'Re: [WEB SECURITY] Browser Security Handbook by Google'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       websecurity
Subject:    Re: [WEB SECURITY] Browser Security Handbook by Google
From:       Bil Corry <bil () corry ! biz>
Date:       2008-12-12 4:38:09
Message-ID: 4941EAB1.309 () corry ! biz
[Download RAW message or body]

Bryan Hughes wrote on 12/11/2008 8:32 PM: 
> I couldn't see any references to browser security when loading local
> content (from a filesystem, attachment or embedded in a document,
> etc).

It's talked about here:

	http://code.google.com/p/browsersec/wiki/Part2#Downloads_and_Content-Disposition

For example:

-----
Recent versions of Microsoft Internet Explorer mitigate the risk by storing \
mark-of-the-web and ADS Zone.Identifier tags on all saved content; the same practice \
is followed by Chrome. These tags are later honored by Internet Explorer, Windows \
Explorer, and a handful of other Microsoft applications to either restrict the \
permissions for downloaded files (so that they are treated as if originating from an \
unspecified Internet site, rather than local disk), or display security warnings and \
request a confirmation prior to displaying the data. Any benefit of these mechanisms \
is lost if the data is stored or opened using a third-party browser, or sent to any \
                other application that does not carry out additional checks, however.
-----

Write Michal (the author) if you have specific suggestions for improving the handbook \
and/or adding additional tests.  I wrote him earlier today with some feedback and he \
replied promptly to my suggestions.


> I have noticed that clicking on html documents (that contains script)
> from a filesystem such as windows, IE7 pops up the usual "To help
> protect your security, Internet Explorer has restricted this webpage
> from running scripts or ActiveX controls that could access your
> computer" message.  Which prevents the script running until I allow
> it.
> 
> However when I click the same file which is an attachment in an
> email, a standard "Opening Mail Attachment" pop up box appears that
> is the same for any attached file that is opened from an email
> message.  If you open it from the popup then IE doesn't perform the
> check above and lets the scripts run.
> 
> And even more concerning, is that if I embed the same file in a word
> document and when I click on it, I get no pop up box about opening
> the file and IE lets the scripts run free!
> 
> Can anyone explain why IE7 is behaving differently depending on how
> and where the html file is being run from?

I don't know for certain, but my guess is IE runs the downloaded file in the Internet \
zone, and the attachment and Word document are run within the Local (trusted) zone.


- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic