
File extensions and their role in security

Introduction

Files are not all created equal, and on a Windows system this becomes an important point in maintaining the security of your computer. It matters most in two very specific areas of computer use: email and peer to peer file sharing. First, a breakdown of file extensions and the important differences between types of files.

File Extensions

File extensions are the last part of a file name, following the last period. Windows can hide them for registered file types, meaning file types Windows has a defined way of handling automatically. To be sure all file extensions are showing, go to Start>>Settings(>>Control Panel), then Folder Options, View tab, and uncheck "Hide file extensions for known file types". This is a must for security in Windows. A common tactic has become to fake a file extension by 'stacking' extensions: placing a period in the file name followed by the letters of a file extension that would not normally be hidden, so that the real extension, which Windows hides, comes after it. As an example:

thismonthsnews.doc with extensions hidden could be

thismonthsnews.doc.exe

Windows does not recognize or use stacked extensions, so most of the time you will not see such a file name used legitimately. Windows ignores everything but the letters after the last period in the name. UNIX and UNIX-like systems do use stacked extensions, most notably for archives with the .tar.gz extension.

File Types

How a file extension is handled by Windows is most important to determining how safe a file is to handle. There are two primary types of files, with the difference being critical to how securely you can handle each.

Executable files
These files are basically able to function as software in their own right, handled directly by the Windows core, the kernel. Once run by Windows, they can perform functions on their own. They are essentially a set of instructions the kernel can send to your processor, which can make things happen with or without the user's interaction. These files normally do not need any other program to run; Windows alone can handle them.
Data files
These files are just information stored in a self-contained object on your system. They could be images, text, program settings, numbers, anything that does not have to actively perform a function. Data files need to be parsed, or broken into their parts, into a form that you or the program that needs them can understand. They are not loaded like software that can perform functions on its own, so they are unable to do anything when simply viewed with an appropriate program.

As is so often the case, there are exceptions and grey areas, but these can be covered fairly well.

One file type that is really data, but that Windows can load as if it were an executable file, is the .dll file. DLL stands for Dynamic Link Library, a way to store data so it can be accessed randomly. Some of this data can be commands that Windows can perform just as if they were coming from a program. For this reason a DLL can be handled like a program that Windows can call on or accept commands from. How it does this is defined by how the DLL is registered.

Another grey area is files that are sets of instructions handled by Windows or another program, and registered to be automatically handled by Windows or that program. These are sometimes known as scripts. Such files are otherwise not properly loadable software, and cannot remain running once their commands have been executed. Some files can contain such instructions for special features, even though the instructions are not a required part of the file. Some commonly seen file types that fall into this category are: .inf, .pif, .doc, .dat, .bat.

Now that we understand the basic file types, we can move on to their importance in the activities of email and peer to peer sharing.

E-Mail

One of the most common things you hear about email security has to do with attachments. Very often people simply tell you not to open them at all. Others say to open them only from people you know. Neither is completely true. You may receive something you actually need as an attachment; the key to handling attachments securely is knowing what the attachment is and determining whether it was really sent intentionally by the other person.

First of all, good email behavior would be to include a subject and message with an attachment that define what it is and are uniquely identifiable to the recipient. One of the most common tactics used by virus writers is to make generic sets of subjects that their email-borne virus can use when it generates infected emails. This is how they socially engineer, or trick, people into opening the email and executing, or allowing to be executed, the virus. People are not always so responsible in how they email, though, so they may not include the characteristic details that would clarify whether the email and attachment are genuine. If you receive such an email with an attachment, it's best not to open it until you have contacted the sender to confirm that they did in fact intend to send you such an attachment.

Another important tactic for securing your email against exploitation through attachments is to block scripting within the email itself from running the attachment automatically when the email is opened or previewed. Outlook and Outlook Express are both very bad about running scripts in emails automatically, and turning this ability off usually means turning it off for Internet Explorer as well, which may interfere with some desired functions of that program. Other mail clients let scripting be managed more effectively or turned off completely, and in most of them it is turned off by default.

Finally, once you have an attachment, you can look at the file type to help determine whether it's safe to handle. If someone intends to send you data, like a text document or picture, it's relatively simple to determine whether the attachment is anything like that at all. As an example:

If someone sends an attachment with the message claiming it's a report to read, and the attachment name is

annualreport.exe

that is not going to be a simple text file. Unless you have been told the report will be in a presentation program that can run on its own, rather than being viewed in a word processor or text editor, it is more than likely that the file is a virus or other malicious software, sent either by a virus on the sender's computer or by a malicious sender. If the attachment is

annualreport.doc

since that is a document file format, parsed by word processors and text editors, it is far less likely to be malicious. Even so, a .doc file can contain scripting, so running a virus scan on the file before opening it would be wise, unless you open the file in something that does not support such scripting. If the attachment was named

annualreport.txt

that file type is not made to handle any scripting and is likely to be completely safe. The only way a .txt file is going to harm you on a Windows machine is if you have installed some software that opens .txt files by default and looks in them for instructions to run. This is very unlikely. It never hurts to virus scan, though.
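As an added example (not code from the HelpBytes page), the following Python models the two points above: Windows acts only on the text after the last period, so a stacked name such as thismonthsnews.doc.exe displays as a .doc when extensions are hidden, and an attachment's effective extension can be compared with what the sender said they were sending. The extension groups and labels are this example's own grouping of the chart entries below, not the page's chart.

```python
# Added example, not from the HelpBytes page: models how Windows picks a
# file's effective extension, what Explorer displays when "Hide file
# extensions for known file types" is on, and a check for mail attachments.
# The extension groups are this example's own grouping of the page's chart
# entries, not a complete list; ".dll" is grouped with executables.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".dll"}
SCRIPT = {".vbs", ".js", ".bat", ".inf", ".reg"}
SCRIPTABLE_DOC = {".doc", ".html", ".htm", ".chm", ".hlp"}  # parser may run embedded scripting
DATA = {".mp3", ".wav", ".mpg", ".jpg", ".bmp", ".gif", ".txt"}
KNOWN = EXECUTABLE | SCRIPT | SCRIPTABLE_DOC | DATA

def effective_extension(name: str) -> str:
    """The extension Windows actually acts on: text after the LAST period, lower-cased."""
    base = name.rsplit("\\", 1)[-1]  # drop any folder part
    if "." not in base or base.endswith("."):
        return ""
    return "." + base.rsplit(".", 1)[1].lower()

def displayed_name(name: str) -> str:
    """What Explorer shows with extension hiding on: a known extension is stripped."""
    ext = effective_extension(name)
    return name[: -len(ext)] if ext in KNOWN else name

def is_stacked(name: str) -> bool:
    """True when hiding the real extension leaves a fake one visible, e.g. report.doc.exe."""
    shown = displayed_name(name)
    return shown != name and effective_extension(shown) in KNOWN

def classify(name: str) -> str:
    ext = effective_extension(name)
    for label, group in (("executable", EXECUTABLE), ("script", SCRIPT),
                         ("scriptable document", SCRIPTABLE_DOC), ("data", DATA)):
        if ext in group:
            return label
    return "unknown"

def check_attachment(name: str, expected: str) -> list[str]:
    """Warnings for an attachment the sender described as `expected` (a classify() label)."""
    kind, warnings = classify(name), []
    if is_stacked(name):
        warnings.append(f"{name} shows as '{displayed_name(name)}' but Windows runs it as {effective_extension(name)}")
    if kind in ("executable", "script"):
        warnings.append(f"{name} is {kind}, not {expected}: confirm with the sender before opening")
    elif kind == "scriptable document":
        warnings.append(f"{name} may contain scripting: virus-scan before opening")
    elif kind != expected:
        warnings.append(f"{name} is {kind}, not the described {expected}")
    return warnings

if __name__ == "__main__":
    for attachment in ("thismonthsnews.doc.exe", "annualreport.exe", "annualreport.doc", "annualreport.txt"):
        print(attachment, "->", check_attachment(attachment, "data") or ["no warnings"])
```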

File-Type Safety Chart

Below is a chart of common file types with their probable danger on a normal Windows install.

.exe
.scr
.com
.pif
.dll
.vbs
.js
.bat
.inf
.reg
.doc
.html,.htm
.chm,.hlp
.mp3
.wav
.mpg
.jpg
.bmp
.gif
.txt

Peer to Peer file sharing

File sharing has become very popular, even though some use it for illegal means. The discussion of its use is only partly relevant to its importance in system security. Even when used legally, file sharing can still create security issues, so this section will help determine how to safely handle files obtained via file sharing.

As detailed already, the file type is the most important thing to consider when handling files you get from a file sharing system, and as stated above it tells you much of what can be taken nearly at face value. There are, however, a few other considerations with file sharing.

Both main types of files are shared on peer to peer, or P2P, systems. In all cases you would want to virus scan the files you get from P2P. The dangers presented by each type may help you decide what you wish to trade in on P2P, however.

Data Files

Some of the most common data files shared on P2P are .mp3, .mpg, and .jpg. Since these are data files they will not automatically be handled as programs, and one would think they are immediately safe to handle. This is not precisely the case, especially when dealing with P2P. Although the chance of being compromised is much lower, there are a few key ways such a file could be used to exploit your system.

Parsed files would normally either render what you intend or simply not work. The exception is when a flaw exists in the software used to parse the file, which might allow undesirable functions to occur when the file is parsed. This has been possible with MP3 files in particular. To be safest, not only should you run a virus scan, but also keep your programs updated. If an exploit is discovered the software makers can patch it, and the updates will protect you. Some artists have actually used this by distributing corrupted files which, when played, would affect other files. It's more likely a tactic to be used with popular files, especially well copyright-protected ones (a good reason not to try to steal).

Update: more recently, a JPEG parsing component has been found to have a system-level exploit. Read more about it at http://www.microsoft.com/security/bulletins/200409_jpeg.mspx. This shows again how a data file can cause active damage, and the importance of checking for updates.

Executable Files

P2P can now share any file type, including executables. Some free software is actually shared this way, although a great deal of it is pirated software. Because these files can perform actions of their own, intentional or not, legal or not, they are the least safe items to trade in on P2P. Virus scanning here is a MUST. One thing to keep in mind is that pirated software, especially when 'cracked' to work without registration or activation, is very prone to security problems. This is how most file sharers get infections on their systems. This is illegal, and HelpBytes does not condone these downloads, but simply asks: if you are going to do it anyway, scan first.

© Copyright 2004 HelpBytes.