Closed Bug 492456 Opened 16 years ago Closed 16 years ago

Warn about executable files being downloaded and run in Linux

Categories

(Toolkit :: Safe Browsing, defect)

Product:
Toolkit
Component:
Safe Browsing
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 477532

People

(Reporter: scott, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10 From Launchpad: https://bugs.edge.launchpad.net/ubuntu/+source/wine/+bug/213868 "Once, I accidentally ran an .exe file in Mozilla Firefox when I was browsing porno, I thought it was a video clip." The user opened the .exe with Wine. It would be nice if Linux builds of Firefox had some of the same executable file detection and warning that Windows builds do, especially when handlers for those executables (in this case Wine) are installed. Other possibilities include Java for .jar files. Reproducible: Always Steps to Reproduce: 1. Download .exe file 2. Observe open with dialog (or double click on download manager) 3. Run program easily Actual Results: Very easy running of the possibly malicious file. Expected Results: The same thing that happens on Windows - a warning that I should only run executable files from sites I trust, for instance. There is a similar warning here: https://bugs.edge.launchpad.net/ubuntu/+source/wine/+bug/355005: "While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean): 1) The Dialog box marks "Open with wine" as default, 2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time. 3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account. All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch."
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.