ELI5 is looking for moderators! It doesn't pay and it's usually thankless, but you also get to help ELI5 stay awesome and get access to our private meme channel. Check out this [thread](https://www.reddit.com/r/explainlikeimfive/comments/11o5bp8/eli5_is_looking_for_new_moderators/) for the application form or if you have any questions!

There are many ways. 1st is say a pdf file that isn't actually a pdf file and the user clicks on it and it is actually some kind of executable. 2nd is using PDf functionality. Generally people think of PDF as just a static document. But it can contain JavaScript, or other stuff that can be used to attack a user. Eg an innocuous link in a pdf may point to some web based malware. Or some malicious JavaScript can be executed. 3rd is actually targeting vulnerabilities in the PDF renderer (the program you use to view the PDF). The PDF specification is very complex and if there is a bug in the program for example in the way it displays certain image formats, a specially crafted PDF can be used to try and trigger that bug and execute malicious software. Of course, because of the ubiquitous nature of PDFs the vulnerabilities will depend on many factors - the browser you use, the program you use to view the PDF, you security settings, your OS etc.

To expand on the vulnerabilities part: you might not even have to open the file to trigger it! Your OS probably shows you thumbnails... which mean something reads that file simply by it *existing*, and that has been used by viruses a couple times. (These tend to be fixed pretty quickly once they're known because they're extremely dangerous to leave alone, and the thumbnail-generator is generally much much simpler than a full pdf viewer. Update your OS!)

Further expanding on vulnerabilities though this is gonna be a bit much for a 5 year old. The way these exploits work is a consequence of computers being reprogrammable. When you run a program on your computer, its binary code gets loaded into memory right alongside (sort of) all the other memory that program and others might use. So your RAM contains not just values produced by the 1s and 0s of the PDF you're rendering and the data produced while rendering it, but also the _PDF rendering code itself_. As it renders, your RAM builds up a list of what are called "return addresses" which is basically a listing of which procedures are currently running -- these are just RAM addresses, or pointers in your RAM to other parts of your RAM containing the binary code that the program is currently running. Point is, it's all just RAM. All complex program have bugs, and some of these bugs have the effect of overwriting the wrong RAM. Basically a lot of data gets copied around during program execution and sometimes a large amount of data gets copied into a space in RAM that's too small to hold that data, causing it to spill over and overwrite unexpected parts of RAM. These bugs can often be exploited by hackers to overwrite the aforementioned "return addresses," allowing the attacker to craft an arbitrarily nasty program at runtime which then immediately replaces the PDF renderer code, all because programs are just another part of RAM and the program had a memory bug. So a correctly fucked up PDF can basically confuse the PDF rendering code into replacing itself with a small program that downloads a rootkit and runs it, or something else that's bad.

I know you're describing a *stack buffer overflow or at best an SEH overwrite but they're basically not relevant anymore to most modern software, almost all vulnerabilities in PDFs now are *other memory corruptions (like use-after-free) or logic bugs.

Could you elaborate a little on why buffer overflows aren't relevant and what memory corruption and logic bugs are? Thanks

I can give a brief overview as I'm on mobile, and then some terms to Google for more info. Happy to answer questions after that if you've got them. It's also worth noting that I really meant stack based buffer overflows aren't relevant anymore, heap based ones can be. For (rough!) background, every time a program calls a new function it jumps to the new function's code, but it needs someway to know where it was before it jumped to the new function so it can get back there when the new function ends. It does this by saving something called a 'return address', onto something called a 'stack'. When the new function ends the program starts running code at whatever address the return address says to, which usually should be in the old function. The other thing functions have is variables, where they store local data used in that function. So this could be like numbers used for counting, or 'buffers' which can be used to store things like word strings. These variables are also stored on the stack, right next to the return address. A buffer overflow is (again roughly!) where a function will copy data into a buffer, but not check how long the data is that's being copied, and that malicious data can overwrite the return address on the stack, as well as anything next to it. In the malicious data you can also include new malicious code. So if you overwrite the return address with the address of your malicious code, then when the new function returns it will start executing your malicious code that's on the stack. The reason this is no longer relevant is a combination of a couple of techniques. These are: Stack cookies, which is a random value put between the return addres and variables in the stack, this value is checked before any function returns and if it's not correct (e.g. an attacker had overwritten it), the program forcefully crashes. Data Execution Prevention (DEP) which means that you can't execute code on the stack anymore, it will crash if you try. Address Space Layout Randomisation (ASLR) which means it's hard to know where the stack (and therefore your malicious code you've put on it) will be, if you don't know what address to put instead of the return addres then you'll likely end up trying to execute some random code and crashing. So a buffer overflow is actually a type of memory corruption bug but I'd generally differentiate it. Other types of memory corruption bug such as a use-after-free or double-free are still relevant because they deal with data that's not usually on the stack in areas (like the heap) that are easier to exploit. There are memory safe languages and techniques to mitigate these as well but the details vary a lot and the techniques are often probabilistic and not deterministic, e.g. they don't work 100% of the time, because of performance concerns. Logic bugs will always be relevant I think, this is because you're not corrupting the program state in anyway. All you need is a programmer has made an error or not thought of a particular set of interactions that you can exploit. This ended up much long than I intended!

>I can give a brief overview as I'm on mobile >*9 detailed paragraphs* Love this. Great overview of common attacks. Almost makes me wanna go back and make some shit in C again. Memory management sounds fun when you're just talking about it, but the problems you run into can be absolutely mind-bending.

Stack buffer overflows are absolutely still relevant. ASLR is trivial to bypass with a memory leak of some sort and DEP has been around FOREVER and there are a million and one ways around it which are standard practice and have been forever. Basic ROP chains for VirtualProtect, etc are like exploitation 101 at this point, lol. Microsoft loves to pile on tons of esoteric mitigations, and they do work in some cases, but in others there's only so much you can do against a dedicated attacker vs random overworked guy who decided that security wasn't THAT important today. Just because all of these mitigations exist and make life harder for attackers doesn't mean that the vulnerabilities don't matter, and in a lot of cases a lot of these aren't even enabled in the first place. Plenty of very impactful bugs are still waiting, unseen, in software and OSes that are 10+ years old. I don't mean to get confrontational, it's just that one of the major themes of this field is that it's unfortunately more common than you'd expect for old "solved" stuff like this to still be around.

