Slashdot Mirror


IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

134 of 619 comments

  1. Caveat by Kimos · · Score: 5, Informative

    IF you're running Java and you click 'Yes' to the security warning...

    1. Re:Caveat by Jugalator · · Score: 5, Insightful

      ... and unfortunately, the system default is to have Java enabled, and the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Caveat by sfjoe · · Score: 4, Insightful



      The security warning explicitly states, "The security certificate was issued by a company that is not trusted".

      I mean, what do people expect? A little hobgoblin to pop out of their computer and whack them in the head with a mallet if they try to click 'yes'?

      --
      It's simple: I demand prosecution for torture.
    3. Re:Caveat by Klivian · · Score: 3, Funny

      >A little hobgoblin to pop out of their computer and whack them in the head with a mallet
      Hey, that was actually a great idea for a new family of USB gadgets.

    4. re: caveat by ed.han · · Score: 3, Insightful

      you're assuming that people read these warnings. i think it's fair to say that a goodly number of users are in fact not really reading them. maybe the little hobgoblin wouldn't be such a bad idea after all... :>

      ed

    5. Re:Caveat by Rei · · Score: 4, Funny

      Electro-shock keyboard perhaps?

      "Let's just change this DONT-BLAME-SENDMAIL option here...." *Zzzzz!!!* "@#*(%&@*!!!!"

      "Now, to change this mail server to an open relay..." *Zzzzz!!!* "*@#$&%*$!!!!"

      "Let's just install the Java Desktop system..." *Zzzzz!!!* "^#$&@%@!!!!"

      --
      "Here's a fun fact: the moon has turned to blood!" -- Newscaster, "Jesus Christ Supercop"
    6. Re:Caveat by Tim+C · · Score: 5, Insightful

      > the user default is to answer "Yes" to any dialog boxes popping up while browsing the web.

      That's true, and is why I don't believe that any OS or browser is going to save us from malware. Until the average user learns safe computing practices, they're going to continue installing stuff they later wish they hadn't; in time even if they do stop running as admin, they'll get used to typing in their admin (or root) username and password.

    7. Re:Caveat by nacturation · · Score: 5, Insightful

      ... and after you click "Yes" to the warning, you have granted the Java code permission to modify anything on your hard drive. So, the fact that it modifies IE is really incidental. It could just as easily modify Firefox, Mozilla, OpenOffice.org, Thunderbird, emacs, gcc, and any other application it wants to.

      A better title for this article would have been "Every application vulnerable to attack due to bug in either Firefox and/or Sun's JRE".

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    8. Re:Caveat by m50d · · Score: 5, Insightful

      The user has seen enough web dialogs to know that when you see one, you click yes. If you try to read them all you'll go mad, if you click no that cool game bob told you about doesn't work. So you click yes on everything.

      --
      I am trolling
    9. Re:Caveat by rreyelts · · Score: 5, Funny

      Funny that. The dialog box has three (count them - 1, 2, 3) exclamation icons, has a title that says "Warning - Security", explicitly states that the certificate is invalid and issued by an untrusted company, and has "No" as the default selected button. What more can be asked of Sun?

      I suggest that Java make loud, obnoxious noises and shout Monty Python quotes at the user at an intolerable volume if he perchances to select "Yes", against all warnings.

      Exploit, my ass.

    10. Re:Caveat by nacturation · · Score: 4, Interesting

      Even on the Mac, where you're prompted to enter your username and password to grant temporary root access for an installer. What's to stop an application putting up its own fake security dialog during the install, thereby bypassing the built-in Mac security dialog? It's not like it's impossible to fake that dialog, then not only can the application have root access to do whatever it needs to, but it can also save your username and password to re-use later or send to a third party for a bit of remote fun.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    11. Re:Caveat by Auckerman · · Score: 5, Funny

      "The security certificate was issued by a company that is not trusted."

      While that reads like perfectly valid English to me, knowing things that are irrelevant to my daily life and all, most people would NEVER understand that statement.

      A clearer statement like "It is probable that a VIRUS is trying to install on your computer, do you want to STOP this VIRUS from installing" with a "yes" and "no" for the check box with "yes" the default.

      --

      Burn Hollywood Burn
    12. Re:Caveat by lazlo · · Score: 5, Funny

      Absolutely. Replace your force-feedback mouse with the new force-bitchslap mouse.

      WHAP! No clicky!

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
    13. Re:Caveat by Anonymous Coward · · Score: 5, Insightful

      Since you asked...

      Create a dialog box with all the warnings. Give it an OK and a Cancel button. Closing it or clicking Cancel always causes the applet not to run.

      Give it a checkbox that says "Allow this potentially dangerous applet to run without security restrictions." Leave it unchecked.

      Clicking OK while it's unchecked also causes the applet not to run.

      Now the user can't accidentally click yes, as two clicks are needed to unlock the applet. You can't accidentally make the user install the applet by typing "Y" when the dialog suddenly pops up.

      That's how all these "do something insecure" dialogs should be. I should have to explicitly check off "OK" and then hit the "Accept" button. That includes Firefox's XPI install system, which the site mentioned also tries to exploit.

    14. Re:Caveat by yodaj007 · · Score: 2, Funny

      I would really rather not exploit your ass.

      --
      These aren't the sigs you're looking for.
    15. Re:Caveat by Deathlizard · · Score: 5, Informative

      What makes this even more scary is that it isn't technically a bug.

      There is nothing stopping the spyware company from getting a valid signature and packaging it. It happens all the time in IE. In fact, most of the spyware installers out there for IE are digitally signed.

      Using Java, they could easily socially engineer you to download and trust this thing, use Java to find out what OS you're running, download spyware/rootkits/etc for your particular PC OS and own your box totally independent of IE.

      A lot of the reason why Firefox is so safe is because it doesn't support ActiveX and prompt you all day to install the legacy scumware stuff. If it did support ActiveX in any way it would be prompting you just like IE would, People would click on yes just like they do in IE, and people would get owned just like they do with IE. Since it supports Java, however, they will just gamble that you have Java and get you to do the same thing they were doing in ActiveX, only with Java instead.

      The spyware writers know that 99% of computer users don't know what they are doing and they exploit that, pure and simple, and there's nothing that Bill Gates, Linus Torvalds, or Steve Jobs is going to do about that. This is what Kevin Mitnick has been preaching for some time now, that social engineering is the hacker's favorite tool, and until anyone who writes internet-enabled code understands that, there's going to be a really big security problem in the future.

    16. Re:Caveat by RetroGeek · · Score: 5, Interesting

      I always make the user type "VERIFY" into an entry field for any potentially disastrous action.

      Hard for them to say they didn't see it.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
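The consent flow proposed in the Anonymous Coward comment above (an unchecked checkbox plus OK) and RetroGeek's typed "VERIFY" field, modelled as an added example that is not part of any post in this thread and is not Sun's dialog code. The event names, function names and the one-click baseline with a "Y" accelerator are assumptions made for illustration.

```javascript
"use strict";

// Word the user must type in the stricter variant (from the "VERIFY" comment).
const CONFIRM_WORD = "VERIFY";

// Baseline for comparison (hypothetical): a one-click Yes/No dialog whose
// buttons also answer to keyboard accelerators, so a keystroke meant for
// the page can answer a dialog that has just taken focus.
function oneClickDecision(events) {
  for (const ev of events) {
    if (ev.type === "close") return "deny";
    if (ev.type === "click" && ev.target === "yes") return "run";
    if (ev.type === "click" && ev.target === "no") return "deny";
    if (ev.type === "key") {
      const k = ev.key.toLowerCase();
      if (k === "y") return "run";
      if (k === "n") return "deny";
    }
  }
  return "deny"; // never answered: nothing runs
}

// Two-step flow: the checkbox starts unchecked, OK only counts when it is
// checked, and every other way out of the dialog denies. With
// requireTypedWord the user must also type CONFIRM_WORD exactly.
function twoStepDecision(events, { requireTypedWord = false } = {}) {
  let checked = false; // "Allow this applet to run without restrictions"
  let typed = "";      // contents of the confirmation text field
  for (const ev of events) {
    switch (ev.type) {
      case "click":
        if (ev.target === "checkbox") {
          checked = !checked;
        } else if (ev.target === "cancel") {
          return "deny";
        } else if (ev.target === "ok") {
          const wordOk = !requireTypedWord || typed === CONFIRM_WORD;
          return checked && wordOk ? "run" : "deny";
        }
        break;
      case "input":
        typed = String(ev.value);
        break;
      case "key":
        // No accelerators: letter keys are ignored, and the keys that
        // normally dismiss a dialog both map to the deny path.
        if (ev.key === "Enter" || ev.key === "Escape") return "deny";
        break;
      case "close":
        return "deny";
      default:
        break;
    }
  }
  return "deny"; // dialog still open: the applet has not been approved
}

// Constructed event traces (not captured from any real dialog).
const strayKeystroke = [{ type: "key", key: "y" }];
const deliberate = [
  { type: "click", target: "checkbox" },
  { type: "input", value: "VERIFY" },
  { type: "click", target: "ok" },
];

console.log("stray 'y', one-click:", oneClickDecision(strayKeystroke));
console.log("stray 'y', two-step :", twoStepDecision(strayKeystroke));
console.log("deliberate, typed   :",
  twoStepDecision(deliberate, { requireTypedWord: true }));
```
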
    17. Re:Caveat by jthayden · · Score: 2, Funny
      > The user has seen enough web dialogs to know that when you see one, you click yes.


      Social engineering, I'd start writing dialog boxes that require you to click no.

      "Do you not want to install?"

    18. Re:Caveat by iabervon · · Score: 2, Insightful

      Recent versions of Firefox, at least for installing plugins, don't pop up a dialog box. Instead, there is an unobtrusive bar at the top of the window, which essentially says, "if you're missing something on this page, here's how to get it". A very similar bar is used to let you see pop-up ads, in case you actually wanted something in a pop-up. The user default may be to answer "Yes" to any dialog boxes, but they default to not messing with anything they don't have to.

    19. Re:Caveat by pilkul · · Score: 3, Informative
      > sue large companies for spilling hot coffee on themselves

      This case was actually less silly than it sounds. McDonalds was intentionally serving their coffee hotter than safe levels in order to make people take longer to drink it, thus decreasing the number of free refills they had to give out and saving them money. They were repeatedly warned about this but continued serving the coffee too hot, thus the lawsuit.

    20. Re:Caveat by Anne+Thwacks · · Score: 2, Insightful
      I once wrote a spoof installer which offered "Install a virus" as an option. You would be surprised how many people select that option!

      Even if one option was "transfer your bank account contents to an unidentified account in Nigeria" some people would still choose it.

      Some people are beyond hope.

      --
      Sent from my ASR33 using ASCII
    21. Re:Caveat by cat_jesus · · Score: 4, Informative

      More like, thus the big hit on damages. The other problem with the McDonald's case is the coffee was hot enough to cause third degree burns. It is illegal to sell food in a restaurant that is inedible or dangerous. The lady in question knew she did a dumb thing but she suffered third degree burns on her inner thighs which required skin grafts. She could not afford to pay her medical bills (she was very old and on a fixed income) and asked McDonald's to pay. She was not seeking any compensation past her own medical bills. When the jury found out that McDonald's knew their coffee was too hot, knew people were getting injured and figured the number of people getting third degree burns was acceptable, they stuck it to McDonald's.

      If anything, this was a case that demonstrated why we need to be able to sue the shit out of a company when it deliberately harms people.

      The devil is in the details.

    22. Re:Caveat by Jtheletter · · Score: 4, Informative
      > sue large companies for spilling hot coffee on themselves

      I'm going to give you the benefit of the doubt on this one and assume you're referring to some other case involving a hot coffee suit, and not the infamous McDonalds suit. If you actually take the time to read the details of the McD's suit you'll see that the franchise in question was serving coffee at a temperature way way above what any reasonable person would consider acceptable. They had received numerous complaints about it prior to the incident, and the woman who was burned by the coffee received severe 2nd and 3rd degree burns. In other words - the suit was totally warranted. Any coffee at a temperature high enough to cause 3rd degree burns through clothing is unsafe and should not be served.

      I provide this info for other readers who may not know the details of the case but love to point to it as an example of a frivolous lawsuit when in fact it is completely justified.

      Relevant Links:
      reference article
      google search on topic

      --
      -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
    23. Re:Caveat by MrLint · · Score: 2, Informative

      The macosx has a details turndown to show 'requested right' which in my test case is system.install.root.user

      and application /Applications/Utilities/Installer.app

      It should be noted that this is from an mkpg, I'm looking to see if I have a standalone application installer around

    24. Re:Caveat by Anonymous Coward · · Score: 3, Funny

      Rich Cook: "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."

    25. Re:Caveat by DianeOfTheMoon · · Score: 2, Interesting

      Well, from the company I work at, I can say with certainty (at least in my own world) that it won't do any good.

      We have a word document that takes an export from another program, formats it, then displays financial info about the export. In order to do this correctly, several things were put into place:

      1. We have 5(!) dialog boxes to have people confirm information in the export.
      2. If the information doesn't match, the formatting fails.

      What we found out is that after a few times of not reading the dialog boxes and slowly clicking the verified buttons, they start not reading the dialog boxes, and click the verified buttons as fast as possible. They then, in both cases, ask me why it didn't work.

      What makes this interesting to me, is that running this Word document is actually a sizable portion of their job, and I can tell them what's wrong just on exactly what happened. And the reply is always "I didn't know..."

      --
      Problems are like gifts, it's better to give than to receive
    26. Re:Caveat by Plutor · · Score: 2, Informative

      > The lady in question knew she did a dumb thing...

      She did no dumb thing. It is often reported that she 1) was driving, and 2) placed the cup between her legs. Neither is true. Her son was driving, and she was in the passenger's seat. She merely grabbed the cup, which had an inadequately secured lid, and was therefore far less stable.

    27. Re:Caveat by pohl · · Score: 2, Insightful

      Most applications on MacOS X do not require this sudo activity for installation. (Just drag the application bundle into /Applications and run the app using your own privileges.) There are some notable and annoying exceptions to this. For example, the Quicktime and RealPlayer installers are ordinary drag-n-drop with no sudo magic...but the Windows Media player requires sudo authentication. I can't imagine what it needs that Quicktime and RealPlayer do not. Grrr... Still, your point is taken.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    28. Re:Caveat by owlstead · · Score: 2, Interesting

      > Even if one option was "transfer your bank account contents to an unidentified account in Nigeria" some people would still choose it.

      Any /. worthy nerd would have chosen that option, if only to see what happened...

    29. Re:Caveat by ThisIsFred · · Score: 2, Funny

      Can't your browser just read the contents of the 'evil' field from the certificate? If it's set to 'true', you don't run it!

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    30. Re:Caveat by nacturation · · Score: 2, Interesting

      Correct, the good apps come in a single bundle which you drag over... but enough Mac users have experienced the ones which DO require extra privileges and are familiar with entering their username and password for these, for occasional OS X updates, etc. So another random installer asking for it doesn't raise too many red flags. I think Mac users would be susceptible to this almost the same as a Windows user running a trojaned EXE file.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    31. Re:Caveat by NutscrapeSucks · · Score: 2, Informative

      Most big PC OEMs (Dell, HP) ship with Sun Java installed. Also Apple and as you might guess, Sun.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    32. Re:Caveat by Kiryat+Malachi · · Score: 3, Informative

      By serving the liquid at 190+ degrees Fahrenheit, a temperature at which dermal tissue will suffer third-degree burns (which is not defined as charring, but rather as a burn affecting all of the layers of the skin, including the deep dermal tissue, and sometimes burning into subcutaneous layers of fat, muscle, and even bone) in less than 10 seconds of direct contact.

      Charring is not, despite Wikipedia's insistence, the sole arbiter of burn degree; depth of burn is the arbiter generally used.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    33. Re:Caveat by drsmithy · · Score: 2, Interesting
      > And the only way these attacks will ever be stopped is with automatic sandboxing at the OS level.

      Actually it's pretty easy to do a basic level of "sandboxing" that will stop most - if not all - current malware in its tracks. Just "Run As" IE as a limited user account. Under unix, just su to a user with very limited filesystem permissions before running your browser.

  2. No problem. by rackhamh · · Score: 4, Interesting

    > VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    Oh, well, it's no problem then. It's not like anybody uses THAT...

    1. Re:No problem. by alnjmshntr · · Score: 2, Interesting

      Well actually I disable Java under Firefox and IE.
      Doesn't make a difference to my browsing experience.

      --
      If I had created the world I wouldn't have messed about with butterflies and daffodils. I would have started with lasers
  3. who fixes it? by dirvish · · Score: 3, Insightful

    It will be interesting to see if there is the usual 24 hour turnaround on a fix for this from the Mozilla Foundation. Lord knows Microsoft probably won't lift a finger to fix it.

    1. Re:who fixes it? by miffo.swe · · Score: 3, Funny

      This is an IE problem, not Firefox. The only way of fixing it will be uninstalling Internet Explorer and I don't think Microsoft will find that amusing at all if Mozilla went ahead and did that!

      --
      HTTP/1.1 400
    2. Re:who fixes it? by Bob+Loblaw · · Score: 5, Funny

      Sure they'll fix it ... by silently uninstalling Firefox using their next IE "this fixes numerous security flaws" super-updates.

    3. Re:who fixes it? by Kimos · · Score: 2, Insightful

      Keep in mind, that Java and Firefox are doing their jobs. All this "exploit" does is ask if you want to run a program. If you press yes, it installs malware to IE...

    4. Re:who fixes it? by Anonymous Coward · · Score: 5, Insightful

      Though rather than just asking, "Do you want to trust this applet", they should be a bit more explicit, "Trusting this applet will give it unrestricted access to your machine, and can install or change files, and access other computers through the network."

    5. Re:who fixes it? by zootm · · Score: 3, Insightful

      This is a "vulnerability" in Java, not Mozilla. The reason it's "cross-browser" is because it's written in Java, and will work on any browser using Sun's JRE (and probably any other compliant one). It's not even a vulnerability in Java, strictly speaking -- it's a signed applet, with an invalid signature, and the user has to click past an ugly-looking "this is unsafe!" error page to infect themselves.

    6. Re:who fixes it? by m50d · · Score: 4, Interesting

      Konqueror asks permission for every single file an applet modifies. Although a good idea, in practice this is so annoying I had to turn it off.

      --
      I am trolling
    7. Re:who fixes it? by delus10n0 · · Score: 4, Insightful

      I had an interesting idea the other day regarding this; what about "user-moderated" signings; the browser/JRE/active-x could query a server, with something like "applet GUID xxxx-xxxx-xxxx-xxxx, what's the current status?", and the server would return a hard (good/bad) or soft (percentages) ranking. Users could report if a given applet is bad, and leave comments. Those reports would also be moderated, of course, to prevent people from writing false reports.

      The downside, of course, is that there would have to be some sort of master server for storing/relaying this information... and that'd be quite a task.

      The whole "signed"/"unsigned" model is semi-broken, at least to the non-geeky. They have no idea what that means. I also think the dialogs should be severely re-designed and re-worded..

      --
      Not All Who Wander Are Lost
    8. Re:who fixes it? by tritonic · · Score: 2, Insightful

      Quite right, the problem lies with Java, not Firefox.

      But if the firefox developers want their baby to keep its reputation as the "safer browser", they might implement something like a whitelist of sites which are allowed to run java.

      I believe the problem can also be solved by changing some settings in your Java installation.

  4. Same old story by Zone5 · · Score: 5, Funny

    "IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?

    I have to imagine Slashdot's bandwidth saving would be enormous.

    --
    "So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
    1. Re:Same old story by sosume · · Score: 4, Insightful

      Actually, the title of tfa should be "Firefox vulnerability could provide access to IE". The problem is Firefox or Java, not IE.

    2. Re:Same old story by SirTalon42 · · Score: 4, Informative

      It's Java, nothing to do with FireFox.

    3. Re:Same old story by jdhutchins · · Score: 3, Insightful

      I'd say it really has very little to do with Java, it's nothing more than ActiveX controls do in IE all the time. If a user clicks "yes" in a security warning dialog box, then the code can do whatever it wants. It's not a bug, it's working how it's designed. The "bug" that they claim is that the computer will let a user do something dumb.

  5. Remove IE..... by LittleLebowskiUrbanA · · Score: 5, Funny

    Yeah, I'll get right on that Timothy. Removing IE is so easy on Windows.... Not like it's built into the OS or anything.

    1. Re:Remove IE..... by MrDomino · · Score: 3, Informative

      Actually, it's possible. It's not particularly easy, but it can be done.

    2. Re:Remove IE..... by MrDomino · · Score: 3, Informative
      > The only thing I use it for is to go to the M$ site and grab security updates, I can't be bothered to look for a new way to do that and also don't see any reason why it would be worth it.

      There's actually a solution for that, too. One relatively painless Firefox extension install, and you no longer have any need to keep IE on your computer. Now, granted, you might say that you don't trust WindizUpdate; on the other hand, though, do you trust Microsoft?

  6. Bogus Headline by karmatic · · Score: 5, Informative

    The spyware installs itself using Java. It's not browser-specific; you can infect IE using Mozilla, Opera, IE, etc.

    There _is_ a dialog box, since the applet is unsigned. I tried signing it with my certificate; it installed itself without prompting. I believe it uses some sort of JRE exploit.

    1. Re:Bogus Headline by Crazy+Man+on+Fire · · Score: 4, Informative

      No "exploit" here. AFAIK, code signed by a trusted certificate can run without prompting the user.

    2. Re:Bogus Headline by LarsWestergren · · Score: 5, Insightful

      > I thought Java Applets run in a sandbox and can't modify local files.

      They can't, unless the user clicks "I allow this applet to modify files on my harddrive. Warning, this is unsafe, only do this with applets coming from a source you trust."

      This isn't a java exploit anymore than a downloaded executable is an OS exploit.

      --

      Being bitter is drinking poison and hoping someone else will die

  7. What do I need? by WormholeFiend · · Score: 4, Funny

    > switching away from IE does not give adequate projection

    What do I need to be able to project my fears of infection adequately?

  8. Misleading title by kevin_conaway · · Score: 5, Insightful

    The article title/summary focuses more on how IE is to blame rather than the real root of the problem, which appears to be Java. I realize this is Slashdot and it's Microsoft, but come on.

    1. Re:Misleading title by Allicorn · · Score: 5, Insightful

      Firefox isn't to blame here, it's presented a very large, very clear, very threatening warning message.

      Java isn't to blame here, it's honored the unrestricted access permission given to the applet by the user.

      IE isn't even to blame here (!), it's just a target. Once the applet is running without restrictions, it can do anything any other executable could do.

      This "exploit" could be delivered via some other JavaPlugin-enabled browser and modify any other piece of software installed on your box.

      The blame here, at least in the case of the original article on Vital Security would appear to be the author experiencing a profound "curiosity killed the cat" moment.

      --
      OMG!!! Ponies!!!
  9. In other news by KingKire64 · · Score: 2, Insightful

    If you leave the house you will get sick. There are holes in everything. The added value of open source is the ability to patch the system quickly. If Linux had 70% of the desktop market share you would see more viruses for it. But the hole they exploit would be fixed quicker. The question really becomes getting ppl to update their machines. That really is more of the problem. I'm sure there are plenty of unpatched systems out there spreading nimda.

    --
    "All I can tell the "lesser of two evils" folks is that if they keep voting for evil, they'll keep getting evil."-Lp.org
  10. Not just browsers. by meisenst · · Score: 5, Informative

    It's important to identify that if this is not a browser thing, but a Sun JRE thing, any Java-enabled program that can come in contact with the installer applet could potentially infect your system.

    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.
    1. Re:Not just browsers. by Crazy+Man+on+Fire · · Score: 5, Insightful

      It's important to identify that this is not a Sun JRE thing, but a user error thing!

      Any time a website asks you to trust them to install something on your computer, you should probably say no. If you say yes, you are going to get owned 99% of the time.

  11. This can already happen by tehshen · · Score: 5, Interesting

    IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
    1. Re:This can already happen by Mad+Merlin · · Score: 3, Informative

      As has been mentioned before on Slashdot, the new versions of Flash come with the Yahoo! toolbar also.

  12. But you still need IE. by cy_a253 · · Score: 5, Insightful

    > from the if-you-must-run-windows-remove-ie dept.

    Really? The Microsoft website often blocks browsers other than IE from downloading updates and whatnot.

    You CAN'T just remove IE. You need it. Just try to update office on firefox for example:

    http://office.microsoft.com/en-us/officeupdate/default.aspx

    1. Re:But you still need IE. by Rude+Turnip · · Score: 5, Insightful

      My approach to IE has been this...in my mind it's no longer a "web browser." To me, IE is *only* to be used as Microsoft's "software update tool," much like how Apple has a dedicated software update tool for OS X.

      You can't use Firefox to automatically update Office, but you can manually download patches with Firefox. However, you can use the Microsoft Software Update Tool (formerly Internet Explorer) to automatically find updates.

    2. Re:But you still need IE. by NanoGator · · Score: 3, Insightful

      "You CAN'T just remove IE. You need it. Just try to update office on firefox for example:"

      No problem. Office XP SP 3 coming right up!

      And here is Windows XP Service Pack 2.

      Both found and downloaded via Opera. What you don't get is Automatic Update. Can't argue that, but it's not like the updates you need aren't accessible without IE.

      --
      "Derp de derp."
  13. The Four Rules of Browsing the Net on Windows by Deep+Fried+Geekboy · · Score: 5, Funny

    1. You can't win
    2. You can't break even
    3. You can't get out of the game
    4. No matter how hard you shake it, the last drop always rolls down your pant leg.

    --

    I'm not wrong. You haven't thought about it hard enough.

  14. As a faithful Slashdot Reader by AbbyNormal · · Score: 2, Funny

    and Firefox user, I would like to add my two cents:

    "Lies! All Lies! Firefox cannot be hacked! Lies!".

    Thank you for your support.

    --
    Sig it.
  15. Re:" IE can already be infected" by CdBee · · Score: 3, Insightful

    That's the point isn't it, though. Crappy software is installed.. spyware comes as an infection. When will we acknowledge that these spyware writers are writing viruses which infect and damage people's systems through backdoor hacking techniques?

    Why are the authors not prosecuted?

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  16. What? by PhreakOfTime · · Score: 2, Interesting

    So by using a browser that this exploit is not aimed at will infect part of the operating system you're trying to get away from because everything is so integrated with no end user control.

    How is this bad for firefox? If anything it's a big black eye for MS and integrating IE into the OS.

  17. Let me get this straight... by bersl2 · · Score: 5, Informative

    > By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer.... VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    So, the attack happens through Sun's JVM, affects IE, and consequently has nothing to do with Firefox, which was inserted into the article for maximum troll capability.

    1. Re:Let me get this straight... by m50d · · Score: 2, Informative

      No, because the attack happens when browsing with firefox, or in fact anything using Sun's JVM, but firefox is the only popular alternative. So even if you're running firefox for your pr0n surfing and only using IE for trusted sites like your bank that require it, you're vulnerable. Which is newsworthy.

      --
      I am trolling
    2. Re:Let me get this straight... by bersl2 · · Score: 2, Insightful

      That's still a fallacious argument. Firefox is no different from all other browsers in this regard. The only browser which deserves special mention is IE, since it is part of the mechanism of the attack.

  18. Is it still a security hole? by Ironsides · · Score: 4, Insightful

    If an exploit asks you to run it, does it still count as a security exploit? It's not taking advantage of anything other than the user's own stupidity/ignorance if they get infected by it. Similar to those email viruses you have to open the attached zip, enter the password and then run the exe to get infected by.

    --
    Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
    1. Re:Is it still a security hole? by tehshen · · Score: 4, Insightful

      If an exploit asks you to run it, does it still count as a security exploit?

      Yes, it does - it's exploiting their stupidity, not only the program's vulnerabilities. The vast uneducated public, who will jump at the chance of free blue monkeys giving them a firewall to stop their computer broadcasting an IP address that can be seen by hackers to steal your children, will be the ones who will get infected by exploits like this. And it's not as if you have to open a zip, enter a password and run an exe to get infected with this, just a simple "Yes" click - and most users do that just to make the dialog box go away.

      The ShellBlock vulnerability in Firefox was considered an 'exploit' - like this case, it was doing the right thing (passing shell:// commands to Windows), but could be exploited.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    2. Re:Is it still a security hole? by Ironsides · · Score: 2, Funny

      how about this
      exploit = no user input required other than visiting website
      users-doing-something-dumb = clicking yes to a security warning (that's the best name I can come up with for this) or something more brain intensive

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
  19. Java Exploit by miffo.swe · · Score: 3, Insightful

    To me this sounds like a Java exploit and not something you can pin on either IE, Firefox or any other browser. It would be pretty lame to demand that Firefox should protect IE from a Java exploit, yes?

    --
    HTTP/1.1 400
  20. Can't resist by Hyksos · · Score: 5, Funny

    I know there's been a fair share of MS-bashing already but I just can't resist... It's pretty funny that IE is so insecure that its security holes exist in other programs :)

  21. Re:Ahem... by Anthony+Liguori · · Score: 4, Insightful

    No way, RTFA.

    Firefox warns the hell out of you about allowing a signed, but unverifiable applet from installing itself. Look at the screenshot, there's three separate big warning images.

    If the web browser lets you download and install software, even if it warns you that doing so might be dangerous, the author contends this is a bug. That's silly. That's the *point* of a web browser. To download content from the internet.

  22. I'm not defending IE by any stretch... by bob670 · · Score: 5, Insightful
    but this has a lot more to do with bad surfing and usage habits than IE at this point. If you haven't learned not to click on every damn pop up window, click yes on every dialog box and follow links to sites riddled with porn and warez ads then you get what you deserve. While I tend to use Mac OS X for most everything now, I have yet to get hit with spyware or a virus the entire time I have used 98Se/2000/XP. I got one virus on Win 95 and it served as a wake up call to watch what I was doing and think before I clicked yes. Yes, MS is responsible for some of this, and I am not trying to place blame on victims, but take some responsibility for your computer or put it back in the box and return it to Dull or Worst Buy.

    1. Re:I'm not defending IE by any stretch... by MikeWin10 · · Score: 2, Interesting

      I could not agree more. All these users complain about viruses and spyware, but yet somehow I never get them. It's called "Responsible computing". Viruses and Spyware will always exist and continue to wreak havoc regardless of operating system/browsers as long as there are people that are stupid enough to click "Yes" to install on all security warnings and install software from untrusted sources. I don't feel sorry for a lot of these users because they just aren't paying attention. When in doubt, don't install it.

  23. Trend Micro by mazevedo · · Score: 3, Informative

    When I tried to open the page he shows as the source of infection, my TrendMicro Antivirus Software automatically detected it and trashed it.

    What scares me most, is that FF didn't ask to download the file, it just downloaded the JAR into the cache folder.

    --
    mazevedo
  24. hmm.. by deszaras · · Score: 2, Funny

    So what does it really do? Pop up more pr0n banners? I love this automated feature, actually.

  25. Re:Java by JPrice · · Score: 4, Informative

    It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox.

    Java is behaving in exactly the manner it's designed and advertised to act.

  26. Re:Java by RetroGeek · · Score: 5, Informative

    the installer escapes Java's sandbox

    No. The user unlocks and opens the door, THEN the exploit escapes.

    All the systems are working as designed. It is the user who opens the door.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  27. How about IVABUG? by jd · · Score: 3, Funny
    IVABUG = (I)nternet Explorer's (V)ulnerable to (A)ttack, because some component is (BUG)gy.


    Alternatively, there's the more generic ESF - (E)xploitable (S)ecurity (F)arce. This is the exact inverse of ESP, in that it is something that should have been predicted but wasn't, rather than the other way round.


    For bugs from the (usual) Corporate culprits - Microsoft, Sun and IBM, I suggest that these be called ISMs.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  28. Re:IE? by oglueck · · Score: 5, Informative

    This has nothing to do with Firefox or the JRE, nor IE. The JRE's security manager properly issues a warning that the user is about to run arbitrary code. It's like an email worm. The user's interaction and ignorance is needed to spread the thing.

  29. In other news by killmenow · · Score: 2, Funny

    IE Vulnerable to Cross-Application Spyware Attack

    Some website reports that KEYGEN.EXE can be used to infect IE on Windows. By running a malicious KEYGEN with Windows, a user can infect their install of Internet Explorer. Other alternative cracks may expose the same vulnerability. The article quotes the CTO of Obvious, Inc. as saying that '[j]ust switching away from IE does not give adequate projection. Now that BitTorrent and other alternative file-sharing tools have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any feeble mind.'" Killmenow's report points out that this vulnerability can (only) affect Windows users who are morons.

  30. We already have one by AvantLegion · · Score: 5, Funny
    >> "IE vulnerable to new attack" - shouldn't we find some sort of shorthand for this, since it happens so often?

    "Monday".

  31. Non-issue by Nemi · · Score: 3, Insightful

    This is infecting the machine using a signed applet. Hello? I can do anything I want to your pc if you allow a signed applet to run. This is not news. I can install a trojan, key logger, back door, whatever. Infecting IE is the least of someone's problems if they allow signed applets from untrusted sources to run.

  32. Re:Not a Java Exploit by Anonymous Coward · · Score: 5, Informative

    There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.

    Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language.

    --Steve

  33. You know it would happen by Anonymous Coward · · Score: 3, Funny

    BUG REPORT:

    When I visit a web page and it prompts me to install something, a little hobgoblin pops out of my computer and whacks me on the head with a mallet when I click yes.

    After this happens, my computer slows down and I get lots of popups. I think the hobgoblin has infected me with a virus. Please disable the hobgoblin so I can install things from websites easier. And stop it from infecting me with viruses! Can't you guys program a computer right?

  34. Time for a new security model by GCP · · Score: 4, Interesting

    Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

    I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would instantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.

    You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).

    It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.

    --
    "Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
    1. Re:Time for a new security model by flibuste · · Score: 2, Insightful

      Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

      Ah I was waiting for something like this!

      The sandbox works just fine, thanks.

      If you click "Yes" to the question: "This applet wants to access the network and your local disks. Are you sure you want to let it do this?" then, you are in trouble, because you just answered the question "Do you want to give up all security provided by the Java sandbox by running this applet that is not even signed correctly"

      There is absolutely no difference with blindly clicking "Yes" on an ActiveX installation.

      The whole story is a non-issue. The issue is the "Yes" button associated with end-users.

    2. Re:Time for a new security model by KarmaMB84 · · Score: 2, Interesting

      So Java is no better than ActiveX and Firefox will let Java run? So Firefox is no more secure than IE in that regard? Thanks for the heads up.

  35. Social engineering, but still a problem... by argent · · Score: 5, Insightful

    As other people have noted, you still have to say "yes, bone me". But people don't expect a Java applet (since it's normally firewalled) to be dangerous, so they're more likely to say "yes".

    If allowing an unrestricted Java applet to run is just as dangerous as installing and running an application, then the dialog box should reflect that. If Firefox is going to make you manually approve sites that you're going to allow XPI installs from, and *then* run a countdown in the warning dialog, they need to be at least as thorough about any other operation that takes you outside the sandbox.

  36. EVERY PROGRAM is vulnerable by SnprBoB86 · · Score: 2, Insightful

    I'm confused why this is considered an IE vulnerability? And I am even more confused as to why people pin this on Java.

    If a user downloads an untrusted applet and grants it unrestricted security access, EVERY SINGLE THING ON YOUR COMPUTER IS VULNERABLE. Just because this particular exploit attacks IE, doesn't mean that the exact same applet couldn't be altered to infect Firefox or even something completely different like Adobe Photoshop.

    --
    http://brandonbloom.name
  37. Re:Not a browser issue and not a Java issue by JohnnyCannuk · · Score: 5, Insightful

    No this is not really a Java issue either. This is a social engineering issue.

    The JRE pops up its "Warning" dialog, like it's supposed to. It displays to the user that it cannot verify who signed this, that the cert is out of date etc, like it's supposed to. It displays a warning recommending that you NOT say yes and install the applet, like it's supposed to. So when you ignore all of that and say yes, you deserve to get infected. I mean, what do you want, another dialog asking "Are you sure?".

    I mean 3 big yellow exclamation marks? I've never seen that even in the most unstable of development environments.

    Oh and BTW, if you say yes to a Java applet in this instance, it runs as a local application without a security manager. This is not a 'hole' it is what it is supposed to do. When you say yes, that's what you're saying 'yes' to.

    Now if people were taught not to do that the same way they are taught not to run arbitrary files sent to them via e-mail, this wouldn't be a problem. (That's sarcasm BTW)

    In the end, the problem is the goof behind the keyboard that is willing to say 'Yes' to run applications they don't know about and that the JRE itself warns them at least 3 times in 3 ways not to run.

    How do you defend against that?

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
  38. Re:If you are using Firefox, you won't need to use by wk633 · · Score: 3, Informative

    You missed the part where IE opened on its own. Unless you have REMOVED IE from your system (good luck) or never had it in the first place (ya, ya, Mac and Linux and BSD are great) then you care about this.

  39. Some FUD here? by billsf · · Score: 2, Interesting

    It looks like an exploit I happened to discover only about two and a half weeks ago while running Windows XP-sp2-blabla under emulation. The recognisable part is being able to get 'spyware' (in the test, just a dummy cookie) through Firefox and into IE. A few people were told this and repeated it. It should be made VERY clear that Sun Java is NOT needed (MS has every reason to FUD Sun) and it's not Mozilla at fault, but the fact that IE cannot yet be 'de-installed'. The advised solution is for _someone_ to develop a full de-installer for IE. Nobody I know gives a flying f* for MS, but getting a practical de-installer out for IE is the slap-in-the-face MS has coming!

    In the meantime watch out for FUD. MS will say Sun and Mozilla are bad and IE is good. You never say in business: "I told you so", but MS will. WATCH OUT! As usual there is a spin on this that seems to favour Microsoft. Don't buy it.

    There are some 'unfixable' bugs in all Windows and MS products due to the "I want to be different factor". Being able to completely remove IE (use Firefox, Opera, etc.) would go a long way in reducing the threat. Removing "Media Player" (use mplayer) would help a little more. The real truth however is that Windows is flawed by design and can never be fixed in an acceptable way.

    If you are unfortunate enough to be using Windows, please look at the track record, including all the lies you've been told and make an informed decision. Get Solaris 10 if you wish, I'll stick with FreeBSD. Linux has a range of distros that range from 'true hardcore' to 'clickity-click' and even have a dual boot. Sooner or later, you are going to have to make the transition. You decide when.

  40. Re:Ahem... by owlstead · · Score: 2, Interesting

    Those are the JRE runtime warning boxes and have little to do with Firefox itself. Never mind, the top story is FUD.

  41. Re:IE? by KarmaMB84 · · Score: 2, Insightful

    The fact that it even asks that stupid question when running in a web browser is ridiculous. Even asking the questions makes it just as bad as ActiveX. It should be refusing to run outside of the sandbox without forcing the (knowledgeable) user to jump through some hoops other than clicking a button.

  42. STOP ARGUING FOR A FIX by WhiteWolf666 · · Score: 2, Insightful

    Seriously slashdotters. . . .

    At some point, the user must take some responsibility for their own security.

    System doing something unintended, without user notification or permission? Security exploit.

    System doing something unintended, after user notification and approval? Idiot exploit.

    The ONLY way to stop idiots from being exploited is to take the permission/approval step out of their hands, and give it to someone else.

    Either the sys-admin, or the OS manufacturer.

    The sys-admin route is already possible. We don't need anything else for that. These boxes are secure, but a gigantic pain to work with, depending upon what your users' needs/wants are.

    The OS manufacturer route. This is the route Microsoft would love to push us all.

    Dump Java. It's insecure. Use our New(TM) Palladium(TM) Super-Secure Trust-In-Our-Magic-Decision-Making Signed Certificate, only MS(TM) software ActiveSecureX.

    The only way to prevent (idiot) exploits such as this one, is to prevent any 'unapproved' application installs.

    Ask for that, and you're asking for Trusted Computing(TM).

    And I'll bet ten grand that someone will figure out how to exploit THAT, and then you'll have a pwned box that is unfixable.

    This is Microsoft. Even though your users make DAMN STUPID decisions on what to install (Press Yes to Install MySpware Super-Happy Plugin!), Microsoft has proven itself to be just as, if not far more vulnerable.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  43. Re:The assumption was that Java Applets can't 0wn by JohnnyCannuk · · Score: 4, Informative

    No the prompt was from the JRE indicating that the applet that was being downloaded was asking for special privileges, beyond that of the sand box (see the picture in the middle of the Vital Security article). 3 exclamation marks, big and yellow, telling the user that it couldn't verify the authenticity of the applet, that the cert used to sign it had expired and then warned the user specifically to NOT say yes.

    The idiot said yes anyway.

    Now, if this happened without those warnings, then there would be an issue. But that is not the case. The JRE functioned as it was designed to - to allow for extra privileges to be granted to an applet under certain circumstances and to vigorously warn the user and present them with information before hand. It was the user that ignored the warning, not the JRE.

    Note to self: never get advice from "Vital Security" about security because anyone that would ignore that kind of warning from a site they did not know is definitely NOT a security professional

    --
    Never by hatred has hatred been appeased, only by kindness - the Buddha
  44. Re:The assumption was that Java Applets can't 0wn by WhiteWolf666 · · Score: 2, Informative

    Java applets can do all sorts of things.

    It is not true that they can't 0wn your box.

    In fact, whoever told you that should be shot.

    Java is very powerful, and can do many, many interesting things.

    If it works properly (i.e. no exploits), then a Java applet will not be able to silently 0wn your box.

    It'll request permissions, and you'll have to approve it.

    There are two possible circumventions.

    1. Set system-wide permissions too low. By default, they come pretty restrictive. I would not suggest changing them.

    2. Exploit in the JRE. Has happened before (rarely). This doesn't count.

    Java is not a pure safe language. Java does not run its applets in an entirely isolated Virtual Machine.

    Java, however, does not experience buffer overruns (which lead to exploits), and does not experience a variety of other security problems.

    No exploits != No 0wnage.

    No exploits = No 0wnage without requesting security permissions.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  45. Re:Not a browser issue and not a Java issue by mopslik · · Score: 4, Funny

    How do you defend against that?

    Clearly, all software should only be installable from floppy disks, and not from over the Internet. That way, script kiddies would have to send people their exploits by snail mail, with a note attached that reads:

    2 C pix of Natalie p0rtman nood, reboot ur PC with this disk & type FORMAT C:

    Still, I'm sure there'd be a few who did...

  46. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  47. Secure login by grahamsz · · Score: 4, Insightful

    A nice intelligent choice with WinNT was the "Press Alt-Ctl-Delete" to login.

    Since applications shouldn't be able to hijack that combination it adds additional security.

    You can have a lot of fun with mimicking login boxes. Back when I was in uni we'd screw around with each other's laptops. I got a terminal window on a friend's machine and aliased the su command to a perl script which would prompt for a password, send the password to my webserver, tell the user it was wrong, and then unalias the command so the next try would go to the real su.

    Easy to do, but you'd have to be very on top of things to spot it.

    1. Re:Secure login by Xoder · · Score: 2, Informative

      Actually, the three magic fingers doesn't do what it's supposed to anymore. You can now create a virtual desktop, and do whatever you like with that key combo. I read about it in DDJ. MS is happy to have made it, since it makes the kiosk software people happy.

      and Re: the script: devilishly clever, sir.

      --
      The previous sig has been removed due to /. protecting your best interests
    2. Re:Secure login by m50d · · Score: 3, Informative

      Erm, it took about a week for a trojan which intercepted the ctrl-alt-del to come out.

      --
      I am trolling
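
Added example, not part of any comment in this thread: a defensive check for the `su` alias trick described in comment 47. It reports sensitive commands that the current shell would resolve to an alias, a shell function, or a binary outside trusted directories, and lists matching definitions in start-up files; `SENSITIVE`, `TRUSTED_DIRS` and all function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Source this file into the shell you
# want to audit, then run: audit_shell
# SENSITIVE and TRUSTED_DIRS are assumptions; adjust them for your systems.
SENSITIVE="su sudo login passwd ssh"
TRUSTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# Print the first directory in the PATH-style string $2 that holds an
# executable file named $1. An empty PATH element means the current directory.
first_path_hit() (
    name=$1
    set -f                      # no globbing while splitting on ':'
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
)

# Classify how this shell resolves command $1, searching PATH string $2
# (default: $PATH). Prints: alias | function | untrusted:<dir> | missing | ok
classify_command() (
    if alias "$1" >/dev/null 2>&1; then
        echo alias
        return 0
    fi
    case "$(LC_ALL=C command -V "$1" 2>/dev/null)" in
        ("$1 is a function"*|"$1 is a shell function"*)
            echo function
            return 0 ;;
    esac
    hit=$(first_path_hit "$1" "${2-$PATH}") || { echo missing; return 0; }
    for t in $TRUSTED_DIRS; do
        if [ "$hit" = "$t" ]; then
            echo ok
            return 0
        fi
    done
    echo "untrusted:$hit"
)

# Print "file:line:text" for each alias or function definition of a
# sensitive command found in the given start-up files.
scan_rc_files() (
    n="($(printf '%s' "$SENSITIVE" | tr ' ' '|'))"
    pattern='^[[:space:]]*(alias[[:space:]]+'"$n"'=|function[[:space:]]+'"$n"'([[:space:](]|$)|'"$n"'[[:space:]]*\(\))'
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null forces grep to prefix each hit with the file name
        grep -nE "$pattern" "$f" /dev/null || true
    done
    return 0
)

# Report every sensitive command that does not resolve to a trusted binary,
# then list suspicious definitions in common start-up files.
audit_shell() (
    for c in $SENSITIVE; do
        r=$(classify_command "$c")
        case $r in
            (ok|missing) ;;
            (*) printf '%s: %s\n' "$c" "$r" ;;
        esac
    done
    scan_rc_files "$HOME/.profile" "$HOME/.bashrc" "$HOME/.bash_profile" \
                  "$HOME/.bash_aliases"
)
```

The file has to be sourced (`. ./file`) rather than executed, because a child process does not see the aliases and functions of the interactive shell. Hits from `scan_rc_files` are a review list: legitimate aliases for these commands show up there too.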
  48. Re:If you are using Firefox, you won't need to use by levitater · · Score: 2

    I stand corrected.

  49. this is pure fud by taso · · Score: 3, Insightful
    Linux is vulnerable to the following exploit. If a user unwittingly gives the root password, his drive will be erased.
    #!/bin/sh
    echo Kindly give the root password at the next prompt
    su -c rm -rf /
  50. Social Engineering? by OhHellWithIt · · Score: 3, Insightful
    The author brushes aside "the social engineering aspects of the install", but the screen shots don't show anything other than the standard dialog that is triggered when Java encounters an applet that seeks to use privileged methods. This is hardly social engineering!

    It's been a long time since I worked with Java code, but I recall that once the user tells Java he "trusts" the code, (signed or unsigned), he opens himself up to a number of risks, including accessing the local filesystem and making network connections to hosts other than the host from which the applet was downloaded. This would, of course, include HTTP calls, probably using the installed default browser. I don't know about executing local programs.

    So, while this may have been an exploitation of MSIE, the fact remains that it would never have occurred had the user not agreed to trust the applet. This is why it's important for developers and sites to sign their code, but more importantly, it shows the importance of embedding into end-users' brains: "Never, never, never click 'yes' when the application tells you the code is untrusted."

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  51. WTF? by stinky+wizzleteats · · Score: 3, Insightful

    So you are telling me that someone found a way to get into a system with java, and - once there, found that it was actually more effective to try to break IE than the browser actually being used? Doesn't that sort of blow the popularity vs. intrinsic insecurity argument out of the water? I mean, the user is running firefox, right? The argument of what they are likely to use (and therefore be affected by) has pretty much been resolved at that point.

    This sounds like a FUD factory somewhere is trying to come up with vulnerabilities against Firefox. Interesting that the best they can come up with so far is an exploit of IE. "Hey, wait, guys, we can make this one run with another browser! Let's run with that!"

    1. Re:WTF? by m50d · · Score: 2, Insightful

      They just want to display popup ads. My guess is they already had the code to do this with IE lying around, and since you can't remove IE on a windows box, decided to use that rather than writing a new payload.

      --
      I am trolling
  52. The Giant DUH! Award by rudy_wayne · · Score: 4, Insightful

    The Giant DUH! Award goes to VitalSecurity.org, quite possibly the dumbest security company ever.

    At the end of his blog, the author says that the purpose of his article is NOT to point out the social-engineering aspects of this exploit, but to point out that "most spyware installs occur when someone clicks "yes" to something they shouldn't have."

    DUH!!!! What a total maroon.

    Let's review. The user is presented with a dialog box that warns them, 3 times, that this thing can't be trusted, but they click 'Yes' anyway.

    This is not a Firefox exploit. It is not an IE or Java exploit. It is a USER STUPIDITY exploit.

  53. Re:Unfair analogy by 0x461FAB0BD7D2 · · Score: 5, Funny

    Never been to Tennessee have you?

  54. Re:Unfair analogy by daikokatana · · Score: 2, Insightful

    Was it addiction then that caused them to smoke the first cigarette? Nope - it's the ye olde "I know best" and "what the (insert swear) do I care" routine.

    --
    http://jcsnippets.atspace.com/ - a collection of Java & C# snippets
  55. Won't work for long... by mardoen · · Score: 2, Interesting

    ...because the following month a user's default actions will be:
    - notice that dialog pops up.
    - check that checkbox without which websites seem not to work correctly.
    - click OK.

  56. So Let Me Get This Straight... by ThisIsFred · · Score: 2, Insightful
    ...It has nothing to do with IE or Firefox, it's a Java application that's malicious. It has nothing to do with Java being vulnerable, in fact, it's not even a trojan, because the user has to install it in order for it to work. And when the user attempts to do it, he is dutifully warned that it is from an untrusted source.

    I was about to go off on a tirade about the editor, but I can see from the TFA that the blame clearly rests on the original authors.

    Oh good grief, my head hurts from this one:
    Does this mean the Emperor's new clothes syndrome has hit Firefox? Possibly not, though it doesn't take a genius to work out that if "The Browser you Can Trust" now has to keep one eye on its older, slightly clumsier brother as well as watch its own back then there's a very good chance its tail could be getting ready for the mother of all burnings.
    It has nothing to do with security problems in either IE, Firefox, or Java. The user is authorizing a foreign, untrusted piece of software to run. It could happen through any browser using Sun's JRE, or an ActiveX control. It could be a script, or a trojan application. Yes, the operating system allows software to do things like this. If you can't trust yourself or your users to read warnings, then use an unprivileged account to do your browsing, and lock down the registry.

    Check out this follow-up:
    Yes, I am aware that "bad things will happen" when you click "yes" to something - that was kind of the whole point of the test, because most spyware installs occur when someone clicks "yes" to something they shouldn't have. The article is illustrating what happens when an end-user blindly agrees to something, however the point is IE being infected when not in use at the time, not the social engineering aspects of the install.
    What's the point? If the user runs malicious software, it can do anything allowed by the user's current OS permissions, including editing parts of the registry that aren't protected. Whether or not IE is the target is irrelevant.

    TFA: Troll -1
    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  57. Re:The assumption was that Java Applets can't 0wn by matman · · Score: 2, Informative

    In response to the other responses....

    Sorry for the oversight - this has nothing to do with SSL. The browser is prompting the user, stating that the authenticity of the cert can not be validated and is asking the user whether the applet should be trusted anyway. The user is not being asked whether the applet should be trusted with elevated privilege to install software. In fact, in Firefox certificate trusts and software installation trusts are two separate configuration spaces. Even if the user read the firefox documentation, they would expect to be prompted explicitly for software installs, independently from certificate issues. There is no mention of privilege or software installation on that dialogue.

    My expectation for an applet with a bad cert trying to install software is to:
    1. Prompt for trust of certificate
    2. AND prompt for permission to install software

    My expectation was that trusting this certificate will:
    1. if defined in Firefox's Software Install config, run under configured settings for that particular domain
    2. OR prompt for further privilege (to install software)

    Users are also so used to ignoring certificate problems for SSL sites that the user will always ignore certificate problems for sites that they do not trust. Users do not care if confidentiality and/or integrity of communications with an untrusted site are compromised as they don't really trust the communication to begin with. Users assume (as they should) that attempts by untrusted sites to do anything which may violate security will be prompted for or denied by default.

    The notice that Firefox has stopped the installation of software will be disregarded by the user as the user will believe that the installation has been blocked and can only be unblocked by right clicking on that notice. The dialogue with which the user is interacting will not be assumed to be related to the notice that installation of software was prevented.

    If it is the case that trusting the applet by providing a positive response to this dialogue results in the applet running outside of a sandbox, I would argue that the dialogue is misleading and extremely dangerous. In this case the dialogue must be changed to be more clear. The dialogues presented by Firefox (or the JVM?) are completely inadequate and must be fixed. Claiming that everything is working fine is ridiculous if the guy only accepted the dialogue as shown in the screenshot. The user is not at fault.

    Further, assuming that there was no certificate problem (eg if the attacker had a Verisign certificate), would the user have been prompted with anything? I certainly would not expect that anyone with a Verisign certificate has an ability to run applets at elevated privilege without me being prompted by my browser. If browsers/JVM will run all signed applets at an elevated privilege I would consider that a major vulnerability and a completely bone headed design. I don't think that this is the case and expect that the user would have to define the host as being allowed to install software in the Firefox configuration.

    W.R.T. the security professional comment... few except for those professionals who have in depth experience with applet security would know to have expectations other than those which I described in this message. One can not be an expert in everything. I would suggest that you meant that anyone who would ignore that kind of warning from a site they did not know, on a box they care much about, is definitely NOT a security professional.

  58. This reminds me of Japanese Cars.. by schon · · Score: 4, Interesting

    Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)

    I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.

    Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.

    I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.

    So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.

    You can't fix a behavioural problem with a technological solution.

    1. Re:This reminds me of Japanese Cars.. by dcam · · Score: 3, Insightful

      You can't fix a behavioural problem with a technological solution.

      Not trying to nitpick, but this is incorrect. It comes out on Slashdot an awful lot (particularly in relation to spam). It is better said as: "You cannot fix every behavioural problem with a technological solution."

      Using another car example, switching the car off while the lights are on makes the car beep. This, in my experience, has largely solved the problem of leaving the lights on and getting a flat battery.

      I am not certain if this has had the same effect in the wider population, but it is an example of where a behavioural problem of mine has been fixed by technology.

      --
      meh
  59. Forget the warnings! by itistoday · · Score: 4, Funny
    Sorry to rip off a bash quote, but this has to be said:
    <xterm> The problem with America is stupidity. I'm not saying there should be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?
  60. McAfee VirusScan by brettlbecker · · Score: 3, Informative

    When I visited http://www.lyricspy.com/ (this site listed as being the origin in the VitalSecurity story) I immediately receive a pop-up warning from McAfee 8.0 that the file "javainstaller.jar" is a Trojan, and an "exploit". The installer window never appears at all.

    Additionally, Firefox automatically blocks the installation with its pop-up blocker, so it appears that, with my settings (which are not terribly restrictive), I have a double layer of security preventing me from even getting to the point of clicking "yes" to the installer.

    Not too big a deal, this, but it is good to know that following basic security procedures like keeping virus definitions up to date and using the pop-up blocker correctly can make it a lot easier to avoid the kind of crap this story deals with. I do realize, however, that a great many people do not follow these guidelines, and that that is the point of the story.

    But I would like to point out that it seems that I am not quite as vulnerable as this story makes it appear that I will be (when running Windows). And, of course, if I flip over to my Fedora Core 3 partition, this problem goes away entirely.

    And yes, I am using the Sun Java Runtime.

    B

    --
    "We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
  61. Re:The assumption was that Java Applets can't 0wn by Lord+Crc · · Score: 2, Interesting

    ...and then warned the user specifically to NOT say yes. The idiot said yes anyway.

    I think there's a bigger problem with users getting "trained" to click "ok" or "yes" on all sorts of dialog boxes without understanding why the dialog box appeared or what the consequences are. Like when we "techies" casually say "Oh, yeah, just click ok on that one".

    Part of the reason, imho, is that dialog boxes are abused. I think software authors and especially Microsoft should try to think much harder about dialog boxes, especially when to use them and how to present them. For one, include a "if you are unsure, do X" (like the Linux kernel config menu, very good example). I think that would help users to not just "I don't want to do anything wrong, so I'll click Yes".

    Web browsers should also have visually different windows for popups and similar, so that casual users could have an easier time distinguishing between real dialogs and "copycat" ads.

    Just my thoughts on the issue.

  62. "trusted" ? by Anonymous Coward · · Score: 2, Insightful

    This is unbelievable. How could news be more misleading? This is obviously not a "vulnerability", since Firefox, IE and Java are all behaving as expected.
    That being said, this dialog for trusted applets is just as misleading for people who are not Java developers. A company paying for a certificate will have a nice dialog saying the applet is safe, giving the user that warm comforting feeling, while a poor developer will only get a scary dialog, which (believe it or not) really makes users flee. In both cases a lot of users will click without thinking, "yes" if it looks nice or "no" if it looks scary. And the result will always be the same if they click "yes".
    Instead, this dialog could display a useful and educational message like "Warning - if you agree, this program will be able to read, change, delete or add any file on your account, like any other program you run outside of the web browser".
    I don't want to start another conspiracy theory, but this looks like Sun is somehow related to the certificate business.

    This whole mess is damaging for everybody, because users might just disable Java and thus lose the ability to run programs safely (the only alternative being to download and run).

  63. Hrm by conebrid · · Score: 2, Insightful

    Maybe if those who used Firefox on Windows were permitted by the operating system to uninstall IE completely, this wouldn't be a problem.

  64. Doesn't work with bash by grahamsz · · Score: 2, Funny

    I just tried

    alias /bin/su="echo you suck"

    and it hurt my feelings

  65. Re:Well yeah by AstroDrabb · · Score: 3, Insightful
    I agree. It wasn't a bad idea, but it _was_ poorly implemented. MS allows system hooks (I have programmed many for the company I work for) which can get past most of their start-up "security". MS should have really locked down the kernel and prevented anything from getting into the system when it starts up.

    However, I do see the problem MS faced. If they made system hooks too restrictive, it would really hurt third party programmers that needed a system service to start up without a user login. So, of course MS picked the most lucrative path, instead of the most secure ; )

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  66. Funny title. by stealth.c · · Score: 2, Interesting

    "IE Vulnerable..." instead of "Firefox Exploit..."

    The former is hardly newsworthy. The latter is more accurate and constructive.

    I'm as frustrated with MSFT as the next guy, but honestly...

  67. Re:The coffee case was frivolous by Jtheletter · · Score: 2, Insightful
    I can never seem to help myself from replying to the worst of the ACs, well here I go again.

    Why even bother to make such a long post as AC? Additionally you obviously didn't read any of the facts that were linked for you, I mean how easy can I make it. This article provided by wormbin(537051) is especially easy to read, with a nice numbered list. I suggest you go read it since you got the facts you claimed to know incorrect.

    Now let's break down your arguments in a manner that follows logic and reason rather than off-the-hip emotional analysis as you attempted with my first post.

    A) I routinely boil up some water in the kettle, pour it into a cup, [...] and hand it to someone. I expect a sane, mentally competent adult to realize that hot drinks may be hot at first. Somehow, for thousands of years, adults have managed to deal with the concept of hot drinks. The McDonalds incident wasn't even boiling -- it was *colder* than what I'm talking about.
    Yes, because as we all know, water colder than boiling is incapable of harming people. You're trying to set up a straw man argument; only stupid people ever spill hot drinks on themselves, therefore this woman is stupid and it's her fault. I argue that there is no one alive who has never spilled a drink for any reason. I'd wager even you have spilled some of your delicious hot chocolate. The point here is that drinks will be spilled, and whether the person is aware of it being hot when given to them is irrelevant (also impossible to miss, I'm sure this woman was aware her hot coffee was hot). However since drinks do on occasion spill, it would be prudent for them not to be at an unreasonably dangerously hot temp. Key phrase here is 'unreasonably dangerously' as all hot liquids are to some degree dangerous, but we can mitigate that by keeping the temp a bit lower. In your example the person knew for a fact the cocoa they were given was just at the boiling point, this woman had no idea precisely how hot her coffee was. I think a consumer given a hot drink can have a reasonable expectation that it is drinkably hot, not barely sub-boiling.

    B) There are a ton of people that eat at McDonalds who *didn't* find the coffee "way above what any reasonable person would consider acceptable" -- including this woman, if she'd ever had a McDonald's coffee before.
    First, I don't understand how this woman having had McD coffee in the past somehow waives her right to ever declare it too hot. And once again you are marginalizing the point here by saying if X people didn't have a problem then X+1 will not have a problem. A fallacy. Just because Joe Citizen likes his coffee a scalding 185, doesn't make that temperature any safer for consumption.

    C) They had received numerous complaints about it prior to the incident
    They're McDonald's. They're enormous. They have complaints about coffee being too hot, meat not being kosher, coffee being too cold, a lack of Italian buns, and so forth. It would be unusual if they had *nobody* mentioning it.

    True, this is perhaps your best point, but again here you show your lack of actual facts of the case. It wasn't just that some trivial subset of people had made this complaint, there were in fact over 700 incidents of coffee burns on file. That's just burns, I'm sure the number of 'too hot' complaints are therefore well above 700. I'd say 700 burn cases easily eclipses the other trivial complaint statistics. And by-the-by, no one needed medical treatment for the food being not kosher or no Italian buns. Obviously the company cannot please everyone but potential injuries should rank high on the to-fix list.

    And if you were familiar with the case and were being honest, you would have mentioned that all the *other* coffees from the *other* fast-food places caused the same burns -- it's just that McDonald's, being the hottest of the temperature range by ten degrees, did so faster.
    I bolded the being honest bit above because it per

    --
    -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
  68. Re:Well yeah by Mordanthanus · · Score: 3, Insightful

    Oh pu-leaze.... If MS had made the system hooks restricted, programmers would have been climbing the walls over how MS locked everyone out of the OS and slashdotters doing the same "MS sucks and this is why *nix rules". Complain about one or the other, but MS got it right on this decision.

    And just to keep on topic, I wish everyone would get off this "IE sucks" trip. IE is part of the OS now... this crap doesn't infect IE anymore, it infects Windows. Now, let's change all these little rants I see all over this post. User goes to a webpage. Firefox gets to a Java applet and passes control to the JRE. JRE asks 3 times if they want to continue, and the user clicks "Yes" (because that is what they have been trained to do) and Windows gets infected. This isn't a software exploit. This is a user (i.e. idiot) exploit that was not anticipated by Sun. If Sun would change their warning dialog to make someone put a checkmark in a box to accept instead of just clicking "Yes", this wouldn't happen. But again, not Sun's fault, but something that could easily be fixed by them.

    --
    User logging on... 300 baud... 300 BAUD?!? (Click!) NO CARRIER
  69. Subject by Legion303 · · Score: 2, Insightful

    This is awesome. Now even Windows users who switch over from IE are fucked because windowsupdate.com doesn't play well with other browsers.