Closed Bug 239160 Opened 21 years ago Closed 21 years ago

Under windows there are file extensions to be regarded as dangerous windows executables.

Categories: Core :: XPCOM, defect
Platform: x86, Windows 2000
Type: defect; Priority: Not set; Severity: normal
Tracking: RESOLVED FIXED
People: Reporter: mmalarm2000-bugzilla, Assigned: dougt
Details: Keywords: fixed1.4.3, fixed1.7; Whiteboard: [sg:fix]fixed-aviary1.0
Attachments: 1 file

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316

boris zbarsky 2004-03-29 12:52 pst wrote in http://bugzilla.mozilla.org/show_bug.cgi?id=191460#c38
> file a separate bug on extending this list, please.

Please see http://bugzilla.mozilla.org/show_bug.cgi?id=191460#c33 -> d) extension list

Under windows there are file extensions to be regarded as dangerous windows executables. In mailnews it should be taken special care of these attachments. There are not enough extensions which are regarded as dangerous windows executables (nsLocalFile::IsExecutable). http://bugzilla.mozilla.org/attachment.cgi?id=145018&action=view

This bug relates to http://bugzilla.mozilla.org/show_bug.cgi?id=191460#18 and the following comments. More competent people than I am should review this bug :-)

Reproducible: Always

Steps to Reproduce:

Actual Results:
At the moment .pif, .cmd, .js, .vbs, .lnk, .reg, .wsf, .hta, .scr are regarded as executables.

Expected Results:
I recommend to check the following executables:
??_ {?? 001 002 386 3GR ACM ADT AP? ASD ASP AX? BAT BIN BO? CC? CDR CHM CLA CMD CNV CO? CP? CSC D?B DAT DEV DIF DL? DO? DRV EE? EML EX? FMT FO? GMS GZ? HDI HLP HT? IM? IN? JS? LIB MB? MD? MHT MOD MPD MPP MPT MRC MS? NWS OB? OC? OL? OLE OTM OV? PCI PD? PHP PIF PLG POT PP? PRC QLB QPW QTC REG RTF SCR SH? SIS SMM SYS TD0 TGZ TLB TSP VB? VS? VWP VXD WBK WIZ WP? WRI WS? X32 XL? XML XSL XTP XX? ZL?
> EML XML XSL
why??
> TGZ
??
(in the future, please give links to other bugs in the form "bug 191460 comment 38" or "bug 191460")
To xpcom and ccing security people and the like. This is not a mailnews issue. Note that the list of extensions Mozilla considers executable also includes "exe", "bat", and "com". Also note that that list at the end of comment 0 comes from a virus checker and is far too restrictive for our purposes (eg .mht, .tgz, .doc, etc would all match it).
Assignee: sspitzer → dougt
Status: UNCONFIRMED → NEW
Component: Attachments → XPCOM
Ever confirmed: true
Product: MailNews → Browser
Summary: (MailNews) Under windows there are file extensions to be regarded as dangerous windows executables. In MailNews it should be taken special care of these attachments. → Under windows there are file extensions to be regarded as dangerous windows executables.
OK guys, thanks a lot for bringing this bug and bug 191460 on the right way. As Boris pointed out, the extension list is coming from a virus checker, but these guys also know what they do, so I didn't want to shorten the list. And I don't know all extensions - it's an impressive list anyway. I don't know the discussions behind the decisions what Mozilla regards as an executable. But maybe most of these extensions should be handled with care. The present wave of virus mails and worm mails combined with spam tactics really needs attention. That said, I'll go back to my user life and think about bug 191460 comment 33 b) "mime type */*", c) "GUI for dangerous extensions" and e) "show attachments in mail and list", and when to do the RFEs. Thanks for your engagement! Markus
drivers (386, sys, vxd, drv, ...) aren't executable and shouldn't be blacklisted. same for overlays (ov?, ...)

the list is still missing .pl(s)

it's blacklisting powerpoint, wordprocessor (rtf, wp?), and help (chm, hlp) files, i'm not sure what people will say to that (i'm in favor, the rest of the world should be opposed)

please do me a favor and find all the bugs where i've provided lists? i have better things to do with my time than read someone else's bogus list.
(In reply to comment #4)
> please do me a favor and find all the bugs where i've provided lists?
bug 158623 comment 9

Yeah, the reporter's list is unusable (the list is about extensions of infectable file types). But I wonder why no-one looks at %PATHEXT% on NT-based Windows. On my box this is
PATHEXT =.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

So if I look at http://lxr.mozilla.org/seamonkey/source/xpcom/io/nsLocalFileWin.cpp#1857 I see the following missing extensions:
.VBE, .JSE  VBScript Encoded Script / JScript Encoded Script
.WSH        Windows Scripting Host (Settings)

more executable extensions from Windows scripting:
.WSC, .SCT  Windows Scripting Component, Scriptlet
.VB         same as .vbs
.PLS        PerlScript with WSH (rarely)
.PL         Perl script (rarely)
.SCF        Windows Explorer Command
http://computercops.biz/article1021.html

And very important (these extensions are used by ITW viruses): Scrap Files
.SHS        Shell Scrap Object
.SHB        Windows shortcut/DocShortcut
http://www.pc-help.org/security/scrap.htm
http://support.microsoft.com/support/kb/articles/Q138/2/75.asp

Even if you have "show always file extension on" in Windows you don't see per default the extension for Scrap files, .LNK, .PIF in Windows Explorer.
thanks, i think i've mentioned the types you listed in some other bug as well as pathext - bug 209392 comment 1

the one problem with pathext, is that at least on my boxes pathext only mentions .pl in cmd sessions (because i have some stuff which i import into my environment after cmd starts), so while a mozilla lucky enough to be started from cmd would find out that perl is dangerous, that same mozilla started from explorer would almost certainly miss out.

a note to self: bat files and similar critters have editing and printing verbs, so you can't use them.

perhaps we could use ObjType\EditFlags. (Not to be confused w/ ObjType\Command\Verb\EditFlags)
evil stuff here tends to be marked 0x 3? ?? ?? ??
documents tend to be marked 0x ?? ?? 01 ?? / 0x??01???? for better or for worse, that includes windows installer packages/patches
fwiw pif/dll/drv/vxd/lnk's are (as are precompiled setup information critters - pnf) 0x 01 ?? ?? ?? / 0x??????01
reg is 0x ?? 10 ?? ??

Anyway, i scanned through my laptop and desktop and this approach seemed reasonable. - I had MSOffice2000 or so here at sometime. I think for the time being, i'd refuse to launch anything which isn't marked as a document (scf files aren't marked)

note that powerpoint and excel objects seem to be marked as 0x00000000. as i've stated earlier, i don't mind refusing to run them, they're fairly good carriers for infection. unfortunately, icalendar is 0x00000000.

There's also a NoOpen flag which we should probably honor.

hrm, bug 52454 was supposed to use editflags. and did for a single version (1.21), bug 82584 undid that work. *sigh*

FTA_OpenIsSafe (0x00010000) Indicates that the file class's open verb can be safely invoked for downloaded files.
FTA_AlwaysUnsafe (0x00020000) Prevents the "Never ask me" check box from being enabled. The user can override this attribute through the File Type dialog box.
The installer or first run code could /try/ to offer to wallpaper over the problem described in bug 82584 ("It seems your computer has or had an insecure version of msoffice, in order to try to protect you from some viruses, we'd like to tighten some security settings. [Tighten] [Keep Risky Settings]")
Okay, let's go through the list...
XLS DOC DOT PPT PPS -> Everything linked to Open Office on my system, so why dangerous?
XML HTM -> Linked to Mozilla

On the other side: Why don't you include "LNK"? It's not impossible to create a LNK to C:\windows\system32\cmd.exe /c ftp ..... & start .... and very many systems are installed on "C:\windows"!

What I want to say with that is that it depends on the system which file is dangerous. Each file can be dangerous if it's opened with the wrong helper application. Unfortunately all Microsoft systems are dangerous by default. Very many users use "Word" to open DOC and "Excel" to open XLS. They also use "Windows Media Player" to play WAV MID MP3 ASF, so why don't you block these, too?

The feature which opens with the system default uses the settings of Windows (!) These are changed very often. Many applications link with files without the knowledge of the user! The user chooses to open $FILE with $APPLICATION and chooses that Mozilla shouldn't ask again. Some days later $APPLICATION2 registers for this file type. Now this application is also used automatically for all $FILEs the user clicks in Mozilla!

That it's dangerous to use the Windows internal list can be seen from the fact that there were several security related bugs depending on this feature, and I'm sure we get more of that. The goal of Mozilla is that its security is the same on every system. This Windows-only feature makes it a bit less secure on Windows. Do you really think this feature can be made secure, or would it be better to remove it completely?
Microsoft has a list of file extensions they consider dangerous. This is the list IE uses, and probably in this case it's The Right Thing to copy Microsoft, or at least have our list be a superset of theirs.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369

The extensions on their list that aren't in bug 191460 comment 33 are:
.bas .isp .lnk .pcd .url .ad .crt .sct

Another MS page recommends blocking any filename with a squiggly-bracket in it and if the filename ends with a dot, looking for an extension before the dot:
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse12.mspx
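The checks discussed in comments 5, 6 and 8 (a blacklist of executable extensions, merging in %PATHEXT%, the trailing-dot and curly-bracket edge cases, and an EditFlags-based "is the open verb safe" decision), collected into one added example. This is not Mozilla's nsLocalFileWin.cpp code. Assumptions: the extension set is assembled only from extensions named in this thread, not the complete KB 291369 list; the function names GetExtension, ParsePathExt, IsExecutableName and OpenVerbIsSafe are this example's own; the EditFlags value is passed in by the caller instead of being read from the registry, so the code compiles and runs on any platform; the FTA_* constants carry the values quoted in comment 6.

```cpp
// Added example (not Mozilla's nsLocalFileWin.cpp): an extension-based
// "should this be treated as executable?" check plus an EditFlags policy.
#include <algorithm>
#include <cctype>
#include <set>
#include <sstream>
#include <string>

// Extensions named as executable in this thread (comments 0, 5, 8, 12, 14).
// Assumption: this is the thread's list, not the full KB 291369 list.
static const std::set<std::string> kExecutableExtensions = {
    "exe", "com", "bat", "cmd", "pif", "scr", "lnk", "reg", "hta",
    "js",  "jse", "vbs", "vbe", "vb",  "wsf", "wsh", "wsc", "sct",
    "pl",  "pls", "scf", "shs", "shb",
    "bas", "isp", "pcd", "url", "ad",  "crt",
    "msi", "msp",
};

static std::string ToLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return s;
}

// Windows ignores trailing dots and spaces when opening a file, so
// "evil.exe." opens evil.exe; strip them before looking for the extension.
static std::string StripTrailingDotsAndSpaces(std::string name) {
    while (!name.empty() && (name.back() == '.' || name.back() == ' '))
        name.pop_back();
    return name;
}

// Lower-cased extension of the last path component, or "" if there is none.
std::string GetExtension(const std::string& path) {
    std::string name = StripTrailingDotsAndSpaces(path);
    size_t slash = name.find_last_of("\\/");
    if (slash != std::string::npos) name = name.substr(slash + 1);
    size_t dot = name.find_last_of('.');
    if (dot == std::string::npos) return "";
    return ToLower(name.substr(dot + 1));
}

// Parse a PATHEXT-style value (".COM;.EXE;.BAT") into lower-case extensions,
// so a caller can merge the machine's own list into the check (comment 5).
std::set<std::string> ParsePathExt(const std::string& pathext) {
    std::set<std::string> out;
    std::stringstream ss(pathext);
    std::string item;
    while (std::getline(ss, item, ';')) {
        if (!item.empty() && item[0] == '.') item.erase(0, 1);
        if (!item.empty()) out.insert(ToLower(item));
    }
    return out;
}

// True if the name should be handled as an executable. `extra` is an
// optional extension set (e.g. from ParsePathExt) merged into the blacklist.
bool IsExecutableName(const std::string& path,
                      const std::set<std::string>& extra = {}) {
    // A "{...}" in the name lets Explorer treat the file as a class object
    // regardless of the visible extension, so any brace is refused (comment 8).
    if (path.find('{') != std::string::npos || path.find('}') != std::string::npos)
        return true;
    std::string ext = GetExtension(path);
    if (ext.empty()) return false;
    return kExecutableExtensions.count(ext) > 0 || extra.count(ext) > 0;
}

// FILETYPEATTRIBUTEFLAGS bits as quoted in comment 6.
const unsigned FTA_OpenIsSafe   = 0x00010000;
const unsigned FTA_AlwaysUnsafe = 0x00020000;

// The stricter policy suggested in comment 6: launch only types whose
// EditFlags declare the open verb safe and are not flagged always-unsafe.
bool OpenVerbIsSafe(unsigned editFlags) {
    return (editFlags & FTA_OpenIsSafe) != 0 &&
           (editFlags & FTA_AlwaysUnsafe) == 0;
}
```

Two of the decisions deserve a note. Stripping trailing dots before the lookup means "message.scr." is classified the same as "message.scr", which is how Windows itself resolves the name. Refusing any name containing a brace is deliberately coarse: legitimate filenames almost never contain one, and the cost of a false positive (the user is asked what to do) is far lower than the cost of a disguised class-object file being opened silently.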
Who is going to decide now which extensions are added to the extended dangerous extension list? Remember?: http://bugzilla.mozilla.org/attachment.cgi?id=145018&action=view Markus
is a list update 1.7 material?
Group: security
Flags: blocking1.7?
Group: security
Until now only .scr is added to the source code.
MSI (Windows Installer) should be added to the dangerous list.
Flags: blocking1.7? → blocking1.7+
msi comes in an assortment of extensions
msi (windows installer package)
msp (windows installer patch)
...
FYI: another overview for potential harmful extensions can be found on http://www.icdatamaster.com/harmful.html
Time is short for 1.7 and so we can't spend forever trying to get every possible extension on the list. A first step would be a patch adding those extensions in comment 8 (and possibly comment 14) to the list. Then this would need to land on the trunk to get some exposure. Who can help us with a patch here?
I have updated the list of extensions which are considered executable to match that of what Microsoft does for IE. (see http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369)
Attachment #148138 - Flags: superreview?(dveditz)
Attachment #148138 - Flags: review?(darin)
Attachment #148138 - Flags: approval1.7?
Comment on attachment 148138 [details] [diff] [review] Updating executable list chofmann asked me to look at this cuz time is short - sr=bienvenu, if you need it...
Comment on attachment 148138 [details] [diff] [review] Updating executable list r=darin
Attachment #148138 - Flags: review?(darin) → review+
Comment on attachment 148138 [details] [diff] [review] Updating executable list sr=dveditz a=dveditz for 1.7
Attachment #148138 - Flags: superreview?(dveditz)
Attachment #148138 - Flags: superreview+
Attachment #148138 - Flags: approval1.7?
Attachment #148138 - Flags: approval1.7+
checked in on branch:
Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v <-- nsLocalFileWin.cpp
new revision: 1.115.2.1; previous revision: 1.115
done

checked in on trunk:
Checking in io/nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v <-- nsLocalFileWin.cpp
new revision: 1.119; previous revision: 1.118
done

Do we have agreement that we can close this bug, or are there other precautions we can take?
(In reply to comment #8)
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369
[...]
> Another MS page recommends blocking any filename with a squiggly-bracket in it
> and if the filename ends with a dot, looking for an extension before the dot:
> http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse12.mspx

I am curious why the MS office document extensions which might contain macros aren't in the MS list. Only marketing? Is Visio more dangerous than doc files? IMHO the MS office document extensions should be in the Mozilla patch.
> IMHO the MS office document extensions should be in the Mozilla patch. That would break one of the most common document formats people launch from web browsers (probably right behind PDF).
(In reply to comment #20)
> Do we have agreement that we can close this bug, or are there other precautions
> we can take?

Please check with Builds later than 2004-05-10 20:37 PDT against the link in http://bugzilla.mozilla.org/attachment.cgi?id=144854&action=view (attachment from bug 191460). I will start downloading soon :-)
No real virus at hand right now, but I remember that Mozilla saved the virus to TMP while or before asking what to do with the file. If this behaviour is still the same then I think we still have a security problem here. If it is so, is it a new bug or is somebody working on that?
(In reply to comment #24)
> No real virus at hand right now, but I remember that Mozilla saved the virus to
> TMP while or before asking what to do with the file. If this behaviour is still
> the same then I think we still have a security problem here. If it is so, is it
> a new bug or is somebody working on that?

That is Bug 69938.
(In reply to comment #23)
> http://bugzilla.mozilla.org/attachment.cgi?id=144854&action=view

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040512

Just clicking on the link above opens the inline attachment message.scr which is marked [Content-Type: image/png; name="message.scr"] and after a while W2K asks me what to do with mail. I am astonished. What is happening here?
(In reply to comment #25)
> That is Bug 69938.

Maybe offtopic, maybe not, but possibly harmful files should not be pre-downloaded to TMP.
Where are we with this patch? It missed 1.7RC2 :-(
Closing bug FIXED, if we find other extensions please open new bugs.
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment on attachment 148138 [details] [diff] [review] Updating executable list a=blizzard for the 1.4 branch
Attachment #148138 - Flags: approval1.4.3+
Whiteboard: fixed-aviary1.0 → [sg:fix]fixed-aviary1.0