Criminals Attacking Myspace, Facebook IE Plugins

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

Get rid of ActiveX

[CastrTroy]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even moreso, but if they can't fix/remove activeX, I think that they will really lose a lot more users to the more secure browsers.

Re:Get rid of ActiveX

[calebt3]

I think Windows Update still uses it on XP.

Re:Get rid of ActiveX

[Tablizer]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You can have the video evidence for your case, but I will only give it to you on a Betamax tape."

It probably could have been done another way, but somebody at the other end didn't think it through. Or, perhaps wanted to pad their resume with "Active-X" and so invented a reason.

Re:Get rid of ActiveX

[DigitAl56K]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. Flash? DivX Web Player? You don't use either?

IE7 running on Vista is also secured against many things these controls could do to a system maliciously, even if they were compromised. System APIs that provide access to the registry and file system are restricted for low integrity processes such that you can only address very specific, usually virtualized locations.

Firefox plug-ins, btw, are DLL files, and I don't see how that's so wildly different?

Final thought: I just used Vista and IE7 to defend Microsoft, I may have to go throw up now.

Re:Get rid of ActiveX

[misleb]

I think Windows Update still uses it on XP.

Don't most people just use the standalone update tool? Or is that only good for autoupdate?

-matthew

Re:Get rid of ActiveX

[The+MAZZTer]

The Automatic Updates tool only allows you to get critical updates, and only when it checks once a day or whatever.

Re:Get rid of ActiveX

[cheater512]

The difference between Firefox plugins and IE ActiveX is with the latter anyone can make a website which throws up a yes or no box which users will click yes on and then it takes over their computer.

Also toolbars and other stuff in Firefox dont require any executable code at all and are thus less prone to attack.
Only things like Flash require executable code.

Re:Get rid of ActiveX

[ericlondaits]

Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox Add-on couldn't be exploited... through their APi they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE Active X) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).

Re:Get rid of ActiveX

[cheater512]

My point about the XUL was that its far harder to have a security flaw in your toolbar if you use it than if you make a IE toolbar.
Firefox handles all the tough code to make a toolbar and the XUL/js just does basic stuff.

Re:Get rid of ActiveX

[ericlondaits]

Defining UI through XUL it's not too different from how you do it in a Windows application (or an ActiveX control) through a Dialog definition in a .res file. Vulnerabilities in ActiveX don't have anything to do with UI... but rather with the exported interface.

With Firefox you really program most of the extension through JS... XUL just provides the UI that glues it together. But it's a bit like assuming that web pages are safe because you define them mostly through HTML... vulnerabilities through the use of JS and PHP still exist, and these are analogous to the ones you could have with Firefox extensions.

The difficulty in exploiting an add-on is that you can't normally excercise their code with arbitrary parameters through web content, like you can with plug-ins.

Re:Get rid of ActiveX

[cheater512]

Your completely misread my post.

Its far harder to make a toolbar with a vulnerability with XUL/JS than making one for IE.
TFA says that they are targeting specific IE toolbars with flaws. You couldnt do that with standard Firefox toolbars.

Re:Get rid of ActiveX

[kcbanner]

It's only for autoupdate and installing automatically downloaded updates.

Re:Get rid of ActiveX

[billcopc]

Fine. ActiveX in a controlled environment can be useful in a backwards kind of way, even though I personally believe they should package such functionality as a standalone app in most corporate environments... but given how 99.44% of programmers aren't even worth the hot-dog meat, I guess we have to make compromises.

The one place where ActiveX does NOT belong, is on the intarwebs. I _far_ prefer the Firefox plugin system, where everything is Javascript and still runs in a sandbox. The petty little features that are most often built into ActiveX plugins are just as easily made into XUL, without all these retarded vulnerabilities. I'm not saying Firefox is perfect, but I trust sandboxed Javascript a LOT more than random bytecode.

Re:Get rid of ActiveX

[Tablizer]

Fine. ActiveX in a controlled environment can be useful in a backwards kind of way...

I don't understand your use of "fine". I did not promote Active-X. I was only describing circumstances where one is sort of forced into using such pluggins.

Re:Get rid of ActiveX

[Kalriath]

You describe Firefox ADDONS. Firefox PLUGINS are compiled DLL code written in languages like C++ - Netscape style. Apparently you trust Firefox addons (sandboxed javascript) a lot more than Firefox plugins (random bytecode)

Re:Get rid of ActiveX

[billcopc]

Correct, apologies for my ambiguity. I trust addons. I don't trust plugins. That said, I don't use many plugins other than the ubiquitous Flash and Shockwave.

Given what I've seen done with Firefox addons, I'm quite confident that most of the functionality that traditionally used ActiveX can be safely and completely replicated with Javascript and XUL. After all, most of them are simple UI mods.

