Closed Bug 239160 Opened 20 years ago Closed 20 years ago

Under windows there are file extensions to be regarded as dangerous windows executables.

Categories

(Core :: XPCOM, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: mmalarm2000-bugzilla, Assigned: dougt)

Details

(Keywords: fixed1.4.3, fixed1.7, Whiteboard: [sg:fix]fixed-aviary1.0)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316

boris zbarsky 2004-03-29 12:52 pst wrote in
http://bugzilla.mozilla.org/show_bug.cgi?id=191460#c38
> file a separate bug on extending this list, please.

Please see http://bugzilla.mozilla.org/show_bug.cgi?id=191460#c33 -> d)
extension list

Under windows there are file extensions to be regarded as dangerous windows
executables. In mailnews it should be taken special care of these attachments.

There are not enough extensions, which are regarded as dangerous windows
executables.
(nsLocalFile::IsExecutable)
http://bugzilla.mozilla.org/attachment.cgi?id=145018&action=view

This bug relates to http://bugzilla.mozilla.org/show_bug.cgi?id=191460#18 and
the following comments.

More competent people than I am should review this bug :-)

Reproducible: Always
Steps to Reproduce:

Actual Results:  
At the moment
.pif,.cmd,.js,.vbs,.lnk,.reg,.wsf,.hta,.scr
are regarded as executables.

Expected Results:  
I recommend to check the following executables:

??_ {?? 001 002 386 3GR ACM ADT
AP? ASD ASP AX? BAT BIN BO? CC? CDR CHM CLA CMD CNV CO? CP? CSC D?B DAT DEV DIF
DL? DO? DRV EE? EML EX? FMT FO? GMS GZ? HDI HLP HT? IM? IN? JS? LIB MB? MD? MHT
MOD MPD MPP MPT MRC MS? NWS OB? OC? OL? OLE OTM OV?
 PCI PD? PHP PIF PLG POT PP? PRC QLB QPW QTC REG RTF SCR SH? SIS SMM SYS TD0 TGZ
TLB TSP VB? VS? VWP VXD WBK WIZ WP? WRI WS? X32 XL? XML XSL XTP XX? ZL?
> EML XML XSL 

why??

> TGZ

??

(in the future, please give links to other bugs in the form "bug 191460 comment
38" or "bug 191460")
To xpcom and ccing security people and the like.  This is not a mailnews issue.

Note that the list of extensions Mozilla considers executable also includes
"exe", "bat", and "com".

Also note that that list at the end of comment 0 comes from a virus checker and
is far too restrictive for our purposes (eg .mht, .tgz, .doc, etc would all
match it).
Assignee: sspitzer → dougt
Status: UNCONFIRMED → NEW
Component: Attachments → XPCOM
Ever confirmed: true
Product: MailNews → Browser
Summary: (MailNews) Under windows there are file extensions to be regarded as dangerous windows executables. In MailNews it should be taken special care of these attachments. → Under windows there are file extensions to be regarded as dangerous windows executables.
OK guys, thanks a lot for bringing this bug and bug 191460 on the right way.

As Boris pointed out the extension list is coming from a virus checker but these
guys also know what they do so I didn't want to shorten the list. And I don't
know all extensions - it's an impressive list anyway.

I don't know the discussions behind the decisions what Mozilla regards as an
executable. But maybe most of these extensions should be handled with care. The
present wave of virusmail and wormmails combined with spam tactics really needs
attention.

That said I'll go back to my user life and think about bug 191460 comment 33 b)
"mime type */*" c) "GUI for dangerous extensions" and e) "show attachments in
mail and list" and when to do the RFEs.

Thanks for your engagement!

Markus
drivers (386, sys, vxd, drv, ...) aren't executable and shouldn't be black listed.
same for overlays (ov?, ...) 

the list is still missing .pl(s)

it's blacklisting powerpoint, wordprocessor (rtf, wp?), and help (chm, hlp)
files, i'm not sure what people will say to that (i'm in favor, the rest of the
world should be opposed)

please do me a favor and find all the bugs where i've provided lists? i have
better things to do with my time than read someone else's bogus list.
(In reply to comment #4)
> please do me a favor and find all the bugs where i've provided lists?
bug 158623 comment 9

Yeah, the reporter's list is unusable (the list is about extensions of
infectable file types). But I wonder why no-one looks at %PATHEXT% on NT-based
Windows. On my box this is 
PATHEXT =.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH.
So if I look at
http://lxr.mozilla.org/seamonkey/source/xpcom/io/nsLocalFileWin.cpp#1857
I see the following missing extensions:

.VBE, .JSE   VBScript Encoded Script/JScript Encoded Script
.WSH         Windows Scripting Host (Settings)

more executable extensions from Windows scripting

.WSC, .SCT   Windows Scripting Component, Scriptlet
.VB          same as .vbs
.PLS         PerlScript with WSH (rarely)
.PL          Perl script (rarely)
.SCF         Windows Explorer Command
http://computercops.biz/article1021.html

And very important (these extensions are used by ITW viruses): Scrap Files

.SHS         Shell Scrap Object
.SHB         Windows shortcut/DocShortcut
http://www.pc-help.org/security/scrap.htm
http://support.microsoft.com/support/kb/articles/Q138/2/75.asp

Even if you have "show always file extension on" in Windows you don't see per
default the extension for Scrap files, .LNK, .PIF in Windows Explorer.

thanks, i think i've mentioned the types you listed in some other bug as well as
pathext - bug 209392 comment 1

the one problem with pathext, is that at least on my boxes pathext only mentions
.pl in cmd sessions (because i have some stuff which i import into my
environment after cmd starts), so while a mozilla lucky enough to be started
from cmd would find out that perl is dangerous, that same mozilla started from
explorer would almost certainly miss out.

a note to self: bat files and similar critters have editing and printing verbs,
so you can't use them.

perhaps we could use ObjType\EditFlags.  (Not to be confused w/
ObjType\Command\Verb\EditFlags)

evil stuff here tends to be marked
0x 3? ?? ?? ??
documents tend to be marked
0x ?? ?? 01 ?? / 0x??01????
for better or for worse, that includes windows installer packages/patches
fwiw pif/dll/drv/vxd/lnk's are (as are precompiled setup information critters - pnf)
0x 01 ?? ?? ??/ 0x??????01
reg is
0x ?? 10 ?? ??
Anyway, i scanned through my laptop and desktop and this approach seemed
reasonable. - I had MSOffice2000 or so here at sometime.

I think for the time being, i'd refuse to launch anything which isn't marked as
a document (scf files aren't marked)

note that powerpoint and excel objects seem to be marked as 0x00000000. as i've
stated earlier, i don't mind refusing to run them, they're fairly good carriers
for infection.

unfortunately, icalendar is 0x00000000.

There's also a NoOpen flag which we should probably honor.

hrm, bug 52454 was supposed to use editflags. and did for a single version
(1.21), bug 82584 undid that work. *sigh*

FTA_OpenIsSafe (0x00010000)
    Indicates that the file class's open verb can be safely invoked for
downloaded files. 

FTA_AlwaysUnsafe (0x00020000)
    Prevents the "Never ask me" check box from being enabled. The user can
override this attribute through the File Type dialog box.

The installer or first run code could /try/ to offer to wallpaper over the
problem described in bug 82584 ("It seems your computer has or had an insecure
version of msoffice, in order to try to protect you from some viruses, we'd like
to tighten some security settings. [Tighten] [Keep Risky Settings]")
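As an added example (not Mozilla's code, and not a dump of any real registry), here is the EditFlags launch policy the comment above sketches, evaluated over a constructed extension -> ProgID -> EditFlags snapshot. The FTA_OpenIsSafe and FTA_AlwaysUnsafe values are the ones quoted above; the ProgID names, the other flag bits and the NoOpen entries are assumptions chosen to follow the patterns the comment reports (documents carry the 0x??01???? bit, executables and shortcuts do not, scf is unmarked).

```cpp
// Added example (not Mozilla's code): the EditFlags-based launch policy
// sketched in the comment above, evaluated against a small constructed
// snapshot of the HKEY_CLASSES_ROOT layout (extension -> ProgID -> EditFlags).
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <map>
#include <string>

// EditFlags bit values for the two attributes quoted in the comment
// (FILETYPEATTRIBUTEFLAGS in the Windows SDK).
constexpr std::uint32_t FTA_OpenIsSafe   = 0x00010000;
constexpr std::uint32_t FTA_AlwaysUnsafe = 0x00020000;

struct ProgIdInfo {
    std::uint32_t editFlags;  // EditFlags REG_DWORD, 0 when the value is absent
    bool hasNoOpen;           // a "NoOpen" value exists under the ProgID
};

// Constructed registry snapshot: ProgID names and flag values are illustrative,
// chosen to follow the patterns the comment reports (documents 0x??01????,
// executables/shortcuts without that bit, scf unmarked), not a real machine.
static const std::map<std::string, std::string> kExtToProgId = {
    {"txt", "txtfile"},   {"doc", "Word.Document.8"}, {"htm", "htmlfile"},
    {"exe", "exefile"},   {"lnk", "lnkfile"},         {"scf", "SHCmdFile"},
    {"ppt", "PowerPoint.Show.8"}, {"ics", "icsfile"}, {"sys", "sysfile"}};

static const std::map<std::string, ProgIdInfo> kProgIds = {
    {"txtfile",           {0x00010000, false}},
    {"Word.Document.8",   {0x00010000, false}},
    {"htmlfile",          {0x00030000, false}},  // constructed: safe open verb, but never "don't ask again"
    {"exefile",           {0x00000038, false}},
    {"lnkfile",           {0x00000001, false}},
    {"SHCmdFile",         {0x00000000, false}},
    {"PowerPoint.Show.8", {0x00000000, false}},
    {"icsfile",           {0x00000000, false}},
    {"sysfile",           {0x00000000, true}}};

enum class Launch { Allow, AlwaysAsk, Refuse };

// Policy from the comment: honour NoOpen; refuse anything whose open verb is
// not flagged safe (this also refuses unregistered classes and classes with no
// EditFlags at all, which is where scf, ppt and icalendar end up); allow the
// rest, but keep asking when FTA_AlwaysUnsafe is set.
Launch DecideLaunch(const std::string& ext) {
    auto e = kExtToProgId.find(ext);
    if (e == kExtToProgId.end()) return Launch::Refuse;
    auto p = kProgIds.find(e->second);
    if (p == kProgIds.end()) return Launch::Refuse;
    const ProgIdInfo& info = p->second;
    if (info.hasNoOpen) return Launch::Refuse;
    if (!(info.editFlags & FTA_OpenIsSafe)) return Launch::Refuse;
    if (info.editFlags & FTA_AlwaysUnsafe) return Launch::AlwaysAsk;
    return Launch::Allow;
}

const char* LaunchName(Launch d) {
    switch (d) {
        case Launch::Allow:     return "allow (may offer 'never ask again')";
        case Launch::AlwaysAsk: return "allow, always ask";
        default:                return "refuse";
    }
}

int main() {
    for (const char* ext : {"txt", "doc", "htm", "exe", "lnk", "scf", "ppt", "ics", "sys", "xyz"})
        std::cout << "." << ext << ": " << LaunchName(DecideLaunch(ext)) << "\n";
    return 0;
}
```

The ordering of the checks is the point: a class that lacks FTA_OpenIsSafe is refused before FTA_AlwaysUnsafe is even consulted, so a missing or zero EditFlags value (the icalendar and PowerPoint cases the comment mentions) fails closed rather than open.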
Okay, let's go through the list...

XLS DOC DOT PPT PPS -> Everything linked to Open Office on my system so why
dangerous?

XML HTM -> Linked to Mozilla

On the other side: Why don't you include "LNK"? It's not impossible to create a
LNK to C:\windows\system32\cmd.exe /c ftp ..... & start ....
and very many systems are installed on "C:\windows"!

What I want to say with that is that it depends on the system which file is
dangerous. Each file can be dangerous if it's opened with the wrong helper
application. Unfortunately all Microsoft-Systems are dangerous by default. Very
many users use "Word" to open DOC and "Excel" to open XLS. They also use
"Windows Media Player" to play WAV MID MP3 ASF so why don't block these, too?

The feature which opens with the system default uses the settings of Windows (!)
These are changed very often. Many applications link with files without the
knowledge of the user! The user chooses to open $FILE with $APPLICATION and chooses
that mozilla shouldn't ask again. Some days later $APPLICATION2 registers for
this file type. Now this application is also used automatically for all $FILEs
the user clicks in Mozilla!

That it's dangerous to use the Windows internal list can be seen that there were
several security related bugs depending on this feature and I'm sure we get more
of that. The goal of mozilla is that its security is on every system the same.
This windows-only feature makes it a bit less secure on windows. Do you really
think this feature can be made secure or would it be better to remove it completely?
Microsoft has a list of file extensions they consider dangerous.  This is the
list IE uses, and probably in this case it's The Right Thing to copy Microsoft,
or at least have our list be a superset of theirs.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369

The extensions on their list that aren't in bug 191460 comment 33 are:

    .bas .isp .lnk .pcd .url .ad .crt .sct

Another MS page recommends blocking any filename with a squiggly-bracket in it
and if the filename ends with a dot, looking for an extension before the dot:

   
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse12.mspx
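As an added example (not Mozilla's code, and not the patch attached to this bug), here is a C++ extension check that combines the points raised so far in this bug: a deny list built from extension names mentioned in the comments, a PATHEXT value merged in as a second source (the point raised in comment 5), and the trailing-dot and curly-bracket filename cases from the Microsoft page above normalised away before the extension is read. The deny-list contents, the sample file names, the placeholder GUID and the PATHEXT string are all constructed for illustration; the page does not state which exact list any release shipped.

```cpp
// Added example (not Mozilla's code): a defender-side check for "is this
// attachment a dangerous Windows executable?" built from extension names
// discussed in this bug, with the two filename tricks the Microsoft guidance
// warns about (trailing dots and a trailing "{...}" segment) normalised away,
// and with a PATHEXT value merged in as a second source of extensions.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Constructed deny list: extensions named somewhere in this bug (the original
// IsExecutable list, the PATHEXT/WSH additions, scrap files, Windows Installer
// and the KB 291369 additions quoted in comment 8). It is an illustration, not
// the exact list any Mozilla release shipped.
static const std::set<std::string> kDangerous = {
    "exe", "com", "bat", "pif", "cmd", "js",  "vbs", "lnk", "reg", "wsf",
    "hta", "scr", "vbe", "jse", "wsh", "wsc", "sct", "vb",  "scf", "shs",
    "shb", "msi", "msp", "bas", "isp", "pcd", "url", "crt"};

static std::string ToLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return s;
}

// Parse a PATHEXT-style value (".COM;.EXE;.BAT") into lower-case extensions
// without the leading dot; entries that do not start with a dot are ignored.
std::set<std::string> ParsePathExt(const std::string& pathext) {
    std::set<std::string> out;
    std::string cur;
    for (char c : pathext + ";") {   // the appended ';' flushes the last entry
        if (c != ';') { cur += c; continue; }
        if (cur.size() > 1 && cur[0] == '.') out.insert(ToLower(cur.substr(1)));
        cur.clear();
    }
    return out;
}

// Reduce a file name to the extension Windows will effectively act on:
//  * trailing dots and spaces are dropped by the file system, so strip them;
//  * a trailing "{GUID}" segment is hidden by Explorer, so drop it and look at
//    the extension that precedes it (the case the MS guidance describes);
//  * directory separators bound the search, so "dir.d\file" has no extension.
std::string EffectiveExtension(std::string name) {
    for (;;) {
        while (!name.empty() && (name.back() == '.' || name.back() == ' '))
            name.pop_back();
        if (name.empty() || name.back() != '}') break;
        std::size_t open = name.rfind('{');
        if (open == std::string::npos) break;
        name.erase(open);          // drop "{...}" and re-check for dots before it
    }
    std::size_t dot = name.rfind('.');
    std::size_t sep = name.find_last_of("\\/");
    if (dot == std::string::npos || (sep != std::string::npos && dot < sep))
        return "";
    return ToLower(name.substr(dot + 1));
}

// True when the name resolves to an extension on the deny list or in `extra`
// (for example the machine's own PATHEXT, which comment 5 notes may differ
// between a Mozilla started from cmd and one started from Explorer).
bool IsDangerousAttachment(const std::string& name,
                           const std::set<std::string>& extra = {}) {
    std::string ext = EffectiveExtension(name);
    return !ext.empty() && (kDangerous.count(ext) > 0 || extra.count(ext) > 0);
}

int main() {
    // Constructed sample names; the GUID is a placeholder, not a real CLSID.
    const char* samples[] = {"setup.exe", "Setup.EXE.", "readme.txt",
                             "readme.exe.{00000000-0000-0000-0000-000000000000}",
                             "archive.tgz", "script.pl"};
    std::set<std::string> pathext = ParsePathExt(".COM;.EXE;.BAT;.CMD;.PL");
    for (const char* s : samples)
        std::cout << s << " -> "
                  << (IsDangerousAttachment(s, pathext) ? "block" : "allow") << "\n";
    return 0;
}
```

Note that "script.pl" is blocked only because the constructed PATHEXT names .PL; with the deny list alone it passes, which is exactly the gap comment 5 describes.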
Who is going to decide now which extensions are added to the extended dangerous
extension list?
Remember?: http://bugzilla.mozilla.org/attachment.cgi?id=145018&action=view

Markus
is a list update 1.7 material?
Group: security
Flags: blocking1.7?
Group: security
Until now only .scr is added to the source code.
MSI (Windows Installer) should be added to the dangerous list.
Flags: blocking1.7? → blocking1.7+
msi comes in an assortment of extensions
msi (windows installer package)
msp (windows installer patch)

...
FYI: another overview for potential harmful extensions can be found on
http://www.icdatamaster.com/harmful.html
Time is short for 1.7 and so we can't spend forever trying to get every possible
extension on the list. A first step would be a patch adding those extensions in
comment 8 (and possibly comment 14) to the list. Then this would need to land on
the trunk to get some exposure. Who can help us with a patch here?
I have updated the list of extensions which are considered executable to match
that of what Microsoft does for IE.  (see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369)
Attachment #148138 - Flags: superreview?(dveditz)
Attachment #148138 - Flags: review?(darin)
Attachment #148138 - Flags: approval1.7?
Comment on attachment 148138 [details] [diff] [review]
Updating executable list

chofmann asked me to look at this cuz time is short - sr=bienvenu, if you need
it...
Comment on attachment 148138 [details] [diff] [review]
Updating executable list

r=darin
Attachment #148138 - Flags: review?(darin) → review+
Comment on attachment 148138 [details] [diff] [review]
Updating executable list

sr=dveditz
a=dveditz for 1.7
Attachment #148138 - Flags: superreview?(dveditz)
Attachment #148138 - Flags: superreview+
Attachment #148138 - Flags: approval1.7?
Attachment #148138 - Flags: approval1.7+
checked in on branch:

Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v  <--  nsLocalFileWin.cpp
new revision: 1.115.2.1; previous revision: 1.115
done


checked in on trunk:

Checking in io/nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v  <--  nsLocalFileWin.cpp
new revision: 1.119; previous revision: 1.118
done

Do we have agreement that we can close this bug, or are there other precautions
we can take?
(In reply to comment #8)
>     http://support.microsoft.com/default.aspx?scid=kb;EN-US;291369
[...]
> Another MS page recommends blocking any filename with a squiggly-bracket in it
> and if the filename ends with a dot, looking for an extension before the dot:
>
> http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse12.mspx

I am curious why the MS office document extensions which might contain macros
aren't in the MS list. Only marketing? Is Visio more dangerous than doc files?
IMHO the MS office document extensions should be in the Mozilla patch.
> IMHO the MS office document extensions should be in the Mozilla patch.

That would break one of the most common document formats people launch from web
browsers (probably right behind PDF).
(In reply to comment #20)
 
> Do we have agreement that we can close this bug, or are there other precautions
> we can take?

Please check with Builds later than 2004-05-10 20:37 PDT against the link in
http://bugzilla.mozilla.org/attachment.cgi?id=144854&action=view
(attachment from bug 191460) I will start downloading soon :-)
No real virus at hand right now, but I remember that Mozilla saved the virus to
TMP while or before asking what to do with the file. If this behaviour is still
the same then I think we still have a security problem here. If it is so, is it
a new bug or is somebody working on that?
(In reply to comment #24)
> No real virus at hand right now, but I remember that Mozilla saved the virus to
> TMP while or before asking what to do with the file. If this behaviour is still
> the same then I think we still have a security problem here. If it is so, is it
> a new bug or is somebody working on that?

That is Bug 69938.
(In reply to comment #23)
> http://bugzilla.mozilla.org/attachment.cgi?id=144854&action=view
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040512
Just clicking on the link above opens the inline attachment message.scr which is
marked [Content-Type: image/png; name="message.scr"] and after a while W2K asks
me what to do with mail. I am astonished. What is happening here?
(In reply to comment #25)
> That is Bug 69938.
Maybe offtopic, maybe not, but possible harmful files should not be
pre-downloaded to TMP.
Where are we with this patch? It missed 1.7RC2 :-(
Closing bug FIXED, if we find other extensions please open new bugs.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Whiteboard: fixed-aviary1.0
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment on attachment 148138 [details] [diff] [review]
Updating executable list

a=blizzard for the 1.4 branch
Attachment #148138 - Flags: approval1.4.3+
Whiteboard: fixed-aviary1.0 → [sg:fix]fixed-aviary1.0
