When Security becomes annoying - Saving a .docx file from a web site automagically saves as a zip

Brad's profileSharePoint BlogPhotosBlogLists

< Previous Next >

October 28

When Security becomes annoying - Saving a .docx file from a web site automagically saves as a zip

I hate it when things don't go right on my computer. One of the things I've been annoyed with lately is how on some sites, when I click on a .docx file to open it or save it, it always reads the file "header" (the first part of the file) and thinks that it's a ZIP file (which it kind of is - except I don't want it to open in WinZip, I want to open it in Word).

I finally got jack of it tonight. Tools down, I was going to fix this problem come hell or high water. First thing I did was Google the problem - Heaps of hits on it. Great! this will be a cinch! The sites I opened though had other ideas on what they thought was a "helpful" solution.

Change the filename during the save dialog (Duh! Been there - I want a fix, not a workaround).
Rename it once you save it (these mental giants were having a laugh at me)
Use Firefox (I almost expected to find this on a Firefox site once I read it - I live in the Microsoft world)
Add the site to your trusted sites (again, not a solution but a workaround every time I saw the problem)
Change the MIME types on the web server... now this was interesting... okay, apparently a .NET framework update came out with a new set of MIME types that indicated what application should open up what file - this was controlled by the Web site administrator though, so out of my reach
Disable IE's habit of "sniffing" the file header and working it out based on what it saw <-- BINGO!

What was happening - in web servers that had not been recently updated, the docx and pptx and xlsx file types were not registered properly on the web server. As a result, IE downloads the start of the file, looks at the first few bytes and assesses what it thinks is the correct application to open it with. This prevents someone from "disguising one file as another type, just by changing the extension (eg renaming .exe to .txt). It's a security feature - Firefox does not have it (which is why the Firefox solution works).
As some would know, the docx format is a renamed zip (cab?) file with lots of XML data in it. In fact, you can rename any docx file to .zip and have a look at its innards. This is why it picked .ZIP as the extension.

The other solution is to disable this IE security feature in the Registry. Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING

Change iexplore.exe's DWORD value from 1 to 0 - this allows the OS to take over and use the native application. Security lowered, problem solved... Well, kind of.

Brad

9:57 PM | Blog it

Comments (2)

To add a comment, sign in with your Windows Live ID (if you use Hotmail, Messenger, or Xbox LIVE, you have a Windows Live ID). Sign in

Don't have a Windows Live ID? Sign up

	Brad Saidewrote: @Yaohan - you're right of course, it lowers the security of your local machine (thus the final comment). It poses a problem that I don't have an optimal answer to - but it has certainly solved some frustration I was experiencing daily (Our webmail server has this problem) Nov. 16
	Yaohan Yaohanwrote: It sounds like a security vulnerability if you do that to your machine, so just be careful. some web masters need to update their web servers to not only handle 3 letter type MIME types, but also 4. Oct. 29

Trackbacks

The trackback URL for this entry is:

http://sharepointblog.spaces.live.com/blog/cns!74C8FB1191265567!616.trak

Weblogs that reference this entry

None