Ubuntu
firefox-3.0 package

firefox shouldnt suggest to open .exe files with wine (virus)

Bug #309214 reported by Patola on 2008-12-18

This bug report is a duplicate of: Bug #355005: Malicious executable code defaults to "Open with", cannot be changed. Edit Remove

260

	Status	Importance	Assigned to
Bugzilla	Invalid	Undecided	Unassigned
Mozilla Firefox	Confirmed	Unknown	mozilla-bugs #477532
firefox-3.0 (Ubuntu)	Triaged	Medium	Unassigned

Bug Description

I understand Ubuntu's need to be as easy as it gets and help the end user, but it this REALLY necessary? Associating wine programs so that firefox tries to run executables from the internet via wine? In my experience, every time I am asked to run a windows executable via firefox, it's a virus.

It might be more than enough to let the user download the executable and, if he is inclined to, run it via wine.

I'd recommend take off all these entries from /etc/mailcap so that firefox does not try to run windows programs/virii:

[patola@ubuntola patola]% grep wine /etc/mailcap
application/x-msdos-program; /usr/bin/wine '%s'; description=Windows Executable
application/x-msdownload; /usr/bin/wine '%s'; description=Windows Executable
application/exe; /usr/bin/wine '%s'; description=Windows Executable
application/x-exe; /usr/bin/wine '%s'; description=Windows Executable
application/dos-exe; /usr/bin/wine '%s'; description=Windows Executable
vms/exe; /usr/bin/wine '%s'; description=Windows Executable
application/x-winexe; /usr/bin/wine '%s'; description=Windows Executable
application/msdos-windows; /usr/bin/wine '%s'; description=Windows Executable
application/x-msdos-program; /usr/bin/wine '%s'; description=Windows Executable
application/x-msi; /usr/bin/wine '%s'; description=Windows Installer archive

Tags:

Revision history for this message

Patola (patola) wrote on 2008-12-18:

Screenshot of firefox trying to run a virus. Edit (39.8 KiB, image/png)

Revision history for this message

Alexander Sack (asac) wrote on 2008-12-22:

i am not sure how bad virusses are to run in wine, but i agree this isnt really good. the problem is not the mime mapping because users should still be open .exe files by clicking on them in wine.

However, firefox has tweaks for exectuables on windows to not suggest "open with ..." at all for them (just download). I think we should get that behaviour for linux as well.

Changed in firefox:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

John Vivirito (gnomefreak) wrote on 2008-12-23:

What is wrong with our firefox that you have to run it in wine?

Revision history for this message

Patola (patola) wrote on 2008-12-23: Re: [Bug 309214] Re: firefox shouldnt suggest to open .exe files with wine (virus)

On Tue, Dec 23, 2008 at 2:43 AM, John Vivirito <email address hidden> wrote:

> What is wrong with our firefox that you have to run it in wine?
>

I don't run firefox via wine. I run the regular ubuntu-packaged firefox, but
the problem is that he is prone to running windows virii with wine.

Revision history for this message

In Mozilla Bugzilla #477532, Joseph Smidt (jsmidt) wrote on 2009-02-08:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5

When you use Firefox in Linux, will try to open .exe files using wine. It would be nice if it made sure a virus was not being opened. This bug report is derived from a bug reported in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/309214.

Reproducible: Always

Steps to Reproduce:
1. Find a virus with a .exe extension
2. Try to open it. (With wine)
3.
Actual Results:
Firefox lets wine install the virus

Expected Results:
Firefox does a good job keeping its users safe from bed things on the internet. It would be nice if it prevented wine from opening a virus.

Revision history for this message

In Mozilla Bugzilla #477532, Michael Kohler (michaelkohler) wrote on 2009-02-08:

I guess that's not the job of Firefox. Wine should let check if it's a virus..

You can also choose with which application the exe will be opened.

Revision history for this message

Joseph Smidt (jsmidt) wrote on 2009-02-09:

This bug report has been sent upstream with a request to prevent Firefox from letting wine open viruses: https://bugzilla.mozilla.org/show_bug.cgi?id=477532.

Bug Watch Updater (bug-watch-updater) on 2009-02-09

Changed in bugzilla:
status:	Unknown → New

Revision history for this message

Joseph Smidt (jsmidt) wrote on 2009-02-09:

Added bug watch.

Revision history for this message

In Mozilla Bugzilla #477532, Matti-mversen (matti-mversen) wrote on 2009-02-09:

Firefox can not protect a user from himself.
How should know if you are downloading a virus or not ?

That is not our problem is the user decides to run random .exe files with Wine.

Bug Watch Updater (bug-watch-updater) on 2009-02-10

Changed in bugzilla:
status:	New → Won't Fix

Revision history for this message

Patola (patola) wrote on 2009-02-10:

#10

What do you mean by "won't fix"? Why not? This is a particularly dangerous security concern! Firefox should NOT run arbitrary executables from the internet. Should Ubuntu become another Windows?

