Closed Bug 1805986 Opened 3 years ago Closed 7 months ago

Mark-Of-The-Web not applied to attachments saved with drag & drop (Windows)

Categories

(Thunderbird :: OS Integration, defect, P3)

Thunderbird 102
Unspecified
Windows

Tracking

(thunderbird_esr128 wontfix, thunderbird136 wontfix)

RESOLVED FIXED
137 Branch
Tracking Status
thunderbird_esr128 --- wontfix
thunderbird136 --- wontfix

People

(Reporter: pfiatde, Assigned: mkmelin)

References

(Regressed 1 open bug)

Details

(Whiteboard: [security])

Attachments

(4 files)

Attached image MOTW.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

Steps to reproduce:

The MotW for a file is not applied when using the Drag&Drop function of Thunderbird.
I thought this might get fixed by bug 1746139, but the problem persists.

Steps to reproduce:
Generate a file with MotW:
Set-Content -Path '.\WithMotW.txt' -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Send the file per mail and use the "Save As" dialog and another time Drag&Drop.

Actual results:

The Drag&Drop version of the file does not get the MotW applied; the one saved via the dialog does.

Expected results:

Both files should have the MotW applied to prevent malicious files from being executed by users.
If needed some information about MotW can be found here:
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/

I am not sure if this is above the bar to treat this as a security issue, as the impact is not that high.
If not, please feel free to remove the security flag.

OS: Unspecified → Windows
Group: mail-core-security

Thanks Matthias for reporting this!

Tested and confirmed for TB 102.6.1 (64-bit), Win10.

STR (on Windows)

  1. View random message with random attachment filename.ext in message reader (e.g. testcase 1 attached here).
  2. Select attachment > Save as... > filename-save-as.ext.
  3. For comparison: Drag attachment filename.ext to local OS folder.
  4. Right-click on each downloaded file in Windows Explorer > Properties.
  5. Check if the Security section shows the following MotW warning: This file came from another computer and might be blocked to help protect this computer.

Actual

  • attachment downloaded via Save as... has mark of the web (MotW) - OK
  • attachment downloaded via drag and drop does not have MotW - this bug

Expected

  • attachment downloaded via drag and drop should also have MotW
  • iow, adding MotW should not depend on method of downloading.

(In reply to Matthias Zoellner from comment #0)

> Steps to reproduce:
> Generate a file with MotW:
> Set-Content -Path '.\WithMotW.txt' -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

Yes, that's in Windows PowerShell, if you want to create a file with MotW locally. I've tried that and it works. Nice. Fwiw, it's not necessary to generate a file with MotW as an attachment for testing this bug, as the MotW doesn't survive attaching anyway. So any email message with a regular attachment can do - see testcase 1 attached.

> Send the file per mail and use the "Save As" dialogue and another time Drag&Drop.

Even though the security impact of this is arguably pretty limited, as MotW can be worked around by users and attackers, it does add a layer of security which alerts the user that the retrieved attachment is a file from the internet, which may be crucial depending on file type.

Imho, we should try to fix this asap, which may be less hard than it looks with the respective toolkit code identified by Magnus (mkmelin) in comment 2 - thank you!

Severity: -- → S2
Component: Untriaged → OS Integration
Priority: -- → P3
Summary: Mark-Of-The-Web not applied with Drag&Drop (Windows) → Mark-Of-The-Web not applied to attachments saved with drag & drop (Windows)
Whiteboard: [security]
Status: UNCONFIRMED → NEW
Ever confirmed: true
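
The Properties check in step 5 of the STR above can also be done from PowerShell by reading the Zone.Identifier stream directly, which makes it easy to compare many saved attachments at once. This is an added example, not part of the bug report or of Thunderbird's code; Get-MotwStatus and the motw-demo folder are hypothetical names, and the two sample files are constructed to mimic the "Save as..." and drag-and-drop results on an NTFS volume.

```powershell
# Added example: report the Mark-of-the-Web state of saved attachments.
# Get-MotwStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-MotwStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            $file = Get-Item -LiteralPath $p -ErrorAction Stop
            # The MotW is stored in the NTFS alternate data stream "Zone.Identifier".
            $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                               -ErrorAction SilentlyContinue
            $zoneId = $null
            if ($stream) {
                # Stream content is INI-style: [ZoneTransfer] followed by key=value lines.
                foreach ($line in Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier') {
                    if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
                }
            }
            [pscustomobject]@{
                File      = $file.Name
                HasMotW   = [bool]$stream
                ZoneId    = $zoneId
                # Zone 3 = Internet, zone 4 = Restricted sites.
                Untrusted = ($null -ne $zoneId -and $zoneId -ge 3)
            }
        }
    }
}

# Constructed sample files (file names taken from the STR above).
$dir = Join-Path $env:TEMP 'motw-demo'          # hypothetical scratch folder, assumed NTFS
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$saveAs   = Join-Path $dir 'filename-save-as.ext'   # stands in for the "Save as..." copy
$dragDrop = Join-Path $dir 'filename.ext'           # stands in for the drag-and-drop copy
Set-Content -Path $saveAs, $dragDrop -Value 'constructed sample content'

# Mark only the first file, using the command from comment #0.
Set-Content -Path $saveAs -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'

# A file without the stream is the state this bug describes for drag and drop.
Get-MotwStatus -Path $saveAs, $dragDrop | Format-Table -AutoSize
```

To test a real build, pass the paths of the two attachments saved from Thunderbird instead of the constructed files.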
Duplicate of this bug: 1839394
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED

Depends on D235140

Remove the last usage of this. (Message | Attachments | <attachment> | Save as...

Target Milestone: --- → 137 Branch

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/b2c9ee16aabb
Mark-Of-The-Web not applied to attachments saved with drag & drop. r=babolivier
https://hg.mozilla.org/comm-central/rev/f70720b80e28
Remove nsIMessenger.saveAttachment(). r=babolivier

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Regressions: 1958549
Regressions: 1963099