Monthly Archives: May 2013

Hide extensions for known file types – NOOOOOOO!

Why Microsoft? Why?

By default, Microsoft Windows (all versions since XP, to my knowledge) has the “Hide extensions for known file types” option turned on in Windows Explorer. This can be a huge security risk, and I am left to wonder why Microsoft set it that way.

How is it a security risk?  The problem exists with both downloads and email attachments.

Because file extensions are hidden, all a nefarious soul must do is add a familiar “extension” in front of the actual, hidden extension to potentially fool the user into thinking the file is safe. For example, a file that appears to be named “personal.pdf” could actually be “personal.pdf.zip”, or worse, “personal.pdf.exe”.

Do you see the problem? Because the file extension is hidden, a malicious spammer can disguise the true file type simply by inserting another “.” (dot or period) followed by a familiar three-character sequence in front of the real extension.

Someone who is in a hurry, not paying full attention, or otherwise off guard may think they are opening a Word file when in reality they are executing a malicious program, such as a trojan or virus.
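To make the trick concrete, here is a small PowerShell script (an added example, not part of the original post) that reproduces what Explorer displays for a file name when extensions are hidden and flags names that put a document-looking extension in front of an executable one. The sample file names and the two extension lists are constructed for the demonstration; the `Get-DisplayedName` and `Test-DeceptiveExtension` functions are hypothetical helper names.

```powershell
# Added example (not from the original post): models Explorer's display of a
# file name with "Hide extensions for known file types" on, and flags the
# double-extension trick described above. Sample names are constructed.

# Extensions a user expects to be harmless documents or pictures.
$DocumentExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg')
# Extensions Windows runs as programs or scripts.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.bat', '.cmd', '.pif', '.vbs', '.js', '.lnk')

function Get-DisplayedName {
    param([Parameter(Mandatory)][string]$FileName)
    # With extensions hidden, Explorer drops only the final extension,
    # so "personal.pdf.exe" is shown as "personal.pdf".
    return [System.IO.Path]::GetFileNameWithoutExtension($FileName)
}

function Test-DeceptiveExtension {
    param([Parameter(Mandatory)][string]$FileName)
    $trueExt   = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $displayed = Get-DisplayedName -FileName $FileName
    $shownExt  = [System.IO.Path]::GetExtension($displayed).ToLowerInvariant()
    # Deceptive when the visible part ends in a document extension while the
    # real (hidden) extension is executable.
    return ($DocumentExtensions -contains $shownExt) -and ($ExecutableExtensions -contains $trueExt)
}

# Constructed sample attachment names.
$samples = @('personal.pdf', 'personal.pdf.zip', 'personal.pdf.exe', 'report.docx.scr', 'notes.txt')

foreach ($name in $samples) {
    [PSCustomObject]@{
        ActualName    = $name
        ExplorerShows = Get-DisplayedName -FileName $name
        Deceptive     = Test-DeceptiveExtension -FileName $name
    }
}
```

Running it lists `personal.pdf.exe` and `report.docx.scr` as deceptive while `personal.pdf.zip` is not, since a .zip is an archive rather than a program; the same check can be applied to attachment names in a mail filter or to a folder listing. Note that Explorer only hides extensions that are registered on the machine, so the script models the common case where the real extension (such as .exe) is a known type.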

Do yourself a favor: right now, open a Windows Explorer window (simply double click on My Computer, or Computer) and choose the Tools menu. In the newer versions of Windows, Microsoft hid the menus too (thanks Microsoft! – sarcasm off), so hold the “Alt” key and press “T”, then choose “Folder options…”, click the “View” tab, and scroll until you see “Hide extensions for known file types”. Remove the check from that option and click the “OK” button. Now the actual file type will be evident in the file name. You’ve just eliminated one more vulnerability.
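The same change can be made from PowerShell, which is handy when you look after more than one machine. The script below is an added example and not part of the original post; it assumes the registry value Explorer stores this setting in (`HideFileExt` under the current user's `Explorer\Advanced` key, which is not named in the post), and the function names `Get-HideFileExtSetting` and `Show-FileExtensions` are hypothetical.

```powershell
# Added example (not from the original post): clears "Hide extensions for known
# file types" for the current user from PowerShell. The registry path and value
# name below are the ones Explorer reads; the post itself only covers the GUI.

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # Returns $true when extensions are hidden (the Windows default).
    $value = (Get-ItemProperty -Path $ExplorerAdvanced -Name 'HideFileExt' -ErrorAction SilentlyContinue).HideFileExt
    if ($null -eq $value) { return $true }   # value absent: Explorer falls back to hiding
    return ([int]$value -ne 0)
}

function Show-FileExtensions {
    # HideFileExt = 0 is equivalent to removing the check in Folder Options.
    Set-ItemProperty -Path $ExplorerAdvanced -Name 'HideFileExt' -Value 0 -Type DWord
}

if (Get-HideFileExtSetting) {
    Write-Host 'Extensions are currently hidden; making them visible.'
    Show-FileExtensions
    # Explorer reads the setting at start-up, so restart explorer.exe
    # (or sign out and back in) for open windows to pick up the change.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
} else {
    Write-Host 'Extensions are already visible.'
}

"Extensions hidden after change: $(Get-HideFileExtSetting)"
```

Because the value lives under HKCU, it applies only to the user running the script; to enforce it for every user on managed machines, the usual route is a Group Policy preference that sets the same value.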