Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE7 Toolbar Mayhem

Posted by ryuzaki0 on from the bad-ideas-are-fun dept.

nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.

30 of 296 comments (clear)

  1. Is it really an infection if... by Anonymous Coward · · Score: 5, Insightful

    You go to the website, and click multiple times to install something on purpose? Sometimes even downloading and running something? I'm not an IE apologist, or even an IE users, but it seems like infection is a bit strong.

    1. Re:Is it really an infection if... by Fordiman · · Score: 3, Insightful

      Feh.

      The slashdot post here is definately FUD. It gives the impression that IE7 happily installs all kinds of crap. In the article, however, the experimenter says multiple times that IE7 made doing this VERY DIFFICULT to do without noticing you're braking shit.

      That's not to say some Typhoid User isn't perfectly capable of doing this anyways, but a Typhoid User should be encouraged very strongly to never ever log in as an admin, and charged through the nose for repair services.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    2. Re:Is it really an infection if... by Omnifarious · · Score: 5, Insightful

      It's only FUD to people who decide what it says based on their own biases and an unwillingness to read the article. I clicked through to the article, and even though it renders very badly on my browser for some reason, the parts I could read told me the IE was getting a lot better.

      Someone clicking 'yes' to everything is not that far off from a typical user's behavior. Most people have no idea what any of that stuff means and not much of a desire to learn. They just want the computer to do what they think they told it to.

      --
      Need a Python, C++, Unix, Linux develop
  2. Um... by jb.hl.com · · Score: 4, Insightful

    If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed.

    This is news?

    --
    By summer it was all gone...now shesmovedon. --
    1. Re:Um... by ziggyzig · · Score: 5, Insightful

      I think the better point is that at the end, even after screwing up IE 7 so badly, the author was able to remove all the toolbars with relative ease (save the Yahoo toolbar). The better question is why was the Yahoo toolbar allowed to stay? Can just anyone buy those rights?

    2. Re:Um... by meringuoid · · Score: 5, Insightful
      If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed. This is news?

      He got repeatedly warned about what he was doing, had to click through an awful lot of 'Yes, I'm sure'-type dialogue boxes to do it, and at the end was able to wipe out pretty much all of the toolbars very easily.

      This is indeed news. It looks like Microsoft are actually getting something right this time!

      --
      Real Daleks don't climb stairs - they level the building.
    3. Re:Um... by antifoidulus · · Score: 5, Funny

      Yes, but that still isn't allowed to be stated in a slashdot summary... I mean think of the group think, won't someone PLEASE think of the groupthink!

      --
      Monstar L
    4. Re:Um... by alanjstr · · Score: 4, Insightful

      It isn't that IE let him install toolbars. Of course it will if you click yes. The good news is that IE makes it more difficult.

      The bad news is "once you accept ONE UAC prompt in IE7 it disables the protection for subsequent browsing until you completely restart IE7"

    5. Re:Um... by whoever57 · · Score: 5, Interesting
      I think the better point is that at the end, even after screwing up IE 7 so badly, the author was able to remove all the toolbars with relative ease (save the Yahoo toolbar
      This does look like MS has improved security in IE. IE7 made some of the installations sufficiently difficult that a naiive user would not be able to complete them.

      The real question is how long will this situation persist? Will spyware vendors find means to disable the security features of IE7, or will IE7 continue to be resistant?

      --
      The real "Libtards" are the Libertarians!
    6. Re:Um... by digidave · · Score: 5, Informative

      Windows and IE security may be getting better, but there are two glaring holes evident from this article.

      1. Vista Ultimate Edition's default user has administrative rights.

      2. If you choose to accept to install something from the web, IE7's protected mode turns off until you restart the program. This could leave you vulnerable if you install a legitimate program (Google toolbar) and continue to browse the web.

      --
      The global economy is a great thing until you feel it locally.
  3. Failing by design by patio11 · · Score: 3, Informative

    There is nothing to see here: he systematically disables all of IE7's protections, clicks past up to FOUR warning boxes to get some of the toolbars, and goes through the manual install process (!!) for some of them because IE was like "Uh oh, sorry, you look determined to shoot yourself in the foot and I just can't let you" and denied the install through the browser.

    --
    Help poke pirates in the eyepatch, arr.
  4. Host took out Pictures by jafiwam · · Score: 3, Informative

    Looks like the host took out the pictures.

