
Question

Standard security advice is:

Only download files from websites that you trust.

http://windows.microsoft.com/en-ca/windows/downloading-files-internet-faq

This implies that 1. we are active agents when downloading files from websites and 2. websites cannot download files to our computer without our interaction.

So, let's say I am using Firefox. I go to a sketchy website. Can that website download malicious content to my computer without my interaction or awareness?

Optional Context

I know that web browsers render content on my computer when I surf the web. In one sense then, they are always "downloading" stuff to my computer. Most of that stuff I don't consider to be a download, though. Even streaming videos, while they may cache content, are not downloads in this sense, and I assume these non-downloads do not pose a security threat.

By download, I am talking about what, by default, appears in the Downloads folder of my Windows computer. Usually, I have to click a download link, confirm that I want to save/open the file, and then watch the Firefox download progress. The downloaded file appears in my Downloads folder.

As such, I have given the download permission, I am aware as it is happening, and I can see evidence after it has happened, because it is in my Downloads folder. Further, I have to open the download before it runs. It's an interactive procedure.

Result: I feel safe on a sketchy website, if I do not initiate or accept any downloads. Am I misguided? Can downloads from websites happen without my interaction or awareness?

  1. without my clicking a link on a website
  2. without my giving permission to save/open the file
  3. without the Firefox download progress indicator showing a download, and
  4. without the download appearing in the Downloads folder.
Shaun Luttin
  • From one perspective, the whole point of a web browser is to download files to your local computer, and you don't approve each file as it comes. Can you qualify your question? – schroeder May 30 '14 at 15:56
  • @schroeder Done. I have updated my question. I am referring to what usually appears in the Downloads folder on my Windows computer. – Shaun Luttin May 30 '14 at 16:24
  • By using and exploiting flaws in your web browser through embedded Javascript programs... Yes. – perror May 30 '14 at 16:35
  • @perror Can you please provide a link that helps to learn more about this threat? – Shaun Luttin May 30 '14 at 16:37
  • It usually goes through heap-overflow exploitation. For example, you may refer to: [Heap Feng Shui in JavaScript](http://www.phreedom.org/research/heap-feng-shui/heap-feng-shui.html) by Alexander Sotirov. – perror May 30 '14 at 16:48
  • @perror Thank you. I will search that term. I've also learned now that these are sometimes called drive-by-downloads. (Note: Avast screened the link you posted as malicious.) – Shaun Luttin May 30 '14 at 16:50
  • @ShaunLuttin: Yes, these are commonly used in the kind of scenario you were describing. Sorry to not have written a full answer, but I can't spend too much time on it now. :-/ – perror May 30 '14 at 16:52

1 Answer


Latest version of Firefox? Not that I'm aware of, though in the past there has been at least one remote execution vulnerability that could be used for surreptitious downloading (though I'm not aware of it being used for that; rather, it was used to unmask TOR users).

Historically, the "download without your knowledge or consent" browser was Internet Explorer: ActiveX controls were originally intended to be downloaded automatically, and even once Microsoft realized this was a bad idea, there have been various exploits that would let attackers bypass protection.

Mark