• EpicFailGuy@lemmy.world · ↑1 · 4 months ago

    Y'all remember EternalBlue? No? Only me?

    Yeah … I'm never putting any Micro$oft products on anything I need to be secure … ever

    • lud@lemm.ee · ↑0 ↓1 · 4 months ago

      Remember regreSSHion?

      All software has serious security vulnerabilities.

        • EpicFailGuy@lemmy.world · ↑0 · 4 months ago

        RegreSSHion is overblown … it was quickly patched and it was not reliably reproducible every time. It depended on “luck” to have a pointer fall on the right memory space in order to allow the code execution.

        I think Terrapin was much much worse … and log4j … log4j was a DISASTER … but point taken.

        I wasn’t shilling my choice of OS tho, I think EternalBlue is a lot worse than those other CVEs because the NSA KNEW about it and did not disclose it, and because Windows has a much wider user base of clueless users that are easily fooled.

  • BigDanishGuy@sh.itjust.works · ↑0 · 4 months ago

    If it’s a zero day then Microsoft didn’t know about it. If Microsoft knew about the exploit for a year it was not a zero day.

    • Echo Dot@feddit.uk · ↑0 · 4 months ago

      Zero Day just means that you have zero days to fix it before it becomes a problem. Doesn’t mean that you actually take zero days to fix it.

        • Grimy@lemmy.world · ↑1 · 4 months ago

          A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

          From Wikipedia

  • conciselyverbose@sh.itjust.works · ↑0 · 4 months ago

    The fact that Windows hasn’t solved the “fake extension” scam is wild. You can’t make people not click stuff, obviously. But you absolutely could identify double extensions clearly intended to confuse people and give some kind of “this isn’t a PDF” warning.

    • TimeSquirrel@kbin.melroy.org · ↑0 · 4 months ago

      Shit, I remember having to wipe my boss’s computer back in '03 because he clicked on an attachment called something along the lines of “bigtiddies.mpeg.exe” or some shit.

      • demonsword@lemmy.world · ↑0 ↓1 · 4 months ago

        Shit, I remember having to wipe my boss’s computer back in '03 because he clicked on an attachment called something along the lines of “bigtiddies.mpeg.exe” or some shit.

        I could almost hear The Office theme song playing while I was reading that

    • lazynooblet@lazysoci.al · ↑0 · 4 months ago

      I don’t think it would help. Even without the extension it would still say:

      not-malicious.pdf (Application)

      We are trained to see file extensions and understand them, but the masses aren’t. There is a column that translates the hidden extension into its corresponding type already.

      • conciselyverbose@sh.itjust.works · ↑0 · 4 months ago

        I’m suggesting an actual popup on double-extensioned files that forces you to acknowledge that you know it’s lying about the file type.

        The only legitimate use for multiple extensions is compression, pretty much, and it’s easy enough to distinguish those.

        • AnyOldName3@lemmy.world · ↑0 · 4 months ago

          That would be annoying for people who work on files with a double extension for legitimate reasons, e.g. .tar.gz, and (this can’t be stressed strongly enough) Windows users do not pay attention to warning popups, so it wouldn’t actually help. Despite it being eighteen years since Windows Vista released, and therefore vanishingly unlikely that any given software was written assuming that Windows didn’t have a permissions system, it’s still most people’s first troubleshooting step to try and run things as admin, and you still get loads of people (including ones who should know better, e.g. ones who also use Linux and would never log in as root) who disable UAC as one of the first things they do when setting up a Windows install, and end up running everything as the equivalent of root just to suppress the mildly annoying pop-up when something asks for elevated permissions.

          So, your proposed popup:

          • would be annoying including for legitimate uses
          • wouldn’t help, as anyone who already ignores the SmartScreen popup that shows up when running a dodgy application will ignore the new popup, too
          • would be disabled by huge swathes of users anyway

          • conciselyverbose@sh.itjust.works · ↑0 · edited · 4 months ago

            I already addressed compression. It’s as entirely trivial to whitelist those cases as it is to do in the first place.

            Again, I said it’s not magic. But most of these cases are inattention that would be reduced meaningfully if Windows made them actually pick what file type they were opening. There’s a big gap between “advanced users” who will notice that it’s the only file with an extension and morons who will just skip everything no matter what it says.

            • Aniki 🌱🌿@lemmy.zip · ↑0 ↓1 · edited · 4 months ago

              Don’t bother with the MS apologists. They are the worst.

              If the operating system doesn’t know the file and the type of file, it’s a bad operating system.

              It should be trivial to have an OS determine the file type and display a warning if the extension doesn’t match.

              POSIX has had file for decades.