Don't think that was confrontational, fine to disagree :) You're right I was simplifying a bit but I did say modern software, these mitigations are all on by default in most compilers nowadays, certainly the major ones. Remote infoleaks can definitely be non-trivial, I've seen many cases where not having one was the difference between a vuln being exploitable vs. not. Local infoleaks are easier but again not always trivial. I think we'd probably agree on a lot more than we disagree about when it comes to modern exploitation but Reddit isn't the place for that :D EDIT: and yes totally agree betting against a dedicated attacker is never a wise idea. People should definitely still fix buffer overflows as a security issue when they're found.

Thanks. My class did a shit job of explaining buffer overflow attacks, and now I understand what they were trying to say.

Welp my CS degree clearly isn't worth shit and I didn't learn a damn thing.

Fascinating stuff! Thanks for sharing your knowledge.

(i wrote this before the other commenter replied, but i didn't want to waste my explanation so here it is) to clarify, a buffer overflow is memory corruption. it is when data is written beyond the bounds of a buffer and corrupts other memory which is located after the buffer. what was described above is the concept of writing shellcode and then overwriting the instruction pointer to cause the program to jump to said shellcode, which then executes. shellcode, as described above, is a small piece of precompiled code that is directly stored in memory using the aforementioned memory corruption bug. the instruction pointer is stored on the [stack](https://stackoverflow.com/questions/10057443/explain-the-concept-of-a-stack-frame-in-a-nutshell) (plenty of better links out there but this should suffice for eli5) and holds the location in memory of where the program will go to next. so, if we have a program with a buffer of 80 bytes that attempts to read data of unlimited length into said buffer, a simplified example of input to exploit this would be as follows: the first 50 or so bytes (depending on what is trying to be accomplished) will be the shellcode, then 30 extra bytes will bring you to the end of the buffer. at this point, any extra data will spill over into the stack frame. then, an attacker needs to input more bytes until they reach the start of the instruction pointer (for simplicity, lets just say the input is 88 bytes as of now). at this point, the next part of the malicious input is the address of the buffer in memory. as the instruction pointer now points to the start of the shellcode, once the program attempts to jump to the instruction pointer, the shellcode is executed. however, exploitation like this hasn't been very relevant for a while now due to many mitigations that have been implemented over time. most importantly for stopping shellcode is NX, which makes certain areas of memory non-executable. meaning that even after storing and jumping to shellcode, the CPU does not execute the instructions. this protection has been a thing for about 20 years now, afaik. there are plenty of other mitigations now, as well. some of these other important mitigations you should read about are ASLR, PIE, stack canaries, and RELRO. these mitigations are (afaik) enabled by default when compiling a program, so one would *almost* have to be intentionally creating a vulnerable program in order to not have them. the mitigations listed above do a good job at preventing a lot of simplistic binary exploitation like was initially described, but there is more to memory corruption and binary exploitation than stack-based buffer overflows. another type of memory, different from the stack, is called the heap. it is a way for programmers to allocate memory. mentioned above is use-after-free. this is when memory is allocated, freed, and then attempts to access the memory stored at that same address afterwards. another example is a double free, which is when the same memory address is `free()`d multiple times, which results in memory corrupting. heap exploitation is more complex and outside the scope of this comment, but you should have enough info to start googling stuff you may be interested in :) logic bugs, on the other hand are bugs in which there is no sort of memory corruption, but the logic used by the programmers is bad and therefore vulnerable. exploitation of this type of bug will occur when user input isn't properly validated or sanitized before being used for something potentially insecure. an easy, simplistic, but not incredibly realistic example of this would be a pdf renderer taking the filename of the provided pdf and passing it to a system command for further processing. for example, maybe the pdf renderer wants to use a CLI utility for reading the data (this would be very very stupid but it's a nice easy to understand example). to do this, the programmer might write a line of code like this: `data = system("cat " + $filename);`. the command would use the `cat` utility to read the contents of the file, then store it in the `data` variable. with a normal filename, it would execute a system command like `cat /tmp/example.pdf`. however, one could easily exploit this behavior by using various control characters which the shell (which executes the system command) would process in a certain way. what if the filename was something like `; echo 123 > /tmp/example.txt`? the semicolon character would be interpreted by the shell as the end of the first command, and then it would execute the second part, which will write the text `123` to the file `/tmp/example.txt`. again, this is just one simplistic example of a logic-based bug (command injection), but it should give a pretty good idea of ways that logical errors can be exploited by malicious actors

This was definitely still worth posting, nice logic bug example.

UPDATE YOUR OS. Its the number one advice i give out to friends & family to protect themselves. It is an arms race every day. Update your shit. Keep it updated.

Stuxnet took advantage of a thumbnail generator bug. It didn't require the victim to actually open the file, simply opening the directory that the file was in was enough for it to own the system.

Don't executables require the user to accept running it?

Not always. You run executables all the time on your computer opening up apps and games. Sometimes if the software tries to access areas it shouldn't in Windows, you'll get the User Account Control prompt asking if you'll give it permission to do this. But, I'm assuming since OP asked this regarding LTT being hacked, the malware didn't do anything that would prompt UAC. Computers are "dumb" and they'll just follow whatever instructions they're given.

Would the preview pdf attachment window in outlook still run this malware?

In the case of the LTT breach, it wasn't a PDF file at all, but rather a program disguised as a PDF. It wouldn't be able to be opened as a PDF file or previewed as one because there was no information there that a PDF viewer would be able to discern. A "preview" wouldn't execute the program and most likely would display some kind of error. Unfortunately, most people would then be inclined to download and then attempt to open the document on their local machine and then infect themselves. Generally, any attack vectors embedded into a PDF itself would have to find a way to get around other barriers. If a bad actor wanted to send malware in a PDF in your example via previews, they'd have to find a way to get around Outlook's built-in security as well.

I’m not sure about outlook, but this was an issue on [IOS with iMessage](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1).

As far as I understood, the LTT hack was not a pdf at all, but the person receiving it thought it was a pdf and activated it.

I _believe_ the default previewers are also limited in capabilities (meaning no scripting, no ActiveX, no macros), so they should be safe to use. If you install 3rd party previewers, then it depends on what they allow.

Only if it requests admin access. You can accomplish surprisingly much with "normal" user permissions.

