Razi Shaban wrote Wednesday, September 03, 2008 2:04 PM
> There's a huge difference between downloading and running.
> If a file that is unwanted is auto-downloaded, just delete it.
> No harm done.

Unapproved download does open exploit vectors against other vulnerabilities, especially when the download is to a location the attacker can predict.

Merely opening a folder in a GUI triggers exploitable actions such as icon display. Desktop.ini in Windows triggers actions when its containing folder is opened. Selecting a file to delete it can trigger other exploitable actions. Anti-virus scans and other automatic processes can be exploited by the download or even the mere presence of some hostile files. There is plenty of actual malware in the wild that only needs you to touch the file or scan it with AV or list it in the GUI to be owned, depending on companion vulnerabilities.

Some vulnerability exploits are mitigated by their need to access a local file from a known location. Automatic file downloading to a predictable location eliminates that mitigation.

So users should always be prompted when content is copied to any location other than their browser cache, and higher-risk file types should not even go to the cache without giving the user a fighting chance to refuse the file.