[prev in list] [next in list] [prev in thread] [next in thread]
List: websecurity
Subject: Re: [WEB SECURITY] Browser Security Handbook by Google
From: Bil Corry <bil () corry ! biz>
Date: 2008-12-12 4:38:09
Message-ID: 4941EAB1.309 () corry ! biz
[Download RAW message or body]
Bryan Hughes wrote on 12/11/2008 8:32 PM:
> I couldn't see any references to browser security when loading local
> content (from a filesystem, attachment or embedded in a document,
> etc).
It's talked about here:
http://code.google.com/p/browsersec/wiki/Part2#Downloads_and_Content-Disposition
For example:
-----
Recent versions of Microsoft Internet Explorer mitigate the risk by storing \
mark-of-the-web and ADS Zone.Identifier tags on all saved content; the same practice \
is followed by Chrome. These tags are later honored by Internet Explorer, Windows \
Explorer, and a handful of other Microsoft applications to either restrict the \
permissions for downloaded files (so that they are treated as if originating from an \
unspecified Internet site, rather than local disk), or display security warnings and \
request a confirmation prior to displaying the data. Any benefit of these mechanisms \
is lost if the data is stored or opened using a third-party browser, or sent to any \
other application that does not carry out additional checks, however.
-----
Write Michal (the author) if you have specific suggestions for improving the handbook \
and/or adding additional tests. I wrote him earlier today with some feedback and he \
replied promptly to my suggestions.
> I have noticed that clicking on html documents (that contains script)
> from a filesystem such as windows, IE7 pops up the usual "To help
> protect your security, Internet Explorer has restricted this webpage
> from running scripts or ActiveX controls that could access your
> computer" message. Which prevents the script running until I allow
> it.
>
> However when I click the same file which is an attachment in an
> email, a standard "Opening Mail Attachment" pop up box appears that
> is the same for any attached file that is opened from an email
> message. If you open it from the popup then IE doesn't perform the
> check above and lets the scripts run.
>
> And even more concerning, is that if I embed the same file in a word
> document and when I click on it, I get no pop up box about opening
> the file and IE lets the scripts run free!
>
> Can anyone explain why IE7 is behaving differently depending on how
> and where the html file is being run from?
I don't know for certain, but my guess is IE runs the downloaded file in the Internet \
zone, and the attachment and Word document are run within the Local (trusted) zone.
- Bil
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic