this post was submitted on 10 Jul 2024
325 points (98.8% liked)

Technology

[–] conciselyverbose@sh.itjust.works 81 points 4 months ago (6 children)

The fact that Windows hasn't solved the "fake extension" scam is wild. You can't make people not click stuff, obviously. But you absolutely could identify double extensions clearly intended to confuse people and give some kind of "this isn't a PDF" warning.

[–] 01189998819991197253@infosec.pub 46 points 4 months ago* (last edited 4 months ago)

They're too busy finding new ways to inject telemetry and ads into your os, and degrade your experience. It takes a lot of resources to do this.

Edit: 'to' to 'too'. I blame fatigue.

[–] mememuseum@lemmy.world 43 points 4 months ago (2 children)

It's so dumb that Windows hides file extensions by default. They could just flip a toggle.

[–] Plopp@lemmy.world 32 points 4 months ago (2 children)

But don't you understand how confusing and scary those cryptic three letter strings are to normal people?? 😱

[–] Cort@lemmy.world 5 points 4 months ago (1 children)

Administrator Plopp, what do I do if it has a 4 letter extension? That .jpeg is a virus right?

-sincerely, The dumbest user you know

[–] Plopp@lemmy.world 3 points 4 months ago

Oh shit. Yes. I need you to press Ctrl+Alt+Del while pulling the power cord or else the virus will steal your RAM and upload your printer to a criminal server in the cloud!

[–] sturmblast@lemmy.world 3 points 4 months ago (1 children)

It's not the 90's anymore. There's no excuse for not having basic understanding of the tools you use in life.

[–] Plopp@lemmy.world 4 points 4 months ago

Where have you been for the past decade? The trend is the exact opposite. Dumb everything down until there's nothing left to understand, in the name of "usability".

[–] undefined@links.hackliberty.org 1 points 4 months ago

File extensions are soo MS-DOS/Windows. What a dumb operating system.

[–] TimeSquirrel@kbin.melroy.org 27 points 4 months ago* (last edited 4 months ago) (3 children)

Shit, I remember having to wipe my boss's computer back in '03 because he clicked on an attachment called something along the lines of "bigtiddies.mpeg.exe" or some shit.

[–] Fizz@lemmy.nz 25 points 4 months ago* (last edited 4 months ago) (2 children)

Me getting a virus on my computer after running sex.exe from limewire. Luckily it was only mildly annoying (as far as I know). A picture of a golfer would pop up and he would swing then the computer would shutdown. Happened once every few days and I kept using the PC for years with that on it.

[–] Godort@lemm.ee 15 points 4 months ago (1 children)

I miss when viruses were fun instead of extortionate

[–] Fizz@lemmy.nz 5 points 4 months ago

Back then there was so much less to gain. The most important thing on the family computer was my Runescape account. I doubt whoever made the virus could even hack my runescape account because I lost access to it almost every week due to a very weak password and me telling all the kids at school my username and password.

[–] demonsword@lemmy.world 2 points 4 months ago

Shit, I remember having to wipe my boss’s computer back in '03 because he clicked on an attachment called something along the lines of “bigtiddies.mpeg.exe” or some shit.

I could almost hear The Office theme song playing while I was reading that

[–] sturmblast@lemmy.world 1 points 4 months ago

That was a very common tactic back in the day.

[–] sturmblast@lemmy.world 6 points 4 months ago

When MS chose to hide file extensions by default I fucking lost my mind because of the malware\virus implications... idiots.

[–] LodeMike@lemmy.today 5 points 4 months ago

They're incompetent

[–] lazynooblet@lazysoci.al 2 points 4 months ago (3 children)

I don't think it would help. Even without the extension it would still say:

not-malicious.pdf (Application)

We are trained to see file extensions and understand them, but the masses aren't. There is a column that translates the hidden extension into its corresponding type already.

[–] conciselyverbose@sh.itjust.works 8 points 4 months ago (1 children)

I'm suggesting an actual popup on double extensioned files that forces you to acknowledge that you know it's lying about the file type.

The only legitimate use for multiple extensions is compression, pretty much, and it's easy enough to distinguish those.

[–] AnyOldName3@lemmy.world 5 points 4 months ago (1 children)

That would be annoying for people who work on files with a double extension for legitimate reasons, e.g. .tar.gz, and (this can't be stressed strongly enough) Windows users do not pay attention to warning popups, so it wouldn't actually help. Despite it being eighteen years since Windows Vista released, and therefore vanishingly unlikely that any given software was written assuming that Windows didn't have a permissions system, it's still most people's first troubleshooting step to try and run things as admin, and you still get loads of people (including ones who should know better, e.g. ones who also use Linux and would never log in as root) who disable UAC as one of the first things they do when setting up a Windows install, and end up running everything as the equivalent of root just to suppress the mildly annoying pop-up when something asks for elevated permissions.

So, your proposed popup:

  • would be annoying including for legitimate uses
  • wouldn't help as anyone who already ignores the smart screen popup that shows up when running a dodgy application will ignore the new popup, too
  • would be disabled by huge swathes of users anyway

[–] conciselyverbose@sh.itjust.works 3 points 4 months ago* (last edited 4 months ago) (1 children)

I already addressed compression. It's as entirely trivial to whitelist those cases as it is to do in the first place.

Again, I said it's not magic. But most of these cases are inattention that would be reduced meaningfully if Windows made them actually pick what file type they were opening. There's a big gap between "advanced users" who will notice that it's the only file with an extension and morons who will just skip everything no matter what it says.

[–] aniki@lemmy.zip 0 points 4 months ago* (last edited 4 months ago)

Don't bother with the MS apologists. They are the worst.

If the operating system doesn't know the file and the type of file, it's a bad operating system.

It should be trivial to have an OS determine the file type and display a warning if the extension doesn't match.

Posix has had file for decades.
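
The check proposed in the comments above (flag a document-like extension followed by another one, allow compression suffixes, and compare the file's leading bytes with its extension the way `file` does), as an added example that is not part of any comment and not how Windows behaves. The extension tables, the magic-byte list and the names `split_exts` and `check` are assumptions chosen for illustration.

```python
import os

# Constructed, non-exhaustive tables (assumptions for this example).
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".hta"}
DECOY = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".mpeg", ".txt"}
COMPRESSION = {".gz", ".bz2", ".xz"}  # notes.txt.gz is a legitimate double extension

# Leading magic bytes -> extensions that such content normally carries.
MAGIC = [
    (b"%PDF-", {".pdf"}),
    (b"MZ", {".exe", ".scr", ".com", ".dll"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x1f\x8b", {".gz"}),
]


def split_exts(name):
    """Return (inner_ext, outer_ext) in lower case, e.g. ('.pdf', '.exe')."""
    # Normalise trailing dots and spaces before each split.
    stem, outer = os.path.splitext(name.rstrip(". "))
    _, inner = os.path.splitext(stem.rstrip(". "))
    return inner.lower(), outer.lower()


def check(name, head=b""):
    """Return a list of findings for a file name and its first bytes."""
    findings = []
    inner, outer = split_exts(name)
    # Double extension: document-like inner extension, outer one not a compression suffix.
    if inner in DECOY and outer not in COMPRESSION:
        findings.append("double-extension-executable" if outer in EXECUTABLE
                        else "double-extension")
    # Content sniffing: the first matching signature must agree with the extension.
    for magic, exts in MAGIC:
        if head.startswith(magic):
            if outer not in exts:
                findings.append("content-mismatch")
            break
    return findings


if __name__ == "__main__":
    samples = [  # constructed sample inputs: (file name, first bytes)
        ("not-malicious.pdf.exe", b"MZ\x90\x00"),
        ("report.pdf", b"MZ\x90\x00"),
        ("notes.txt.gz", b"\x1f\x8b\x08"),
    ]
    for name, head in samples:
        print(f"{name!r}: {check(name, head) or 'ok'}")
```
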

[–] MonkderDritte@feddit.de 3 points 4 months ago* (last edited 4 months ago) (1 children)

We are trained to see file extensions and understand them, but the masses aren't.

My computer-illiterate dad is on Debian XFCE since 2 years now. The first year, he thought it was the new Windows. File extensions didn't bother him in the slightest.

[–] lazynooblet@lazysoci.al 1 points 4 months ago

I don't think extensions are a "bother" at all. It's just a different way to show the info.

[–] DaneGerous@lemmy.world 1 points 4 months ago

Wouldn't it show not-malicious.pdf.exe?

[–] reddig33@lemmy.world 36 points 4 months ago* (last edited 4 months ago)

Well by all means then, let’s run our governments and banks on Windows! 🙄

[–] BigDanishGuy@sh.itjust.works 33 points 4 months ago (1 children)

If it's a zero day then Microsoft didn't know about it. If Microsoft knew about the exploit for a year it was not a zero day.

[–] echodot@feddit.uk 2 points 4 months ago (1 children)

Zero Day just means that you have zero days to fix it before it becomes a problem. Doesn't mean that you actually take zero days to fix it.

[–] BigDanishGuy@sh.itjust.works 10 points 4 months ago (2 children)

What? No it doesn't, it means that the exploit has been known for zero days, aka it's an unknown exploit.

[–] Grimy@lemmy.world 20 points 4 months ago

A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

From wiki

[–] AceBonobo@lemmy.world 7 points 4 months ago

My understanding, zero day means when the exploit was discovered it was already being used in the wild. This is different from an exploit discovered by a bounty program or by security researchers.

[–] Wooki@lemmy.world 17 points 4 months ago* (last edited 4 months ago)

Microsoft has proven time and time again security is not a priority. Cloud profit mattered more than the security of the public and public services as sunburst proved.

This should not come as a surprise.

[–] undefined@links.hackliberty.org 10 points 4 months ago
[–] Treczoks@lemmy.world 8 points 4 months ago

The three letter agencies probably knew about this, too, but either didn't tell Microsoft, or forbade them to fix it.

[–] autotldr@lemmings.world 7 points 4 months ago

This is the best summary I could come up with:


Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits.

The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program.

The link, however, incorporated two attributes—mhtml: and !x-usc:—an “old trick” threat actors have been using for years to cause Windows to open applications such as MS Word.

“From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” Haifei Li, the Check Point researcher who discovered the vulnerability, wrote.

“The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application.


The original article contains 616 words, the summary contains 170 words. Saved 72%. I'm a bot and I'm open source!

[–] EpicFailGuy@lemmy.world 1 points 4 months ago (1 children)

Y'all remember eternal blue? no? only me?

Yeah .. I'm never putting any of Micro$oft products on anything I need to be secure ... ever

[–] lud@lemm.ee 6 points 4 months ago (1 children)

Remember regreSSHion?

All software has serious security vulnerabilities.

[–] EpicFailGuy@lemmy.world 1 points 4 months ago (1 children)

RegreSSHion is overblown ... it was quickly patched and it was not reliably reproducible every time. It depended on "Luck" to have pointer fall on the right memory space in order to allow the code execution.

I think Terrapin was much much worse .... and log4j ... log4j was a DISASTER ... but point taken.

I wasn't shrilling my choice of OS tho, I think eternal blue is a lot worse than those other CVEs because the NSA KNEW about it and did not disclose it, and because Windows has a much wider user base of clueless users that are easily fooled.

[–] lud@lemm.ee 1 points 4 months ago

Yeah, I just took the most recent one as an example.