.appref-ms file extension = Executable file may contain viruses or other malicious code
Categories: Firefox :: File Handling, defect
People: Reporter: Puf, Assigned: mak
Details: Keywords: reporter-external, sec-moderate; Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main116+] [adv-ESR115.1+] [adv-ESR102.14+]
Attachments (6 files, 2 obsolete files):
- 170.57 KB, video/mp4
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (diannaS: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-esr115+)
- 48 bytes, text/x-phabricator-request (diannaS: approval-mozilla-esr102+)
- 167 bytes, text/plain
Firefox Version: [115.0] + [116.0a1]
Operating System: [Windows 10]
.appref-ms = ClickOnce application reference. Basically a .lnk for ClickOnce apps.
An appref-ms file can be created that will act similar to an LNK or shortcut file that will contain the URL of the deployment manifest and some other pieces of information.
Chrome Browser & Microsoft Edge:
    file_types {
      # ClickOnce application reference. Basically a .lnk for ClickOnce apps.
      extension: "appref-ms"
      uma_value: 144
      ping_setting: FULL_PING
      platform_settings {
        platform: PLATFORM_TYPE_WINDOWS
        danger_level: ALLOW_ON_USER_GESTURE
        auto_open_hint: DISALLOW_AUTO_OPEN
      }
    }
This file is already blocklisted in Chrome & Edge browsers.
It's better to add a popup warning [Executable files may contain viruses or other malicious code that could harm your computer] to .appref-ms files to keep the system safe from malicious files/code.
Comment 1 (Reporter) • 1 year ago
Comment 2 (Reporter) • 1 year ago
Steps to reproduce:
- Create a .appref-ms file.
- Download it using the Firefox browser.
- Open the file [No Warning].
Comment 3 • 1 year ago
I haven't tested this myself, but I do see ".appref-ms" in ApplicationReputationService::kBinaryFileExtensions. I'm not sure if that's supposed to be sufficient or what.
Comment 4 • 1 year ago
(It looks like that got added in bug 1291472.)
Comment 5 (Reporter) • 1 year ago
(In reply to Andrew McCreight [:mccr8] from comment #3)
> I haven't tested this myself, but I do see ".appref-ms" in ApplicationReputationService::kBinaryFileExtensions. I'm not sure if that's supposed to be sufficient or what.
But there is no popup warning [Executable files may contain viruses or other malicious code that could harm your computer] for this file ".appref-ms". I have attached a POC video, please check it out once.
Comment 6 (Reporter) • 1 year ago
I have done testing in both the latest Beta version & Nightly (64-bit).
There is [No Warning].
https://youtu.be/4FtVwiuBtx4 = Video: Black Hat explanation of ClickOnce appref-ms abuse
Comment 7 • 1 year ago
> (It looks like that got added in bug 1291472.)
That was for SafeBrowsing "application reputation" checking, but that doesn't necessarily block all files with that extension. It would only block "known bad ones" which isn't going to happen for a one-off attack.
It needs to be added to the executable list in nsLocalFileCommon.cpp
How hard would it be to set up some kind of auto-update or at least alerting for when Chrome updates their list?
Comment 8 (Assignee) • 1 year ago
Chrome has marked a lot of files as DISALLOW_AUTO_OPEN that we don't consider executable. But yes, it's a good idea to have a notification, we should speak with Marco Castelluccio and see if some automated tool could be set up. For now we can use third-party tools to monitor their source page.
This addition was made quite in the past anyway (2016), I'm not sure why at the time it was only added to apprep.
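Comments 7 and 8 raise the idea of watching Chrome's file-type list for entries the local executable list lacks. The following is an added example, not part of the bug thread and not Firefox or Chrome code: it parses the text format quoted in the description and lists extensions marked DISALLOW_AUTO_OPEN that are missing from a local list. The sample entries, the local list `{"exe", "lnk"}` and the function names are constructed for the illustration.

```python
import re

# Constructed sample in the text format quoted in the report (values invented).
ENTRY = '''file_types {
  extension: "%s"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    auto_open_hint: %s
  }
}
'''
SAMPLE = "".join(ENTRY % e for e in [("appref-ms", "DISALLOW_AUTO_OPEN"),
    ("exe", "DISALLOW_AUTO_OPEN"), ("txt", "ALLOW_AUTO_OPEN")])

def parse_file_types(text):
    """Map each extension to its list of platform_settings dicts."""
    entries, ext, settings, cur, depth = {}, None, [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r'(\w+):\s*"?([^"]*)"?$', line)
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                ext, settings = None, []
            elif line.startswith("platform_settings"):
                cur = {}
        elif line == "}":
            if cur is not None:  # closing a platform_settings block
                settings.append(cur)
                cur = None
            elif depth == 1 and ext:  # closing a file_types block
                entries[ext.lower()] = settings
            depth -= 1
        elif m and depth == 1 and m.group(1) == "extension":
            ext = m.group(2)
        elif m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return entries

def review_candidates(entries, local_executables, platform="PLATFORM_TYPE_WINDOWS"):
    """Extensions marked DISALLOW_AUTO_OPEN on `platform` that the local list lacks."""
    # Assumption: a platform_settings block without "platform" applies everywhere.
    hits = {ext for ext, settings in entries.items() for s in settings
            if s.get("platform", platform) == platform
            and s.get("auto_open_hint") == "DISALLOW_AUTO_OPEN"}
    return sorted(hits - set(local_executables))

if __name__ == "__main__":  # {"exe", "lnk"} is a constructed stand-in local list
    print(review_candidates(parse_file_types(SAMPLE), {"exe", "lnk"}))
```

As comment 8 notes, not every DISALLOW_AUTO_OPEN entry is something Firefox treats as executable, so the output is a list for human review rather than an automatic addition.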
Comment 9 (Assignee) • 1 year ago
Comment 10 • 1 year ago
Pushed by mak77@bonardo.net: https://hg.mozilla.org/integration/autoland/rev/3a49d8ea5a2f r=mtigley,Gijs
Comment 11 (Assignee) • 1 year ago
Original Revision: https://phabricator.services.mozilla.com/D182711
Comment 12 (Assignee) • 1 year ago
Original Revision: https://phabricator.services.mozilla.com/D182711
Comment 13 (Assignee) • 1 year ago
Comment on attachment 9342694
Bug 1840777.
Beta/Release Uplift Approval Request
- User impact if declined: sec-moderate
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): just adding an extension to a list
- String changes made/needed:
- Is Android affected?: Yes
Comment 14 (Assignee) • 1 year ago
Comment 15 (Assignee) • 1 year ago
Apart from ESR115 (looks like lando is broken yet, so waiting), Is it worth uplifting to ESR102?
Comment 16 • 1 year ago
Comment 17 • 1 year ago
Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit, the '".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"?' prompt is displayed when clicking on the downloaded file.
Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.
Comment on attachment 9342694
Bug 1840777.
Approved for 116.0b4
Comment 19 (uplift) • 1 year ago
https://hg.mozilla.org/releases/mozilla-beta/rev/e31ceee72448
Comment 20 • 1 year ago
(In reply to Bogdan Maris, Desktop QA from comment #17)
> Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit, the '".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"?' prompt is displayed when clicking on the downloaded file.
> Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.
Also verified as fixed using beta build https://treeherder.mozilla.org/jobs?repo=mozilla-beta&revision=1dcdc0d37b33c854558ec0ef2561545b2254d192 which contains this fix.
Comment 21 (Assignee) • 1 year ago
Original Revision: https://phabricator.services.mozilla.com/D182711
Comment 22 • 1 year ago
Uplift Approval Request
- Steps to reproduce for manual QE testing: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
- Explanation of risk level: just adding an extension to a list
- Code covered by automated testing: yes
- Needs manual QE test: yes
- Is Android affected?: yes
- User impact if declined: sec-moderate
- Risk associated with taking this patch: low
- String changes made/needed: none
- Fix verified in Nightly: yes
Comment 23 • 1 year ago
A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)
Comment 24 (uplift) • 1 year ago
https://hg.mozilla.org/releases/mozilla-esr115/rev/6d84a1a2d030
Comment 25 • 1 year ago
(In reply to Marco Bonardo [:mak] from comment #15)
> Apart from ESR115 (looks like lando is broken yet, so waiting), Is it worth uplifting to ESR102?
Yes, we should. ESR-102 is supported for another 3 months and this sec-moderate fix is essentially riskless.
Comment 26 • 1 year ago
(In reply to Bogdan Maris, Desktop QA from comment #20)
> (In reply to Bogdan Maris, Desktop QA from comment #17)
> > Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit, the '".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"?' prompt is displayed when clicking on the downloaded file.
> > Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.
> Also verified as fixed using beta build https://treeherder.mozilla.org/jobs?repo=mozilla-beta&revision=1dcdc0d37b33c854558ec0ef2561545b2254d192 which contains this fix.
Also verified as fixed using 115esr build https://treeherder.mozilla.org/jobs?repo=mozilla-esr115&revision=6d84a1a2d030251a166f188a6bae95bb83fcd213 which contains this fix.
Comment 27 (Assignee) • 1 year ago
Comment 28 • 1 year ago
Uplift Approval Request
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Risk associated with taking this patch: low
- Is Android affected?: yes
- Explanation of risk level: just adding an extension to a list
- String changes made/needed: none
- Needs manual QE test: yes
- User impact if declined: sec-moderate
- Steps to reproduce for manual QE testing: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
Comment on attachment 9343449
Bug 1840777
Approved for 102.14esr
Comment 30 (uplift) • 1 year ago
https://hg.mozilla.org/releases/mozilla-esr102/rev/ff58df5cb718
Comment 31 • 1 year ago
Also verified that this is fixed on esr102 https://treeherder.mozilla.org/jobs?repo=mozilla-esr102&revision=ff58df5cb71869d915e8db5b18615aa05a8e8344
Comment 32 • 1 year ago