    (Some were large JPGs.)

    Interesting text nonetheless.

    There was a video of some guy recording his browse by infection of IE a while back that was very revealing. Just visited a site and his computer was infected, he proceeded to try to pull the stuff out and noted the techniques the spyware authors used to keep a user from being able to uninstall it.

    The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission. That's where the work needs to go. Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).

  5. FTA by big_groo · · Score: 3, Interesting

    "And considering what I put Internet Explorer 7 through, the reset tool did a very very very good job, see below, just one toolbar left, and it was Yahoo's, maybe that's a telling result ?"

    We'll see how well this works a year after release. That said, it's about damn time MS did something about IE.

  6. Reminds me of... by celardore · · Score: 5, Funny

    The screenshot reminds me of my mother or my sisters computer every time I go over there. They're always ending up with crap like "mycoolsearch", I did an adaware search and got something like 600 items the first time I tried it. I got fed up, and installed firefox and made IE less obvious on the computers.

    I go back two weeks later, and now firefox has a mycoolsearch toolbar! Arrg.

  7. Security? by paranode · · Score: 3, Insightful

    Really? The guy pretty plainly states that he ignores all the warnings and clicks yes/allow/next/install no matter what it says. So he is ignoring the security warnings and installing it anyways just to see how cluttered it will become. Not really a test of IE7's 'security' any more than running a rootkit on linux (as root) is a test of its 'security'.

    1. Re:Security? by nine-times · · Score: 4, Insightful

      You're right to criticize. On the other hand, hitting "yes/allow/next/install no matter what it says" sounds like an accurate approximation of what 90% of users will do. So I guess it still asks the question, if "increased security" means that there are a couple more pop-ups that I have to click "yes" on, how effective will that "increased security" be?

  8. Your Point? by prichardson · · Score: 3, Insightful

    I read as much of the article that would load, and I don't think that there are any points against IE here. Users should be able to override security measures on THEIR system. I would much rather Microsoft not cater to the really stupid.

    If Microsoft didn't allow people to override those controls I can just see a lot of internal applications breaking in a lot of businesses.

    There's a lot wrong with Windows (which is why I chose not to use it), but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).

    No one chastises Linux for allowing you to "sudo rm -rf /". I suppose it would be nice if IE prompted for a password.

    --
    Help I'm a rock.
  9. SlashDotted by Anonymous Coward · · Score: 5, Informative

    Mirror

  10. Re:What IF by taskforce · · Score: 3, Funny

    The problem is that MS actually makes one of these as well. I believe MSN offers a particularly annoying toolbar for IE.

    --
    My 3D Texturing Skinning work (under construction)
  11. Re:Hmmm... by A+beautiful+mind · · Score: 3, Funny

    No. Like 25% other slashdotters are also irritated.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  12. The result is really interesting by stikves · · Score: 3, Insightful
    Actually, as everyone has already pointed out, disregarding FOUR (max) security warnings to install software is not "a security" test. However what he does at the end is very interesting.

    I did not expect all those applications (where some of them had direct access to file system and registry) could be removed by a single click (and a confirmation).

    So we learn three new strong points of IE7 (added to what IE6 already provides):
    • Every installation requires confirmation (actually several of them) with a big warning dialog
    • If the installation requires access to file system or registry, it will require another specific confirmation (in a special secure mode)
    • IE has the capabilty to clean all the crap with a single reset button now


    I'll personally continue to use Firefox, however I'm glad to see IE getting secure, because every now and them I have to use some "bad designed" site which only works on IE. And now I can be more assured about the security of my system.
  13. There is some 'news' in the article by I'm+Don+Giovanni · · Score: 3, Informative

    One thing that the author encountered in his tests was that once a user says OK to a UAC dialog in IE, then IE turns off "protected mode" and that mode remains off until IE is shutdown and restarted. "Protected mode" prevents IE from writing anywhere in the filesystem except the cache (without explicit implicit user permission, such as the File-Save dlg), so malware installed on top of IE can't do any harm. But if "Protected mode" is off, then the IE process can write to any place allowed by the permissions of the user, meaning that malware running within IE's process can do the same. This might be a legit bug in IE7 (which hasn't reached RTM yet, so there's still time to fix it, if it is indeed a bug).

