Security Response

Run Installer, Run!

Created: 06 Dec 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:43:57 GMT
Andrea Lelli

Given the choice when browsing, I would download and save an executable file rather than directly run it. Free will has always been a hot topic in philosophy, and when it comes to Web browser security the topic suddenly gets hot as well! I was recently browsing a well-known adware vendor's Web site when I decided to download a game and try it. As usual, I came across a normal download page:

Figure 1: The standard Web download interface

After clicking “continue” I was prompted with the usual “File Download” message box from Internet Explorer, but it actually took me a while to realize something was missing:

Figure 2: File download box missing the “Save” option

I could only "Run" the setup or, alternatively, cancel the download operation. Where did the “Save” button go? Normally you would expect this sort of file download box:

Figure 3: The standard file download message box

Well, that is a neat trick. I used Internet Explorer 6 for this test and then I also checked Internet Explorer 7, Firefox, Opera, and Safari. Good to know that the latter three are not affected by this problem: they always prompt the user to save the executable file rather than execute it. In particular, the Web site does not allow the download if you use Opera or Safari. For Firefox you are asked to save the file using the standard file download box, but the Web site takes care of giving you exact instructions on how to run the setup as soon as you finish the download:


Figure 4: Instructions on how to run the file if Firefox is used

Now of course the question is, how does it work? Why am I not asked to save the file when I use IE? The answer is very simple and lies in the very first lines of the HTML page:

Figure 5: The meta tag responsible for the missing save button

The responsible party is the meta tag highlighted above, named “DownloadOptions,” whose content property is set to “nosave”. This value causes the browser to omit the Save button from the download box and show only the Run and Cancel buttons. There is also a “noopen” value, which shows only the Save and Cancel buttons, not the Run button. All the documentation regarding these options can be found in MSDN: http://msdn2.microsoft.com/en-us/library/ms533689.aspx
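A proxy, crawler or mail gateway can look for this tag before a user ever sees the download box. The following Python is an added example, not code from the original post: the sample pages and the names DownloadOptionsFinder and classify_download_page are constructed for illustration, and accepting several values separated by commas or spaces in the content attribute is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample pages (not taken from the site described in the post).
SAMPLE_NOSAVE = """<html><head>
<META Name="downloadoptions" CONTENT=" NoSave ">
<title>Free game</title></head><body>Download</body></html>"""
SAMPLE_NOOPEN = '<head><meta content="noopen" name="DownloadOptions"></head>'
SAMPLE_CLEAN = '<head><meta name="description" content="nosave the date"></head>'


class DownloadOptionsFinder(HTMLParser):
    """Collects the content values of every DownloadOptions meta tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.options = set()

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <meta ... /> tags.
        if tag != "meta":
            return
        # HTMLParser lower-cases tag and attribute names, but not values.
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() != "downloadoptions":
            return
        # Assumption: tolerate several values separated by commas or spaces.
        for token in attr.get("content", "").replace(",", " ").split():
            self.options.add(token.lower())


def classify_download_page(html):
    """Return (verdict, sorted option list) for one HTML document."""
    finder = DownloadOptionsFinder()
    finder.feed(html)
    finder.close()
    if "nosave" in finder.options:
        verdict = "alert: Save button hidden, user can only Run or Cancel"
    elif "noopen" in finder.options:
        verdict = "info: Run button hidden, user can only Save or Cancel"
    else:
        verdict = "ok: no DownloadOptions restriction"
    return verdict, sorted(finder.options)


if __name__ == "__main__":
    samples = [("nosave", SAMPLE_NOSAVE), ("noopen", SAMPLE_NOOPEN), ("clean", SAMPLE_CLEAN)]
    for name, page in samples:
        print(name, classify_download_page(page))
```

Only the “nosave” case is raised as an alert, because it is the one that removes the user's option to save the file first.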

This is an example of yet another piece of functionality that can be used to trick users into running something rather than downloading it, and of course the target audience is the more distracted or inexperienced users. Luckily, Windows will mark the downloaded file with a Zone.Identifier alternate data stream, so when it is run you still have a second warning (and the Web site of course will provide you instructions about running it in a more straightforward way):


Figure 6: The second prompt for the file to be run and the Web site instructions

So, at least there is a two-layer barrier before the code is actually executed. Always watch out and be sure your free will is respected!