Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE7 Toolbar Mayhem

Posted by ryuzaki0 on from the bad-ideas-are-fun dept.

nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.

14 of 296 comments (clear)

  1. Failing by design by patio11 · · Score: 3, Informative

    There is nothing to see here: he systematically disables all of IE7's protections, clicks past up to FOUR warning boxes to get some of the toolbars, and goes through the manual install process (!!) for some of them because IE was like "Uh oh, sorry, you look determined to shoot yourself in the foot and I just can't let you" and denied the install through the browser.

    --
    Help poke pirates in the eyepatch, arr.
  2. Host took out Pictures by jafiwam · · Score: 3, Informative

    Looks like the host took out the pictures.

    (Some were large JPGs.)

    Interesting text nonetheless.

    There was a video of some guy recording his browse by infection of IE a while back that was very revealing. Just visited a site and his computer was infected, he proceeded to try to pull the stuff out and noted the techniques the spyware authors used to keep a user from being able to uninstall it.

    The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission. That's where the work needs to go. Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).

    1. Re:Host took out Pictures by Snover · · Score: 2, Informative

      The person you're probably thinking of is Ben Edelman. A couple videos are here and here. Pretty interesting stuff.

      --

      [insert witty comment here]
  3. Re:Um... by Anonymous Coward · · Score: 1, Informative

    In your rush to fail at the first post, you neglected to read the article where it states that he's doing this for fun to see if he can reproduce the same situation in IE6. And additionally, at the end of it all he uses IE's reset command and all those toolbars are gone (except Yahoo's). Of course, he doesn't analyze what kinds of processes are still running *outside* the browser and hiding in the registry. But all in all, an entertaining read and a good step forward for Microsoft.

  4. SlashDotted by Anonymous Coward · · Score: 5, Informative

    Mirror

  5. "Like" here means approximately by tepples · · Score: 2, Informative
    It either is 80% or is not 80%.

    Or it is approximately 80 percent, which I see as a legitimate use of "like 80%".

  6. There is some 'news' in the article by I'm+Don+Giovanni · · Score: 3, Informative

    One thing that the author encountered in his tests was that once a user says OK to a UAC dialog in IE, then IE turns off "protected mode" and that mode remains off until IE is shutdown and restarted. "Protected mode" prevents IE from writing anywhere in the filesystem except the cache (without explicit implicit user permission, such as the File-Save dlg), so malware installed on top of IE can't do any harm. But if "Protected mode" is off, then the IE process can write to any place allowed by the permissions of the user, meaning that malware running within IE's process can do the same. This might be a legit bug in IE7 (which hasn't reached RTM yet, so there's still time to fix it, if it is indeed a bug).

    --
    -- "I never gave these stories much credence." - HAL 9000
  7. Missed point ... by ProfM · · Score: 3, Informative

    After reading several comments on how this isn't news (because disabling protections to install stuff is easy) ... the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.

    This, I believe is the main point of the article, because this will help EVERYONE keep junk off of IE. Not that it deletes anything, but allows the clutter to be easily fixed.

  8. Re:Insecure Browsing by SanityInAnarchy · · Score: 2, Informative
    Um... Isn't quite a bit of software "insecure" by default?

    In short: No.

    Long answer: IE seems to actually have saner defaults now. It still has the occasional buffer overflow that gives full access to the system.

    I currently use IE. I don't get spyware. It's called proper security settings.

    One of my proper security settings, while on Windows, is to use Firefox for all web browsing, only resorting to IE Tab for Windows Update.

    Again, it's got to do with IE inevitably having some security hole that doesn't care what "security settings" you have.

    Maybe part of the current belief you can't secure your browser is fostered by the anti-spyware companies.

    Maybe. These are also the same people who would have you never install Linux.

    As far as this "test" or whatever it was supposed to be goes; I imagine that if I wanted to compile a virus and run it with the root account on a linux machine I could get it infected too. See? Linux is insecure.

    Well, as far as I can tell, this wasn't supposed to prove that anything was insecure.

    For the record, I am not missing a ton of webpage functionality either.

    That implies you're missing something. What, exactly, have you disabled in your security settings?

    I can browse the web with Javascript enabled, Java enabled, Flash enabled, even a couple of nice extensions like Adblock and the Web Developer Toolbar.

    If you're missing one of those things, I'd see that as a possible reason to prefer Firefox.

    I use it because it's already on my machine and does everything I want it to

    You must not want web standards to work properly.

    Or, a more relevant question: Most good web browsers these days are less than a ten meg download. Firefox: 4.9 megs. Opera: 4.6 megs. Most IE updates are more than that, but more importantly, with a decent connection, it should take you less than ten minutes -- more like 3-5 minutes, at worst -- to download and install another browser. So, "already on my machine" doesn't seem like a valid reason to me, if you know of better alternatives.

    As for me, I use tabbed browsing and Google Browser Sync, among other things, that don't exist in the current version of IE, that I never thought I'd need, but I would be helpless without them now. IE will be stealing... er, implementing these, eventually, but it still won't be anywhere close with web standards, and I still doubt it will be secure, whether or not you use "proper security settings."

    --
    Don't thank God, thank a doctor!
  9. Mirror. by Janek+Kozicki · · Score: 4, Informative

    Ok, I managed to wget the final screenshot, enjoy: http://cosurgi.googlepages.com/iemess2.jpg

    --
    #
    #\ @ ? Colonize Mars
    #
  10. Re:Um... by digidave · · Score: 5, Informative

    Windows and IE security may be getting better, but there are two glaring holes evident from this article.

    1. Vista Ultimate Edition's default user has administrative rights.

    2. If you choose to accept to install something from the web, IE7's protected mode turns off until you restart the program. This could leave you vulnerable if you install a legitimate program (Google toolbar) and continue to browse the web.

    --
    The global economy is a great thing until you feel it locally.
  11. Sit back and behold... by hysterion · · Score: 2, Informative

    ...the Man with a Thousand Toolbars (2002).

    --
    Timeo idiotikOS et dona ferentes
  12. Absolutely useless article by xxdesmus · · Score: 1, Informative

    Who would have thought, if you Manually install spyware toolbars they will be installed...who would have thought? This article is useless. IE7 is a huge leap ahead in terms of security for the "normal" user. Sure people are prone to just click yes, but IE7 will make you click it 3 or 4 times to install something god awful (and in most cases it still won't install it then either). You can only make the loaded gun more safe, but you're still giving stupid (and clueless) people a loaded gun either way.

  13. Re:What IF by WilliamSChips · · Score: 2, Informative

    Not if they allowed you to add sites from which you could also add extensions, like Firefox. The antitrust was not because IE was bundled, it was because MS banned OEMs from bundling Netscape.

    --
    Please, for the good of Humanity, vote Obama.