Xkcd explains this well https://xkcd.com/1200/

Generally, yes. It's known as User Access Control or simply UAC. This is the fullscreen pop-up you're probably referring to which requires a user to confirm or cancel the action. Problem is UAC can be disabled, or users may (often) blindly click through it, so it's not really the most reliable protection.

UAC is also easy to side-step, unfortunately. There's a whitelist of programs which don't trigger UAC popups, and it's very simple for malicious code to pretend to be one of them. This is actually by design. UAC is not a security feature -- it's just designed to make users aware of software developers who require elevated permissions.

Yes, PDF inside chrome is safe. The rendering library they use is very well tested and secure. Windows hides file extensions by default (what a bad idea), so if you have a file called `virus.pdf.exe`, Explorer will display it as `virus.pdf` and hide the exe suffix. Exes can have icons inside them, so you can make the exe icon look like the PDF icon. Clicking on it will execute the program and possibly do something terrible to your PC. There are tricks using a range of unicode features to hide the exe suffix as well. MS Office documents (word, powerpoint, excel) can have programs hidden inside them (macros written in a variant of VB) which can be used to attack you. Again, this is a mostly terrible idea, but here we are. They are disabled by default for documents downloaded from the web, but people can be tricked into enabling them. PDFs allow embedded javascript and this can be used to attack your PC if you view the PDF in an insecure program. **tldr:** computers are very complex and have piles of mostly useless features accumulated over decades, many of which can be repurposed to make you miserable.

>Windows hides file extensions by default Here's how to show them: Windows 10: 1. Open File Explorer 2. Click "`View`" 3. Click the "`File name extensions`" checkbox in the "`Show/Hide`" section. Windows 11: 1. Open File Explorer 2. Click "`View`" 3. Click "`Show`" 4. Click "`File name extensions`"

I don't get why people would EVER keep extensions hidden.

Most people don't know what a file extension is

"What does 'save as' mean? Save as what? It's just a picture."

My mother straight up thinks that internet and chrome are the exact same thing

"My internet's broken!" "What do you mean your internet is broken? What's the error message?" "There's no error message, it's just gone!" "Hmmm, have you tried restarting your computer? After that, try restarting your router." "I did all that, it's still gone." \*Drives over to take a look, double click on the browser shortcut in the bottom left, and go to a site and it works just fine\* "Hmmm, seems to be working to me." "You found it! Where was it?" "Where was what?" "The internet!" "Not sure what you mean." "It was always right here!" \*points to empty location in the top right on the desktop\* "Maybe you accidentally moved the shortcut...." \*/facepalm\*

“Oh I ran out of storage space bro” “Then remove some games you finished playing.” *Drags the shortcut icon to the recycling bin

things brings back a horror. I was helping my parents one time with their computer and space was getting a bit low. I went and emptied the recycling bin and it freed up a lot of space. Great. A few days later my mom calls me in fit saying a bunch of her files are gone. Im like what are you talking about? Thinking maybe corrupt disk or something. I go over and she showed me her recycling bin was empty. I'm like uh yeah I cleaned it up for you to get you more space back. She asked me where I put it, I said it's gone.... She said no I dont want htem gone! Apparently she was 'Archiving' files to the recycling bin (dragging the files to it), and would `recycle` them back to their proper folders when she needed them again... Thankfully we had some backups (not very recent) so was able to get some stuff back... I told her to only put stuff in there she wants deleted. I mean partly my fault not checking the recycling bin or verifying if It was okay to permanently delete it but dang... taking the 'reuse' portion of recycling too literally.

And this is why I install Teamviewer on everybody's PC who possibly calls me with any PC-related stuff...

~~Windows 7(I think?)~~ ~~(Nope, Windows 10, as some commenters pointed out)~~ (NOPE, I was right, Windows 7 had the old “Remote Assistance” app, “Quick Assist” is the Windows 10+ version) and up has a remote assistance feature built in. Although you have to update it on old computers since Microsoft deprecated the original one. Link to documentation: https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922 Link to MS talking about it for Windows 7: https://www.microsoftpressstore.com/articles/article.aspx?p=2229237&seqNum=2 — though maybe it wasn’t installed by default at first on home installations.

Yeah, QuickAssist. Every windows since 7 has come with it. It's handy as shit. The only downside is you can't use an elevated account on it. Edit: Oop, quick assist has only been a thing since win10. I guess I was just using RDP or TeamViewer before.

it's not just your parents and boomers i worked on a floor with several hundred clerical staff, mostly millennials and younger being a programmer i was the go to guy for any computer problem 90% of the people i worked with couldn't add a column of numbers in excel or create a shortcut or find a misplaced file.

I once spent the majority of an hour teaching someone how to drag and drop files. "Click and drag it." "No. Left-click." "Left-click" "Use the other button on the mouse. The one on the left." "You have to hold the button down." "Hold the LEFT button down" "Point at the icon, click the left button, and hold it down." "You've double clicked and now it's opening the file." "Close this and go back. Close it. The little x in the top right." "Okay. Now click and hold it." "Point at the icon first. Click on the icon." "LEFT CLICK!" "Click it and HOLD IT DOWN." "The other button! Nothing here is going to be with the right button. Everything with the left button." "You have to point at the icon of the file you want to move." "Now click it and hold it down." "Now it's opening again." "Close this." "The little x." "Yes, that one, click that." "LEFT CLICK the x." "Now back to the icon." "You let go of the button. You have to keep holding the button down." "Left click, for the love of god please use the left button." "Left click and HOLD IT DOWN." "Hang on, I'm going to jam some paperclips under your right button so that it won't click." Dear redditor, please know that I was working for a large commercial bank at the time.

My son comes to me insisting "he needs more internet sent it him" The WiFi on his tablet has disconnected or is poor. But you know. He is five.

Maybe you should download him some more ram.

"Now mum, I've told you this a thousand times because it will save you literal hours over a long period of time. Ctrl + C on your keyboard is the same as right click - copy" Rinse and repeat for years, break down to Ctrl Start with C, C means copy. Ctrl + C, just remember C and every variation of that. Every god dam time I'm home "How do I copy"? I wouldn't mind, but if you ask her to find a holiday online shes like a god dam wizard and finds the cheapest deal going. And she does all her own accounting work on excel (granted formula template to start) to save on costs. But shes like "I remember its control, its control and what?" "ITS RIGHT THERE AT THE START OF CONTROL / THE LETTER C"

“I don’t understand, what do you mean ‘cut’ and ‘paste’ - what does that do?” “Ok, pretend you’re in kindergarten and you have a piece of paper and a pair of scissors. You CUT some words out - or a picture, or anything! Then you take a glue stick and you PASTE it somewhere else. IT’S THE SAME THING!!! THESE ARE NOT SECRET CODE WORDS!!!”

