Slashdot Mirror
IE7 Toolbar Mayhem
nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.
You go to the website, and click multiple times to install something on purpose? Sometimes even downloading and running something? I'm not an IE apologist, or even an IE users, but it seems like infection is a bit strong.
If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed.
This is news?
By summer it was all gone...now shesmovedon. --
MSFT came up with it's own extension central of the *same quality of that of the mozilla foundation* (I know there is one out there allready).
Afaik these toolbars add "extra browsing enhancements". If MSFT told it's users that these bars are Teh evil if installed from some random adress I'm sure the "toolbars" will die out soon.
perpetually dwelling in the -1 pits
There is nothing to see here: he systematically disables all of IE7's protections, clicks past up to FOUR warning boxes to get some of the toolbars, and goes through the manual install process (!!) for some of them because IE was like "Uh oh, sorry, you look determined to shoot yourself in the foot and I just can't let you" and denied the install through the browser.
Help poke pirates in the eyepatch, arr.
Looks like the host took out the pictures.
(Some were large JPGs.)
Interesting text nonetheless.
There was a video of some guy recording his browse by infection of IE a while back that was very revealing. Just visited a site and his computer was infected, he proceeded to try to pull the stuff out and noted the techniques the spyware authors used to keep a user from being able to uninstall it.
The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission. That's where the work needs to go. Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).
"And considering what I put Internet Explorer 7 through, the reset tool did a very very very good job, see below, just one toolbar left, and it was Yahoo's, maybe that's a telling result ?"
We'll see how well this works a year after release. That said, it's about damn time MS did something about IE.
The screenshot reminds me of my mother or my sisters computer every time I go over there. They're always ending up with crap like "mycoolsearch", I did an adaware search and got something like 600 items the first time I tried it. I got fed up, and installed firefox and made IE less obvious on the computers.
I go back two weeks later, and now firefox has a mycoolsearch toolbar! Arrg.
Really? The guy pretty plainly states that he ignores all the warnings and clicks yes/allow/next/install no matter what it says. So he is ignoring the security warnings and installing it anyways just to see how cluttered it will become. Not really a test of IE7's 'security' any more than running a rootkit on linux (as root) is a test of its 'security'.
So whats with the submitter implying that allowing third parties to install toolbars is a security hole? The article even said they went looking for them and clicked "yes/install/whatever" to every window they were presented with.
The only possible way to prevent this (and why would you want to prevent users from using their favorite toolbars?) would be to completely disallow downloading toolbars from the internet in IE.
By the way, did the submitter actually refer to Google toolbar as an "infection" with the implication that IE should have prevented it?
It looks like these upcoming MS releases are actually going to be good products based on the things slashdot articles are having to resort to in order to bash them.
I read as much of the article that would load, and I don't think that there are any points against IE here. Users should be able to override security measures on THEIR system. I would much rather Microsoft not cater to the really stupid.
/". I suppose it would be nice if IE prompted for a password.
If Microsoft didn't allow people to override those controls I can just see a lot of internal applications breaking in a lot of businesses.
There's a lot wrong with Windows (which is why I chose not to use it), but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).
No one chastises Linux for allowing you to "sudo rm -rf
Help I'm a rock.
We can expect to see him simulate a viral attack, this will envolve him formatting his hard drive while running IE, removing it and hitting it multiple times with a hammer.
Im not sure what we can expect from that, but I sure cant wait to see!
This sig is licensed under the Free Sig Foundation License, you may re-distribute it as long as you retain this notice
Mirror
Or it is approximately 80 percent, which I see as a legitimate use of "like 80%".
No. Like 25% other slashdotters are also irritated.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Secure = Administrator on the machine should be blocked from installing google toolbar?
Truth is, he should have tried to see how much damage he can make as a standard user without providing Administrator credentials. Being and admin and clicking through all the warning dialogs is like running as root in linux and being surprised you can install software...
Hate to whine, but why do these articles make it into slashdot? It seems like often the other technical subjects discussed here are well moderated, and the articles thought provoking. But as soon as someone with a fleeting command of the english language lays down any thoughts that are anti-Microsoft, it immediately makes the front page.
I did not expect all those applications (where some of them had direct access to file system and registry) could be removed by a single click (and a confirmation).
So we learn three new strong points of IE7 (added to what IE6 already provides):
I'll personally continue to use Firefox, however I'm glad to see IE getting secure, because every now and them I have to use some "bad designed" site which only works on IE. And now I can be more assured about the security of my system.
