Event 1021- MIME Handling Restrictions
Applies To: Windows 7, Windows Vista
Windows® Internet Explorer® uses Multipurpose Internet Mail Extensions (MIME) type information to decide how to handle files sent by a Web server. For example, when Internet Explorer receives a .jpg file, the user sees the file in an Internet Explorer window. If Internet Explorer receives an executable (.exe) file, it generally prompts the user for a decision on how to handle the file. The MIME Handling Restriction security feature protects users from accidentally downloading or executing a dangerous file because of misleading MIME or file name extension information.
MIME Handling and the Extension Handler
Internet Explorer uses the following pieces of information to decide how to handle a file.
File name extension, the corresponding programmatic identifier (PROGID), and the class identifier (CLSID) for the registered handler of that file name extension.
Content-Type from the HTTP header (MIME type), the corresponding PROGID, and the CLSID for the registered handler of that content or MIME type.
Content-Disposition from the HTTP header.
Results of a MIME scan.
Internet Explorer enforces consistency between how the browser handles a file and how the Windows shell handles a file. During the file download into the cache, Internet Explorer compares the MIME type of the cache file to the extension of the cache file. If there is a mismatch, Internet Explorer reconciles the mismatch by renaming the file in the cache.
Before a file is loaded in its MIME handler or executed by its extension handler, Internet Explorer compares the CLSID of the MIME handler to the CLSID of the extension handler. A file download box comes up when there is a mismatch between mime type and extension handler. This prompt forces the user to confirm whether to load the file in the MIME handler. If the MIME handler rejects the mismatched file, Internet Explorer shows a download-error dialog box and does not automatically execute the file in its extension handler.
A related change prevents the execution of a potentially corrupt file in its extension handler. Internet Explorer shows the download-error dialog box for any file rejected by its MIME handler with the error code INET_E_CANNOT_LOAD_DATA and does not execute the file in its extension handler regardless of MIME type or extension.
These changes do not affect cases where the file uses a Content-Disposition: attachment HTTP header.
For these files, the final file name or extension suggested by the server is executed, regardless of any MIME type or extension mismatch, if the user accepts the file download prompt.
When Is This Event Logged?
This event is logged when a possibly dangerous or unknown MIME type is detected, and the user is prompted to take action.
Note
For more information and examples, see the Event 1021-MIME Handling Restrictions topic from Internet Explorer Application Compatibility.
Remediation
If you receive unwanted file download prompts due to an irreconcilable MIME mismatch, you can register the MIME handler's PROGID and bypass all download prompts, including the prompt on mismatch. Before registering the handler, verify that the MIME handler securely manages any delegated file. For example, confirm that the handler never enables an attacker to gain more user rights than enabled by zone of the originating file. You can do this through threat modeling, a code review for secure failure modes that checks for buffer overruns. If you determine the MIME handler can safely handle the files, you can register it by adding a new value to HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Secure Mime Handlers\MIME Handler PROGID.
In addition to changing the client-side settings, you can also change the Web server so it sends the appropriate Content-Type header for any blocked file, when the filename extension does not match the Content-Type header.
You must update the custom MIME handlers that intentionally rely on Internet Explorer to execute files that the custom MIME handler rejects. The most secure scenario is to handle files natively in the MIME handler rather than rejecting them. If you cannot change the MIME handler, there are a few options:
You can develop a MIME handler and extension handler that are both part of the same CLSID. Internet Explorer accepts the CLSID match and does not prompt to download the file or block the file from execution in the extension handler.
You can mark the MIME handler to be ignored by Internet Explorer when there is a MIME/extension mismatch. For example, if the MIME handler for a certain media MIME type has a mismatched extension and needs to be executed directly to play properly, you can mark the PROGID of the MIME handler to be ignored on the mismatch when the media file name extension belongs to a different PROGID. To do this, set the following value to ignore in the registry with the MIME handler.
HKEY_CLASSES_ROOT\PROG_ID_OF_MIMEHANLDER_TO_IGNORE\PreferExecuteOnMismatch=0x00000001
If neither option is viable, notify users of the incompatibility and explain how to save the mismatched file to the file system and how to launch it manually.
MIME Handling Restriction and the Registry
You manage the restrictions through a security feature control registry key (FEATURE_MIME_HANDLING). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) run under this feature control by default. The following shows the registry key and enabled processes:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe= 0x00000001
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe= 0x00000001
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\process name.exe= 0x00000001
What Happens If I Disable This Security Feature?
If you disable this feature, users can download malicious content, disguised with an incorrect filename extension. Once a file is downloaded, an incorrect extension handler can run the file, enabling the malicious content to cause damage.