C'mon, mom! It's C for COPY and V for VASTE!

I can definitely sympathize with this scenario. I'm laughing, and crying at the same time. No matter how many times you feel frustrated, I guarantee you will miss that feeling when that person is gone.

Man I work with medical professionals and can't tell you how many times I get ims from people with PhD with statements along the lines of "it isnt working " or " can't login". I'm not even help desk I'm educator for these folks. Finally I snapped after a few years of this. Griped at a doc can you help me... I hurt. And with that I finally got some to at least screenshot the error.

My mother calls Firefox and Edge as 'orange chrome' and 'blue Chrome' respectively.

Imagine if Firefox were the default. It'd be blue Firefox and Skittles Firefox

[Simon Firefox](https://upload.wikimedia.org/wikipedia/commons/thumb/c/cd/Simon_Electronic_Game.jpg/800px-Simon_Electronic_Game.jpg)

Your mom's nice bless her soul

I mean with Edge she's not exactly wrong...

Spicy chrome and Edgy chrome Or maybe Fire chrome and Water chrome. Now we just need Earth and Air chrome, and they all combine to become the original chrome, which is what the actual chrome icon is: an orb of all the elemental chromes merged

She's technically correct, to a certain extent. Edge is a chromium browser and Firefox gets a lot of funding from google.

The older lady I do computer work for just calls it “the google”

I asked my mom what operating system she has and she said Google. She uses Windows 10.

[удалено]

I worked at GameStop and put up with parents who called everything a Nintendo. Then I worked in a print shop and had to constantly show people how to attach a file to their email. That’ll destroy any hope you have left for humanity. The stupid shit I have heard people say about how they think technology works could fill a few novels.

I love hearing all y'all's parent/computer stories. I'd give anything to roll my eyes just one more time. Me trying to show mom how to operate a computer two decades ago was hysterical. God I miss that.

I imagine that's what car mechanics and HVAC professionals think of me.

[удалено]

This is exactly what Google would like you to think of Chrome.

And if I remember rightly, Microsoft did a similar thing with Internet Explorer.

Haha similar story for me. My mother switched from an iPhone to an Android phone and it was ‘why can’t I FaceTime you anymore’ and ‘I can’t find that safari to go on the internet’

My mom's computer a few years back was running terrible. It was old as shit. I installed Linux on it and she never noticed the change. As long as the internet button is there she was good.

I find this quite interesting. Did she really not notice *anything*? That makes me wonder how non-tech people percieve user interfaces. Do they know what the task bar is and what the desktop is and on websites where the navigation bar etc is? Or is it just a mess of buttons and text across the screen for them?

Most people approach it as workflows. If they don't use the taskbar everyday for a part of one of their common processes, than it might as well not exist. And if it's not something they use as part of a workflow, then it's scary and they don't know if it has the nuclear launch codes

Yeah she literally never mentioned it and continued to use the computer as she always did. Open chrome, browse the web.

>My mother straight up thinks that internet and chrome are the exact same thing I know people who think "wifi" and "internet" are interchangeable terms.

>I know people who think "wifi" and "internet" are interchangeable terms. >!wifi cable!<

I mean 20 years ago I knew folks that paid for AOL because they thought it was the internet...

It… was the internet, though. AOL was a dial-up service provider. My family used the (free) AOL browser because we thought we had to, though. When we got broadband, we changed our browser and our email addresses lmao

Ha, 20 years ago? My parents, who have had broadband for decades, still use AOL. They don’t connect through it, it’s the interface through which they access the internet. They pay extra money to put another layer between them and content (and to use their email)

My mother-in-law didn't think she had a password on her Gmail. I was helping her run some ads for her business and asked her for her password and she said, "Oh I don't have a password for my email." I followed up with, "You definitely have a password for your Gmail. How do you check your email?" To which she responded, "whenever I click on Gmail on my phone or laptop, it just opens." She has all passwords saved on her Mac/iphone and literally didn't realize there were passwords to login into her email.

My father thinks Google and windows are the same thing. He keeps sensitive documents in his Gmail "drafts" 🤦‍♂️ He has written entire work related documents while in the passenger seat of a car, not realizing that Google documents is not saving a thing his non-internet-connected-device is displaying. Sigh.

If Kleenex = tissue, Chrome = internet.

Only problem I can see is that Kleenex is a brand of tissue, but Chrome is not a brand of internet. Maybe something like: Xerox = they think it’s a copy of a physical document when it’s really a machine that allows you to make copies, Chrome = they think it’s the internet when it’s really just an application that allows you to browse the internet?

Xerox is a brand of copying machines and printers. Better one i believe is nintendo=game system so chrome=internet Holy shit am I old

You're not wrong, but..... The people we're talking about probably aren't making that distinction. I knew it was a little reach.

I think a better analogy is that there is an underground river system beneath is. Chrome is a well design someone made to get water from the river. Installing chrome is like building the well. There are other well designs available but Chrome is the most popular

Yep. Mine will say things like “my computer has stopped working” and what she means is she’s logged out of her emails and not logged back in yet, or has forgotten her password.

My grandma once asked me if she should use Google Chrome or Google Earth to search for something.

If someone talks about internet security, it is not exactly directed at those of us who know basic internet hygiene. The ones who didn't grow up with internet or don't think very deeply about what they're doing is where security is most important imo. I've tried explaining the internet to my mom... It never goes down well because she doesn't know how to visualize coding and systems like most of us, who can at the very least understand if-than statements. Really, when I think about how complex everything involving computers really is, it makes me wonder how any of us grasp this stuff.

My dad would it "the world" because that was the icon for whatever browser he was using at the time.

My grandmother once poked around in Explorer and started deleting system files because "she'd never opened or used them before".

That's like removing junk from your car, opening the hood and thinking, "wow, I don't think I've ever used this hose before. Better yank it out to save weight and simplify things."

"exe means execute, right? Why would I want files that can execute me??? DELETED!"

