April 22, 2008
Welcome
Welcome to my blog. I don't really blog per se, but you might find some interesting things over at my website.
April 21, 2008
Removing 'Security Warning' on files downloaded with Firefox 3.0
First, the workaround:
To remove the 'Security Warning' dialog that comes up when launching a file downloaded with Firefox 3.0, set the browser.download.manager.scanWhenDone preference in about:config to false. To read about why this dialog is used, what causes it to be shown, and how this workaround was discovered, read on.
Now, the story:
One of the new features of Windows XP SP2 was an enhanced security mode for downloads. When a program used one of the new APIs to save a file, Windows would automatically initiate a virus scan with any installed antivirus software (provided that the antivirus software also used the new APIs). The new save API also flagged the download as having come from the internet, and when launched, if the download was not digitally signed, Windows would present the user with a warning box.

Prior to version 3.0, Firefox users were not invited to this party because Firefox did not use these APIs. In contrast, Microsoft updated its Internet Explorer browser in SP2 to use these new APIs so that IE users would be protected from the potentially 'dangerous' files they were downloading. In practice, however, the only software that was ever digitally signed was Microsoft's own programs. This meant that Windows would consider any other download potentially dangerous, and would annoy (or perhaps frighten) the user with the above dialog box.
Windows Vista took this mechanism a step further. In addition to downloaded applications (.exe files and scripts), Windows Vista also alerts the user with the following (somewhat cryptic) dialog if they attempt to extract files from an archive such as a .zip file:

What's worse is that 'No' is the default action, so simply hitting enter will cancel the extraction operation. In Windows Vista, the security settings are also inherited for all files extracted from the archive. This means that if the user extracts a setup application from a .zip file they downloaded and then runs it, they will not only encounter the above dialog during extraction, but will also be shown the 'Security Warning' dialog when they try to run setup. The user could, of course, clear the 'Always ask' checkbox, or click the 'Unblock' button in the file's properties window. This would prevent Windows from bothering the user about this particular file, but there was no obvious way to stop Windows from doing this to every other file that was downloaded.

In seeking to disable this functionality, one might discover that there is a setting hidden within the Internet Options control panel's Security tab which can control the new behavior. To access it, the user would have to select the Internet Zone, and then choose "Custom" to access the list of security preferences. Changing the value of the "Launching applications and unsafe files" preference to "Enable" removes these prompts, but as the dialog box notes, is considered 'unsafe'. This setting also has the disadvantage of being a system-wide change, which is overkill if the user only wants to return Firefox's download behavior to its pre-3.0 state.

Returning to the search, one might wonder, "How does Windows know that a file has come from the internet?" A little investigation turns up the answer. On Mac OS X, downloaded files are flagged with an extended attribute, which the operating system reads and uses to determine whether it should take certain actions. As it turns out, a similar system is used in Windows. Windows does not support extended attributes in its NTFS filesystem, but it does support what are known as alternate data streams (ADS). These are hidden pieces of data that can be attached to any file stored on an NTFS-formatted drive. Using my NTFSADS tool for viewing alternate data streams, we can see what data streams are attached to a file that was just downloaded with Firefox 3.0:

A quick search for information about Zone.Identifier shows that this is an ADS that is added to files saved from the internet by Internet Explorer or Outlook. It seems that Firefox 3.0 is now doing this as well. Additionally, researching the contents of this ADS entry turns up that Zone ID 3 corresponds to the Internet Zone. This same link also gives some more information on how this ADS is added to the file:
“AES-participating applications call the Save method of IAttachmentExecute interface to add a Zone.Identifier alternate data stream to store the zone from which the file came.”
A search for this interface in the Firefox 3.0 code comes up with a reference to bug 408153, which changed the save mechanism to use the IAttachmentExecute.Save method to save downloaded files so that they would be scanned by the installed antivirus software. This is what is responsible for attaching this Zone.Identifier ADS and ultimately causing the security warnings.
Reading through the comments turns up another bug, bug 412204, which contains a patch that adds an about:config preference to disable the new save behavior. Bingo! Looking at the patch, we can see that the new preference is named 'browser.download.manager.scanWhenDone'. After visiting about:config and setting this preference to false, I downloaded a .exe file and verified that Windows no longer displays its security warning. Checking out the file with NTFSADS shows no alternate data streams.
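The same before-and-after check can be scripted. The following is an added example, not part of the original post or of NTFSADS: it reads a file's Zone.Identifier stream and reports the zone, or nothing when the stream is absent. The function names are hypothetical, and the zone table beyond ID 3 comes from the standard Windows URL zone values rather than from this post.

```python
import configparser
import os

# Windows URL security zones. The post confirms only that 3 is the Internet
# Zone; the other entries are the standard URLZONE values (added assumption).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream.

    Returns (zone_id, zone_name), or None if no usable ZoneId is present.
    """
    # No interpolation: newer Windows versions may add URL values containing '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        zone_id = int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return zone_id, ZONES.get(zone_id, "Unknown")


def read_zone(path):
    """Read the Zone.Identifier stream of `path` (NTFS volumes on Windows).

    Returns None when the file carries no such stream.
    """
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def marked_files(directory):
    """Map each file in `directory` that carries a zone mark to its zone."""
    found = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            zone = read_zone(entry.path)
            if zone is not None:
                found[entry.name] = zone
    return found
```

Running `marked_files` over a downloads folder shows which files Windows still treats as coming from the internet. A file saved with scanWhenDone set to false should not appear in the result.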
Mystery solved!
--Brandon
November 05, 2006
Testing Word 2007 Blog Integration
It seems that Word 2007 has direct support for posting blog entries through services such as Windows Live Spaces and Blogger. While Windows Live Spaces is not surprising, is the inclusion of Blogger (a Google service) a sign that things are changing at Microsoft? What is more, they have also added support for any blog service that supports either ATOM or MetaWebLog API. After some digging, it turns out that blog.case.edu does use the MetaWebLog API, so I'm giving it a test.
If anyone else is interested in trying this out, simply tell Word 2007 to make a New Blog Post (Office Menu -> New -> Blog post). A wizard will come up asking if you'd like to register with a Blog service – tell it yes, and then for the provider, specify 'Other'. Enter your Case ID and password, make sure 'MetaWebLog' is selected as the API, and enter http://blog.case.edu/mt/mt-xmlrpc.cgi as the Blog Post URL. If you'd like to have Word automatically upload images to your Filer space, it's really quite simple. When prompted for your Image Provider's information, select 'My own server' from the list, enter https://filer.case.edu/dav/abc123 as the Upload URL (use your own Case ID instead of abc123), and http://filer.case.edu/abc123 as the Source URL (again use your own Case ID here). Finish the wizard and you should be good to go.
What is interesting is that this is a great example of how powerful web services can be. Once your account is set up, you can 'Open Existing' to open any blog posts you've made (even ones you didn't make through Word) for revision or just to look over. You can insert category and tag info into your post (caveat: this was the only thing I haven't been able to get working so far – seems like a bug). Word even has some integration with image hosting providers (none are preloaded yet, though it does support WebDAV interfaces such as Filer). All this works because the MetaWebLog API provides a list of functions to any API client (in this case, Word). These functions are standardized through a number of RFCs so that anyone can make an interoperable blog client or host as long as they abide by the contracts set forth in the RFC documents. Word and the blog.case.edu server then communicate by transferring XML documents which represent the client's requests and the server's responses. Again these XML documents follow a standardized schema which must be adhered to in order for clients and servers to communicate successfully.
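The request and response documents described above, as an added example that is not taken from Word or from the blog.case.edu server: it serializes a `metaWeblog.newPost` call with Python's standard `xmlrpc.client`, decodes it as the server would, and round-trips the reply. The function names, blog ID, credentials and post ID are constructed. The last helper checks the one thing that protects the password, which travels in the body of every call.

```python
import xmlrpc.client
from urllib.parse import urlsplit


def build_new_post(blog_id, username, password, title, body, publish=True):
    """Serialize a metaWeblog.newPost request as a blog client would send it."""
    post = {"title": title, "description": body}
    return xmlrpc.client.dumps(
        (blog_id, username, password, post, publish),
        methodname="metaWeblog.newPost",
    )


def decode_request(xml):
    """Server side: recover the method name and its parameters."""
    params, method = xmlrpc.client.loads(xml)
    return method, params


def build_response(post_id):
    """Server side: the reply to newPost is the new post's ID as a string."""
    return xmlrpc.client.dumps((post_id,), methodresponse=True)


def decode_response(xml):
    """Client side: extract the single return value from the reply."""
    params, _ = xmlrpc.client.loads(xml)
    return params[0]


def credentials_protected(endpoint):
    """The username and password are plain parameters in each request body,
    so they are hidden on the wire only when the endpoint uses TLS."""
    return urlsplit(endpoint).scheme.lower() == "https"


if __name__ == "__main__":
    # Constructed sample values; no network traffic is generated.
    request = build_new_post("1", "abc123", "constructed-password",
                             "Hello", "Posted from an XML-RPC client")
    print(request)
    print(decode_request(request))
    print(decode_response(build_response("42")))
    print(credentials_protected("http://blog.case.edu/mt/mt-xmlrpc.cgi"))
```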
The surprise is that the folks at Microsoft have not created their own 'better' schema and API, nor have they 'embraced-and-extended' the existing ones. Instead they have put their ego in check to produce a very impressive, interoperable piece of software. It seems that in the past year or so we've really seen a breath of fresh air at Microsoft, and hopefully we can look forward to more cool, interoperable products in the future.
