Swapping convenience for computer security
by Alan Zisman (c) 2009
First published in Business in Vancouver June 2-8, 2009; issue 1023
High Tech Office column
One reason last winter’s Downadup (a.k.a. Conficker) worm spread so quickly, to an estimated 12 million computers, was that it could spread not only through online sources but also via infected USB flash memory drives. To do that, it made use of a pair of features baked into Windows known as autorun and autoplay.
You’ve probably seen these features, even if you didn’t know their names. Insert a Microsoft Office install disc into a Windows system and the setup program starts up – that’s autorun. Plug in your memory stick and a window may pop up asking what you want to do with it – load a photo album program or explore the files on the stick – that’s autoplay.
The problem is that it’s easy for malware authors to fake out these features so that, for instance, though you might think you’ve picked an option to explore the files on a memory stick, you instead run a program that infects your computer.
Some good news. With its recent Windows 7 release candidate, Microsoft has killed off autorun – at least in Windows 7. Promised updates will neuter the feature in XP and Vista as well. A step backward in convenience, perhaps, but a step forward for security.
You probably shouldn’t wait for Microsoft to turn autorun off for you, however. Check the company’s Knowledge Base article 967715 (Google “967715”) for instructions, including links for patches needed by various versions of Windows.
While Microsoft is making it harder for malware authors to exploit long-available autorun vulnerabilities, the Windows 7 release candidate ignores another long-standing way to infect Windows systems. Security company F-Secure has pointed out that even this latest most-secure version of Windows continues a practice that Microsoft began with the venerable Windows 95: hiding standard file extensions by default.
A little background. Way back then, users of most Windows applications had to make sure that files created with, say, Microsoft Word had names ending in “.doc,” photo image filenames ended with “.jpg,” webpage files had names ending with “.htm” and so on. Change that three-letter file extension, and the document would no longer automatically open in the right application. The Mac imposed no such limitations on its users.
Microsoft’s solution: make Windows look more Mac-like by hiding file extensions. That way, users wouldn’t need to pay any attention to them.
Malware authors, however, paid attention. They created infection-bearing files like one widely e-mailed in 2001 claiming to be a photo of Russian tennis star Anna Kournikova. The e-mail attachment appeared to be named Anna.jpg, but was actually Anna.jpg.exe.
Windows hid the last three letters that would have shown that it was an “executable” file that, in this case, infected users’ computers.
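
The check below is an added example, not part of the original column: it models what a file listing shows when extensions are hidden and flags names built like Anna.jpg.exe. The extension lists and all sample names other than Anna.jpg.exe are assumptions chosen for illustration.

```python
import ntpath

# Assumption for this example: a small sample of file types Windows knows.
# Explorer hides the extension only for known (registered) types.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".txt", ".htm", ".html"}
KNOWN = EXECUTABLE | DECOY


def split_ext(name):
    """Split off the final extension, ignoring case and the trailing dots
    and spaces that Windows drops from file names."""
    base = ntpath.basename(name).rstrip(". ")
    stem, ext = ntpath.splitext(base)
    return stem, ext.lower()


def displayed_name(name):
    """Name as listed when 'Hide extensions for known file types' is on."""
    stem, ext = split_ext(name)
    return stem if ext in KNOWN else stem + ext


def is_disguised(name):
    """True when the real type is executable but the displayed name still
    ends in a harmless-looking document or image extension."""
    stem, ext = split_ext(name)
    if ext not in EXECUTABLE:
        return False
    _, inner = split_ext(stem)
    return inner in DECOY


def audit(names):
    """Return (real name, displayed name) for each disguised file."""
    return [(n, displayed_name(n)) for n in names if is_disguised(n)]


# Constructed sample attachment names; only Anna.jpg.exe is from the column.
SAMPLES = ["Anna.jpg.exe", "Anna.jpg", "setup.exe", "report.final.doc",
           "Invoice.PDF.SCR ", "notes.txt"]

if __name__ == "__main__":
    for real, shown in audit(SAMPLES):
        print(f"{shown!r} is really {real!r}")
```
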
This one’s easier to turn off than the autorun default. Users of XP (or earlier Windows versions) should open My Computer, click on Tools, then Folder Options. Go to the View tab and remove the checkmark beside “Hide extensions for known file types.”
Vista and Windows 7 testers have extra hoops to jump through, because those systems hide the menus in My Computer. Open the Control Panel, switch to Classic View, then open the Folder Options item. From there, it’s the same.
As with Microsoft’s neutering autorun, doing this trades convenience for security – putting users back to the early 1990s where they can mangle those three-letter file extensions. But now malware authors won’t be able to trick you with faux photos promising racy shots of tennis players.
There’s always a tradeoff between security and convenience – in the physical world, where extra locks require extra keys, as well as on our computers. Microsoft has traditionally designed Windows putting convenience ahead of security; slowly, it’s moving more toward security.