#1
"Open files based on content, not file extension" in SP2
While looking for a different setting in the Zone security details
of IE6 Tools Tools-Options-Security I ran across "Open files based on content, not file extension", and the option was set by default. I thought, if an EXE file on a page is named *.gif, do I want to "open"=run it as an EXE, or do I want the picture viewer to try to handle it as a GIF. Please, let the picture viewer think it is a corrupted GIF. So I clicked from Enable to Disable. I was in the trusted sites zone at the time. I got to wondering why this setting was added, and why enable was the default. Maybe there was some security reason to not change it that I did not understand. I was in the trusted sites zone at the time. Today I searched for that item and hit on http://www.microsoft.com/technet/pro.../sp2brows.mspx That says that the default setting is Enabled for Internet, Intranet, and Trusted Sites zones, but *Disabled* for Restricted Sites Zone. That confirmed to me that the Disabled is the safer setting. And if there is a place I need to select a safer setting, it is in the Internet zone the way I set things up. So my questions are, why have the setting ever Enabled? Why is the default "Enable"? What I would feel better about is some setting that says if the filename and the file-type-based-on-content differ materially, warn me or something. Here is an experiment that worries me. Make a copy of a safe .exe file, but name it test.jpg. Then in a Cmd window, type "test.jpg". It runs the .exe program! I thought that was a quirk of command windows, but not a problem with IE6. Perhaps I was wrong-- again. |
Ads |
#2
"Open files based on content, not file extension" in SP2
In microsoft.public.windowsxp.general, Cal Learner wrote:
> Today I searched for that item and hit on http://www.microsoft.com/technet/pro.../sp2brows.mspx That says that the default setting is Enabled for Internet, Intranet, and Trusted Sites zones, but *Disabled* for Restricted Sites Zone.

After looking at the setup in SP2 IE6, I only find "Open files based on content, not file extension" for the trusted sites zone, despite what the above article says. There must have been a security-conscious re-think before SP2 was released.
#3
"Open files based on content, not file extension" in SP2
Cal Learner wrote:
> After looking at the setup in SP2 IE6, I only find "Open files based on content, not file extension" for the trusted sites zone, despite what the above article says. There must have been a security-conscious re-think before SP2 was released.

I think so. I think it was originally brought in so that there was no need for separate treatment of all the different extensions used (say) with the JPEG format, and similar cases. But I agree that having anything executable executed, even if it is trying to masquerade as a .gif, is *not* a safe idea, and I would (and do) have the setting off.

--
Alex Nichol MS MVP (Windows Technologies)
Bournemouth, U.K. (remove the D8 bit)
#4
"Open files based on content, not file extension" in SP2
Interesting post.
I've noticed that if you enable the 5th "My Computer" zone, e.g. by following the advice on this web page http://www.tweakxp.com/tweak941.aspx, you can observe that the setting is also set to "enable" by default for the local "My Computer" zone too.

That command line prompt experiment is worrying too.

Jon
#5
"Open files based on content, not file extension" in SP2
Actually it looks like the new FEATURE_LOCALMACHINE_LOCKDOWN handles that for the local computer zone, since URLACTION_FEATURE_MIME_SNIFFING is set to disable (i.e. key 2100 has value 3) in both of the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

So whether it's set to enable (i.e. key 2100 has value 0) in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

is probably irrelevant (at least for iexplore.exe, explorer.exe, msimn.exe, wmplayer.exe).

Jon
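The registry keys and the 2100 value named in the post above can be audited for every zone in one pass, which is how to confirm whether the lockdown entries really override the normal ones on a given machine. The PowerShell below is an added example, not code from this thread or from Microsoft; the function names Get-MimeSniffingSetting and Disable-MimeSniffing are my own, and the zone-number-to-name map is the standard IE zone numbering.

```powershell
# Added example: report URLACTION_FEATURE_MIME_SNIFFING (value name 2100,
# "Open files based on content, not file extension") for zones 0-4 in the
# normal and Lockdown_Zones keys of both hives, and optionally set it to 3.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # URL action values
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones'
)

function Get-MimeSniffingSetting {
    foreach ($root in $roots) {
        $scope = if ($root -like '*Lockdown_Zones') { 'Lockdown' } else { 'Normal' }
        foreach ($zone in 0..4) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }   # skip zone keys that do not exist on this box
            # Value absent means the zone inherits the built-in default rather than "0".
            $value = (Get-ItemProperty -Path $key -Name '2100' -ErrorAction SilentlyContinue).'2100'
            $setting = if ($null -eq $value) { '(not set: inherits default)' } else { $meaning[[int]$value] }
            [pscustomobject]@{
                Hive    = $root.Substring(0, 4)
                Scope   = $scope
                Zone    = "$zone ($($zoneNames[$zone]))"
                Value   = $value
                Setting = $setting
            }
        }
    }
}

function Disable-MimeSniffing {
    # Set 2100 = 3 (Disable) in the current user's normal zones; no admin rights needed.
    # Defaults to intranet, trusted and Internet, the zones the thread found Enabled.
    param([int[]]$Zones = @(1, 2, 3))
    foreach ($zone in $Zones) {
        $key = Join-Path $roots[0] $zone
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name '2100' -Value 3 -Type DWord }
    }
}

Get-MimeSniffingSetting | Format-Table -AutoSize
# Disable-MimeSniffing   # uncomment to apply the setting the posters recommend
```

Run the report again after Disable-MimeSniffing to confirm the change; a Lockdown row showing Disable for zone 0 matches what the post above describes.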