Removing 'Security Warning' on files downloaded with Firefox 3.0

First, the workaround:

To remove the 'Security Warning' dialog that comes up when launching a file downloaded with Firefox 3.0, set the browser.download.manager.scanWhenDone preference in about:config to false. To read about why this dialog is used, what causes it to be shown, and how this workaround was discovered, read on.

Now, the story:

One of the new features of Windows XP SP2 was an enhanced security mode for downloads. When a program used one of the new APIs to save a file, Windows would automatically initiate a virus scan with any installed antivirus software (provided that the antivirus software also used the new APIs). The new save API also flagged the download as having come from the internet, and when launched, if the download was not digitally signed, Windows would present the user with a warning box.

[Image: warning.png]

Prior to version 3.0, Firefox users were not invited to this party because Firefox did not use these APIs. In contrast, Microsoft updated its Internet Explorer browser in SP2 to use these new APIs so that IE users would be protected from the potentially 'dangerous' files they were downloading. In practice, however, the only software that was ever digitally signed was Microsoft's own programs. This meant that Windows would consider any other download potentially dangerous, and would annoy (or perhaps frighten) the user with the above dialog box.

Windows Vista took this mechanism a step further. In addition to downloaded applications (.exe files and scripts), Windows Vista also alerts the user with the following (somewhat cryptic) dialog if they attempt to extract files from an archive such as a .zip file:

[Image: copy.png]

What's worse is that 'No' is the default action, so simply hitting enter will cancel the extraction operation. In Windows Vista, the security settings are also inherited for all files extracted from the archive. This means that if the user extracts a setup application from a .zip file they downloaded and then runs it, they will not only encounter the above dialog during extraction, but will also be shown the 'Security Warning' dialog when they try to run setup. The user could, of course, clear the 'Always ask' checkbox, or click the 'Unblock' button in the file's properties window. This would prevent Windows from bothering the user about this particular file, but there was no obvious way to stop Windows from doing this to every other file that was downloaded.

[Image: props.png]

In seeking to disable this functionality, one might discover that there is a setting hidden within the Internet Options control panel's Security tab which can control the new behavior. To access it, the user would have to select the Internet Zone, and then choose "Custom" to access the list of security preferences. Changing the value of the "Launching applications and unsafe files" preference to "Enable" removes these prompts, but as the dialog box notes, is considered 'unsafe'. This setting also has the disadvantage of being a system-wide change, which is overkill if the user only wants to return Firefox's download behavior to its pre-3.0 state.

[Image: inetsec.png]

Returning to the search, one might wonder, "How does Windows know that a file has come from the internet?". A little investigation turns up the answer. On Mac OS X, downloaded files are flagged with an extended attribute, which the operating system reads and uses to determine whether it should take certain actions. As it turns out, a similar system is used in Windows. Windows does not support extended attributes in its NTFS filesystem, but it does support what are known as alternate data streams (ADS). These are hidden pieces of data that can be attached to any file stored on an NTFS-formatted drive. Using my NTFSADS tool for viewing alternate data streams, we can see what data streams are attached to a file that was just downloaded with Firefox 3.0:

[Image: cmd.png]

A quick search for information about Zone.Identifier shows that this is an ADS that is added to files saved from the internet by Internet Explorer or Outlook. It seems that Firefox 3.0 is now doing this as well. Additionally, researching the contents of this ADS entry turns up that Zone ID 3 corresponds to the Internet Zone. This same link also gives some more information on how this ADS is added to the file:

“AES-participating applications call the Save method of IAttachmentExecute interface to add a Zone.Identifier alternate data stream to store the zone from which the file came.”

A search for this interface in the Firefox 3.0 code comes up with a reference to bug 408153, which changed the save mechanism to use the IAttachmentExecute.Save method to save downloaded files so that they would be scanned by the installed antivirus software. This is what is responsible for attaching this Zone.Identifier ADS and ultimately causing the security warnings.

Reading through the comments turns up another bug, bug 412204, which contains a patch that adds an about:config preference to disable the new save behavior. Bingo! Looking at the patch, we can see that the new preference is named 'browser.download.manager.scanWhenDone'. After visiting about:config and setting this preference to false, I downloaded a .exe file and verified that Windows no longer displays its security warning. Checking out the file with NTFSADS shows no alternate data streams.
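The Zone.Identifier check described above can also be scripted. The following is an added example, not part of the original post and not the NTFSADS tool: it reads the `Zone.Identifier` stream of a file on NTFS and parses its `[ZoneTransfer]` section. The function names and the sample bytes are constructed for illustration, and the zone names other than 3 (Internet) come from the standard Windows URL security zones rather than from this page.

```python
import configparser
import sys

# Windows URL security zones; the post confirms only that 3 is the Internet Zone.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what the stream holds for a file saved from the internet.
SAMPLE = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the raw bytes of a Zone.Identifier stream into a summary dict."""
    # The stream is a tiny INI file; tolerate a BOM and UTF-16 writers.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        ini.read_string(text)
        zone_id = ini.getint("ZoneTransfer", "ZoneId")
    except configparser.Error as exc:
        raise ValueError(f"not a valid Zone.Identifier stream: {exc}") from exc
    # Keys are lower-cased by configparser; keep any extra fields for review.
    other = {k: v for k, v in ini.items("ZoneTransfer") if k != "zoneid"}
    return {"zone_id": zone_id,
            "zone": ZONES.get(zone_id, "unknown"),
            "other": other}


def read_zone_identifier(path: str):
    """Return the parsed stream of a file, or None if no stream is attached."""
    try:
        # On NTFS an alternate data stream is addressed as "file:streamname".
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        # No such stream, or a filesystem that has no alternate data streams.
        return None


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(parse_zone_identifier(SAMPLE))
    for p in sys.argv[1:]:
        print(p, read_zone_identifier(p))
```

Run against a download directory, a result of `None` for a file means no Zone.Identifier stream is attached, which is the state the post observes after setting the preference to false.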

Mystery solved!

--Brandon
