firefox shouldnt suggest to open .exe files with wine (virus)

Bug #309214 reported by Patola on 2008-12-18
260
Affects Status Importance Assigned to Milestone
Bugzilla
Invalid
Undecided
Unassigned
Mozilla Firefox
Confirmed
Unknown
firefox-3.0 (Ubuntu)
Medium
Unassigned

Bug Description

I understand Ubuntu's need to be as easy as it gets and help the end user, but it this REALLY necessary? Associating wine programs so that firefox tries to run executables from the internet via wine? In my experience, every time I am asked to run a windows executable via firefox, it's a virus.

It might be more than enough to let the user download the executable and, if he is inclined to, run it via wine.

I'd recommend take off all these entries from /etc/mailcap so that firefox does not try to run windows programs/virii:

[patola@ubuntola patola]% grep wine /etc/mailcap
application/x-msdos-program; /usr/bin/wine '%s'; description=Windows Executable
application/x-msdownload; /usr/bin/wine '%s'; description=Windows Executable
application/exe; /usr/bin/wine '%s'; description=Windows Executable
application/x-exe; /usr/bin/wine '%s'; description=Windows Executable
application/dos-exe; /usr/bin/wine '%s'; description=Windows Executable
vms/exe; /usr/bin/wine '%s'; description=Windows Executable
application/x-winexe; /usr/bin/wine '%s'; description=Windows Executable
application/msdos-windows; /usr/bin/wine '%s'; description=Windows Executable
application/x-msdos-program; /usr/bin/wine '%s'; description=Windows Executable
application/x-msi; /usr/bin/wine '%s'; description=Windows Installer archive

Patola (patola) wrote :
Alexander Sack (asac) wrote :

i am not sure how bad virusses are to run in wine, but i agree this isnt really good. the problem is not the mime mapping because users should still be open .exe files by clicking on them in wine.

However, firefox has tweaks for exectuables on windows to not suggest "open with ..." at all for them (just download). I think we should get that behaviour for linux as well.

Changed in firefox:
importance: Undecided → Medium
status: New → Triaged
John Vivirito (gnomefreak) wrote :

What is wrong with our firefox that you have to run it in wine?

On Tue, Dec 23, 2008 at 2:43 AM, John Vivirito <email address hidden> wrote:

> What is wrong with our firefox that you have to run it in wine?
>

I don't run firefox via wine. I run the regular ubuntu-packaged firefox, but
the problem is that he is prone to running windows virii with wine.

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5

When you use Firefox in Linux, will try to open .exe files using wine. It would be nice if it made sure a virus was not being opened. This bug report is derived from a bug reported in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/309214.

Reproducible: Always

Steps to Reproduce:
1. Find a virus with a .exe extension
2. Try to open it. (With wine)
3.
Actual Results:
Firefox lets wine install the virus

Expected Results:
Firefox does a good job keeping its users safe from bed things on the internet. It would be nice if it prevented wine from opening a virus.

I guess that's not the job of Firefox. Wine should let check if it's a virus..

You can also choose with which application the exe will be opened.

Joseph Smidt (jsmidt) wrote :

This bug report has been sent upstream with a request to prevent Firefox from letting wine open viruses: https://bugzilla.mozilla.org/show_bug.cgi?id=477532.

Changed in bugzilla:
status: Unknown → New
Joseph Smidt (jsmidt) wrote :

Added bug watch.

Firefox can not protect a user from himself.
How should know if you are downloading a virus or not ?

That is not our problem is the user decides to run random .exe files with Wine.

Changed in bugzilla:
status: New → Won't Fix
Patola (patola) wrote :

What do you mean by "won't fix"? Why not? This is a particularly dangerous security concern! Firefox should NOT run arbitrary executables from the internet. Should Ubuntu become another Windows?

John Vivirito (gnomefreak) wrote :

I agree with upstream's comments. If you are going to install virus' than its your problem not firefox. maybe file a bug upstream with wine to check the file you are trying to run.

Changed in firefox:
status: New → Invalid
status: Triaged → Invalid
Patola (patola) wrote :

Yay, right. I agree that is difficult to blame it on Firefox. But that does not mean that there's not a problem. The distribution should take steps to protects their users. It just happens that the combination of MIME types, browsers and wine can lead an user to compromise his/her system. Shouldn't this hole be closed?

Couldn't the ubufox package include some programming that blocks wine programs from being executed? After all, I don't think it's common for an user to run windows programs from the web except in the case of viruses/worms.

I think what the reporter asks for is to make a similar behaviour for .exe files on linux like we currently have on windows for .exe files, e.g. only allow to download.

Was that understood? Personally, I think is somewhat a valid request; though not really a severe one for now.

reopening.

for now moving to downloadmanager where we could handle this.

I would argue this is a GNOME bug - we should have a generic warning interception dialog for when you try to execute unsandboxed code downloaded from the Internet. IIRC there was some sort of attempt at this somewhere (nautilus?). Needs investigation.

On Thu, Feb 12, 2009 at 04:59:49PM -0000, Patola wrote:
> Yay, right. I agree that is difficult to blame it on Firefox. But that
> does not mean that there's not a problem. The distribution should take
> steps to protects their users. It just happens that the combination of
> MIME types, browsers and wine can lead an user to compromise his/her
> system. Shouldn't this hole be closed?
>
> Couldn't the ubufox package include some programming that blocks wine
> programs from being executed? After all, I don't think it's common for
> an user to run windows programs from the web except in the case of
> viruses/worms.
>

I reopened your upstream bug and confirmed it. I think they didnt
really understand the request you made because you wrote it in a kind
of generic fashion ... lets see.

 affects ubuntu/firefox-3.0
 status triaged

I dont think its really severe, setting to medium

 importance medium

 - Alexander

Changed in firefox-3.0:
status: Invalid → Triaged
Changed in bugzilla:
status: Won't Fix → Confirmed
Changed in firefox:
importance: Undecided → Unknown
status: Invalid → Unknown
Changed in bugzilla:
importance: Unknown → Undecided
status: Confirmed → New
status: New → Invalid
Changed in firefox:
status: Unknown → Confirmed
Scott Ritchie (scottritchie) wrote :

See also: https://bugs.edge.launchpad.net/ubuntu/+source/wine/+bug/355005 (in fact this might be a dupe).

I'll repeat the comment I made there: why can't Firefox do the same thing it does in Windows when you download an executable file? Firefox has specific behavior there to warn the user about executables.

Colin, how is this a gnome bug? All the app handling and mime code is kind of redone on mozilla side atm. At some point we might have the system application chooser for gnome integrated in firefox; at that point it would probably become a gnome bug, but not for now.

Technically, there shouldnt be much wizardry required here, except to hard code that .exe files are always unsafe - even on linux. See: https://bugs.edge.launchpad.net/ubuntu/+source/firefox-3.0/+bug/309214/comments/11

What I'm saying is that if GNOME provided some facility for applications to check whether a file was downloaded from the internet, and pop up a warning dialog, it could be reused not only in Firefox but also in say Empathy/Pidgin file transfers.

I know Firefox does application handling manually now, but there's not a reason that can't be changed.

*** Bug 492456 has been marked as a duplicate of this bug. ***

Micah Gersten (micahg) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 355005, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.