their data files, and Windows used the registered extension to decide what action to take when a file was double-clicked. This oddity became dangerous when Windows 95 allowed long filenames (with more than one “.”) and, at the same time, hid the extensions of known file types to be “user friendly”. Because only the part after the last dot is an extension, everything before it is displayed as the name, whatever it happens to look like. Apparently, Microsoft still has not noticed the contradiction of intentionally putting information about the file type into a file’s name, but then intentionally hiding that part of the name.
So, your new operating system contains a design “feature” from a quarter of a century ago, which became a dangerous flaw twelve years ago.
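To make the trick concrete, here is an added example (not code from the original post): a small Python script that approximates the name Explorer displays for a filename and flags names that would mislead a user. The set of “known” extensions is constructed for the demonstration; the real Explorer consults the registry (HKEY_CLASSES_ROOT) to decide which types are known. The handling of shortcut types (.lnk, .url, .pif, .scf) reflects real Explorer behaviour: their registered type carries a NeverShowExt value, so the extension is hidden even when the “Hide extensions” option is off.

```python
"""Approximate how Explorer displays filenames and flag deceptive double extensions.

Added example, not part of the original post. The extension sets below are
constructed for the demonstration; real Explorer reads them from the registry.
"""
import os
from typing import Iterable, List, NamedTuple

# Constructed set of "known" types. Real Explorer treats a type as known when
# HKCR\.<ext> is registered.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".zip"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS

# Types whose registered ProgID carries NeverShowExt: Explorer hides these
# even when HideFileExt is 0. A shortcut launches whatever it points at, so
# this example treats them as executable-equivalent.
NEVER_SHOW_EXT = {".lnk", ".url", ".pif", ".scf"}
DANGEROUS_EXTENSIONS = EXECUTABLE_EXTENSIONS | NEVER_SHOW_EXT


class Verdict(NamedTuple):
    filename: str
    displayed: str      # what the user sees in Explorer
    actual_ext: str     # what Windows will act on at double-click
    deceptive: bool     # displayed name looks like a harmless document


def explorer_display_name(filename: str, hide_known: bool = True) -> str:
    """Return the name Explorer would show for `filename`.

    `hide_known` mirrors the HideFileExt setting (True = option on, the default).
    Matching is case-insensitive, as on Windows.
    """
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if not stem or not ext:          # ".bashrc" or "README": nothing to hide
        return filename
    if ext in NEVER_SHOW_EXT:        # hidden regardless of the setting
        return stem
    if hide_known and ext in KNOWN_EXTENSIONS:
        return stem
    return filename                  # unregistered types are shown in full


def assess(filename: str, hide_known: bool = True) -> Verdict:
    """Decide whether the displayed name would mislead the user."""
    displayed = explorer_display_name(filename, hide_known)
    actual_ext = os.path.splitext(filename)[1].lower()
    # The extension the *displayed* name appears to have. strip() defeats the
    # variant that pads the name with spaces to push the real extension away.
    apparent_ext = os.path.splitext(displayed)[1].lower().strip()
    deceptive = (
        actual_ext in DANGEROUS_EXTENSIONS
        and displayed != filename                 # something was hidden
        and apparent_ext in DOCUMENT_EXTENSIONS   # and what remains looks benign
    )
    return Verdict(filename, displayed, actual_ext, deceptive)


def flag_suspicious(names: Iterable[str], hide_known: bool = True) -> List[str]:
    """Return the filenames from `names` whose displayed form is deceptive."""
    return [n for n in names if assess(n, hide_known).deceptive]


# Constructed sample directory listing for the demonstration.
SAMPLE_NAMES = [
    "report.pdf.exe",
    "holiday.jpg.lnk",
    "setup.exe",
    "notes.txt",
    "README",
    "photo.jpg     .scr",
]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"HideFileExt={'1' if setting else '0'}")
        for v in (assess(n, setting) for n in SAMPLE_NAMES):
            mark = "!!" if v.deceptive else "  "
            print(f"  {mark} {v.filename!r:24} shown as {v.displayed!r}")
```

The setting itself is the DWORD value HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (1 = hide, 0 = show). Setting it to 0 fixes the common “.pdf.exe” case, but the script shows why that is not a complete fix: with the option off, “holiday.jpg.lnk” is still displayed as “holiday.jpg”, because the extension of a shortcut is never shown.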