Closed Bug 82584 Opened 24 years ago Closed 24 years ago

Security problem: Opening *.doc files instead of file save with no warning or dialog with default MSWindows+MSOffice settings

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Platform:
x86
Windows ME
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.2

People

(Reporter: piskozub, Assigned: law)

References

Details

(Whiteboard: fix in hand)

Attachments

(1 file)

Patch to remove code that unchecks "always ask me" based on Win32 registry setting.
1.51 KB, patch
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.9+) Gecko/20010524 BuildID: 20010514 In recent Win32 Mozilla builds the default action when cliking a file link is not saving it to the disk but something called in the dialog "Default action" (no explanation). Actually for most file types that means opening them with an application (a mime controlled action, I presume). In today's build there is no such dialog but the "default action" is taken with no warning. Luckily, for the *.exe files now the default is a save. However there are some file types which are opened with no warnong or dialog. They include the inherently unsafe *.doc files. Reproducible: Always Steps to Reproduce: 0. Install Microsoft Word 1. Click on a link to any *.doc file 2. See the file open in Word with no warning 3. Use an anti-virus utility to check the damage :-( Actual Results: File is opened by the default mime indicated application with no warning Expected Results: A dialog to choose save or opening should open. Preferably with save as the default (bug 79631) Additional remarks: The same problem may happen wth some other file types
Keywords: 4xp, nsbeta1
I meant bug 80557 mentioning Save instead of Open as the preffered action.
Reassigning to law. I think we've covered this, but Bill can confirm that we are now doing the right thing.
Assignee: mstoltz → law
We're *supposed* to be doing what's *arguably* the right thing. And that is: opening the .doc file automatically if and only if the user has un-checked the "always ask me" box in their helper app preferences entry for application/ms-word, or, un-checked the "confirm open after download" checkbox in their Windows "file type" settings. We should never automatically open a .doc file except in those two situations. If you haven't unchecked one of those two boxes, then that's a bug. I think MS Office unchecks that Windows checkbox on behalf of the user. But if you have a problem with that, I'm not sure it's our bug :-).
I did not un-checked this setting (I'm not crazy). MSOffice97 could have done that. I'll check that tomorrow (I do not have Office at home). But that is still a poor excuse for us; this should be at least relnoted as the behaviour is clearly different from Netscape 4.*. Actually it is different even to IE5.5, too. IE asks whether I want to save or open a file even if I un-check the "Confirm open after download" setting. I checked with *.reg and *.vbs files (as I mentioned, I do not have Office here). Mozilla opens both with its browser - why do not stick to Microsoft default actions here? Generally, I believe we are right not sticking to the mime defaults of Windows with *.vbs (luckily!) but wrong sticking to it with Word documents. It seems Mozilla is overzealous in sticking to this Windows setting.
OK. MS Office has unchecked the "Confirm open after download" setting. After checking it back, Mozilla gives me the "Use default action"/"Use different action" choice (however uninformative that is). Anyway, I believe that sticking to this Windows registry checking in the case of Word documents is plainly stupid. I use Mozilla because I want to be safe from all the Microsoft obsession of opening any executable or script infested file with anything that moves. I do hope we will never open Visual Basic Scripts or any kind of ActiveCrap with Mozilla. I am deeply convinced that from the security standpoint - whatever is the IE standard behavior - Mozilla should never open a *.doc file without asking. The fact that Office changes the setting behind the user's back makes that even more important. Think how easy it is to infect the computer. All you need is any link with the URL covered by a JavaScript (very popular lately) to entice even a computer guru into opening a Word file. We do not need Guninski (http://www.guninski.com) to find this kind of insecurity. The vulnerability report will begin with "The default Windows setting after installing MS Office together with the default Mozilla settings make the browser open any Microsoft word document without...". The buletin will be placated around on all security Web pages. The kind of publicity we really do not want... So, I stick to this being a security bug. You are free to make it INVALID, but take the responsibility for the *bad* publicity. And for all the poor guys who will get Word viruses using Mozilla :-(
Summary: Security problem: Opening *.doc files instead of file save with no warning or dialog → Security problem: Opening *.doc files instead of file save with no warning or dialog with default MSWindows+MSOffice settings
nav triage: yes we need to clean up the behaviour here.
Keywords: nsbeta1nsbeta1+
Priority: -- → P1
Target Milestone: --- → mozilla0.9.2
OK, I need further guidance here. Is this bug a call to make an explicit check for files with extension .doc? Files with MIME type application/msword? Both? Do we care about .xls (or any other file types)? Do we need to give the user a way to say (at some point) that, yes, Mozilla, I really do mean for *you* to not confirm open after download, too? I can't ETA this till I know more.
Whiteboard: no eta
Bill, I think that what we talked about in our helper apps meeting was that we should recreate 4.x behavior - i.e. we should not honor the OS registry settings if they say automatically open, but we should give them the unknown content type dialog and give them the option of de-selecting the "always ask me" checkbox, and obviously remember this decision. Ccing Sol to get his input.
I believe we should treat *.doc files exactly as we treat *.exe files presently. Just save tham to disk *unless* user sets a Helper Application setting for them.
After some thought, I can accept the 4xp behavior Todd wrote about. Otherwise would be inconsistent with the 4xp keyword I added to this bug.
OK, so basically we ignore the OS "always ask me" setting and require users to tell us directly. That sounds plausible. Is it OK to enable users to explicitly bypass this by pre-populating their helper app prefs? I.e., should the "always ask me" setting only appear on the helper app dialog or is it OK to put in the prefs, too?
Bill: I think it's OK to allow the user to change the "always ask me" setting in the preferences dialog, as long as "always ask me" is default checked. I say this because - whether through the helper app dialog or the prefs - the user is taking an affirmative action in saying "I don't need this protection." If the user opts out of being protected, I'm OK with that.
Set eta (very simple fix) and cc:ing Samir in case I don't get to this one.
Whiteboard: no eta → time:.5days
Keywords: patch, review
Whiteboard: time:.5days → fix in hand
sr=mscott
r=sgehani
a= asa@mozilla.org for checkin to the trunk. (on behalf of drivers)
Blocks: 83989
Fix checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Just talked to mscott. The new dialog & stuff will show up in a few more days. Pushing this off until Friday.
Marking VERIFIED FIXED on: -MacOS91 2001-07-09-03-0.9.2 -LinRH62 2001-07-09-04-0.9.2 -Win98SE 2001-07-09-05-0.9.2
Status: RESOLVED → VERIFIED
Marking VERIFIED FIXED on: -MacOS91 2001-07-13-08-trunk -LinRH62 2001-07-13-08-trunk -Win98SE 2001-07-13-07-trunk
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: