Mozilla Foundation Security Advisory 2006-13
Downloading executables with "Save Image As..."
- April 13, 2006
- Michael Krax
- Firefox, Mozilla Suite, SeaMonkey
- Fixed in
- Firefox 1.0.8
- Firefox 1.5
- Mozilla Suite 1.7.13
- SeaMonkey 1
By layering a transparent image link to an executable on top of a visible (and presumably desirable) image a malicious site might be able to convince some visitors to right-click and choose "Save image as..." from the context menu and fool them by giving them the executable instead. When the users later double-click on the saved "image" to view or edit it the attacker's malware would be run.
The attacker could put a lot of spaces before the extension to hide it by pushing it out of the standard file-saving dialog, and once downloaded the default Windows behavior of hiding the extension could make a filename such as "bikini.jpg .exe" look like a legitimate image. The attacker could further this illusion by embedding a common image icon into the executable.
Check the filename carefully on the save dialog and do not save files unless everything is as you expected. On Windows the highlighting of the filename should stop where you think the filename ends; if the highlighting fills the entire filename box use the arrow keys to scroll. The "Save as type" drop-down should say the appropriate image type and not "Application".
Windows users should modify their system preferences to show file extensions.