Event 1021 - MIME Handling Restrictions

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Windows Internet Explorer 8 and Windows Internet Explorer 7 use MIME type information to decide how to handle files sent by a Web server. For example, when Windows Internet Explorer receives a .jpg file, the user sees the file in an Internet Explorer window. If Internet Explorer receives an executable (.exe) file, it generally asks the user how to handle the file. The MIME Handling Restrictions security feature protects users from accidentally downloading or executing a dangerous file because of misleading MIME or file name extension information.

What Is It?

Internet Explorer uses the following pieces of information to decide how to handle a file.

  • File name extension, the corresponding ProgID, and the class identifier (CLSID) for the registered handler of that file name extension.
  • Content-Type from the HTTP header (MIME type), the corresponding ProgID, and the CLSID for the registered handler of that content or MIME type.
  • Content-Disposition from the HTTP header.
  • Results of a MIME scan.

During the file download into the cache, Internet Explorer compares the MIME type of the cache file to the extension of the cache file. If there is a mismatch, Internet Explorer reconciles the mismatch by renaming the file in the cache.

Before a file is loaded in its MIME handler or executed by its extension handler, Internet Explorer compares the CLSID of the MIME handler to the CLSID of the extension handler. When the MIME type handler and the extension handler do not match, a file download dialog box appears. This prompt forces the user to confirm whether to load the file in the MIME handler. If the MIME handler rejects the mismatched file, Internet Explorer shows a download error dialog box and does not automatically execute the file in its extension handler.

A related change prevents the execution of a potentially corrupt file in its extension handler. Internet Explorer shows the download error dialog box for any file rejected by its MIME handler with the error code INET_E_CANNOT_LOAD_DATA and does not execute the file in its extension handler regardless of MIME type or extension.

These changes do not affect cases where the file uses a Content-Disposition: attachment HTTP header.

For these files, the final file name or extension suggested by the server is executed, regardless of any MIME/extension mismatch, if the user accepts the file download prompt.

When Is This Event Logged?

This event is logged when a possibly dangerous or unknown MIME type is detected and the user is prompted for what to do with it.

Example

Perform the following steps to see this event logged in the Internet Explorer Compatibility Test Tool:

  1. Create a webpage with the following contents. For this example call it 1021.aspx.

    <html xmlns="http://www.w3.org/1999/xhtml">
        <body>    
            <div>
                   <h1>Mime Handling Example</h1>
            </div>    
        </body>
    </html>
    
  2. Install the file and the exe file in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:

    .\wwwroot
    
  3. Browse to the file:

    http://127.0.0.1/1021.aspx
    

The browser downloads the .aspx file, which Internet Explorer recognizes as an HTML file. This causes the MIME Handling Restrictions event to be fired.

Remediation

If you receive unwanted file download prompts due to an irreconcilable MIME mismatch, you can register the MIME handler's ProgID and bypass all download prompts, including the prompt on mismatch. Before registering the handler, verify that the MIME handler securely manages any delegated file. For example, confirm that the handler never enables an attacker to gain more user rights than the zone of the originating file allows. If you determine the MIME handler can safely handle the files, you can register it by adding a new value to HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers\MIME Handler PROGID.

In addition to changing the client-side settings, you can also change the Web server so it sends the appropriate Content-Type header for any blocked file, when the filename extension does not match the Content-Type header.

You must update the custom MIME handlers that intentionally rely on Internet Explorer to execute files that the custom MIME handler rejects. The most secure scenario is to handle files natively in the MIME handler rather than rejecting them. If you cannot change the MIME handler, there are a few options.

  • You can develop a MIME handler and extension handler that are both part of the same CLSID. Internet Explorer accepts the CLSID match and does not prompt to download the file or block the file from execution in the extension handler.

  • You can mark the MIME handler to be ignored by Internet Explorer when there is a MIME/extension mismatch. For example, if the MIME handler for a certain media MIME type has a mismatched extension, you can mark the ProgID of the MIME handler to be ignored on the mismatch (when the media file name extension belongs to a different ProgID). To do this, set the following value in the registry with the MIME handler to ignore:

    HKEY_CLASSES_ROOT\PROG_ID_OF_MIMEHANDLER_TO_IGNORE\PreferExecuteOnMismatch = 0x00000001

  • If neither option is viable, notify users of the incompatibility and explain how to save the mismatched file to the file system and how to launch it manually.

    Note that servers that deliver untrusted content, such as a photo sharing site that allows users to upload and download photos, may send the "X-Content-Type-Options: nosniff" HTTP response header. This protects users who download photos from a malicious user who has uploaded an HTML webpage with embedded script.
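The server-side points above (a Content-Type header that matches the file name extension, and the nosniff header on untrusted uploads) can be checked on captured responses before users see the prompt. The following Python is an added example, not part of the original page; the extension map, the leading-byte scan (a stand-in, not Internet Explorer's MIME scan), the host photos.example and the sample responses are all constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed extension -> Content-Type map; extend it for the site being checked.
EXPECTED = {".jpg": "image/jpeg", ".png": "image/png", ".pdf": "application/pdf"}
# Leading-byte content scan: a stand-in, not Internet Explorer's MIME scan.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"%PDF-", "application/pdf")]

def scan(body):
    """Guess a MIME type from the first bytes of the body, or return None."""
    for prefix, mime in MAGIC:
        if body.startswith(prefix):
            return mime
    head = body[:256].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return "text/html"
    return None

def audit(url, headers, body, untrusted=False):
    """Return findings for one response; `untrusted` marks user-uploaded content."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    shown = declared or "none"
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    attachment = h.get("content-disposition", "").lower().startswith("attachment")
    scanned = scan(body)
    findings = []
    if not attachment:  # the page exempts Content-Disposition: attachment
        if ext in EXPECTED and EXPECTED[ext] != declared:
            findings.append(f"extension {ext} vs Content-Type {shown}")
        if scanned and scanned != declared:
            findings.append(f"content scans as {scanned} vs Content-Type {shown}")
    if untrusted and h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("untrusted content without X-Content-Type-Options: nosniff")
    return findings

# Constructed responses: (url, headers, body, untrusted)
SAMPLES = [
    ("http://photos.example/u/cat.jpg", {"Content-Type": "image/jpeg"},
     b"<html><body>uploaded page, not a photo</body></html>", True),
    ("http://127.0.0.1/report.pdf", {"Content-Type": "text/html; charset=utf-8"},
     b"%PDF-1.4 constructed", False),
    ("http://photos.example/u/dog.jpg", {"Content-Type": "image/jpeg",
     "X-Content-Type-Options": "nosniff"}, b"\xff\xd8\xff\xe0 constructed", True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], audit(*sample))
```

The first sample is the photo-sharing case from the note: an HTML page stored under a .jpg name, served as image/jpeg and without nosniff.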

You can also disable this feature through feature control keys.

Security Warning: If you disable this feature, users can unknowingly download malicious content, disguised with an incorrect filename extension. Once downloaded, an incorrect extension handler can run the file, enabling the malicious content to cause damage.

You manage the restrictions through a security feature control registry key (FEATURE_MIME_HANDLING). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) must run under this feature control to disable the feature. This can be achieved by setting the following registry key:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_MIME_HANDLING
                     iexplore.exe = 0x00000000

This feature can also be controlled by the following Group Policy:

  • GPO Policy Path: Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling
  • GPO Policy Setting Name: Internet Explorer Processes
  • GPO Settings: If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files.
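To find machines where the registry settings described in this section have relaxed the checks, the values can be searched for in a registry export. The following Python is an added example, not part of the original page or of any Microsoft tool; it expects .reg export text already decoded to a string, and the sample export, including the ProgID Example.MediaHandler.1 and the data of its Secure Mime Handlers value, is constructed.

```python
import re

# Key suffixes taken from the page, lower-cased for case-insensitive matching.
FEATURE = r"\software\microsoft\internet explorer\main\featurecontrol\feature_mime_handling"
SECURE = r"\software\microsoft\windows\currentversion\internet settings\secure mime handlers"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample export; the ProgID and the value data are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers]
"Example.MediaHandler.1"=dword:00000001

[HKEY_CLASSES_ROOT\Example.MediaHandler.1]
"PreferExecuteOnMismatch"=dword:00000001
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value that is being set."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)) and m["data"] != "-":
            yield key, m["name"], m["data"]

def dword(data):
    # Integer for a dword: value, None for any other value type.
    return int(data[6:], 16) if data.lower().startswith("dword:") else None

def audit_reg(text):
    """Return (finding, key, value_name) for each setting that relaxes the checks."""
    findings = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        if low.endswith(FEATURE) and dword(data) == 0:
            findings.append(("feature disabled for process", key, name))
        elif low.endswith(SECURE):
            findings.append(("prompts bypassed for handler", key, name))
        elif name.lower() == "preferexecuteonmismatch" and dword(data) == 1:
            findings.append(("MIME handler ignored on mismatch", key, name))
    return findings

if __name__ == "__main__":
    print(*audit_reg(SAMPLE_REG), sep="\n")
```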

 

Related topics

  • Internet Explorer Application Compatibility
  • Events 1021 through 1028