Tony Schreiner's WebLog

Developer - IE | Windows | Graphics. Fighting complexity for 10 years and counting.

This Blog

Syndication

Search

Links

Security prompt on downloaded files in XP SP2

In a response to my first blog entry on IE in XP SP2, Tom Gilder notices another new security prompt on downloaded files for XP SP2:

Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt - is this a bug?
...
Er, actually, ignore that - now seems to be working again. But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? :)

This functionality is similar to the prompt that is shown when you immediately run an executable from the download prompt in IE. If you are using NTFS, downloaded files will now be marked with information about the zone the file originated from. The shell team did some work to extend ShellExecute so that it will prompt when you later run a file that was downloaded and saved from the internet. As with the secondary download prompt, this is defense in depth and should be used to verify the publisher of the executable, but it is not a security prompt that you can rely on to always protect you from running dangerous files. For example, you could download a .cmd file from a web site that formats your hard drive or erases all of your personal files, and you may not get the secondary prompt.

So regarding the first potential issue, my guess is that in one case the file was saved to an NTFS partition and in the other case it was either saved onto a FAT32 partition or was copied in a way that caused it to lose the zone information. If this is not the case, please drop me an email or file a bug report through the standard channels. The second issue certainly was a bug. It has been fixed but did not make the RC1 build.

I'm interested in hearing peoples opinions on the value of this feature and how we could make it more useful (and secure) in the future.

Published Sunday, March 21, 2004 8:50 PM by tonyschr

Filed under: Internet Explorer

Comments

# re: Security prompt on downloaded files in XP SP2 @ Monday, March 22, 2004 3:36 AM

Slightly off this topic, but a couple of questions on a change of handling of Res: resources.

1/. 2 years ago during the IE6 SP1 beta, access to Res: resources became disallowed to content served from the Internet Zone.

XP SP2 RC1 now allows this access.

2/. We have a Res: resource which navigates part of its content to file://, and that action is now disallowed as a result of LMZ lockdown. This is a pain, and is proving hard to work around.

Any comments of the deliberate (or otherwise) nature of these changes, and whether or not they will find their way into the release, would be welcome, thanks.

Jerry Mead

# re: Security prompt on downloaded files in XP SP2 @ Monday, March 22, 2004 4:26 AM

Thanks :)

I didn't originally copy the EXE to a non-NTFS partition, so I'm not sure quite how it lost the zone data. I can't seem to replicate it at all now, but I'll get back to you if I do...

Tom Gilder

# re: Security prompt on downloaded files in XP SP2 @ Monday, March 22, 2004 12:48 PM

Wrong thread again, sorry, but just a question about the the blocking of AX control downloads to first-time visitors.

Our controls are often scripted on_load the document, with 'defer' allowing the control time to download if necessary before the on_load function runs.

In RC1, the blocking of a control download doesn't appear to respect 'defer', so it's possible for a user to have hit the Info Bar's options and then have a script error come up as the on_load function fires. The two together create a messy modal lockup.

In general the Information Bar operation appears to be nicely thought out, but perhaps it's still 'tweakable' for a slightly better user experience?

A repro can be found here:

http://www.win-os.com/samples/sample1.htm

where we're testing 'RC1 compatibility' builds of our product ScriptX.

Jerry

Jerry Mead

# re: Security prompt on downloaded files in XP SP2 @ Monday, March 22, 2004 9:57 PM

Jerry, regarding the first issue, have you read http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx and related documentation yet? You may be able to get away with adding a "mark of the web" to the files in the local machine zone to accomplish what you need. Also note that these security mitigations are only in effect for the iexplore.exe and explorer.exe processes by default, so content hosted in an HTA or custom application should not be affected.

Regarding the second issue, I'll investigate this more tomorrow. In general, for blocking ActiveX controls the behavior is the same as if the user chose "No" on the Authenticode dialog in XP SP1. We're doing some tweaking to address some common site compatibility issues, but of course we cannot fix everything sites do without defeating the purpose of the security mitigations.

Of course, anything that can be described as a "messy modal lockup" is another matter, and I'm currently investigating the issue with the Information Bar menu and modal dialogs.

Tony Schreiner

# Nice catch Tony & Tom @ Monday, March 22, 2004 11:28 PM

Just for record - I've reported (Betaplace Track ID 264345067) similar behaivior for QFE fixes and service-packs.

It's pretty useless for QFE hotfixes (Q123456.exe like) to verify digital signature for itself.
In case if QFE will be altered by some evil person - this kind of verification is useless, and even more - make users rely on it.

I've spend 4 more emails to PM from WinSE team to clarify that this kind of security verification must be using already pre-installed program on user system, but not a using just 5 minutes ago downloaded EXE file.

Instead of storing internet zone info for service pack and hotfixes files - it was prety simple to replace *.EXE file extention (and format) to *.QFE (or something like this).

IMHO, Microsoft must not rely on users validate signature for file by looking in IE properties or rely on self-validating EXEs.
Microsoft make some kind of Windows Patch wizard consolidating patch detection, delivery, validity checking, installing, checking install status and repair if needed.

Something that will consolidate:
MBSA, Windows Update, Office Update, Microsoft Security center, QChain, QfeCheck, SigVerif, ServicePacks.

# re: Security prompt on downloaded files in XP SP2 @ Tuesday, May 25, 2004 9:17 PM

Anyone see issues with inability to complete a download of an .exe download. For some reason it remains stuck at 99% and never downloads either in save mode or run mode

maunakeaone

New Comments to this post are disabled