Revision history for this message

John Vivirito (gnomefreak) wrote on 2009-02-12:

#11

I agree with upstream's comments. If you are going to install virus' than its your problem not firefox. maybe file a bug upstream with wine to check the file you are trying to run.

Changed in firefox:
status:	New → Invalid
status:	Triaged → Invalid

Revision history for this message

Patola (patola) wrote on 2009-02-12:

#12

Yay, right. I agree that is difficult to blame it on Firefox. But that does not mean that there's not a problem. The distribution should take steps to protects their users. It just happens that the combination of MIME types, browsers and wine can lead an user to compromise his/her system. Shouldn't this hole be closed?

Couldn't the ubufox package include some programming that blocks wine programs from being executed? After all, I don't think it's common for an user to run windows programs from the web except in the case of viruses/worms.

Revision history for this message

In Mozilla Bugzilla #477532, Alexander Sack (asac) wrote on 2009-02-13:

#13

I think what the reporter asks for is to make a similar behaviour for .exe files on linux like we currently have on windows for .exe files, e.g. only allow to download.

Was that understood? Personally, I think is somewhat a valid request; though not really a severe one for now.

reopening.

Revision history for this message

In Mozilla Bugzilla #477532, Alexander Sack (asac) wrote on 2009-02-13:

#14

for now moving to downloadmanager where we could handle this.

Revision history for this message

In Mozilla Bugzilla #477532, Colin Walters (walters) wrote on 2009-02-13:

#15

I would argue this is a GNOME bug - we should have a generic warning interception dialog for when you try to execute unsandboxed code downloaded from the Internet. IIRC there was some sort of attempt at this somewhere (nautilus?). Needs investigation.

Revision history for this message

Alexander Sack (asac) wrote on 2009-02-13: Re: [Bug 309214] Re: firefox shouldnt suggest to open .exe files with wine (virus)

#16

On Thu, Feb 12, 2009 at 04:59:49PM -0000, Patola wrote:
> Yay, right. I agree that is difficult to blame it on Firefox. But that
> does not mean that there's not a problem. The distribution should take
> steps to protects their users. It just happens that the combination of
> MIME types, browsers and wine can lead an user to compromise his/her
> system. Shouldn't this hole be closed?
>
> Couldn't the ubufox package include some programming that blocks wine
> programs from being executed? After all, I don't think it's common for
> an user to run windows programs from the web except in the case of
> viruses/worms.
>

I reopened your upstream bug and confirmed it. I think they didnt
really understand the request you made because you wrote it in a kind
of generic fashion ... lets see.

affects ubuntu/firefox-3.0
status triaged

I dont think its really severe, setting to medium

importance medium

- Alexander

Changed in firefox-3.0:
status:	Invalid → Triaged

Bug Watch Updater (bug-watch-updater) on 2009-02-13

Changed in bugzilla:
status:	Won't Fix → Confirmed

Tormod Volden (tormodvolden) on 2009-03-15

Changed in firefox:
importance:	Undecided → Unknown
status:	Invalid → Unknown
Changed in bugzilla:
importance:	Unknown → Undecided
status:	Confirmed → New
status:	New → Invalid

Bug Watch Updater (bug-watch-updater) on 2009-03-15

Changed in firefox:
status:	Unknown → Confirmed

Revision history for this message

Scott Ritchie (scottritchie) wrote on 2009-05-04:

#17

See also: https://bugs.edge.launchpad.net/ubuntu/+source/wine/+bug/355005 (in fact this might be a dupe).

I'll repeat the comment I made there: why can't Firefox do the same thing it does in Windows when you download an executable file? Firefox has specific behavior there to warn the user about executables.

Revision history for this message

In Mozilla Bugzilla #477532, Alexander Sack (asac) wrote on 2009-05-05:

#18

Colin, how is this a gnome bug? All the app handling and mime code is kind of redone on mozilla side atm. At some point we might have the system application chooser for gnome integrated in firefox; at that point it would probably become a gnome bug, but not for now.

Technically, there shouldnt be much wizardry required here, except to hard code that .exe files are always unsafe - even on linux. See: https://bugs.edge.launchpad.net/ubuntu/+source/firefox-3.0/+bug/309214/comments/11

Revision history for this message

In Mozilla Bugzilla #477532, Colin Walters (walters) wrote on 2009-05-05:

#19

What I'm saying is that if GNOME provided some facility for applications to check whether a file was downloaded from the internet, and pop up a warning dialog, it could be reused not only in Firefox but also in say Empathy/Pidgin file transfers.

I know Firefox does application handling manually now, but there's not a reason that can't be changed.

Revision history for this message

In Mozilla Bugzilla #477532, Matti-mversen (matti-mversen) wrote on 2009-05-11:

#20

*** Bug 492456 has been marked as a duplicate of this bug. ***

Revision history for this message

Micah Gersten (micahg) wrote on 2009-11-27:

#21

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 355005, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find.