Mozilla Foundation Security Advisory 2006-13

Downloading executables with "Save Image As..."

Announced
April 13, 2006
Reporter
Michael Krax
Impact
Moderate
Products
Firefox, Mozilla Suite, SeaMonkey
Fixed in
  • Firefox 1.0.8
  • Firefox 1.5
  • Mozilla Suite 1.7.13
  • SeaMonkey 1

Description

By layering a transparent image that links to an executable on top of a visible (and presumably desirable) image, a malicious site could convince some visitors to right-click and choose "Save Image As..." from the context menu; the file actually saved would be the executable rather than the image. When the user later double-clicks the saved "image" to view or edit it, the attacker's malware runs instead.

The attacker could pad the filename with many spaces before the real extension so that it is pushed out of view in the standard file-saving dialog, and once the file is saved, Windows' default behavior of hiding known file extensions could make a filename such as "bikini.jpg        .exe" look like a legitimate image. The attacker could further the illusion by embedding a standard image-file icon in the executable.

Workaround

Check the filename carefully in the save dialog and do not save the file unless everything is as you expect. On Windows the highlighting of the filename should stop where you think the filename ends; if the highlighting fills the entire filename box, use the arrow keys to scroll through the rest of the name. The "Save as type" drop-down should show the appropriate image type and not "Application".

Windows users should modify their system preferences to show file extensions.
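The following is an added example, not code from this advisory or from Firefox. It turns the description and the workaround above into checks that can be run over a saved file: a filename check that flags the whitespace-padded and double-extension names the advisory describes, a rough model of what Windows Explorer shows when known extensions are hidden, and a magic-byte check on the file contents that does not trust the name at all. The executable-extension list, the sample filenames and the byte stubs are constructed for illustration and are not taken from the advisory.

```javascript
// Added example; not part of the Mozilla advisory. Sample names and byte stubs
// below are constructed for illustration.

// Extensions Windows will execute when double-clicked (illustrative list).
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "scr", "com", "pif", "bat", "cmd", "msi", "vbs", "js", "jse", "wsf", "hta", "lnk",
]);
const IMAGE_EXTENSIONS = new Set(["jpg", "jpeg", "png", "gif"]);

// Final extension, lowercased, ignoring whitespace that may trail the name.
function finalExtension(filename) {
  const trimmed = filename.replace(/\s+$/, "");
  const dot = trimmed.lastIndexOf(".");
  return dot < 0 ? "" : trimmed.slice(dot + 1).toLowerCase();
}

// Flags the tricks in the advisory: spaces pushed in before the real extension
// ("bikini.jpg        .exe"), an image extension in front of an executable one,
// and a final extension that Windows will execute rather than open as an image.
function analyzeFilename(filename) {
  const findings = [];
  const extension = finalExtension(filename);
  if (/\s+\.[^.]*$/.test(filename)) {
    findings.push("whitespace padding before the final extension");
  }
  const parts = filename.replace(/\s+$/, "").split(".").map((p) => p.trim().toLowerCase());
  const innerParts = parts.slice(1, -1); // extension-like parts before the last one
  if (innerParts.some((p) => IMAGE_EXTENSIONS.has(p)) && EXECUTABLE_EXTENSIONS.has(extension)) {
    findings.push("image extension hides an executable extension");
  }
  if (EXECUTABLE_EXTENSIONS.has(extension)) {
    findings.push(`final extension .${extension} is executable`);
  }
  return { extension, suspicious: findings.length > 0, findings };
}

// Rough model of Explorer's "Hide extensions for known file types": the last
// extension is dropped from the displayed name, so the padded name above is
// shown as "bikini.jpg" followed by spaces the user will not notice.
function explorerDisplayName(filename, hideKnownExtensions = true) {
  const dot = filename.lastIndexOf(".");
  if (!hideKnownExtensions || dot <= 0) return filename;
  return filename.slice(0, dot);
}

// Magic-byte signatures. A Windows executable (PE) begins with "MZ"; real
// images begin with their own signatures. The filename plays no part here.
const SIGNATURES = [
  { type: "jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "gif", bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: "pe", bytes: [0x4d, 0x5a] },
];

function sniffContent(bytes) {
  for (const sig of SIGNATURES) {
    if (bytes.length >= sig.bytes.length && sig.bytes.every((b, i) => bytes[i] === b)) {
      return sig.type;
    }
  }
  return "unknown";
}

// Combined verdict: reject when the name or the bytes indicate an executable,
// or when the name claims an image type that the bytes do not bear out.
function checkDownload(filename, bytes) {
  const name = analyzeFilename(filename);
  const content = sniffContent(bytes);
  const reasons = [...name.findings];
  if (content === "pe") reasons.push("contents are a Windows PE executable");
  if (IMAGE_EXTENSIONS.has(name.extension) && !["jpeg", "png", "gif"].includes(content)) {
    reasons.push(`extension .${name.extension} claims an image but contents are ${content}`);
  }
  return { accept: reasons.length === 0, content, reasons };
}

// Constructed stubs: the first bytes of a PE executable and of a JPEG file.
const PE_STUB = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]);
const JPEG_STUB = Uint8Array.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46]);

const SAMPLES = [
  ["bikini.jpg" + " ".repeat(8) + ".exe", PE_STUB], // the advisory's padded name
  ["bikini.jpg", JPEG_STUB],                        // a genuine image
  ["holiday.jpg", PE_STUB],                         // clean name, executable bytes
];

for (const [filename, bytes] of SAMPLES) {
  const verdict = checkDownload(filename, bytes);
  console.log(JSON.stringify(explorerDisplayName(filename)),
              verdict.accept ? "accept" : "reject", verdict.reasons);
}
```

The content check is the one that matters: a renamed executable defeats any amount of careful reading of the save dialog, whereas the "MZ" header cannot be hidden by spaces, icons or an Explorer setting. The third sample shows why the two checks are combined rather than relying on the filename alone.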

References