Hold your horses, this isn’t a flaw per se. There isn’t a massive hole in Windows 7 that allows the execution of malicious code. Instead, there’s a legacy feature that has been around ever since Windows 98 (maybe even 95, but that I do not know for sure) that is used by virus writers to fool users into executing their viruses.
The feature I am talking about is the ability to hide the extension for known file types. It is enabled by default on XP and Vista, and it was not addressed in Windows 7. Basically, as Adrian over at ZDNet reports, with this feature enabled a file with a ‘double extension’ can easily be mistaken for its fake extension. For example, a file named Report.txt.exe will automatically have the ‘.exe’ extension hidden, and to the eyes of the less computer-savvy it can easily be mistaken for an innocent Report.txt file. More so when the creator of the virus is careful enough to give the malevolent application an innocent Notepad icon.
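To make the Report.txt.exe case concrete, here is a small PowerShell snippet I am adding to this post (it is not from Adrian's article or from Microsoft). It simulates what Explorer shows for a name once the last extension is stripped, and flags names whose visible part still ends in an extension while the real, hidden one is executable. The list of executable extensions is my own assumption for illustration, not the registry-driven list of "known" types Explorer actually consults, and the sample file names are constructed.

```powershell
# Added example: how a double-extension name looks with
# "Hide extensions for known file types" enabled, and a check that flags it.
# $ExecutableExtensions is an assumed list for illustration only.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk')

function Get-DisplayedName {
    param([Parameter(Mandatory)][string]$FileName)
    # Explorer strips only the final extension; everything before it stays visible.
    $ext = [System.IO.Path]::GetExtension($FileName)
    if ([string]::IsNullOrEmpty($ext)) { return $FileName }
    return $FileName.Substring(0, $FileName.Length - $ext.Length)
}

function Test-DoubleExtension {
    param([Parameter(Mandatory)][string]$FileName)
    $realExt   = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $displayed = Get-DisplayedName -FileName $FileName
    $fakeExt   = [System.IO.Path]::GetExtension($displayed)
    # Suspicious when the visible name still ends in an extension
    # and the hidden, real extension is one that runs code.
    return ($fakeExt -ne '') -and ($ExecutableExtensions -contains $realExt)
}

# Constructed sample names for the demonstration.
$samples = @('Report.txt.exe', 'Report.txt', 'Photo.jpg.scr', 'setup.exe', 'notes.docx')
foreach ($name in $samples) {
    [pscustomobject]@{
        ActualName    = $name
        ExplorerShows = Get-DisplayedName -FileName $name
        Suspicious    = Test-DoubleExtension -FileName $name
    }
}
```

Report.txt.exe and Photo.jpg.scr come out flagged, while Report.txt and setup.exe do not, because their visible part has no leftover extension. To sweep a real folder instead of the sample list, pipe `Get-ChildItem -File` into `Where-Object { Test-DoubleExtension -FileName $_.Name }`.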
To be perfectly honest, I agree with Adrian. This is a feature that I disable right after I install Windows. More often than not I find myself having to change the extension of a file, and with this feature enabled it’s impossible to do so without resorting to the command line.
This feature is dangerous, and it has been the gateway for many viruses to spread. Adrian also suggests adding some sort of overlay to the icons of executable files that aren’t digitally signed – this is an incredibly good idea. Maybe something glary like the icons of running applications on the new Windows 7 taskbar. If properly done, this could be flashy and would make a good impression on end-users, both visually and safety-wise. Personally, I would remove the feature altogether and leave it off – and please, without the possibility of working around it in the registry – but that’s just my two pennies’ worth of opinion.
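Since the post mentions the registry, here is the way I actually turn the feature off without clicking through Folder Options. This is an added snippet of mine, not something from Adrian's article. It reads and sets the HideFileExt value under the current user's Explorer\Advanced key, which is the value the Folder Options checkbox writes; no admin rights are needed for HKCU.

```powershell
# Added example: show extensions for the current user by setting the
# registry value that "Hide extensions for known file types" maps to.
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # Returns 1 (hidden, the Windows default), 0 (shown), or $null if the value is absent.
    $item = Get-ItemProperty -Path $advancedKey -Name 'HideFileExt' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.HideFileExt
}

function Disable-HideFileExt {
    # 0 = always show the extension, 1 = hide it for known types.
    Set-ItemProperty -Path $advancedKey -Name 'HideFileExt' -Value 0 -Type DWord
}

$before = Get-HideFileExtSetting
Disable-HideFileExt
$after = Get-HideFileExtSetting
"HideFileExt before: $before, after: $after"

# Explorer reads this value when it starts, so open windows keep the old
# behaviour until explorer.exe is restarted or you log off and on again.
```

A value of 1 is what a fresh install reports; after the script runs, new Explorer windows show Report.txt.exe with its real extension, which is the whole point.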
Have a good one.