Is this really an Explorer issue?

via Windows 7 Fail – F-Secure Weblog : News from the Lab.

Okay, I get annoyed with Windows’ design on a regular basis, but I don’t know that defaulting to showing file extensions for known file types is the right answer.

I guess the real problem is that Windows 7, like every other Microsoft-designed operating system, relies on the extension to determine filetype/action, including whether to attempt to execute the code in the file or not. Until the GUI file managers appeared in the *nix OSes, this was a limitation of *nix: if a file was not explicitly executable for the user, an error would be returned.

Today, Nautilus and Konqueror have MIME types registered in their file managers, just like web browsers do. However, they still rely on the “execute” permission bit being set on a file, which is not default behavior on a downloaded file (rusty Linux brain cells showing). To execute the file, one of two things has to happen: you either have to set execute permissions on the file or run the file as root/sudo/admin user. Of course, execute permissions can still be stored in an archive file (.tar, .bz2, .zip), so an executable file can still appear on your system without you knowingly setting it to execute.
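The archive case above can be checked before extraction. The following is an added example, not part of the original post: it lists the members of a tar or zip archive that carry an execute bit. The sample archives and their file names are constructed in memory for illustration.

```python
import io
import stat
import tarfile
import zipfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH  # 0o111

def tar_exec_members(fileobj):
    """Names of regular files in a tar archive that carry any execute bit."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and m.mode & EXEC_BITS]

def zip_exec_members(fileobj):
    """Same check for zip: the Unix mode sits in the high 16 bits of external_attr."""
    with zipfile.ZipFile(fileobj) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and (i.external_attr >> 16) & EXEC_BITS]

def build_sample_tar(entries):
    """Constructed sample archive; entries is a list of (name, mode, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def build_sample_zip(entries):
    """Constructed sample archive with Unix modes recorded per member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, data in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so external_attr is read as a mode
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, data)
    buf.seek(0)
    return buf

# Constructed sample input: one plain file, one file stored with mode 0755.
SAMPLE = [("notes.txt", 0o644, b"hello\n"),
          ("tool.sh", 0o755, b"#!/bin/sh\necho hi\n")]

if __name__ == "__main__":
    print("tar:", tar_exec_members(build_sample_tar(SAMPLE)))
    print("zip:", zip_exec_members(build_sample_zip(SAMPLE)))
```

Zip archives created on Windows normally record no Unix mode, so the zip check returns an empty list for them.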

Back to Windows…  The default behavior of “Hide extensions for known file types” is user friendly for users who don’t want to know the legacy of file extensions and their uses.  However, in the absence of a useful non-administrative mode and explicit execute permissions, this opens the door for some really simple ways to dupe the user.  Fixing this problem goes beyond not hiding extensions or showing annoying “Are you sure you want to do this?” pop-ups.

