Udostępnij za pośrednictwem


Chrome is fixing the file download bug…

I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome.  This is awesome, but there’s one aspect of the fix that concerns me.

According to the changelog:

This CL adds prompting for dangerous types of files (executable) when they are automatically downloaded.

When I read this, my first thought was: “I wonder how they determine if a file is ‘dangerous’?”

One of the things that we’ve learned over time is that there are relatively few files that aren’t “dangerous”.  Sure there are the obvious files (.exe, .dll, .com, .bat, etc) but there are lots of other file types that can contain executable content.  For instance most word processors and spreadsheets support some form of scripting language, that means that most documents downloaded can contain executable content.

Even if you ignore the files that contain things that are clearly identifiable as “code”, you’ve still got problems.  After all, just about every single file format out there has had readers who have had bugs that would have allowed remote code execution.

It’s unfortunate, but given the history of the past couple of years, I can’t see how ANY content that was downloaded from the internet could be considered “safe”.

IMHO Google’s change is a good start, but I’m worried that that it doesn’t go far enough.

Comments

  • Anonymous
    October 20, 2008
    the part that bothers me is "automatically" !!!

  • Anonymous
    October 21, 2008
    asf, you're right.  Under no circumstances should a file be "automatically downloaded".  

  • Anonymous
    October 21, 2008
    The comment has been removed

  • Anonymous
    October 21, 2008
    Plain text files and pure HTML (sans Javascript, etc) should be safe.  Everything else, all bets are off.  (This is one of two reasons that I force all my incoming mail to plain text, the other being that people who send HTML email usually have tastes in fonts, colors, and graphics that clash with mine.)

  • Anonymous
    October 21, 2008
    Norman: Do those browsers drop their content in locations that the user can see, or are they dropped in a temp directory? Monica: Maybe - These days, I'm not sure that even plain text and HTML are safe.

  • Anonymous
    October 21, 2008
    The comment has been removed

  • Anonymous
    October 22, 2008
    Norman: If the files are dropped in a temp directory, then the chances of the user accidentally accessing the files are very close to non-existant. The risk here is when a browser can drop files on (for example) the user's desktop without the user explicitly chosing to drop the files on the desktop. OE (and Outlook) have their own HTML rendering engine - one that is intentionally neutered to remove support for most active content type (like scripting).

  • Anonymous
    October 22, 2008
    "The risk here is when a browser can drop files on (for example) the user's desktop without the user explicitly chosing to drop the files on the desktop." I guess you mean because the user might be tempted to double-click the file, and then it will be presumed to have the user's permissions instead of recognized internet restricted permissions.  OK. "OE (and Outlook) have their own HTML rendering engine - one that is intentionally neutered to remove support for most active content type (like scripting)." It is good that they are neutered, but I wonder if it's good for them to have their own engine.  This likely does explain why OE (and maybe Outlook) have their own bugs, confusing some of their UI after rendering HTML.

  • Anonymous
    October 22, 2008
    The comment has been removed

  • Anonymous
    October 23, 2008
    The comment has been removed

  • Anonymous
    October 23, 2008
    ** just to add: downloading things automatically is maybe its own issue.

  • Anonymous
    October 23, 2008
    This is a perfect example of "blame it on the user" security.

  • Anonymous
    October 23, 2008
    "For instance on media files, explorer will attempt to parse the file to retrieve thumbnail information." Oh, then I'm more at risk than I was aware of too.  I put Explorer in details view and tell it to apply the view to all folders, and then make an exception for Control Panel because that's one place where I got used to icons.  In Windows XP these settings usually stick.  But even in details view, Explorer sometimes pops up a tooltip containing information that must have come from parsing a file. Now Vista is less secure than XP, by design, because the behaviour of Explorer that keeps changing back to icon view or thumbnail view is no longer a bug that happens several times a week, it's by design and happens all the time.