Re:Get rid of ActiveX

[holophrastic]

Well yeah, but most of those UI mods are pure fluff -- completely useless for anything worthwhile. I don't really care about the "skin" of the application -- I'm not racist that way. There have been a number of activex controls that I've built into web apps for clients that necessarily need to be bytecode -- well, they necessarily need enough direct access to the machine in order to provide basic functionality that any exploits become real concerns.

Hey, something as simple as accessing files on the machine -- welcome to an FSO. Or any piece of hardware control, like a barcode scanner, a card reader, or a thermal printer -- all real-world things in the business world. Or something as simple as registry manipulation. There are advantages to storing things in the system registry, and you can't get there without some level of system access.

Each of those needs access to the machine directly. You can't sandbox everything. And just think of the applications that become useless without those. Think of every ticketing system, most invoicing systems, every inventory system, and every e-commerce system. That covers a great big portion of the business computers out there -- I'd say the majority of non desktop business machines.

Certainly, when you're dealing with consumer usage, or home usage, or simple word processing and e-mail, then yeah, your machine becomes a dumb and stupid terminal for the nothing that you're doing. But the moment your machine has to do something real -- like read a credit card from a magnetic card reader -- the application needs to use the whole playground, not juts the sandbox. And if you want to encrypt that credit card number, and not leave it is raw text javascript memory, then you already need to do things at a lower level.

There's nothing wrong with running an application and giving it open access to the entire machine. Of course you're trusting that application, but you're trusting that application anyway -- with your data. Stop trusting applications and companies that you don't trust. But definitely trust those that are trust-worthy -- you'll get a lot more out of them, to be sure.

ActiveX = the IE culprit?

[Slorv]

I know little about Windows programming but ActiveX seems to be the source for many of the problems with IE and Windows security.
Why is it still used so much by commercial actors like Facebook, or not secured by MS?

Re:ActiveX = the IE culprit?

[ILuvRamen]

I'll break it down for you. An activeX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the activeX isn't 100% secure, a website can hack you with it. I usually use an activeX once if completely necessary then delete it instead of leaving it sit around.

Re:ActiveX = the IE culprit?

[CastrTroy]

Yeah, but you can accomplish the same things with a Java applet or using flash. Why the need to use ActiveX which has been proven insecure over and over again, and only works under IE?

Re:ActiveX = the IE culprit?

I'll break it down more .
If you surf the internet as a limited user, much of the crap you would otherwise collect is denied permission to install,
Remember , The bad crap often inherits the permission level of the logged in user , this isn't obvious to many consumer types.

It really does take knowledge to user a computer safely ,

Re:ActiveX = the IE culprit?

That's all true, but ignores the parent's point. Why use ActiveX which is buggy and insecure as all hell when there are better alternatives available? Is there stuff you can do in ActiveX but not in a Java Applet?

Re:ActiveX = the IE culprit?

>Why is it still used so much by commercial actors like Facebook, or not secured by MS?

That's like asking why C is still used so much or not secured by ANSI. Incompetent programmers can write insecure apps using any technology.

Re:ActiveX = the IE culprit?

[WD]

"ActiveX" itself is not necessarily the problem. ActiveX is a commonly used format for packaging native code in a way that it can be used by Internet Explorer. If that code contains a flaw, then Internet Explorer can be used as an attack vector for that buggy code. For example, if that code is written in C and it doesn't properly handle strings, it may be vulnerable to a buffer overflow that can reached by viewing a web page. That holds true whether that code is packaged as an ActiveX control or a Netscape-style plugin.

Plug-ins (including ActiveX) are dangerous. ActiveX is much more ubiquitous than Netscape-style plugins. For example, nearly every windows application comes with ActiveX or COM objects, but it's very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you're relying on all of these components to be written securely.

Secure your web browser and you'll be much better off.

Re:ActiveX = the IE culprit?

[flyingfsck]

Why? Microsoft has no economic incentive to fix their crapware and being strictly a commercial enterprise, they have no pride and cannot be shamed into fixing their crapware either.

Re:ActiveX = the IE culprit?

[zootie]

Indeed. It is just an extension mechanism. The component themselves have to be marked as "safe for scripting", and newer versions of IE don't enable ActiveX in public zones by default.

A problem is that users have dialog fatigue and don't read nor undestand when they get the prompts. Then again, most would trust Yahoo/MySpace/Facebook anyway if they get the prompt.

Re:ActiveX = the IE culprit?

[Constantine+XVI]

If memory serves, both Flash and Java are implemented in IE via ActiveX.

Re:ActiveX = the IE culprit?

[grossvogel]

IIRC, XMLHttpResponse is implemented via ActiveX under IE 6. (Anybody know if IE 7 implements it as a native JS object?)

In some cases it's the fault of developers (or their bosses) who rely on IE-only technology, but ActiveX is sometimes the only way to get 'standard' behavior out of IE.