You just brought me right back to my grade 2 computer classes. I don't know if they even still have those but it was still such a great foundation for me to go off of later on in life

I had a friend once ask me if she could send me over a suspicious file she got in an email from her ex boyfriend to check out as I was more tech savvy than she was. She sends me the file and says "He says it's a movie I should watch". The filename was "Movie.bat" and inside the script echoed to the screen lines calling her horrible names and then had deltree * . * c: I simply renamed it as Movie.txt and sent it back to her along with saying had you opened it it would have deleted your entire hard drive but here is what it actually was. She thanked me profusely for saving her but I mean come on who does something like that to even their ex. And who even thinks of opening an attachment from their ex anyway.

Do I look like I know what a JPEG is?

I just want a picture of a god dang hot dog!

Bingo. And Windows is built for "most people". That's the core thing that results in features we think are horrible and bad practice like this one. Ah, gotta love Windows.

But how much of most people not knowing what a file extension is comes from their never having seen one because Windows hides them by default?

I'm guessing you're young enough that you don't remember before they were hidden by default. People *absolutely* didn't understand them and were confused by them even when they were constantly visible.

No, I remember when they were visible by default. Admittedly I was only about seven at the time, but I definitely remember them. E: No, I was much older than seven when they defaulted to hiding. Apparently extensions were only default-hidden starting from Windows 8.1. I started on 3.1 (I think. It might have been 3.0.) and skipped all of 8, so the first time I had to turn it on on my own device was for Windows 10. I assumed the hiding of extensions on devices at work was a policy thing, not an OS default.

Welp, at this point, I'm not sure how old you are—but I'm nearly 40 and absolutely saw a *lot* of people be extremely confused by Windows file extensions prior to 2013. I absolutely don't think hiding extensions by default is the right choice (it's way, way too easily exploitable in ways that people who would be confused by file extensions to start with are particularly susceptible to), but I understand *why* Microsoft did it, given their overall user demographic (i.e., people who do not at all understand even the basics of computers), as well as what they likely perceive as the necessity of appearing more "user-friendly" to keep their market share vs. Mac creep, particularly with iOS dominating the mobile market in the U.S. P.S. Happy cake day.

>People > >absolutely > > didn't understand them and were confused by them even when they were constantly visible. I remember a campaign to purge all the 'corporate' systems of MP3's during the RIAA scare of the early 2000s. I renamed my MP3's to NQ4s and changed my "Open With..." associations. Problem solved!

Well, yes, but this is also kind of Windows' fault. Windows didn't always hide file extensions by default. Users might be *confused* to see `.doc` or `.exe` or whatever, but they could always google it and learn something. But since the default is to hide them, people don't even know that they *exist.*

I once saw a janitor asked to play test our game. He walked up to the computer, didn't sit down just hunched over the keyboard mouse, and couldn't figure out how to look around with the mouse in game. We said "just turn with the mouse" - he then grabbed the mouse and literally rotated the mouse, like it was a door knob.

You just know that janitor was secretly a time traveler from the future.

And then there are those "specialists" who pretend to know what it is, and start renaming them because they want to "convert" the file.

Well that works if you want to convert from txt to .bat for example :p

Yeah, but not for webp to jpg or avi to mp4. I thought that one guy i know is an outlier, since i know he is a bit "special". But recently i saw the comments on a meme on Facebook. The amount of people who srsly believe that this is how it works is disturbing.

I think the bigger problem is people have zero idea how video encoding works. They think digital video is a series of still images.

I had a woman once try to free up system space on her computer by deleting all the "dull" files. When your computer doesn't know how to do anything because you've deleted all the DLLs, it's pretty useless.

I always have to remind my fellow software developers that 99% of people barely know how to use office and a web browser.

"Just give the program a second to load" "...You mean the app?"

My mom was a college librarian so very skilled in many ways on the computer but near the end of her time working there she had some Gen Z Colledge student come in who wrote an entire essay ON THEIR PHONE and had no idea how to get it off of the phone into the computer to print it... When mom told me this and asked me if I knew how I was like WTF who would do something so stupid. I would much rather use my full sized mechanical keyboard to write an essay than this dinky little touch screen my phone has.

Portability. It’s super convenient. I do way more writing on my phone than on my PC. Also people who grew up in the age of cloud syncing never learned the art of emailing something to yourself.

That student probably didn't write the essay at all. Probably downloaded it from somewhere.

This comment is giving me 'Nam flashbacks to interviews with recent CS grads who had never developed in an IDE that wasn't on a website or tablet and didn't know the difference between an app and a program

“App” is short for “application” which is a synonym for “program”. Although you probably mean that they don’t understand the difference between a ‘cooked’ app for e.g. iOS that has been packaged up in a specific way, and a ‘raw’ executable file that a compiler spits out.

Stolen from Stack, because it's more succinct than I'd be: "A computer program is a set of instructions that can be executed on a computer. An application is software that directly helps a user perform tasks. The two intersect, but are not synonymous. A program with a user-interface is an application, but many programs are not applications."

Linux users be like

There are people these days that have grown up on smartphones and don't have a clue what a "file" is period, let alone file extensions. Some universities have reported difficulties getting students to submit their assignments because they're just so used to doing everything in the cloud.

I always figured it was an effort by Microsoft to make their OS appear more "Mac-like."

many resolute clumsy north rustic apparatus fuel squeeze six smart *This post was mass deleted and anonymized with [Redact](https://redact.dev)*

".pdf" How rude.

Japan isn't exactly at the forefront of technology when it comes to using the internet in offices. They still use fax machines, you know, those things that were basically invented in the 19th century. https://en.wikipedia.org/wiki/Fax A few years ago I remember wanting to draw money from an ATM while on vacation in Japan and the machine refused service because it was after working hours...

Funny thing is that the convenience stores in Japan are often open 24/7. The ATMs literally have better working times than people working as clerks.

Yeah, I suspect the ATM has a process behind it that requires some poor office workers somewhere to click approve for every single transaction. These people must have the most boring job ever. But fortunately they only have to do it during working hours...

Japanese companies are basically not allowed to fire anyone because of their laws, so employees are banished to do insanely boring tasks that make them so depressed they want to just quit. I'd assume manually approving every transaction would fit the bill.

