April 18th, 2001, 09:51 AM
#1
Bug Warning: Files Arrive with False Extensions
I rarely get too excited about the various vulnerabilities. However, this one, if proven, will create some real problems. I think a couple of us experienced it a few weeks ago.
hbv2 sent the article as part of the morning update to our NewsLink page.
Here's the blood and guts:
"Microsoft's Windows Explorer and Web browser Internet Explorer can be tricked into masking dangerous files as innocent ones, a security specialist says.
Hackers can exploit the flaw so unknowing PC users may run arbitrary programs, potentially ruining their systems, according to Bulgarian bug hunter Georgi Guninski, a well-known Microsoft gadfly.
By adding a certain CLSID (Class Identifier) to a file name, Windows Explorer and IE will show any file extension designated by the file's creator, instead of showing an extension that accurately reflects what kind of file it is, Guninski says. CLSIDs consist of a string of numbers between curly brackets.
A file may appear to be an innocent ".txt" (text) file, but could in fact be an "HTA" (HTML Application) file, which can run programs on a PC. The damage occurs when someone double-clicks the file to open it. The malicious file could also be portrayed as any other file type, such as various graphics formats."
Here's the check:
"However, there's a way to identify such a masked file, a quick test shows. Windows Explorer and IE won't associate the appropriate program icon with the file. The .txt file made by Guninski for test purposes did not carry the icon for the Windows Notepad program. Also, the file's properties--displayed by right-clicking on the file name and selecting Properties from the menu--will reveal the actual file type."
Keep your gloves on.
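
The check quoted above is manual (icon and Properties). As an added example, not part of the original post or the quoted article, this Python sketch flags file names that carry a CLSID component so they can be reviewed before anyone double-clicks them. It assumes the CLSID sits in the name as a brace-delimited GUID after the displayed extension; the function names and the GUIDs in the sample list are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# A CLSID is written as 8-4-4-4-12 hex digits between curly brackets.
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}",
    re.IGNORECASE,
)

def inspect_name(filename):
    """Return a finding dict if the name carries a CLSID component, else None."""
    # Windows ignores trailing dots and spaces in names, so strip them first.
    name = PureWindowsPath(filename).name.rstrip(". ")
    match = CLSID_RE.search(name)
    if match is None:
        return None
    # Everything before the CLSID is what a user would believe the file is.
    shown = name[:match.start()].rstrip(". ")
    apparent_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "name": name,
        "shown_as": shown,
        "apparent_ext": apparent_ext,
        "clsid": match.group(0).lower(),
        # True when the CLSID is the last component (assumed masking layout).
        "clsid_is_suffix": match.end() == len(name),
    }

def scan(names):
    """Inspect an iterable of file names and return only the findings."""
    return [f for f in map(inspect_name, names) if f is not None]

# Constructed sample names; the GUIDs are placeholders, not real class IDs.
SAMPLE = [
    "notes.txt",
    "readme.txt.{00000000-0000-0000-0000-000000000000}",
    r"C:\inbox\photo.JPG.{11111111-2222-3333-4444-555555555555}. ",
    "report{draft}.doc",
    "setup.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"REVIEW {finding['name']!r}: shown as {finding['shown_as']!r}, "
              f"CLSID {finding['clsid']}")
```

Feed it attachment names from a mail gateway or the output of a directory listing; any hit still needs the Properties check described in the article to learn the real file type.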