Slashdot Mirror
New IM Worm Installs Own Web Browser
Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victims PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on.
It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do so stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"
They have some interesting locked-down Windows boxes at my sixth form. You can't write to the C drive (obviously), and you can't run executables from your own network folder, or from USB sticks, or in fact from anywhere you have write access to.
It infuriates me, but it wouldn't even be noticed by the sort of people who catch this "worm" (surely actually a virus, as the user is required to run it him/herself?).
I don't know how its done, but it seems to be at a fairly low level (doesn't just apply to starting things with Explorer but instead gives the same error even if you try to launch things from office macros, batch files, etc.). If something like this were built into windows (the machines at school have a lot of RM stuff in them, so I suspect it isn't a Windows feature), it would at least protect idiots that have bright friends and family to set stuff up for them. It's much simpler than TC, and the admin can log in (with a separate password you wouldn't even have to give your sister) and install things as normal, even if MS doesn't like it.
# cat
Damn, my RAM is full of llamas.
Or is this already possible with any OS? The ability to specify a list of allowed executables and the disability for a user application to change the list.
I can think of at least two
In my 20 years of system administration I have often had people come to me and say "Peter, I just clicked the wrong button and my computer's acting funny." I've less often had people say "Peter, I downloaded a file to the desktop and opened it and my computer's acting funny." I've had several people say "Peter, I just clicked the wrong button AGAIN and I think I'm infected."
.NET-in-the-browser into the next Active Desktop disaster.
I've never had the same person come to me twice with "I've downloaded and opened a file and I'm infected." Give people even a small breathing space to think about what they're doing, without that reflex "gotta push a button" effect, and social social engineering is MUCH harder.
So...
You can solve this for most people simply by not including a mechanism for running untrusted content. Don't pop up a dialog box asking "What do you want to do with this application you just downloaded? (Open) (Show) (Ignore)". Don't even ask "The file you just asked to open is an appliaction? (Infect Me) (Cancel)". Just don't put the user in the position of deciding, right then, what to do with the file. Ever.
Firefox: get rid of the XPI install-from-web stuff. Let the user download the XPI and open it explicitly.
Apple: Dont' "open safe files after downloading"... there are no "safe files".
Microsoft: get rid of ActiveX and security zones and for god's sake don't try and make
All of the above: If it's a file you've got a safe application for... a *safe application*, not a *safe file*... open it explicitly IN THAT APPLICATION. Don't go "this is a ZIP file so I'll open it in whatever random program the user has for opening archives". Keep a database of safe programs to use on untrusted content like you keep a database of plugins people have explicitly installed. This would resolve SO MANY security issues... damnit.
(don't treat archives as "safe files", but that's another rant)
(in fact there's a lot of ranting I could add here...)
If you get hold of the CTP, you'll find that Vista actually does this. If something needs to prod around with something which should need admin (Registry, system folder etc) then you will be prompted for your admin password. Even if you're logged in with an admin account, it will ask you again.
How many people can read hex if only you and dead people can read hex?
You mean, welcome to MSN plus install, would you like us to bundle adware with this program to really annoy you?
[yes] [no]
My freeware games
Users need a way to transfer files to each other. What they should do is run an actual server for this, but they are told they should not, so every end user program gets a file transfer protocol tacked on - users can't be expected to say "yeah,get the file from http://my.ip.address:8080/foo", so they're given a way to transfer directly.
I am trolling
Try demoplanet.tv, the homepage shown in the article. That might just be it.
Yes, it is. There are many things an "Administrator" cannot do.
It can force ownership upon itself when it's not able to automaticly override.
This is a different thing to "not being bound by ACLs".
The unix 'root' user effectively bypasses the entire unix security system. That is, security restrictions simply are not applied if UID=0. The Administrator user can (and does) not do this. Indeed, no account in Windows can do this, as it has no concept of a "superuser".