One thing that the author encountered in his tests was that once a user says OK to a UAC dialog in IE, then IE turns off "protected mode" and that mode remains off until IE is shutdown and restarted. "Protected mode" prevents IE from writing anywhere in the filesystem except the cache (without explicit implicit user permission, such as the File-Save dlg), so malware installed on top of IE can't do any harm. But if "Protected mode" is off, then the IE process can write to any place allowed by the permissions of the user, meaning that malware running within IE's process can do the same. This might be a legit bug in IE7 (which hasn't reached RTM yet, so there's still time to fix it, if it is indeed a bug).
-- "I never gave these stories much credence." - HAL 9000
After reading several comments on how this isn't news (because disabling protections to install stuff is easy) ... the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.
This, I believe is the main point of the article, because this will help EVERYONE keep junk off of IE. Not that it deletes anything, but allows the clutter to be easily fixed.
Now we just aren't being reasonable. If Microsoft didn't allow people to install these things every post here would be calling it anticompetitive and complain about how they don't give the user choices. I'm pretty sure I could make a "Log all credit card numbers and email them to me" extension for Firefox and if someone really wanted to install it I bet it would let them.
The fact of the matter is it isn't always obvious if something is going to break functionality, making a user aware that it might and giving them the choice is IMHO better than telling them they can only run signed software on their computer.
In short: No.
Long answer: IE seems to actually have saner defaults now. It still has the occasional buffer overflow that gives full access to the system.
One of my proper security settings, while on Windows, is to use Firefox for all web browsing, only resorting to IE Tab for Windows Update.
Again, it's got to do with IE inevitably having some security hole that doesn't care what "security settings" you have.
Maybe. These are also the same people who would have you never install Linux.
Well, as far as I can tell, this wasn't supposed to prove that anything was insecure.
That implies you're missing something. What, exactly, have you disabled in your security settings?
I can browse the web with Javascript enabled, Java enabled, Flash enabled, even a couple of nice extensions like Adblock and the Web Developer Toolbar.
If you're missing one of those things, I'd see that as a possible reason to prefer Firefox.
You must not want web standards to work properly.
Or, a more relevant question: Most good web browsers these days are less than a ten meg download. Firefox: 4.9 megs. Opera: 4.6 megs. Most IE updates are more than that, but more importantly, with a decent connection, it should take you less than ten minutes -- more like 3-5 minutes, at worst -- to download and install another browser. So, "already on my machine" doesn't seem like a valid reason to me, if you know of better alternatives.
As for me, I use tabbed browsing and Google Browser Sync, among other things, that don't exist in the current version of IE, that I never thought I'd need, but I would be helpless without them now. IE will be stealing... er, implementing these, eventually, but it still won't be anywhere close with web standards, and I still doubt it will be secure, whether or not you use "proper security settings."
Don't thank God, thank a doctor!
Holy crap! I never thought I'd see the day when nearly all of the posts in a thread about a Microsoft product would be *defensive*! Time to clean out the fallout shelter!
Ok, I managed to wget the final screenshot, enjoy: http://cosurgi.googlepages.com/iemess2.jpg
#
#\ @ ? Colonize Mars
#
If the normal workflow in IE7 is having to click a lot of yes/allow/ok popups thats what people will do. Thats not better security, its just a way of handing over the responsibility of the security to the users. For an OS targeted at baffoons thats not really a bright idea. Thanks to this Microsoft will just blame any security problem as a user error not having done anything to fix the bad security in IE.
HTTP/1.1 400
I think it's useful as it shows whether or not IE7 can be restored to a default state after you hose your system with a bunch of crap. A typical IE7 situation may not be like this, but for admins and those repairing PCs, or even if -- heaven forbid -- IE7 has a flaw that is taken advantage of by spyware, if a user can restore it to full functionality.
