When Security becomes annoying – Saving a .docx file from a web site automagically saves as a zip

I hate it when things don’t go right on my computer. One of the things I’ve been annoyed with lately is how on some sites, when I click on a .docx file to open it or save it, it always reads the file "header" (the first part of the file) and thinks that it’s a ZIP file (which it kind of is – except I don’t want it to open in WinZip, I want to open it in Word).
 
I finally got jack of it tonight. Tools down, I was going to fix this problem come hell or high water. First thing I did was Google the problem – Heaps of hits on it. Great! this will be a cinch! The sites I opened though had other ideas on what they thought was a "helpful" solution.
  • Change the filename during the save dialog (Duh! Been there – I want a fix, not a workaround).
  • Rename it once you save it (these mental giants were having a laugh at me)
  • Use Firefox (I almost expected to find this on a Firefox site once I read it – I live in the Microsoft world)
  • Add the site to your trusted sites (again, not a solution but a workaround every time I saw the problem)
  • Change the MIME types on the web server… now this was interesting… okay, apparently a .NET framework update came out with a new set of MIME types that indicated what application should open up what file – this was controlled by the Web site administrator though, so out of my reach
  • Disable IE’s habit of "sniffing" the file header and working it out based on what it saw <– BINGO!

What was happening – in web servers that had not been recently updated, the docx and pptx and xlsx file types were not registered properly on the web server. As a result, IE downloads the start of the file, looks at the first few bytes and assesses what it thinks is the correct application to open it with. This prevents someone from "disguising one file as another type, just by changing the extension (eg renaming .exe to .txt). It’s a security feature – Firefox does not have it (which is why the Firefox solution works).
As some would know, the docx format is a renamed zip (cab?) file with lots of XML data in it. In fact, you can rename any docx file to .zip and have a look at its innards. This is why it picked .ZIP as the extension.

The other solution is to disable this IE security feature in the Registry. Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING

Change iexplore.exe’s DWORD value from 1 to 0 – this allows the OS to take over and use the native application. Security lowered, problem solved… Well, kind of.

Brad

Advertisements

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.
This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to When Security becomes annoying – Saving a .docx file from a web site automagically saves as a zip

  1. Yaohan says:

    It sounds like a security vulnerability if you do that to your machine, so just be careful. some web masters need to update their web servers to not only handle 3 letter type MIME types, but also 4.

  2. Brad says:

    @Yaohan – you\’re right of course, it lowers the security of your local machine (thus the final comment). It poses a problem that I don\’t have an optimal answer to – but it has certainly solved some frustration I was experiencing daily (Our webmail server has this problem)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s