Occasionally we get security reports that go something like this:<\/p>\n
\nInstall the ContosoScript scripting language interpreter. it uses the file extension .contososcript<\/tt>. Write a script that does \u27e6 something malicious \u27e7 and put it on a Web site so it can be downloaded. Download the script to your Downloads folder, and then run it by double-clicking it from Explorer.<\/p>\n
Notice that no warning appears. The ContosoScript interpreter runs the malicious script which \u27e6 something malicious \u27e7.<\/p>\n<\/blockquote>\n
There are other variations of this report, like putting the malicious script on a malicious file share, but they all boil down to “Nobody stopped me from running this malicious script!”<\/p>\n
Windows takes several things into consideration when deciding whether a file with a non-local source requires an extra warning before opening. The relevant one here is whether the file extension is considered “dangerous to use with untrusted files.”<\/p>\n
Identifying these dangerous extensions is done by the function AssocIsDangerous()<\/tt><\/a>, and it consults a hard-coded list of known dangerous extensions (like .bat<\/tt> and .reg<\/tt>) as well as checking whether the file type reports itself as dangerous.<\/p>\n
The documentation for registering file types<\/a> calls out that “a ProgID subkey should include the following elements”, and one of them is the EditFlags<\/tt> registry value which allows the file type to report various attributes about itself. One of them is FTA_Always\u00adUnsafe<\/tt><\/a>, which is documented as<\/p>\n
\nPrevents the Never ask me<\/b> check box from being enabled. Use of this flag means FTA_OpenIsSafe<\/b> is not respected and AssocIsDangerous<\/a> always returns TRUE<\/b><\/span>.<\/p>\n
If your file type can execute code, you should always use this flag or ensure that the file type handlers mitigate risks, for example, by producing warning prompts before running the code.<\/p>\n<\/blockquote>\n
If your file type has the ability to execute code when opened (for example, if it is a scripting language interpreter), then set the FTA_Always\u00adUnsafe<\/tt> flag in your type registration to indicate that it is “unsafe at any speed.”<\/p>\n