[WEB SECURITY] Re: Minimal User Interaction with Links

Steven M. Christey coley at linus.mitre.org
Fri Aug 14 17:11:20 EDT 2009


On Fri, 14 Aug 2009, Micheal Espinola Jr wrote:

> Under normal circumstances, no, it is not possible in this day and age
> (i.e. with an up-to-date OS) to automatically execute/save a file by
> clicking a link.

It's possible to do this automatically, without any user interaction, by
referencing vulnerable ActiveX controls with insecure exposed methods with
names like DownloadAndExecuteFile() (see CVE-2008-4586 for example).

These types of issues are starting to show up fairly regularly in CVE.
Very few researchers seem to be paying attention to Firefox plug-ins, but
once they do, I expect to see similar results there, too.

Theoretically it's within the browsers' security models to avoid the
automatic save/execute of files, but browser bugs and the aforementioned
plugin vulnerabilities mean that practically speaking, it's still
possible.  I assume the more knowledgeable Flash experts among us have
their own suggestions.

- Steve
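The defensive counterpart to the ActiveX problem Steve describes is the IE "kill bit": a per-CLSID "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility with bit 0x400 set, which stops the browser from instantiating that control at all (Microsoft KB 240797). The script below is an added example, not part of this thread or anyone's posted code: it audits a registry export (the sample export and its CLSIDs are constructed placeholders, not the control behind CVE-2008-4586) for which controls are actually kill-bitted, reports the ones an organisation's block list still lacks, and generates a .reg file that applies the bit.

```python
import re

# Bit in "Compatibility Flags" that blocks an ActiveX control in IE (MS KB 240797).
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of a `reg export` of the compatibility key. The CLSIDs are
# placeholders invented for this example; they do not identify real controls.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BBBBBBBB-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CCCCCCCC-0000-0000-0000-000000000003}]
"SomeOtherValue"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Map each CLSID under the compatibility key to its Compatibility Flags.

    A CLSID subkey with no "Compatibility Flags" value is recorded as 0, i.e.
    not blocked; subkeys outside the compatibility key are ignored.
    """
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)
            continue
        if line.startswith("["):
            current = None  # some unrelated key; skip its values
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def killbitted_clsids(reg_text):
    """CLSIDs whose flags have the kill bit set (sorted for stable output)."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT)


def missing_killbit(reg_text, required):
    """Entries of a block list that are NOT yet kill-bitted on this machine."""
    have = set(killbitted_clsids(reg_text))
    return sorted(c.upper() for c in required if c.upper() not in have)


def killbit_reg_export(clsids):
    """Build a .reg file that sets the kill bit for each CLSID.

    The value is written as exactly KILL_BIT; if a control already carries other
    compatibility flags, merge them before importing rather than overwriting.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append(f"[{COMPAT_KEY}\\{c.upper()}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    block_list = ["{AAAAAAAA-0000-0000-0000-000000000001}",
                  "{BBBBBBBB-0000-0000-0000-000000000002}"]  # constructed placeholders
    print("kill-bitted:", killbitted_clsids(SAMPLE_REG_EXPORT))
    gaps = missing_killbit(SAMPLE_REG_EXPORT, block_list)
    print("still exposed:", gaps)
    print(killbit_reg_export(gaps))
```

On a real host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg` (saved as UTF-8 text) and your own CLSID block list; the generated .reg can be imported with `reg import` or pushed through Group Policy Preferences. Note that the kill bit disables a control as a whole, which is the right response when a control exposes a method like the one Steve names and no patched version is available.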
