Security prompt on downloaded files in XP SP2

In a response to my first blog entry on IE in XP SP2, Tom Gilder notices another new security prompt on downloaded files for XP SP2:

Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt - is this a bug?
...
Er, actually, ignore that - now seems to be working again. But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? :)

This functionality is similar to the prompt that is shown when you immediately run an executable from the download prompt in IE. If you are using NTFS, downloaded files are now marked with information about the zone the file originated from. The shell team extended ShellExecute so that it prompts when you later run a file that was downloaded and saved from the Internet. As with the secondary download prompt, this is defense in depth: use it to verify the publisher of the executable, but do not rely on it to always protect you from running dangerous files. For example, you could download from a web site a .cmd file that formats your hard drive or erases all of your personal files, and you may not get the secondary prompt.

So regarding the first potential issue, my guess is that in one case the file was saved to an NTFS partition and in the other case it was either saved onto a FAT32 partition or was copied in a way that caused it to lose the zone information. If this is not the case, please drop me an email or file a bug report through the standard channels. The second issue certainly was a bug. It has been fixed but did not make the RC1 build.
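To check whether a saved file still carries its zone information, the following added example (not code from the original post or from Microsoft) parses the mark and lists `.exe` and `.cmd` files in a directory with their status. It assumes the mark is stored in the NTFS alternate data stream `Zone.Identifier` with a `[ZoneTransfer]` section and a `ZoneId` field, which is how Windows records it but is not named in the post; the function names are hypothetical.

```python
import configparser
import os

# Windows URL security zone IDs as stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Extensions to audit; .exe and .cmd are the types the post mentions.
RISKY_EXTENSIONS = (".exe", ".cmd")

def parse_zone_identifier(text):
    """Return ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_zone(path):
    """Read the mark from the file's alternate data stream (works on Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no stream: never marked, FAT32 volume, or mark lost in a copy

def describe(zone_id):
    """Turn a ZoneId (or None) into a short status string."""
    if zone_id is None:
        return "no zone mark"
    return "marked " + ZONES.get(zone_id, "unknown zone %d" % zone_id)

def audit(directory):
    """List (file name, zone description) for risky file types directly in a directory."""
    names = sorted(n for n in os.listdir(directory) if n.lower().endswith(RISKY_EXTENSIONS))
    return [(n, describe(read_zone(os.path.join(directory, n)))) for n in names]

if __name__ == "__main__":
    sample = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed sample stream content
    print(describe(parse_zone_identifier(sample)))
    for name, status in audit(os.getcwd()):
        print(name, "->", status)
```

A file reported as "no zone mark" is one for which the prompt described above has nothing to act on, whether the file was never downloaded or lost its mark on the way.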

I'm interested in hearing people's opinions on the value of this feature and how we could make it more useful (and secure) in the future.

Comments

  • Anonymous
    March 21, 2004
    Slightly off this topic, but a couple of questions on a change of handling of Res: resources.

    1/. 2 years ago during the IE6 SP1 beta, access to Res: resources became disallowed to content served from the Internet Zone.

    XP SP2 RC1 now allows this access.

    2/. We have a Res: resource which navigates part of its content to file://, and that action is now disallowed as a result of LMZ lockdown. This is a pain, and is proving hard to work around.

    Any comments on the deliberate (or otherwise) nature of these changes, and whether or not they will find their way into the release, would be welcome, thanks.
  • Anonymous
    March 21, 2004
    Thanks :)

    I didn't originally copy the EXE to a non-NTFS partition, so I'm not sure quite how it lost the zone data. I can't seem to replicate it at all now, but I'll get back to you if I do...
  • Anonymous
    May 25, 2004
    Anyone see issues with inability to complete a download of an .exe? For some reason it remains stuck at 99% and never downloads, either in save mode or run mode.