
Support Forum

Firefox downloads a file, even if I choose "Cancel"


This is a security issue.

I have Firefox set to always ask what to do with a download. However, a malicious website ad pushed the browser to a website posing as a Firefox update site.

This fake site popped up a download window for an obviously fake Firefox update. Knowing it was fake, and probably malicious, I clicked the cancel button to prevent any malicious code from getting on my PC.

However.... Firefox apparently started downloading the file before I could click cancel (probably as an idea to save time). The problem with this is that Windows Defender detected the malicious file on the computer a few seconds later.

As the user, I clicked cancel. I would expect that THERE IS NO PART OF THE DOWNLOADED FILE anywhere on the computer unless I click "Save File".... It is a security risk to start downloading the file at all.

The file in question was located in C:\Users\MyName\AppData\Local\Temp\WNQJod1_.exe.part (which I assume is a random filename with ".part" added on while the file is only partially downloaded.)

Thankfully an antivirus program detected this flaw, but Firefox can do better by not auto-downloading any file until the user approves the process.


Chosen solution

You may think that it is a security issue, but I disagree with you.

Feel free to file a Bugzilla report here: https://bugzilla.mozilla.org/ Read this first to learn how to write an effective Bug report. https://developer.mozilla.org/en/Bug_writing_guidelines


Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 15.16.20045
  • Version 5.1.4.17398
  • Google Talk Plugin Video Accelerator version:0.1.44.29
  • Google Update
  • Intel web components updater - Installs and updates the Intel web components
  • Intel web components for Intel® Identity Protection Technology
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.91.2 for Mozilla browsers
  • Office Authorization plug-in for NPAPI browsers
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Shockwave Flash 22.0 r0
  • 5.1.50428.0

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0

More Information

Question owner

To test this safely for yourself, set your browser to "Always ask me where to save files" on the General tab of preferences.

After doing the above, visit the EICAR anti-virus test file download page.

http://www.eicar.org/85-0-Download.html

When you click on one of the downloadable test files, let the "Save as" dialog open, but DO NOT press any button. Just wait about a minute or less...

Your antivirus software will notify you that a malicious file is on your computer.

Now, some people argue that clicking on the link to download a file is a request for the file made by the user, and that's why the download is begun before you finish selecting where to save the file. This can be considered incorrect in the event of a malicious website that prompts to download a file via an HTML "meta" tag, an HTTP header setting, or some other JavaScript mechanism that can start the browser downloading a file without the user initializing the action.

cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156837 answers

That is how it works in Firefox. Once you click the downloads button then Firefox starts downloading the file in the background to the OS temp folder. When you cancel the download then Firefox will delete the file unless your security software is locking the file to prevent access.

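A way to check both claims above for yourself during the EICAR test (that the `.part` file appears in the temp folder before you answer the "Save as" dialog, and that cancelling removes it promptly unless security software holds it): this added script, which is not code from the thread or from Mozilla, polls the OS temp directory for `.part` files and reports how long each one lived. It assumes Python 3 and that `tempfile.gettempdir()` resolves to the same folder Firefox uses (on Windows that is %LOCALAPPDATA%\Temp, the path named in the first post).

```python
"""Watch a temp dir for Firefox '.part' download files and report how long
each one existed. Added example; not code from the thread or from Mozilla."""
import fnmatch
import os
import tempfile
import time

def snapshot(tmp_dir, pattern="*.part"):  # Firefox writes downloads as <random>.<ext>.part
    """Return the set of file names in tmp_dir matching pattern."""
    try:
        names = os.listdir(tmp_dir)
    except OSError:  # missing or unreadable directory counts as empty
        return set()
    return {n for n in names if fnmatch.fnmatch(n, pattern)}

def diff_snapshots(before, after):
    """Return (created, deleted) name sets between two snapshots."""
    return after - before, before - after

def lifetimes(events):
    """Map each .part name to seconds between creation and deletion; a file
    still present when the watch ended maps to None."""
    started, result = {}, {}
    for ts, kind, name in events:
        if kind == "created":
            started[name] = ts
            result[name] = None
        elif kind == "deleted" and name in started:
            result[name] = round(ts - started.pop(name), 3)
    return result

def watch(tmp_dir=None, duration=60.0, interval=0.5):
    """Poll tmp_dir for `duration` seconds; return (t, kind, name) events."""
    tmp_dir = tmp_dir or tempfile.gettempdir()  # %LOCALAPPDATA%\Temp on Windows
    t0 = time.monotonic()
    prev = snapshot(tmp_dir)
    events = [(0.0, "created", n) for n in sorted(prev)]  # already there at start
    while time.monotonic() - t0 < duration:
        time.sleep(interval)
        cur = snapshot(tmp_dir)
        created, deleted = diff_snapshots(prev, cur)
        now = round(time.monotonic() - t0, 3)
        events += [(now, "created", n) for n in sorted(created)]
        events += [(now, "deleted", n) for n in sorted(deleted)]
        prev = cur
    return events

if __name__ == "__main__":  # run while the EICAR "Save as" dialog is open, then cancel
    for name, secs in lifetimes(watch()).items():
        print(name, "still present" if secs is None else f"removed after {secs}s")
```

A `.part` file that is reported as still present long after you pressed Cancel is the case cor-el describes, where the antivirus has locked the file and Firefox could not delete it.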

Question owner

I know that's how it works. This is a security issue I think development needs to fix. How do you post something so that they can fix it?

the-edmeister
  • Top 25 Contributor
  • Moderator
5391 solutions 40034 answers

Chosen Solution

You may think that it is a security issue, but I disagree with you.

Feel free to file a Bugzilla report here: https://bugzilla.mozilla.org/ Read this first to learn how to write an effective Bug report. https://developer.mozilla.org/en/Bug_writing_guidelines


Question owner

The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.

cor-el
  • Top 10 Contributor
  • Moderator
17352 solutions 156837 answers

Firefox will (should) remove the file immediately when you cancel the download. If you do not open the file then there shouldn't be a problem.

See this article for a similar issue with the cache and security software:

https://support.mozilla.org/kb/Firefox+cache+file+was+infected+with+a+virus

James
  • Moderator
1594 solutions 11226 answers

rgagnon24 said:

The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.

The fake firefox-patch.exe is not an issue in this case unless the user actually runs the .exe.

Question owner

The response from cor-el with the link to:

https://support.mozilla.org/kb/Firefox+cache+file+was+infected+with+a+virus

seems to be about as far as anyone can go with this. It makes sense, and I know that not running the program means you won't get infected, unless there becomes a flaw in a program anywhere... such as Firefox, an antivirus program (which HAS happened in the past, i.e. Sophos) or something else that might be forced into running a file that is on the disk.

I guess this ticket can be closed, but I still stand by the best practice of not doing something to a user's PC if their understanding is that nothing is being done. From the perspective of the user, the cancel button means nothing goes to disk, whereas it seems that Mozilla's position is that they can write anything they want as long as it goes into the cache without regard to what the user believes is happening.

This is similar to the government listening and recording phone calls just in case they need them in the future, but they might not keep them.
