Slashdot Mirror
IE7 Toolbar Mayhem
nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.
You go to the website, and click multiple times to install something on purpose? Sometimes even downloading and running something? I'm not an IE apologist, or even an IE users, but it seems like infection is a bit strong.
If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed.
This is news?
By summer it was all gone...now shesmovedon. --
Really? The guy pretty plainly states that he ignores all the warnings and clicks yes/allow/next/install no matter what it says. So he is ignoring the security warnings and installing it anyways just to see how cluttered it will become. Not really a test of IE7's 'security' any more than running a rootkit on linux (as root) is a test of its 'security'.
I read as much of the article that would load, and I don't think that there are any points against IE here. Users should be able to override security measures on THEIR system. I would much rather Microsoft not cater to the really stupid.
/". I suppose it would be nice if IE prompted for a password.
If Microsoft didn't allow people to override those controls I can just see a lot of internal applications breaking in a lot of businesses.
There's a lot wrong with Windows (which is why I chose not to use it), but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).
No one chastises Linux for allowing you to "sudo rm -rf
Help I'm a rock.
Secure = Administrator on the machine should be blocked from installing google toolbar?
Truth is, he should have tried to see how much damage he can make as a standard user without providing Administrator credentials. Being and admin and clicking through all the warning dialogs is like running as root in linux and being surprised you can install software...
Hate to whine, but why do these articles make it into slashdot? It seems like often the other technical subjects discussed here are well moderated, and the articles thought provoking. But as soon as someone with a fleeting command of the english language lays down any thoughts that are anti-Microsoft, it immediately makes the front page.
I did not expect all those applications (where some of them had direct access to file system and registry) could be removed by a single click (and a confirmation).
So we learn three new strong points of IE7 (added to what IE6 already provides):
I'll personally continue to use Firefox, however I'm glad to see IE getting secure, because every now and them I have to use some "bad designed" site which only works on IE. And now I can be more assured about the security of my system.
If Micosoft did the same thing as the Mozilla Foundation and blocked 3rd-party extensions from being installed if they didn't come from a Microsoft-approved extension repository, they'd be in court faster than you can say antitrust.
Damned if you do and all that jazz.
Now we just aren't being reasonable. If Microsoft didn't allow people to install these things every post here would be calling it anticompetitive and complain about how they don't give the user choices. I'm pretty sure I could make a "Log all credit card numbers and email them to me" extension for Firefox and if someone really wanted to install it I bet it would let them.
The fact of the matter is it isn't always obvious if something is going to break functionality, making a user aware that it might and giving them the choice is IMHO better than telling them they can only run signed software on their computer.
Sounds like they are infected by CWS (Cool Web Search).
This is in fact one of the worst spywares you can get. Quite a few variants can be deemed rootkit like.
If it's no on fire, it's a hardware problem.
If the normal workflow in IE7 is having to click a lot of yes/allow/ok popups thats what people will do. Thats not better security, its just a way of handing over the responsibility of the security to the users. For an OS targeted at baffoons thats not really a bright idea. Thanks to this Microsoft will just blame any security problem as a user error not having done anything to fix the bad security in IE.
HTTP/1.1 400
If Yahoo has already figured out a way to defeat the "IE Reset" function, isn't it logical to expect that within a year of IE7/Vista's release, this knowledge will be common to all spyware/malware authors?
A function like "reset browser settings" either works, or it doesn't. There is no middle ground. If there is a way to get it to do anything other than roll back all changes, it doesn't work.
Read my blog.
I think it's useful as it shows whether or not IE7 can be restored to a default state after you hose your system with a bunch of crap. A typical IE7 situation may not be like this, but for admins and those repairing PCs, or even if -- heaven forbid -- IE7 has a flaw that is taken advantage of by spyware, if a user can restore it to full functionality.
Twinstiq, game news
Dear Microsoft apologists:
IT'S JUST A HUMOR ARTICLE. IT SAYS RIGHT IN THE ARTICLE THAT HE'S DOING IT ON PURPOSE TO SEE WHAT HAPPENS. NOTHING MORE.
Okay? Get it? We know it requires user action to infest IE7 with toolbars. That's not the point of the article, which is just to see what happens and laugh on a Sunday. For crying out loud, why does everyone think they have to leap forward and be some sort of heroic truthbringer to the poor Slashdot masses who won't understand the article? We're not idiots.
"Sufferin' succotash."
The problem with your statement in relation to the article is that Anyweb, intentionally installed every single toolbar that ended up corrupting his browser. I do not doubt your statements about how websites install toolbars without permission nor do I doubt that this is a problem. So, personally, I think you are right. Microsoft has issues with security, everybody knows that.
But simply put, due to the manner in which the author installed the toolbars, and the great lengths he went to do so (in some cases actually downloading the installer via FireFox) this article should not be used as a gauge of whether or not the Internet Explorer team has a lot of work left on their hands or not. Clearly they still have some work left as IE7 in still in beta stage and as the article pointed out IE turns of protection mode for the rest of the browsing experience once a toolbar is installed.
I think this that this article shows that Microsoft has, in fact, taken security seriously for a change. The author had to click warning dialogues multiple times to install a single tool bar. Though any windows user can install the toolbars, I would not be surprised if many get too bored or worried after facing, seemingly, endless warnings. And also, assuming a user does make a "mistake" and installs a toolbar, they can simply remove it from the system with a couple of clicks of the mouse, which is much, much, easier then before.
Toolbars themselves are a good feature add. By design, "plug-ins" allows for extension of the framework in ways the user wants. I'm all for Microsoft or Mozilla or Opera to have a way to install plugins! What is bad is the way Microsoft goes about doing this with their rules and exceptions which lead to a confused user.
By design or miracle, "warning dialogs" are somewhat minimal in Mac or Linux but in Windows its all over. "Are you sure you want to do this? Yes/No" over and over again causes "fatigue" where users just dismiss it for the sake of making it go away. I've seen users who just click and dismiss things that are clearly warnings and indicators that something is wrong. Why? Because they see it dozens of times and its nonsense as far as they can tell. The reason they never hit "No" is because it stops what they were doing. They would rather be encumbered by a flakey IE than not do what they wanted and frankly these errant users have a point.
The point is worth repeating: Adding a toolbar to IE7 isn't a bad thing. The real problem is the way the process works and it isn't getting better for Vista. For each plugin there should be one and only one confirmation. If it fails **any hard defined requirements** then it the plugin is not installed. They should not be asked to elevate their privilages. They should not be asked if they want to activate secondary controls (Active X). They should not be asked if the install can modify the registry.
Why does any toolbar need 'elevated privilages' at all to install or work? IE is supposed to be an issolated framework that is user dependant. Why does a toolbar need another control hosted outside of itself (violates sandbox)? Why does any toolbar need to access the registry (again violates sandbox)? None of this stuff seems necessary at all for toolbars to function. Why bother asking the user "Yes/No" questions on things that are "violations"?? In most normal cases, when a program violates the rules it doesn't allow it. Why is IE different?
The first picture is hilariously absurd, but what really shocked me was the second one, and he says
This is the first time I had seen MSIE7, so maybe it's old hat and "standard" to everyone else, but I thought the "clean" picture was provocative. Why? Look at it: the menu bar isn't even at the top of the window; the url and back/forward arrows are. Are they trying to slow down the user and make them hunt for things? Is this normal and default for MSIE and recent Microsoft applications, for the menu bar to be somewhere other than top? Or had this user already diddled with some settings to make MSIE look bad?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.