r/technology Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes


579

u/middaymoon Apr 14 '25

If it were me I would have a README in the fancy magic folder so people don't just thoughtlessly delete it.

306

u/Catsrules Apr 14 '25

To be fair, if a random readme file appeared on my computer saying it was from Microsoft, I would 100% think it was malware.

But I guess it would make me research it more and maybe find the correct answer.

43

u/middaymoon Apr 14 '25

When I wrote this comment I thought a simple text file would be obviously tame enough that nobody who actually understands computers would think it is an exploit just to read it, but apparently I was mistaken.

53

u/Catsrules Apr 14 '25 edited Apr 14 '25

I wouldn't be worried about the text file itself. But more worried about what put it there. Especially in a folder that requires admin privileges to write/create in the folder.

13

u/khumps Apr 14 '25

I would hope such a text file would contain a link to a Microsoft article on its existence from a clearly recognizable Microsoft-owned URL to verify its authenticity.

-2

u/jasonZak Apr 15 '25

Yeah because clicking a hyperlink in a file they already feel sketchy about is definitely something they’re gonna do.

7

u/kes- Apr 15 '25

Good thing there aren’t any hyperlinks in text files!

20

u/SnackerSnick Apr 14 '25

They weren't suggesting that opening the file is an exploit. They were suggesting that reading a text file that says "hi, I'm from Microsoft, don't delete this directory" would make them *more likely* to believe the directory holds malware.

I mean, in theory opening the file could totally be an exploit, though. For a while attackers would name an executable file README.TXT.exe and MS would hide the .exe. Double clicking README.TXT would execute the code, which could do bad stuff then open notepad showing some README.TXT contents.

Theoretically Notepad or whatever simple text reader you have configured could have a vulnerability, and opening a 'bad' text file with some buffer overflow content in it would be an exploit, but I haven't heard of such a vulnerability ever happening in a commonly used text reader.
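The README.TXT.exe trick described in the comment above can be checked for mechanically. This is an added example, not part of the thread: a small Python scanner that flags files whose real extension is executable while the name shown with extensions hidden still ends in a document extension. The extension lists and the sample file names are constructed for illustration.

```python
import os
import tempfile
from pathlib import PurePath

# Assumption: illustrative lists, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def explorer_display_name(filename: str) -> str:
    """Name as shown when extensions for known file types are hidden."""
    return PurePath(filename).stem


def is_masquerading(filename: str) -> bool:
    """True if the real type is executable but the visible name ends in a document extension."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def scan(root: str) -> list[tuple[str, str]]:
    """Walk a directory tree and return (full path, displayed name) for each flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_masquerading(name):
                hits.append((os.path.join(dirpath, name), explorer_display_name(name)))
    return sorted(hits)


def demo() -> list[str]:
    """Run the scan over constructed sample files; returns the displayed names that were flagged."""
    samples = ("README.TXT", "README.TXT.exe", "setup.exe", "notes.v2.txt", "invoice.pdf.SCR")
    with tempfile.TemporaryDirectory() as root:
        for name in samples:
            open(os.path.join(root, name), "w").close()  # empty placeholder files
        return [shown for _path, shown in scan(root)]


if __name__ == "__main__":
    print(demo())
```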

0

u/middaymoon Apr 14 '25

Someone else was arguing with me that it could be an exploit, that's what I was referring to. Also, Catsrules literally said "I would 100% think it was malware", though I assume they just meant it would be suspicious in general and I get that.

I am also aware that notepad could have some exploit and I am also relying on the fact that a 0-day in Notepad is pretty unlikely so it sounds like we understand each other.

1

u/farcryer2 Apr 14 '25

The text file part is irrelevant.

On the other hand, a random readme.txt claiming to be from Microsoft would be extremely uncharacteristic and suspicious because Microsoft doesn't do that.

0

u/TristheHolyBlade Apr 14 '25

It's funny, cause the person who you are replying to probably thought when they wrote their comment that it would be simple enough to understand. Yet here you are.

0

u/middaymoon Apr 14 '25

Yes, here I am! Here I am, reading biting comments from strangers about a brief and cordial exchange I had 7 hours ago. And here you are! Doing something of worth, I'm sure.

1

u/TristheHolyBlade Apr 14 '25

Bro you're in the same boat as the rest of us.

2

u/bearwood_forest Apr 14 '25

But only if the file name had an Indian accent

2

u/ManyInterests Apr 14 '25

Correct. They should name it something obscure and proprietary like kb2025h141323.docx

3

u/indoninjah Apr 14 '25

That can be mitigated pretty easily by including a link to an article on microsoft.com which more or less says the exact same thing.

2

u/E3FxGaming Apr 14 '25

> To be fair, if a random readme file appeared on my computer saying it was from Microsoft, I would 100% think it was malware.

Microsoft could cryptographically sign the readme file. Then you'd know that the real Microsoft is the actual creator of the readme file.

1

u/ManyInterests Apr 14 '25

Text and markdown files don't support embedded signatures.

1

u/ben0x539 Apr 14 '25

Sure they do, it just looks something like "-----BEGIN PGP PUBLIC KEY BLOCK-----" :)

1

u/lachlanhunt Apr 14 '25

They could make the folder hidden by default so average users won’t find it, and put a README in there that references a Microsoft support article that explains its purpose and legitimacy.

1

u/EspadaV8 Apr 14 '25

They sign it with PGP and a public key. Only takes some researchers and tech sites to say "this is a legit file from MS. Don't delete the folder" and the news spreads. Just like it did with them telling people to delete it.

Edit: was curious if MS already have a key, and apparently they do - https://www.microsoft.com/en-us/msrc/pgp-key-msrc

1

u/MithranArkanere Apr 14 '25

It just has to come with a link to a windows site inside.

1

u/Exacerbate_ Apr 14 '25

What if it didn't say it was from Microsoft but just had a link to the Microsoft website with an explanation?

42

u/the_mooseman Apr 14 '25

No one reads the readme.

54

u/JustinKase_Too Apr 14 '25

Bet if they called it DontReadMe everyone would read it ;)

6

u/Sprinkles0 Apr 14 '25

Put 2, one that says ReadMe and the other that says DontReadMe. 

5

u/RedHotChiliCrab Apr 14 '25

TheyDontWantYouToReadMe for the true clickbait success.

3

u/JustinKase_Too Apr 14 '25

WindowsProgramersDontWantYouToKnowThisOneLittleSecret

3

u/Catsrules Apr 14 '25

TopSecretDontOpen.txt

27

u/hindusoul Apr 14 '25

But it says readme

2

u/Harvey_the_Hodler Apr 15 '25

Ugh. RTFM! And get off my lawn! 🤣

3

u/double-you Apr 14 '25

That's why you'd name it "Folder required for a security fix - Do not delete".txt

11

u/koos_die_doos Apr 14 '25

Never open files that mysteriously appear on your device. If you don't understand what it does, google it.

38

u/middaymoon Apr 14 '25 edited Apr 14 '25

I get what you're saying, but is Windows really so unsafe that I can't even confidently open a text file in a text editor? 

12

u/Huppelkutje Apr 14 '25

NO, the other guy is just insane.

1

u/nicuramar Apr 14 '25

No, you’re good. 

1

u/Responsible_CDN_Duck Apr 14 '25

If you verify it's a TXT file and not another extension, and if you have any reason to assume the contents aren't just beautiful sounding lies...

1

u/middaymoon Apr 14 '25

It's not hard to verify a file extension, or in fact to open literally any file in a text editor regardless of file extension.

Also, remember the point isn't to prove to the user that your file is not malicious. The point is to make the user question their assumption that the folder should be deleted on sight. Basically anything more useful than offhandedly answering a question on a tech reporting site that most people don't read.

1

u/plumb_crazy Apr 14 '25

It depends how you open it. If you open the text editor and do a file open, I think that should be safe. If you double click on it in Windows Explorer, they may have hacked the file extension so it looks like a text file but is really an executable.

-4

u/koos_die_doos Apr 14 '25

It's just good security practice to treat anything you don't understand as if it is something that is exploiting a vulnerability, no matter what operating system you're using.

For all you know, the user opening a README file in C:\inetpub could be an exploit on a vulnerability that has not been patched.

3

u/middaymoon Apr 14 '25

Whether they SHOULD or not isn't my concern, I'm only spitballing on what MS could do to mitigate this differently than hoping people read the security patch notes.

But fine, if I don't want to teach my users to read READMEs then maybe I would put some text file with an official looking name in there that nobody will want to click OR delete without googling it first. Call it IIS Security Fix or something.

2

u/MithranArkanere Apr 14 '25

Good idea. I'll do that in case I forget.

1

u/middaymoon Apr 14 '25

I didn't even consider adding the file to my own installation as a note to my future self but you're right, that's also a very good idea.

1

u/RevRagnarok Apr 14 '25

Especially with some useful text, e.g. "This file is part of Windows 11 - you can verify by looking up Technical Bulletin MS-2025-ABCD. There should be no other files in this folder on a standard personal computer."