In association with heise online

25 September 2007, 11:37

Deceptive file names under Vista

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Attackers can use Unicode character codes under Windows Vista to conceal filenames and filename extensions. A demonstration by Max Ried makes an executable screen-saver file (.scr) look like a harmless image (.jpg).

Win XP displays full file name
Windows XP displays the filename correctly.
Vista supports the spoofed file name
Under Windows Vista, the 7Zip File Manager shows the faked filename extension.
XP desktop displays full file name
Everything is handled correctly, even on the Desktop, under Windows XP.

Vista's desktop shows spoofed file name
On the Vista Desktop, the executable file can only be recognized by the icon--but that can be changed too.

The falsified display of the filename is due to the inclusion of Unicode control characters that change the direction of writing. These are required for the Arabic-speaking region, for example, where writing runs from right to left. Unicode recognizes the control characters (PDF) right-to-left override (RLO, 202E) and left-to-right override (LRO, 202D) to switch the writing direction.

Under Windows Vista, and possibly other operating systems too, these special characters are permitted in filenames; not so under Windows XP. Attackers can fool Vista users by concealing harmful executable code with these characters. The usual tips on guarding against mischievous attacks, such as not to run executable E-mail attachments, are of no assistance.

This is yet another example of supposedly harmless files, such as documents, images, mp3 files or even playlists, potentially carrying damaging code that exploits holes in the associated software, and users should avoid files, even of these types, that come from unknown or untrustworthy sources. All the same, Microsoft ought to think about issuing a patch that prohibits the use of these special characters, at least in file names--there can be no good reason to use them there.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit