DevX Home    Today's Headlines   Articles Archive   Tip Bank   Forums   

Results 1 to 11 of 11

Thread: Subj: Regarding security warning while trying to run an executable and digital signat

  1. #1
    Join Date
    Jul 2006
    Posts
    91

    Subj: Regarding security warning while trying to run an executable and digital signat

    Hi

    On my webpage I have several links called “run”, clicking on this link will launch an executable. But, before launching that executable it pops up a security warning dialog box with following message and 3 buttons (Run, save, cancel):-

    Do you want to save this file?
    Name: sample_collada_viwer32.exe
    Type: Application, 736KB
    From: C:\Programm files\samples\sample_collada_viwer\release\
    sample_collada_viwer32.exe

    It’s apparent that when downloading any exe file from the internet it gives this warning message, for example downloading mozilla firefox from the web gives similar security warning dialogbox as above, because Operating system does not trust the remote exe file, bcz it might be harmful.

    But, in my case I have several graphics exe files, developed by graphics programmers, that are located in c:\program files\ samples\nameofsample\nameofsample.exe. And my webpage has “run links” for each of the samples. Clicking on “run” link will launch that sample exe file. But, before that it launches the above security warning file dialog box.

    So, my question is since the webapp/webpage that displays these samples and the actual samples (.exe files) are on the same box, can we prevent the above warning message from poping up?

    Does in any way digital signatures or buying a valid certificate can prevent this security dialog box from popping up. Because, what I think about this warning message is that the browser or operating system cannot trust these exe files and thinks that these might be harmful.

    So, what are the possibilities and/or patches or certificates that are available to make our browser or webpage or operating system to believe that they are not harmful when launched. And if its available how can I get them.

    Any, inputs on this are appreciated.

    Thanks,

  2. #2
    Join Date
    Oct 2005
    Location
    Maady
    Posts
    1,819
    This message appear actually whenever you want to download a file, and accompanied with a security warning if it's an executable file... it's a kind of security implemented in the Internet Explorer .
    buying certificate will just make your website TRUSTED by the web explorer, especially if you buy the trust-logo ; but this won't give you the level of executing files without asking the user. also the digital signature just give you a TRUSTED-PUBLISHER , or a KNOWN-PUBLISHER at least, when the user want to run the program, otherwise there will be another security warning like this : "you are trying to execute a file from untrusted publisher do you want to continue ?"
    In the other hand, if you can tell the user to add your website as trusted website in the web browser, you can use a script that SHELL the file. any kind of those script are always prompt to the user that they were blocked, but if the user add the website to trusted websites, and choose the option to NOT block again contents from this page, the script will run forever and shell whatever you want.

    Hope this can helps.
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com

  3. #3
    Join Date
    Apr 2007
    Location
    Sterling Heights, Michigan
    Posts
    8,663
    Quite frankly, I like that security warning.

    It puts the decision of whether or not I want to run the program in my hands rather than having someone else may that decision for me.

    I stay away from sites that don't give me that warning.

  4. #4
    Join Date
    Oct 2005
    Location
    Maady
    Posts
    1,819
    The site can't decide by itself, any modern web browser will give you this warnning, or block the script; unless you tell the browser that you trust on it.

    if it's not an "executable" file, you can prevent this dialog easily but for executable files -because the security implemented in the browser- you can't by a legal method ...
    and here is two other methods you can use to do that:
    1- as told before using a script to shell the file, but should tell the user to add the website to trusted site.
    2- using php, call the file to be downloaded and in the header put the mime-type as anything other than application [say pdf or document] .. and tell the user to choose to not prompt again for this file type from the checkbox that will appear below to the warning.

    this last method is very risky, it's used by some back-doors to make the user think that he is going to download a document say, and if the user choose "open" the trojan will run ... and if the user choose to save, and the trojan has a fake icon like a document, once he click on it the trojan will execute also... the best solution is to NOT HIDE EXTENSION FOR KNOWN FILE TYPE in windows ...
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com

  5. #5
    Join Date
    Jul 2006
    Posts
    91
    Hi Amahdy,

    Thanks for the reply. Can you refer me to a good article about how to shell a file in Java script.

    Thanks,

  6. #6
    Join Date
    Oct 2005
    Location
    Maady
    Posts
    1,819
    and what about the method you used here :

    http://forums.devx.com/showthread.php?t=165071

    can't it help ? putting the singel quote doesn't solve it and shell the exe ?
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com

  7. #7
    Join Date
    Jul 2006
    Posts
    91
    No, it doesn't work, bcz we cannot open any exe file on a web page. Browser will not allow us to do that due to inbuilt security reasons.

  8. #8
    Join Date
    Apr 2007
    Location
    Sterling Heights, Michigan
    Posts
    8,663
    Quote Originally Posted by srinivasc_it
    No, it doesn't work, bcz we cannot open any exe file on a web page. Browser will not allow us to do that due to inbuilt security reasons.
    Are these inbuilt security settings something that was established by your company admins?

  9. #9
    Join Date
    Oct 2005
    Location
    Maady
    Posts
    1,819

    Arrow

    Quote Originally Posted by srinivasc_it
    No, it doesn't work, bcz we cannot open any exe file on a web page. Browser will not allow us to do that due to inbuilt security reasons.
    Have you put your website as trusted website in the webbrowser ? or what the error you got and what happens when the script run in the browser ? what did you got ?
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com

  10. #10
    Join Date
    Jul 2006
    Posts
    91
    I tryed to test the below code in the browser, but does not launch an explorer nor gives any error mesage:-

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
    <title>Testing</title>
    <script language="javascript" type="text/javascript">
    var shellObject = new ActiveXObject("wscript.Shell");
    function StartThis(CommandToRun)
    {
    shellObject.run(CommandToRun)
    }
    </script>
    </head>
    <body>
    <a href="javascript:StartThis('explorer.exe')">Start explorer</a>
    <br />
    </body>
    </html>

    My company did not set any of these security settings.

    Yes, I have added it in trusted sites list, but still not able to get away with the security warning.


    Thanks,

  11. #11
    Join Date
    Oct 2005
    Location
    Maady
    Posts
    1,819
    This code should run under windows, and with Internet explorer or what webbrowser do you use ?
    if it's not IE don't use "ActiveXObject" and use any alternatives.
    Programmer&Cracker CS
    MyBlog:Blog.Amahdy.com
    MyWebsite:www.Amahdy.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center
 
 
FAQ
Latest Articles
Java
.NET
XML
Database
Enterprise
Questions? Contact us.
C++
Web Development
Wireless
Latest Tips
Open Source


   Development Centers

   -- Android Development Center
   -- Cloud Development Project Center
   -- HTML5 Development Center
   -- Windows Mobile Development Center