    --
    -- "I never gave these stories much credence." - HAL 9000
  14. Missed point ... by ProfM · · Score: 3, Informative

    After reading several comments on how this isn't news (because disabling protections to install stuff is easy) ... the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.

    This, I believe is the main point of the article, because this will help EVERYONE keep junk off of IE. Not that it deletes anything, but allows the clutter to be easily fixed.

    1. Re:Missed point ... by jalefkowit · · Score: 4, Insightful
      the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.

      If Yahoo has already figured out a way to defeat the "IE Reset" function, isn't it logical to expect that within a year of IE7/Vista's release, this knowledge will be common to all spyware/malware authors?

      A function like "reset browser settings" either works, or it doesn't. There is no middle ground. If there is a way to get it to do anything other than roll back all changes, it doesn't work.

      --

      Read my blog.

  15. Re:"Failing by design" Is Proper? by the.Ceph · · Score: 5, Insightful

    Now we just aren't being reasonable. If Microsoft didn't allow people to install these things every post here would be calling it anticompetitive and complain about how they don't give the user choices. I'm pretty sure I could make a "Log all credit card numbers and email them to me" extension for Firefox and if someone really wanted to install it I bet it would let them.

    The fact of the matter is it isn't always obvious if something is going to break functionality, making a user aware that it might and giving them the choice is IMHO better than telling them they can only run signed software on their computer.

  16. The world is going to end! by Jon.Laslow · · Score: 5, Funny

    Holy crap! I never thought I'd see the day when nearly all of the posts in a thread about a Microsoft product would be *defensive*! Time to clean out the fallout shelter!

  17. Mirror. by Janek+Kozicki · · Score: 4, Informative

    Ok, I managed to wget the final screenshot, enjoy: http://cosurgi.googlepages.com/iemess2.jpg

    --
    #
    #\ @ ? Colonize Mars
    #
  18. Normal behaviour. by miffo.swe · · Score: 3, Insightful

    If the normal workflow in IE7 is having to click a lot of yes/allow/ok popups thats what people will do. Thats not better security, its just a way of handing over the responsibility of the security to the users. For an OS targeted at baffoons thats not really a bright idea. Thanks to this Microsoft will just blame any security problem as a user error not having done anything to fix the bad security in IE.

    --
    HTTP/1.1 400
  19. Restore to default state by HalAtWork · · Score: 4, Insightful

    I think it's useful as it shows whether or not IE7 can be restored to a default state after you hose your system with a bunch of crap. A typical IE7 situation may not be like this, but for admins and those repairing PCs, or even if -- heaven forbid -- IE7 has a flaw that is taken advantage of by spyware, if a user can restore it to full functionality.

    --
    Twinstiq, game news
  20. You Misunderstand: Feature Good, Process Bad by EXTomar · · Score: 3, Insightful

    Toolbars themselves are a good feature add. By design, "plug-ins" allows for extension of the framework in ways the user wants. I'm all for Microsoft or Mozilla or Opera to have a way to install plugins! What is bad is the way Microsoft goes about doing this with their rules and exceptions which lead to a confused user.

    By design or miracle, "warning dialogs" are somewhat minimal in Mac or Linux but in Windows its all over. "Are you sure you want to do this? Yes/No" over and over again causes "fatigue" where users just dismiss it for the sake of making it go away. I've seen users who just click and dismiss things that are clearly warnings and indicators that something is wrong. Why? Because they see it dozens of times and its nonsense as far as they can tell. The reason they never hit "No" is because it stops what they were doing. They would rather be encumbered by a flakey IE than not do what they wanted and frankly these errant users have a point.

    The point is worth repeating: Adding a toolbar to IE7 isn't a bad thing. The real problem is the way the process works and it isn't getting better for Vista. For each plugin there should be one and only one confirmation. If it fails **any hard defined requirements** then it the plugin is not installed. They should not be asked to elevate their privilages. They should not be asked if they want to activate secondary controls (Active X). They should not be asked if the install can modify the registry.

    Why does any toolbar need 'elevated privilages' at all to install or work? IE is supposed to be an issolated framework that is user dependant. Why does a toolbar need another control hosted outside of itself (violates sandbox)? Why does any toolbar need to access the registry (again violates sandbox)? None of this stuff seems necessary at all for toolbars to function. Why bother asking the user "Yes/No" questions on things that are "violations"?? In most normal cases, when a program violates the rules it doesn't allow it. Why is IE different?