Swapping convenience for computer security

by  Alan Zisman (c) 2009 First published in Business in Vancouver June 2-8, 2009; issue 1023

High Tech Office column


One of the reasons last winter’s Downadup (a.k.a. Conficker) worm was able to spread quickly to an estimated 12 million computers was because it was able to spread, not only through online sources, but via infected USB flash memory drives as well. To do that, it made use of a pair of features baked into Windows known as autorun and autoplay.

You’ve probably seen these features, even if you didn’t know their names. Insert a Microsoft Office install disc into a Windows system and the setup program starts up – that’s autorun. Plug in your memory stick and a window may pop up asking what you want to do with it – load a photo album program or explore the files on the stick – that’s autoplay.

The problem is that it’s easy for malware authors to fake out these features so that, for instance, though you might think you’ve picked an option to explore the files on a memory stick, you instead run a program that infects your computer.

Some good news. With its recent Windows 7 release candidate, Microsoft has killed off autorun – at least in Windows 7. Promised updates will neuter the feature in XP and Vista as well. A step backward in convenience, perhaps, but a step forward for security.

You probably shouldn’t wait for Microsoft to turn autorun off for you, however. Check the company’s KnowlegeBase article 967715 (Google “967715”) for instructions, including links for patches needed by various versions of Windows.

While Microsoft is making it harder for malware authors to exploit long-available autorun vulnerabilities, the Windows 7 release candidate ignores another long-standing way to infect Windows systems. Security company F-Secure has pointed out that even this latest most-secure version of Windows continues a practice that Microsoft began with the venerable Windows 95: hiding standard file extensions by default.

A little background. Way back then, users of most Windows applications had to pay attention that files created with say, Microsoft Word, had names ending in “.doc,” photo image filenames ended with “.jpg,” webpage files had names ending with “.htm” and so on. Change that three-letter file extension, and the document would no longer automatically open in the right application. The Mac imposed no such limitations on its users.

Microsoft’s solution: make Windows look more Mac-like by hiding file extensions. That way, users wouldn’t need to pay any attention to them.

Malware authors, however, paid attention. They created infection-bearing files like one widely e-mailed in 2001 claiming to be a photo of Russian tennis star Anna Kournikova. The e-mail attachment appeared to be named Anna.jpg, but was actually Anna.jpg.exe.

Windows hid the last three letters that would have shown that it was an “executible” file that, in this case, infected users’ computers.

This one’s easier to turn off than the autorun default. Users of XP (or earlier Windows versions) should open My Computer, click on tools, then folder options. Go to the view tab and remove the checkmark beside: hide extensions for known file types.

Vista and Windows 7 testers have extra hoops to jump, because those systems hide the menus in My Computer. Open the control panel, switch to classic view, then open the folder options item. From there, it’s the same.

As with Microsoft’s neutering autorun, doing this trades convenience for security – putting users back to the early 1990s where they can mangle those three-letter file extensions. But now malware authors won’t be able to trick you with faux photos promising racy shots of tennis players.

There’s always a tradeoff between security and convenience – in the physical world extra locks require extra keys as well as on our computers.

Microsoft has traditionally designed Windows putting convenience ahead of security; slowly, it’s moving more toward security. •