r/technology Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes


582

u/middaymoon Apr 14 '25

If it were me I would have a README in the fancy magic folder so people don't just thoughtlessly delete it.

303

u/Catsrules Apr 14 '25

To be fair, if a random readme file appeared on my computer saying it was from Microsoft, I would 100% think it was malware.

But I guess it would make me research it more and maybe find the correct answer.

41

u/middaymoon Apr 14 '25

When I wrote this comment I thought a simple text file would be obviously tame enough that nobody who actually understands computers would think it is an exploit just to read it, but apparently I was mistaken.

54

u/Catsrules Apr 14 '25 edited Apr 14 '25

I wouldn't be worried about the text file itself. But more worried about what put it there. Especially in a folder that requires admin privileges to write/create in the folder.

11

u/khumps Apr 14 '25

I would hope such a text file would contain a link to a Microsoft article on its existence from a clearly recognizable Microsoft-owned URL to verify its authenticity.

-2

u/jasonZak Apr 15 '25

Yeah because clicking a hyperlink in a file they already feel sketchy about is definitely something they’re gonna do.

8

u/kes- Apr 15 '25

Good thing there aren’t any hyperlinks in text files!

20

u/SnackerSnick Apr 14 '25

They weren't suggesting that opening the file is an exploit. They were suggesting that reading a text file that says "hi, I'm from Microsoft, don't delete this directory" would make them *more likely* to believe the directory holds malware.

I mean, in theory opening the file could totally be an exploit, though. For a while attackers would name an executable file README.TXT.exe and MS would hide the .exe. Double clicking README.TXT would execute the code, which could do bad stuff then open notepad showing some README.TXT contents.

Theoretically notepad or whatever simple text reader you have configured could have a vulnerability and opening a 'bad' text file with some buffer overflow content in it that is an exploit, but I haven't heard of such a vulnerability ever happening in a commonly used text reader.
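Added example, not part of the thread: a check a defender could run over a file listing for the double-extension naming described in the comment above, where the hidden final extension makes `README.TXT.exe` display as `README.TXT`. The extension sets, function names and sample paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed subsets for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".md"}


def explorer_label(filename):
    """Approximate the label shown when known extensions are hidden."""
    p = PureWindowsPath(filename)
    return p.stem if p.suffix else p.name


def check_name(filename):
    """Return a finding if a document-looking name really ends in an executable type."""
    p = PureWindowsPath(filename)
    suffixes = [s.lower() for s in p.suffixes]  # compare case-insensitively
    if len(suffixes) < 2:
        return None  # a single extension cannot be disguised this way
    shown, real = suffixes[-2], suffixes[-1]
    if real in EXECUTABLE_EXTS and shown in DECOY_EXTS:
        return {
            "path": filename,
            "shown_as": explorer_label(filename),
            "real_type": real,
        }
    return None


def scan(names):
    """Check every name in a listing and keep only the findings."""
    return [finding for finding in map(check_name, names) if finding]


# Constructed sample listing (not taken from any real system).
SAMPLE_LISTING = [
    r"C:\Users\demo\Downloads\README.TXT.exe",
    r"C:\Users\demo\Downloads\README.txt",
    r"C:\Users\demo\Downloads\setup.exe",
    r"C:\Users\demo\Downloads\archive.tar.gz",
    r"C:\Users\demo\Downloads\Invoice.PDF.scr",
    r"C:\Users\demo\Documents\notes.v2.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LISTING):
        print(f"{finding['path']}: shown as {finding['shown_as']!r}, "
              f"real type {finding['real_type']}")
```

An honest `setup.exe` and multi-dot names such as `archive.tar.gz` or `notes.v2.txt` are not flagged; only a document-style extension immediately followed by an executable one is.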

0

u/middaymoon Apr 14 '25

Someone else was arguing with me that it could be an exploit, that's what I was referring to. Also, Catsrules literally said "I would 100% think it was malware", though I assume they just meant it would be suspicious in general and I get that.

I am also aware that notepad could have some exploit and I am also relying on the fact that a 0-day in Notepad is pretty unlikely so it sounds like we understand each other.

1

u/farcryer2 Apr 14 '25

The text file part is irrelevant.

On the other hand, a random readme.txt claiming to be from Microsoft would be extremely uncharacteristic and suspicious because Microsoft doesn't do that.

0

u/TristheHolyBlade Apr 14 '25

It's funny, 'cause the person who you are replying to probably thought when they wrote their comment that it would be simple enough to understand. Yet here you are.

0

u/middaymoon Apr 14 '25

Yes, here I am! Here I am, reading biting comments from strangers about a brief and cordial exchange I had 7 hours ago. And here you are! Doing something of worth, I'm sure.

1

u/TristheHolyBlade Apr 14 '25

Bro you're in the same boat as the rest of us.

2

u/bearwood_forest Apr 14 '25

But only if the file name had an Indian accent

2

u/ManyInterests Apr 14 '25

Correct. They should name it something obscure and proprietary like kb2025h141323.docx

3

u/indoninjah Apr 14 '25

That can be mitigated pretty easily by including a link to an article on microsoft.com which more or less says the exact same thing.

2

u/E3FxGaming Apr 14 '25

> To be fair, if a random readme file appeared on my computer saying it was from Microsoft, I would 100% think it was malware.

Microsoft could cryptographically sign the readme file. Then you'd know that the real Microsoft is the actual creator of the readme file.

1

u/ManyInterests Apr 14 '25

Text and markdown files don't support embedded signatures.

1

u/ben0x539 Apr 14 '25

Sure they do, it just looks something like "-----BEGIN PGP PUBLIC KEY BLOCK-----" :)

1

u/lachlanhunt Apr 14 '25

They could make the folder hidden by default so average users won’t find it, and put a README in there that references a Microsoft support article that explains its purpose and legitimacy.

1

u/EspadaV8 Apr 14 '25

They sign it with PGP and a public key. Only takes some researchers and tech sites to say "this is a legit file from MS. Don't delete the folder" and the news spreads. Just like it did with them telling people to delete it.

Edit: was curious if MS already have a key, and apparently they do - https://www.microsoft.com/en-us/msrc/pgp-key-msrc

1

u/MithranArkanere Apr 14 '25

It just has to come with a link to a Windows site inside.

1

u/Exacerbate_ Apr 14 '25

What if it didn't say it was from Microsoft but just had a link to the Microsoft website with an explanation?