
Given the choice when browsing, I would download and save an executable file rather than directly run it. Free will has always been a hot topic in philosophy, and when it comes to Web browser security the topic suddenly gets hot as well! I was recently browsing a well-known adware vendor's Web site when I decided to download a game and try it. As usual I came across a normal download page:




Figure 1: The standard Web download interface



After clicking “continue” I was prompted with the usual “File Download” message box from Internet Explorer, but it actually took me a while to realize something was missing:




Figure 2: File download box missing the “Save” option



I could only "Run" the setup or cancel the download operation. Where did the “Save” button go? Normally you would expect this sort of file download box:




Figure 3: The standard file download message box



Well, that is a neat trick. I used Internet Explorer 6 for this test and then I also checked Internet Explorer 7, Firefox, Opera, and Safari. Good to know that the latter three are not affected by this problem—they always prompt the user to save the executable file rather than execute it. In particular, the Web site does not allow the download if you use Opera or Safari. For Firefox you are asked to save the file using the standard file download box, but the Web site takes care of giving you exact instructions on how to run the setup as soon as you finish the download:





Figure 4: Instructions on how to run the file if Firefox is used



Now of course the question is, how does it work? Why am I not asked to save the file when I use IE? The answer is very simple and lies in the very first lines of the HTML page:




Figure 5: The meta tag responsible for the missing save button



The responsible party is the meta tag highlighted above, named "DownloadOptions," whose content attribute is set to “nosave”. This value causes the browser to hide the Save button in the download box and show only the Run and Cancel buttons. There is also a “noopen” value, which shows only the Save and Cancel buttons, not the Run button. The documentation for these values can be found in MSDN: http://msdn2.microsoft.com/en-us/library/ms533689.aspx
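A proxy, crawler or page reviewer can check for this tag directly. The Python scanner below is an added example, not code from the original article or from the site discussed; the sample pages are constructed, and accepting several comma- or space-separated tokens in one content attribute is an assumption made for tolerance.

```python
from html.parser import HTMLParser
import re

# Values described above for the DownloadOptions meta tag and the button each hides.
HIDDEN_BUTTON = {"nosave": "Save", "noopen": "Run/Open"}


class DownloadOptionsFinder(HTMLParser):
    """Collects DownloadOptions tokens from <meta> tags in a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() != "downloadoptions":
            return
        # Assumption: tolerate more than one token in the content attribute.
        for token in re.split(r"[\s,;]+", a.get("content", "").lower()):
            if token:
                self.values.append(token)


def audit_page(html):
    """Return one finding per DownloadOptions token found in the HTML."""
    finder = DownloadOptionsFinder()
    finder.feed(html)
    finder.close()
    return [{
        "value": value,
        "hides": HIDDEN_BUTTON.get(value),  # None for an unknown token
        # Hiding Save leaves Run as the only way to get the file.
        "suspicious": value == "nosave",
    } for value in finder.values]


# Constructed sample pages (not the vendor's real markup).
SAMPLE_NOSAVE = '<html><head><META NAME="DownloadOptions" CONTENT="nosave"></head><body>Get the game</body></html>'
SAMPLE_NOOPEN = '<html><head><meta name="downloadoptions" content="noopen" /></head></html>'
SAMPLE_CLEAN = '<html><head><meta name="description" content="nosave"></head></html>'

if __name__ == "__main__":
    for label, page in [("nosave", SAMPLE_NOSAVE), ("noopen", SAMPLE_NOOPEN), ("clean", SAMPLE_CLEAN)]:
        print(label, audit_page(page))
```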



This is an example of yet another piece of functionality that can be used to trick users into running something rather than downloading it, and of course the target audience is the more distracted or inexperienced users. Luckily, Windows will mark the downloaded file with a Zone.Identifier alternate data stream, so when it is run you still have a second warning (and the Web site of course will provide you instructions about running it in a more straightforward way):





Figure 6: The second prompt for the file to be run and the Web site instructions



So, at least there is a two-layer barrier before the code is actually executed. Always watch out and be sure your free will is respected!