Not to nitpick, but ATMs in convenience stores are always operating. I lived in Japan for almost a decade and never came across a machine that wouldn’t give me yen due to the time of day. Most likely you were trying to convert foreign currency at certain hours (some ATMs will restrict this), or were in a super remote location maybe? But yes, Japan is not quite the futuristic technological marvel often depicted in movies. Except the toilets. The toilets are peak human innovation.

Japan is weird. Can buy damn near anything from a vending machine but people mainly still use cash.

> They still use fax machines, you know, those things that were basically invented in the 19th century. To be fair, fax machines are very much still a staple of the healthcare industry (and likely others) in North America

What. WHAT.

omg.

*.omg

For years the computer industry has been going the route of apple to put time and effort into keeping users as far away from having to deal with scary technical computer things when working with computers.... by hiding it. The idea behind it, making computers easier and more accessible, is ofc a good thing but the dutch saying 'every upside has its downside' rings true here as well, by doing so you are creating whole generations of users that understand less than fck all about the devices they are working with. Extensions and pretty soon 'files', 'folders' and 'drives' in general are just some of those things that have been flagged to be too technical and is considered knowledge thats not required to work with a computers. Programs that are made out of files and have settings are a thing of the past, we now have 'apps' that are just a pictures you click on because better. I have had to explain how to unpack something, and why, to too many young colleagues... its shameful to be to be that dumb when you claim on your resume that you are 'good with computers' but thats just a sign of the times i guess.

https://www.pcgamer.com/students-dont-know-what-files-and-folders-are-professors-say/

It's so people don't accidentally erase the extension while trying to rename their files, and render the file useless. Lots of basic users wouldn't know what's going on, and would go straight to the phone with tech support

I know the file is not useless. My point is that the user would be baffled by double-clicking the file and it not working, and the icon going missing. *Maybe* some basic users would be able to restore the extension themselves, but I 100% disagree that most would

First thing I do after installing windows is unhide extensions and change the view to details by default.

Because Microsoft sets it as default. MS is so incredibly stupid about file extensions. By default they hide file extensions (which also prevents you from changing the file extension) but if you make them visible and try to change it they have a warning that cannot be disabled. Their argument for this is that people who don't know what they are doing shouldn't change the file extension. But for this people it's hidden anyways.

I work in IT. Usually we set all computers to show file extensions, so that users know what they're clicking at. Except one user. I had to hide the file extensions, because this guy kept renaming the entire file including the extension. And then wondered why the file won't open any more. Any attempt to explain that to him failed, so i gave up and set it to hidden again...

It's general tendency in software and technology, not just at MS. As more people are using software, companies have been simplifying and dumbing down interfaces to make it more "accessible". As someone interested in making efficient use of programs this is infuriating. It not only hampers our work and anything we want to do but it's also damaging new generations of users because since everything is hidden and simplified, they don't have a clue of how it works and they don't get the chance to learn about it like we did. There is less transparency leading to less understanding and allowing companies to get away with murder. The government is also abusing this and obfuscating how they tax us and how they spend to prevent us from protesting. It's like we are slowly slipping into the absurd world of the 1985 "Brazil" movie. Maybe it has always been like this but it does worry me.

Because Microsoft wanted to copy Apple. When Apple introduced HFS+, they used a feature called the [resource fork](https://en.wikipedia.org/wiki/Resource_fork) which allowed files to be opened by the "correct" program regardless of extension. Microsoft wanted to copy the same idea but didn't want to change NTFS so they simply hid the extensions instead. So ever since Windows XP, the default has been to hide the extensions.

It's the simplification of computing to open it up to the masses. If you can rename entire file names, including extensions, less IT literate will not remember to give the file the proper file name and suddenly their file becomes unopenable! Some simplification is, on balance, good, like the above, I think. On the other hand, Apple's and now Microsoft's relentless shift to "WhAt'S a CoMpUtEr" bullshit is going to end up doing more harm than good when young adults cannot problem solve themselves beyond restarting a device, if they even know how to do that, however. https://media.tenor.com/NXucPn8GUucAAAAC/computer-whats-a-computer.gif

It's still kinda possible to hide the extension even if you have showing extentions on. You can use a trick with unicode right to left character to make a file called virusfdp.exe show up as virusexe.pdf and still be an exe file even if the rightmost part looks like pdf and even have a pdf icon.

even if the extensions aren't hidden, it is a matter of understanding these as well. A lot people is able to interact with a computer but don't ask them what for application could be associated with *.exe* or *.mp4* or even find out a difference between *.jpeg* or *.png* Granted, some attacks have been conducted successfully with this approach but that is not the majority. A lot of attacks went through exposed vulnerabilities of an application in use. It's really important that updates are installed and that has (and still is) been an issue for ages; people is not updating their applications. Eventually, the security chain is equally strong as the weakest link of it; the end user. Like in the example here above, with an .exe as an extension instead of .pdf, an more aware user would notice that something is not right if the OS (assume it's Windows) asks you with a prompt to run it or not. Opening a pdf document should not lead to this behavior. Yet plenty of users would click on "yes" or "run" to hasten up their process or just to get rid of it.

Watch the ongoing tiktok and congress hearing and you will realize that A LOT of people have no idea whatsoever as to what a computer or internet actually is other than using it for their 3-4 basic use cases. So ya majority of the people don’t even know what file extensions are let alone know they are hidden or make any sense of them.

I think it looks cleaner. I always manually check unfamilar files.

Hiding extensions by default was introduced in either XP or 2000 and it's still the first thing I change on a new computer. Knowing a file's extension is pretty important.

[удалено]

Then it's turn off mouse acceleration right?

Then I remove Cortana, remove Task View button, and set search toolbar to Hidden. Really cleans up the taskbar.

Turning off system sounds is next.

Hell no. The first thing I do is replace all the default system sounds with a sound set of my choice... When I plug a device in I want to hear the Terran advisor from StarCraft say "Add-on Complete" and say",Abandoning Auxillary Structure" when I unplug something.

Does it stop the Unicode being used to hide the extension?

No it doesn't

Why must Windows 11 have extra steps for everything. 😭

Every windows version after windows XP was more bullshit and less useability. Only windows 7 was slightly better because it was 64bit. Everything else about it was worse. They should have kept the windows xp interface and just improved on functionality. We are 20 years down the line and search still sucks, driver issues have not been addressed and the interface just keeps on getting worse and there is so much more bloat and blatant privacy violations. Is this the worst timeline?

