Closed Bug 271277 Opened 20 years ago Closed 20 years ago

Firefox 1.0 loads infected exe file to harddisc

Categories

(Toolkit :: Downloads API, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED INVALID

People

(Reporter: a.schilder, Assigned: bugs)

Details

(Whiteboard: INVALID [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0

When loading the page (beware of doing this)

http://advanced.crack-cd.com/Advanced_Archive_Password_Recovery_v2.20..html

Firefox directly loads an exe file to the hard disk, infected with the trojan
"TR/Dldr.INService.I". I'm using Windows XP SP2 with the newest updates.

Reproducible: Always
Steps to Reproduce:
1. install av
2. load url
3. look on your harddisc
Actual Results:  
I got a message from my av program. I checked it and the infected file was
really there, without doing anything except loading the url.

Expected Results:  
Do NOT load and save the exe-file.
Whiteboard: INVALID [sg:nse]
Group: security
Firefox doesn't automatically save any EXEs to disk for me.  I do get prompted
to download an EXE, but I'd have to click the "ok" button to actually save it. 
This is the expected behavior.  The server suggested that the browser prompt the
user to download an executable, and Firefox does exactly that.  It was your
choice to download the malicious program.

There is another situation I've come across that sets off my anti-virus
software: javascript / iframe exploits in web pages.  When I visit a page
containing one, the browser saves it into the cache.  At this point, trojans
still can't run... however, anti-virus applications will warn you that the
mozilla cache file contains a virus/trojan and Norton quarantines the cache
file.  Again, this is expected behavior.

Achim: did the EXE actually get downloaded without any interaction on your part,
or did you click OK / press enter?  Was the trojan in your mozilla cache, or
actually a separate EXE file?
(In reply to comment #1)
> Firefox doesn't automatically save any EXEs to disk for me.

Oh, it does save them to the temporary folder, with a random name... but it
still ends in EXE, so I could potentially run it accidentally.

There are two exe files - one saved in the current user's temporary folder
(mozilla cache folder?) and another one offered for download. There was no
interaction from me.

As you added it's still an exe file and could be run. That's not the behaviour I
expect, imho it's a potential security risk.
Assignee: bugs → bryner
Component: Web Site → Build Config
QA Contact: asa
Assignee: bryner → bugs
Component: Build Config → Download Manager
QA Contact: asa → bmo
Given that various people in the security group have already looked at this and
decided that it wasn't a security bug (and has a big INVALID in the status wb),
I'm going to go ahead and invalidate this for the following reasons:

a) Said infected file will not be downloaded to user visible location
b) Is saved only in cache, which clears out after some time
c) If you download untrusted exes from random websites and then manage to browse
to your cache to run it, you have no one but yourself to blame
d) Firefox is not a virus scanner
e) Firefox makes a reasonable attempt to protect you from this by *never*
allowing executables to automatically run in its clean install state.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
(In reply to comment #4)

I think you are right, usually it would not be a problem, but the invisibly
downloaded file could be run by another program:

a) First you download a harmless freeware tool
b) Then you visit a website and your browser downloads the infected 
   file to the cache
c) At last you run your tool, which checks your temp folder 
   and runs the exe file... good bye.

I think this should be handled as a bug.

Why should an application run a random .exe file (the filename is random) in your
temp folder?
It could also be that this freeware application contains a backdoor/virus/worm
that is run after you run it.

I know that it looks dangerous if you have a Worm on your HDD but it isn't
dangerous if you think about it.

There is also this case:
You go to a website and you get a save as dialog for an .exe file.
Mozilla already downloads the file in the background while the save as dialog is
open. If this file is small and you have a fast connection, the file is already
in your Mozilla cache Folder before you can select cancel.
That is the same thing but it's not dangerous because such files are never
executed and they will be deleted by Mozilla.

BTW: If you select a location instead of pressing cancel, it will be moved to
the selected location. This is the reason why you get a wrong speed calculation
in the download dialog in the first few seconds of a download (too high because
of the predownload)
(In reply to comment #6)
> I know that it looks dangerous if you have a Worm on your HDD but it isn't
> dangerous if you think about it.

It is if I'm not careful, or decide to run it to see what it is.  It really
shouldn't have a .exe extension.
Product: Firefox → Toolkit
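
The thread turns on whether a pre-downloaded file sitting in the temp/cache folder is still directly launchable because it keeps its `.exe` name. The following audit is an added example, not part of the bug report or of Firefox: it walks a directory, identifies real PE executables by header rather than by name, and marks which of them carry a launchable extension. The extension list, file names and stub bytes are constructed for illustration.

```python
import os
import struct
import tempfile

# Extensions the Windows shell launches on double-click (assumed short list).
LAUNCHABLE = {".exe", ".scr", ".com", ".pif"}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def audit_temp(root):
    """Return {relative path: launchable?} for every PE file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_pe(full):
                    ext = os.path.splitext(name)[1].lower()
                    findings[os.path.relpath(full, root)] = ext in LAUNCHABLE
            except OSError:
                continue  # locked or vanished file, e.g. a download in progress
    return findings

def _fake_pe():
    # Constructed minimal stub: MZ header, e_lfanew = 0x40, then PE signature.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

def demo():
    with tempfile.TemporaryDirectory() as root:
        samples = {"a1b2c3d4.exe": _fake_pe(),   # pre-download kept with .exe
                   "e5f6a7b8.part": _fake_pe(),  # same bytes, inert extension
                   "notes.exe": b"plain text",   # .exe name, not a PE
                   "page.html": b"<html></html>"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return audit_temp(root)

if __name__ == "__main__":
    for path, launchable in sorted(demo().items()):
        print(("LAUNCHABLE " if launchable else "inert      ") + path)
```

Both stub files are identical PE content; only the one named `.exe` is reported as launchable, which is the distinction the last comment draws.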