I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome. This is awesome, but there’s one aspect of the fix that concerns me.
According to the changelog:
This CL adds prompting for dangerous types of files (executable) when they are automatically downloaded.
When I read this, my first thought was: “I wonder how they determine if a file is ‘dangerous’?”
One of the things we've learned over time is that there are relatively few file types that aren't "dangerous". Sure, there are the obvious ones (.exe, .dll, .com, .bat, etc.), but there are lots of other file types that can contain executable content. For instance, most word processors and spreadsheets support some form of scripting language (macros), which means that most downloaded documents can contain executable content.
Even if you ignore the files that contain things clearly identifiable as "code", you've still got problems. After all, just about every file format out there has had a reader with a bug that would have allowed remote code execution.
It’s unfortunate, but given the history of the past couple of years, I can’t see how ANY content that was downloaded from the internet could be considered “safe”.
IMHO Google's change is a good start, but I'm worried that it doesn't go far enough.
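To make the worry concrete, here is an added example (my own illustration, not Chrome's code, and the extension lists in it are mine rather than Chrome's actual list) that compares the two ways a download manager can decide whether to prompt: a deny list that prompts only for types it has enumerated as dangerous, and an allow list that prompts for everything except a short list of formats with no scripting of their own. It also models two shell details that matter once the file lands on the desktop: Win32 strips trailing spaces and periods from a file name when the file is created, and Explorer hides the extension of registered types (a handful, such as .lnk and .shs, are hidden even when "hide extensions for known file types" is off). The model of that hiding behaviour is a simplifying assumption.

```python
"""
Two policies a download manager could use to decide whether to prompt
before dropping a file where the user can reach it.  Added example; the
extension lists are illustrative assumptions, not Chrome's actual list.
"""
from __future__ import annotations

# Types the shell or a script host will execute directly (assumed list).
EXECUTABLE = {
    "exe", "dll", "com", "bat", "cmd", "scr", "pif", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "lnk", "shs", "scf",
}
# Document formats that carry their own scripting language (macros).
SCRIPTABLE_DOCUMENT = {
    "doc", "dot", "xls", "xlt", "ppt", "docm", "dotm", "xlsm", "xltm", "pptm",
}
# Formats with no scripting of their own.  Not "safe" (every reader of these
# has had parser bugs), but the only thing the allow-list policy hands over
# without a prompt.
PASSIVE = {"txt", "png", "jpg", "jpeg", "gif", "bmp"}

# Registered types whose extension Explorer hides even when "hide extensions
# for known file types" is off (NeverShowExt).  Assumed subset for the model.
ALWAYS_HIDDEN = {"lnk", "pif", "shs", "scf"}
KNOWN = EXECUTABLE | SCRIPTABLE_DOCUMENT | PASSIVE


def effective_extension(filename: str) -> str:
    """Extension the shell will act on, lower-cased, without the dot.

    Win32 drops trailing spaces and periods when creating the file, so
    "payload.exe. " is saved as payload.exe; strip them before looking.
    Only the last extension counts: x.txt.shs is a scrap object, not text.
    """
    name = filename.rstrip(" .").rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    base, dot, ext = name.rpartition(".")
    if not dot or not base:  # "README" or ".bashrc": treat as no extension
        return ""
    return ext.lower()


def classify(filename: str) -> tuple[str, str]:
    """Return (kind, extension) for the name the file will be saved under."""
    ext = effective_extension(filename)
    if ext in EXECUTABLE:
        return "executable", ext
    if ext in SCRIPTABLE_DOCUMENT:
        return "scriptable-document", ext
    if ext in PASSIVE:
        return "passive", ext
    return "unknown", ext


def deny_list_prompts(filename: str) -> bool:
    """Prompt only for types enumerated as dangerous.  Anything the list
    has not heard of is handed over silently: the gap the post worries about."""
    kind, _ = classify(filename)
    return kind in ("executable", "scriptable-document")


def allow_list_prompts(filename: str) -> bool:
    """Prompt for everything except formats with no scripting of their own.
    New and unknown types fail closed."""
    kind, _ = classify(filename)
    return kind != "passive"


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Name Explorer shows for the saved file (assumed model of extension hiding)."""
    name = filename.rstrip(" .")
    ext = effective_extension(name)
    if ext and (ext in ALWAYS_HIDDEN or (hide_known_extensions and ext in KNOWN)):
        return name[: -(len(ext) + 1)]
    return name


def review(filenames: list[str]) -> list[dict]:
    """Run both policies over a batch of names and report what the user would see."""
    return [
        {
            "file": f,
            "shown_as": displayed_name(f),
            "kind": classify(f)[0],
            "deny_list_prompts": deny_list_prompts(f),
            "allow_list_prompts": allow_list_prompts(f),
        }
        for f in filenames
    ]


# Constructed sample names, not taken from any real download log.
SAMPLE_DOWNLOADS = [
    "setup.exe", "Budget.XLSM", "notes.txt", "x.txt.shs",
    "payload.exe. ", "archive.jar", "README",
]

if __name__ == "__main__":
    for row in review(SAMPLE_DOWNLOADS):
        print(f"{row['file']!r:16} shown as {row['shown_as']!r:14} "
              f"{row['kind']:20} deny-list prompt={row['deny_list_prompts']!s:5} "
              f"allow-list prompt={row['allow_list_prompts']}")
```

The rows that matter are "archive.jar" (an unlisted type sails through the deny list and is stopped by the allow list) and "x.txt.shs" (classified as a scrap object, yet shown on the desktop as x.txt whatever the extension-hiding setting). A deny list grows with every new format, and the user sees the same "risky" click either way; the allow list at least makes the unknown case fail closed.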
The part that bothers me is "automatically"!!!
asf, you're right. Under no circumstances should a file be "automatically downloaded".
I've used some browsers that automatically download JavaScript, Flash, and various other files when they explore the internet.
Plain text files and pure HTML (sans Javascript, etc) should be safe. Everything else, all bets are off. (This is one of two reasons that I force all my incoming mail to plain text, the other being that people who send HTML email usually have tastes in fonts, colors, and graphics that clash with mine.)
Norman: Do those browsers drop their content in locations that the user can see, or are they dropped in a temp directory?
Monica: Maybe - These days, I'm not sure that even plain text and HTML are safe.
"Do those browsers drop their content in locations that the user can see, or are they dropped in a temp directory?"
Yes and yes.
Since most users don't look at their temp directories, we could say that the answers are usually no and yes. But then it starts to sound like security through obscurity. Even though the user doesn't see and double click those files, they still usually get executed. JavaScript and Flash are usually safe, but not safer than plain text.
"These days, I'm not sure that even plain text and HTML are safe."
Good thinking.
Plain text can be dangerous if opened by vim. I suppose there could be ways to persuade Internet Explorer to send plain text to Media Player and interpret it with a different meaning from plain text. But I do confess to opening some txt attachments in Notepad.
I've seen at least two kinds of HTML confuse Outlook Express, one kind with embedded Trojans and one without.
An indirect danger is that the icon for a shell scrap object looks like the icon for a text file, combined with the fact that the shell doesn't display the .shs extension. Create a file on your desktop named x.txt.shs, take a look at it, and imagine what kind of contents it could have.
Norman: If the files are dropped in a temp directory, then the chances of the user accidentally accessing the files are very close to non-existent.
The risk here is when a browser can drop files on (for example) the user's desktop without the user explicitly choosing to drop the files on the desktop.
OE (and Outlook) have their own HTML rendering engine - one that is intentionally neutered to remove support for most active content types (like scripting).
"The risk here is when a browser can drop files on (for example) the user's desktop without the user explicitly chosing to drop the files on the desktop."
I guess you mean because the user might be tempted to double-click the file, and then it will be presumed to have the user's permissions instead of recognized internet restricted permissions. OK.
"OE (and Outlook) have their own HTML rendering engine - one that is intentionally neutered to remove support for most active content type (like scripting)."
It is good that they are neutered, but I wonder if it's good for them to have their own engine. This likely does explain why OE (and maybe Outlook) have their own bugs, confusing some of their UI after rendering HTML.
Norman, actually the problem's worse than that. For instance, on media files, Explorer will attempt to parse the file to retrieve thumbnail information.
If the file is authored with a buggy codec, then you might get remote code execution just by looking at your desktop.
There are other issues. Search the web for safari carpet bomb for details.
>For instance on media files, explorer will attempt to parse the
>file to retrieve thumbnail information. If the file is authored with
>a buggy codec, then you might get remote code execution just
>by looking at your desktop.
For this and the other problems, you're saying it's these other apps that are not safe, not the files themselves (obviously the files aren't going to execute themselves). How's the browser to know what other, arbitrary programs will do with them?
IE, notably, marks pretty much everything it downloads as 'risky', and then the user learns that opening pretty much anything they download requires an extra click. If they learn that JPEGs are 'risky', they've read and understood more than the typical user, and they're learning something that's not all that helpful.
What would be nice is if Explorer and the other actually risky apps used managed code in a reduced-privilege sandbox to handle codecs and the like. The browser still doesn't know what they do, but at least the user will be better served.
** just to add:
Downloading things automatically is maybe its own issue.
This is a perfect example of "blame it on the user" security.
"For instance on media files, explorer will attempt to parse the file to retrieve thumbnail information."
Oh, then I'm more at risk than I was aware of too. I put Explorer in details view and tell it to apply the view to all folders, and then make an exception for Control Panel because that's one place where I got used to icons. In Windows XP these settings usually stick. But even in details view, Explorer sometimes pops up a tooltip containing information that must have come from parsing a file.
Now Vista is less secure than XP, by design, because the behaviour of Explorer that keeps changing back to icon view or thumbnail view is no longer a bug that happens several times a week, it's by design and happens all the time.