Twinstiq, game news
Those toolbars are a plague. Does every company in the world need a toolbar? It has nothing to do with filling a need for anyone, it's pure marketing trash. In the early days of IE6 there was literally no defense against them, and some of them were practically impossible to remove (hotbar, cool web search). The anti-spyware tools (at the time) were horribly inadequate; using Ad-Aware and Spybot with up to date definitions back then would only remove some of the toolbars. My company spent a lot of money removing that crap. Fortunately people started using another web browser and Microsoft finally admitted that spyware was a problem (years too late IMHO). That whole situation was enough to get me off of Microsoft products. I've been an Ubuntu Linux user for quite some time now, and never had a *single* unwanted toolbar or spyware installed on my computer. The old cliche's about "you must be visiting questionable web sites if you have spyware" is completely ridiculous. I can't tell you how many times I've heard techs (or Microsoft) wrongly blame users for crappy OS and web browser security. It is 100% possible (and likely) for someone to get spyware and unwanted toolbars in Internet Explorer without visiting questionable web sites or agreeing to install it. It's a virus plain and simple. And where are the anti-virus companies? Instead of adding virus definitions for spyware to existing AV products, they IRRESPONSIBLY used the opportunity to create a new category of viruses and sell additional products. MS has used the opportunity to themselves launch anti-spyware products (Defender is currently in free beta, but word is that it will be pay only when out of beta). Nevermind that IE is the ONLY browser with this problem. What makes it worse is that companies like Adobe and Sun bundle toolbars with their software. So if someone isn't paying close attention they get Yahoo or Google toolbar. The fact that IE now has a "cleanup" option is completely meaningless IMHO. The fact that the browser can be loaded down with crap toolbars filling up 80% of the page in less than a few minutes should tell Microsoft that IE still needs a LOT of work.
Now go to mozilla's website. Download and install every damn extension there is for Firefox. Take a screen shot and post it please. I am no MSFT supporter. But TF(antastic)Article is just stupid.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Dear Microsoft apologists:
IT'S JUST A HUMOR ARTICLE. IT SAYS RIGHT IN THE ARTICLE THAT HE'S DOING IT ON PURPOSE TO SEE WHAT HAPPENS. NOTHING MORE.
Okay? Get it? We know it requires user action to infest IE7 with toolbars. That's not the point of the article, which is just to see what happens and laugh on a Sunday. For crying out loud, why does everyone think they have to leap forward and be some sort of heroic truthbringer to the poor Slashdot masses who won't understand the article? We're not idiots.
"Sufferin' succotash."
Toolbars themselves are a good feature add. By design, "plug-ins" allows for extension of the framework in ways the user wants. I'm all for Microsoft or Mozilla or Opera to have a way to install plugins! What is bad is the way Microsoft goes about doing this with their rules and exceptions which lead to a confused user.
By design or miracle, "warning dialogs" are somewhat minimal in Mac or Linux but in Windows its all over. "Are you sure you want to do this? Yes/No" over and over again causes "fatigue" where users just dismiss it for the sake of making it go away. I've seen users who just click and dismiss things that are clearly warnings and indicators that something is wrong. Why? Because they see it dozens of times and its nonsense as far as they can tell. The reason they never hit "No" is because it stops what they were doing. They would rather be encumbered by a flakey IE than not do what they wanted and frankly these errant users have a point.
The point is worth repeating: Adding a toolbar to IE7 isn't a bad thing. The real problem is the way the process works and it isn't getting better for Vista. For each plugin there should be one and only one confirmation. If it fails **any hard defined requirements** then it the plugin is not installed. They should not be asked to elevate their privilages. They should not be asked if they want to activate secondary controls (Active X). They should not be asked if the install can modify the registry.
Why does any toolbar need 'elevated privilages' at all to install or work? IE is supposed to be an issolated framework that is user dependant. Why does a toolbar need another control hosted outside of itself (violates sandbox)? Why does any toolbar need to access the registry (again violates sandbox)? None of this stuff seems necessary at all for toolbars to function. Why bother asking the user "Yes/No" questions on things that are "violations"?? In most normal cases, when a program violates the rules it doesn't allow it. Why is IE different?
...the Man with a Thousand Toolbars (2002).
Timeo idiotikOS et dona ferentes
The first picture is hilariously absurd, but what really shocked me was the second one, and he says
This is the first time I had seen MSIE7, so maybe it's old hat and "standard" to everyone else, but I thought the "clean" picture was provocative. Why? Look at it: the menu bar isn't even at the top of the window; the url and back/forward arrows are. Are they trying to slow down the user and make them hunt for things? Is this normal and default for MSIE and recent Microsoft applications, for the menu bar to be somewhere other than top? Or had this user already diddled with some settings to make MSIE look bad?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
From your original post:
The AC was giving you crap for misspelling "breaking".Microsoft's products already have enough situations where the software decides the user doesn't want something and doesn't give even the most experienced users the option to do it nonetheless, they really don't need more.
And I'm sure many people wouldn't appreciate not being able to install any uncertified extensions for the browser at all (which is the only way to prevent installing malicious toolbars since the browser cannot determine with absolute accuracy if something is malicious so it'd have to show the warnings whenever there is doubt). What if a company wanted to use IE 7 for some company internal stuff that involves a plugin with full system access? Telling them "We think you don't want that" certainly isn't the correct approach.
Justice is the sheep getting arrested while an impartial judge declares the vote void.