Closed Bug 195173 Opened 22 years ago Closed 22 years ago

EXE file extension added to mail attachments with Content-Type: Application/Octet-stream;

Categories

(MailNews Core :: Attachments, defect)

x86
Windows 98
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 65827

People

(Reporter: elana, Assigned: mscott)

Details

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030217
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030217

Email attachments that have (Content-Type: Application/Octet-stream;) will be saved by the Mozilla Mail client with an .EXE extension. (When double clicked)

Why this is confusing and potentially a security risk to Windows users.

#1 When viewing the “Attachment:” window you see the following:
The file name: picture.tif (no .exe extension is visible)
The icon that corresponds with the file extension. (In my case the icon for Kodak Imaging software, the system default for .tif files, appears) (See Attachment Received.gif)

#2 How this could be a security risk:
If the file with a name like “picture.tif” is in reality a Windows executable of some type (worst case scenario it does something bad).
If, when the save dialog box opens, the user does not notice the .exe added to the end of the file name. “Picture.tif.exe” (This is the only place that you would notice this)
If the application’s default icon looks like what the file is masquerading as. (In my case again the Kodak Imaging icon) there is no way to visually notice that anything is amiss. Especially if the file name is long enough to cause the .exe to not show (See Attachment Desktop.gif)
If the user double clicks on what now appears to be a graphics file the program will execute.

Reproducible: Always

Steps to Reproduce:
1. In Mozilla create an email and attach a file. I believe this will work with any file type, but I have only tested this with TIFF files and EXEs renamed with .TIF extensions.
2. Save the email as a draft & exit Mozilla
3. Using a text editor open the mail file and change the file Content-Type: from image/tiff; to Application/Octet-stream;.
4. Restart Mozilla and send your draft email to a Mozilla user.
5. When the mail is received, the email recipient’s message will show that there is an email attachment. Double click on the email attachment.

Actual Results:
The “Enter name of file to save to…” dialog box comes up. The default file name is the name that appeared in the Attachments: window with the .exe appended to the filename. (i.e. picture.tif.exe)

Expected Results:
Double clicking should either launch the appropriate helper application, or give you an options menu. “Run this file with …, Save As, Cancel”.

Interestingly, if you right click on the attachment and choose “Save Attachment As” the “Save Attachment” dialog comes up and defaults to the file name without the .exe extension added to it.

I am using Mozilla 1.3b Build ID: 2003021704 on Windows 98, Modern Theme. I am composing my email in plain text mode.

I noticed this problem because faxes from j2.com that contain TIFF files are coded as Content-Type: Application/Octet-stream;

It looks like there is a similar sort of problem with the browser. Bug 65827
Also, Bug 193943 looks at this problem from a more narrow scope, just Excel files.
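A mail-gateway style check for the condition described in the report above, as an added example that is not part of the original bug report or of Mozilla's code: it flags attachments sent as application/octet-stream whose name implies another type, and attachments whose leading bytes are an executable header while the name carries a non-executable extension. The sample message, its file names, and the short magic-byte and extension tables are constructed for illustration.

```python
import mimetypes
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative tables (assumptions, not exhaustive). "MZ" opens a DOS/Windows
# executable; the two four-byte values are the TIFF byte-order headers.
MAGIC = {b"MZ": "exe", b"II*\x00": "tiff", b"MM\x00*": "tiff"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def sniff(payload: bytes):
    """Return a coarse format name from the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None


def audit_attachments(raw: bytes):
    """Return a (filename, declared_type, findings) tuple per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        findings = []
        if declared == "application/octet-stream":
            guessed, _ = mimetypes.guess_type(name)
            if guessed and guessed != declared:
                findings.append(f"generic type declared, name implies {guessed}")
        if sniff(payload) == "exe" and ext not in EXECUTABLE_EXTS:
            findings.append("executable content behind non-executable extension")
        report.append((name, declared, findings))
    return report


def build_sample() -> bytes:
    """Constructed message: a TIFF header and an MZ header, both named .tif."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name, data in (("picture.tif", b"II*\x00"), ("StealthExe.tif", b"MZ")):
        msg.add_attachment(data + b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```
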
Have you assigned a helper app to application/octet-stream in edit\preferences\Navigator\Helper Apps?
Attached image StealthExe.tif.exe on Desktop (deleted) —
> It looks like there is a similar sort of problem with the browser. Bug 65827

Yeah, it's similar like "the same" -- the same code is used. ;)

*** This bug has been marked as a duplicate of 65827 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core