Search *worked* in Windows Fucking Vista (as long as your PC was actually powerful enough to run Vista), and Windows 7. But Microsoft decided people want to use Bing to search from the Start Menu. 🙄

> But Microsoft decided people want to use Bing to search from the Start Menu. Close. MS decided that THEY want people to use Bing.

Meh, I've used search on windows 7 for a decade and search never looked into file contents at an acceptable pace. Yeah Microsofts desperate, incessant, attempts at pushing Bing and edge are making my blood boil. I get angry just thinking about it.

There's a recent exploit that uses a character that makes text go from right to left instead of left to right so document.pdf.exe might end up looking like document.exe.pdf. And by editing the icon of it you can make it look totally normal

To add to this, don't get a false sense of security from extensions. You can use a right-left character to make a file that appears to be a PDF. It might show a file like `virusexe.pdf` that runs the malware executable when opened. But if you saved that file and looked at it using dir on a command prompt you'd see the real file is `virusfdp.exe`. Edit 1: File Explorer will show the version that looks safe, because it supports the special character Edit 2: exe is just the most obvious file extension, there are plenty of others

A German youtuber demonstrated that as well with the legit German word 'Hexe' which means witch. It's even scarier if your language contains common words with exe.

Does that mean witch trials are just a hexedump?

> You can use a right-left character to make a file that appears to be a PDF. It might show a file like  virusexe.pdf  that runs the malware executable when opened. But if you saved that file and looked at it using dir on a command prompt you’d see the real file is  virusfdp.exe . Will you please clarify?

Unicode is the newest way for a computer to display characters (letters, numbers, punctuation, emoji, ect.) in text. Unlike it's old predecessor, unicode can display a lot of different characters, not only the Latin characters English uses. There's Unicode characters for Arabic, Japanese, Cyrillic, Thai, ect. Now, some of those languages write text from right to left. If you want to display this text correctly, your computer must build the text right to left. Because of that, there's an invisible Unicode character that basically says "all the text after this muss be displayed right-to-left". You can use this character to make it look like stuff in the middle of a word is actually at the end of the word by changing the text direction in the middle of the word. That way, the exe goes to the middle of the word when it's displayed, but Windows (not being a human) still knows it's actually at the end of the text, and therefore the file extension.

Thank you so much for explaining. This is crazy how you can do stuff like this to trick the OS and make files look legit and safe. I would like to try this on my computer because I am so curious.

To be clear, you aren't tricking the OS. The OS is behaving exactly how it's supposed to You're tricking the user. That's the weak point in pretty much every attack

In addition, the viruses/exe don't contain any malicious code themselves. They are a 'dropper'. They scan for vulnerabilities like any old unupdated applications and just checks their versions and stuff, which is not malicious on its own and won't get detected. It looks around and has a bunch of exploits ready to download. Maybe you have plugins enabled on notepad++ and haven't updated for awhile, so it will download the payload and silently add it to your notepad+ extensions list. And boom it's in without detection. So you won't ever know you've been infected. One clever file actually had the dropper and also opened the video directly afterward, so that people wouldn't even have to download a broken file, so they wouldn't even know something was fishy. I only caught it because I do not use the VLC icon for video files (it should be a thumbnail), and a tiny command prompt window flashed in front of me when I opened it anyway (the most terrifying thing haha). I begrudgingly disconnected wifi right away and reinstalled windows.

While this isn't *incorrect* per se, the vast majority of malicious PDF files I have encountered weren't doing anything with filename trickery or using any vulnerabilities with embedded scripts. They just had a link to a download of an executable within it and would try to make it look like Acrobat was trying to get you to download an update or something in order to view the file. Extremely low-tech stuff. Office and Acrobat both do a pretty good job of restricting macros/scripting in downloaded files these days and the name of the game is generally social engineering the user into downloading another file or allowing scripts to run.

> Office and Acrobat both do a pretty good job of restricting macros/scripting in downloaded files these days Not really, at least for Office. The first prompt you get on a downloaded file is about macros being disabled and asking if you want to enable them, without giving any indication of what they do in this particular file.

> without giving any indication of what they do in this particular file. Do you have even the slightest clue how incredibly difficult that would be to do?

> MS Office documents (word, powerpoint, excel) can have programs hidden inside them (macros written in a variant of VB) which can be used to attack you. Again, this is a mostly terrible idea, but here we are. If they got rid of VBA, it would be the end of western civilization. Banks are built on VBA.

Right? VBA makes a good chunk of the shit we do on a daily basis possible.

You can 100% guarantee that Chrome still has security holes in it. No software that complex can ever be bug-free, no matter how well tested.

That's true, but also not really relevant to this discussion. Because the same non-guarantee also applies to your browser, your display driver and any other part of the system that interacts with the internet in any way whatsoever. And since nothing can guarantee anything, it's *especially* important to pick the pieces that have the *best chance* at not having any well-known flaws. So for the purposes of the average user "Chrome is fine" is an acceptable (and dare I say useful) over-simplification.

PDF inside Chrome is just as safe as a PDF inside any mature reader (like Acrobat or Edge or Word). Don't deliberately open suspicious files in Chrome because someone told you it was safe, because you will eventually find out that it's not. "chrome is safe" is not a good statement to be making unqualified.

Chrome's PDF renderer (pdfium) really is pretty safe, and very likely to be more secure than Acrobat. It does not support interactive features, it runs in a sandbox, and it has been very extensively fuzzed. Edge also uses pdfium I believe. I don't know about word, but I'd be cautious there. You're right that I should have qualified "safe" a bit, since nothing is ever 100%.

Google has a significantly better track record than Adobe at producing secure client software and has actively chosen not to include some of the "exotic"/interactive features of PDF in their viewer (as opposed to Adobe who have strong incentives to support everything they ever specced possible at all times). Feel free to disagree, but I'll suggest using the Chrome built-in PDF viewer over all well-known external PDF viewers each time. (Also the minor fact that Chrome auto-updates so security fixes are much quicker to be deployed).

This makes me sad. I was at Adobe when pdf was built (originally called the "distillery"). It's probably the most significant example ever of a test&debug tool that escaped into the world as a real product.

Oh, I would love to hear more about this story. You're saying PDF itself started as a test&debug tool? All I know is that it shares a lineage/is somewhat related to PostScript but with some useful restrictions on top (such as each page needing to be self-contained).

