Closed Bug 450271 Opened 17 years ago Closed 14 years ago

User file-extension choice overruled, allowing trojan execution

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: carlp-mozilla, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 (I am filing this as requested by Mozilla staff.) The download File / Save As dialog box disappointed me by naming the executable file incorrectly IMO. In the form I directed that it be named "whatever.exe.off" instead of "whatever.exe" to guard against accidental execution. (In that particular case, I hadn't chosen to download the file- I knew it to be either a virus or trojan payload. But the browser redid the hazardous choice, saving the file as "whatever.exe.off.exe" We must be very careful not to save files as executables when the user doesn't expect it! Dropping executables in the wrong directory can get them to be run automatically, soon or at reboot. Never add a executable suffix without the users' knowledge! I assume the MIME type was used to add the "correct" suffix, contradicting the suffix I chose. Reproducible: Always Steps to Reproduce: 1. Go to http://download.nullsoft.com/winamp/client/winamp5541_full_emusic-7plus_en-us.exe (This is a legitimate executable that demonstrates the problem, but you can also demonstrate it by going to a malware/Trojan laden website.) 2. "You have chosen to open foo.exe-- what should firefox do?" SAVE FILE 3. Enter filename "Foo.off" (since you want to run antivirus on it before there is any chance it will executed by some process on your computer.) EXPECTED. File saved as "foo.off". ACTUAL 4. Observe the file was saved as "Foo.off.exe" Actual Results: 4. Observe the file was saved as "Foo.off.exe" which could be executed, putting my security at risk. (I encountered the problem on a real malware site, but demonstrated it with more reliable legitimate site.) Expected Results: File saved with the name and extension I chose for it. Not an extension that puts my computer at risk for Trojan attack. This was observed in a very actively spreading Trojan attack. We should fix the obvious bugs that help Trojans spread faster.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.