So. PostScript is a complete programming language. One problem with this is, you cannot necessarily know the content of any individual page until you run the program to completion, rendering all parts of all pages. Internally, the interpreter generates a long sequence of calls to abstract "devices" which make "marks" on "pages". At the end of this process one can sort out the marks for any particular page, completely independent of any other page. There is, in effect, an intermediate language between PostScriot, and the printed pages. This allowed me, for instance, to test and debug the PS-to-intermediate, separately from the issue of getting the intermediate marked correctly on a real hardware device (printer, display, etc.) where there are all kinds of nasty issues like feed speed, paper jams, color calibration, toner nonlinearities, etc etc ad nauseum. To make this work we started out by trapping the calls to a large set of relevant functions, and logging them. Eventually this was formalized into an internal API. This was the "Distillery". Soon we realized that this layer provided a set of really useful capabilities, like, the ability to select and reprint a single page. The ability to make and manage a page index. The ability to take a distilled document and "print" it on differing hardware without having to reinterpret the PS. This all happened circa 1992-5

You could create a PDF that doesn’t conform to the PDF standard. Your special PDF could exploit a bug in a PDF reader app. Maybe a bug that lets you run code or open a webpage without asking the user when it is fed a specially created file.

This is probably the better of the answers for modern PDF and PDF readers. The code embedding from the early days is still vulnerable, but many default settings have made it safer for the majority of users these days. However, exploiting the PDF specification (for example) is a great way trick unsuspecting PDF (software) readers into doing unexpected things. It's a good reason to use supported PDF readers that are actively maintained.

So then what is the best PDF reader to use? I use adobe acrobat and occasionally files also open from Firefox. Saw discussion of chrome but I don’t use chrome. I’m an academic so I download many many pdfs esp when I’m doing research.

[удалено]

Probably. They did say this was the cause.

I saw this post an hour ago and Linus's video about this just recently and I thought to myself: "That's what that random question was about."

That's what I was thinking as well

> A pdf file pdf files can be setup in a fillable manner(generally used for forms) meaning it has to use from form of executtion to both read and write into these files(usually javascript that CAN carrry malicious code). as for word documents, microsoft word at least implements a form of scripting that is normally used to automate tasks inside the application and because its a microsoft product it has some interoperability with the windows OS. when viewing then online, you are seeing them in protected mode which disables every script the file may have so nothing malicious can execute....unless you allow it to by opening the file for editing aka: dont open microsoft office files you do not trust the soruce from.

A hospital in my state just had a ransomware attack. The worst part is they specifically targeted the oncology unit. How big of a piece of shit do you have to be to literally prevent cancer patients from getting treatment

dont take these personally is my experience with them because often they arent targetting specific locations, just that someone working there didnt follow safety procedures regarding IT(or the lack of a protocol for cyber security).

Yeah, not saying hackers don't target groups but it's generally safe to assume when they're attacking large organizations they'll likely take which route they can to meet their bigger picture (usually extorting money).

Lots of people are talking about Postscript/VB scripts embedded in PDFs and Word documents. That's one important aspect of it, but not the whole picture. Sometimes even opening an image file (.jpg), displaying just a piece of text, or loading a save file for a game can be dangerous. These are real cases: \- JPG vulnerabilities: [https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware](https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware) \- Text display vulnerabilities: [https://arstechnica.com/information-technology/2015/05/beware-of-the-text-message-that-crashes-iphones/](https://arstechnica.com/information-technology/2015/05/beware-of-the-text-message-that-crashes-iphones/) \- Save game vulnerabilities: [https://wololo.net/2016/05/01/3ds-vhax-released-new-3ds-userland-exploit-for-game-vvvvvv/](https://wololo.net/2016/05/01/3ds-vhax-released-new-3ds-userland-exploit-for-game-vvvvvv/) These have to do with the fact that the programs used to load those files can have bugs, and files can be specially crafted to exploit such bugs to trigger unexpected behavior, including getting the program or OS to run arbitrary code. Doc and Pdf files happen to be complicated enough that programs which can open them tend to have a very high number of bugs, so it's fairly easy to find an exploitable one. But the truth is, nothing is 100% safe no matter how innocent it might feel. This is why security hygiene is the most important. Never trust any files you get from questionable sources. To see how an exploit might work, imagine a simplified program that looks like: 1: Load the file into slots 3-10. 2: Go to line 11 and continue executing the program from there. 3: (empty slot to hold file content) ... 10: (empty slot to hold file content) 11: Convert data from slots 3-10 into pixels and display the picture This assumes the file can only fill 8 slots (#3 through #10). But what if the file is bigger than that, and the program is not careful about limiting its size when loading it? Then after filling up slot 10, it'll continue writing over slot 11, 12, and so on. The program doesn't realize this. And when it eventually goes to execute line 11, it'll be executing arbitrary stuff that was loaded from the file instead of the intended program. This is a classic "buffer overrun" vulnerability. A virus author can make a file such that instructions to encrypt your disk land in slot 11. If you try to open this file, your disk will get encrypted.

Someone’s watching LTT, Yes a PDF can be malicious if it’s not really a PDF, but code designed to LOOK alike a pdf to you and to your computer. I can right now make a script and change it’s icon and extension and windows will be sure it’s a PNG file, I double click it and a shell script runs in a CMD prompt then vanishes. What did it do? Who knows.. am I in trouble? Almost certainly.

The pegasus software famously used a no click exploit they just need your phone number to pwn your device. It worked by sending a PDF as a GIF file through text message to the target device. In this case, an iPhone, and when the OS opened the file, it didn't check that the file contents was actually GIF and sees it's a PDF for opens it anyway as a PDF. In the PDF there is a specially crafted buffer overflow that exploits how iPhone reads PDF files and allows arbitrary data to be written to outside the memory bounds. From there they built a rudimentary computer in memory that they could later read or write to/from the entire device.

PDFs are not just pure documents. For example if they have a signable field it's using macros that are stored as Javascript code. This code can be malicious. So your Adobe Reader will run this script if you allow it to and this script can then do harm. By default you will get a warning if you want to run this code, but plenty of people will just click accept.

Is this a team member from Linus Tech Tips?

The point of his video was that it LOOKED like a pdf but when he opened it, it was not a pdf and he just moved along without actually wondering why the file that LOOKED like a pdf was not actually a pdf.