Re:ActiveX = the IE culprit?

[Constantine+XVI]

From http://en.wikipedia.org/wiki/XMLHttpRequest#Cross-browser_support

Internet Explorer 7 added native support for the XMLHttpRequest object, but retains backward compatibility with the ActiveX implementation.

Re:ActiveX = the IE culprit?

[piojo]

Yeah, but you can accomplish the same things with a Java applet or using flash. Sometimes, ActiveX is used when intimate interaction with the user's computer is necessary. I have seen a consulting firm use ActiveX to start a VNC connection for support purposes. Telling the user to go to a URL and click "yes" is a lot easier than telling them to find and run an executable (that may not even be installed).

Re:ActiveX = the IE culprit?

[SL+Baur]

Hmmph. +5 insightful? You are an astroturfer.

You totally miss the point, as did the Microsoft middle managers who signed off on this. Running any code coming from a wire is unwise in the extreme. Running it without user intervention is worse.

ActiveX could work fine in a totally trusted environment, like inside an isolated company network. On the Internet it's Just Plain Stupid. It was accepted knowledge decades ago that one should just not run executable anythings (scripts or binaries) coming in over a wire.

Microsoft chose to ignore the past. There's nothing "buggy" about ActiveX. It's Just Plain Stupid and the model it uses has been known to be insecure and stupid for decades. Everything I wrote about ActiveX goes about Javascript as well. Javascript may be slightly safer, but not by much.

We had the problem fixed! Unshar was created and accepted and shar scripts became obsolete and then along came Microsoft and popularized the problem with the world. Sigh.

Re:ActiveX = the IE culprit?

[cheater512]

TightVNC and others provide a Java applet for connecting to VNC servers.

Re:ActiveX = the IE culprit?

[LO0G]

Not quite.

ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).

The plugins have vulnerabilities, and the bad guys are exploiting the vulnerabilities in the plugins. There's nothing about ActiveX involved except for the fact that the plugins are written for IE.

The exact same exploits could be written for Firefox or Safari or Opera, because they all contain support for the vulnerable plugins.

Windows Vista runs all browser plugins in a very locked down sandbox which should mitigate most vulnerabilities caused by browser plugins, but other browsers don't run their plugins in a locked down mode.

There's one real negative about ActiveX controls - Microsoft, for whatever reason, chose to make it easy for a web site to host and use plugins, and before Windows XP SP2, certain ActiveX controls were automatically assumed to be safe (which is utterly stupid).

From a security standpoint, an ActiveX control is indistinguishable from any other browser plugin - the security holes are in the plugins, NOT in ActiveX.

Re:ActiveX = the IE culprit?

[billcopc]

I'm pretty sure the parent was referring to a one-time-use VNC server, as would be used in a remote tech support scenario. Dell uses that sort of thing.

Re:ActiveX = the IE culprit?

[thePowerOfGrayskull]

ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology). Actually, ActiveX is an interface which an application must implement. This is not specific to web browsers at all, as ActiveX can be used (and often are) in any Windows application.

Re:ActiveX = the IE culprit?

[LO0G]

My answer was relatively simplified for the audience. I was just trying to get across the idea that ActiveX isn't an insecure technology per-se (which appears to be the general opinion on the internet), but instead a vehicle for deploying plugins, and it's the plugins that are insecure. As I mentiond, at least one of the vulnerabilities mentioned in TFA are applicable to Firefox (the vulnerability is in QT). The attackers are only targetting QT when it's hosted in IE, but according to Apple, QT is vulnerable in all flavors.

In reality, ActiveX is the name for a collection of technologies that are used to get a plugin running in the browser. The biggest part of ActiveX is the COM/OLE Automation programming interface (which provides activation and scripting control). There is also the Authenticode code signing technology (which allows you to know that a particular control was written by the person who said they authored the control), the IObjectSafety COM interface (which is required to get a COM object to run in the browser), and there are others.

Re:ActiveX = the IE culprit?

[thePowerOfGrayskull]

Fair 'nuff, I shall not be requiring you to turn in your geek license this day.

Re:ActiveX = the IE culprit?

[tmalone]

I don't think it is just dialog fatigue; the problem is also that the user clearly wants what the dialog is promising to give them. When those dialogs come up because you clicked on a link, it's essentially saying, "Do you want this information you requested?" Of course the user is going to say yes. They wouldn't have clicked on the link otherwise. The problem is two fold: too many dialogs because too many reputable sources use these facilities; and users who just want the info they requested. Users have been trained to expect these dialogs because every lazy or thoughtless developer uses activeX objects to display stuff that either doesn't need to be displayed, or could be displayed in a more standardized way.
Microsoft needs to make it even more difficult for the developers to give ActiveX objects to end users. They've done a decent job so far, but they need to go further. If it's easy, everybody will do it, and users will get used to it.

Limited user anyone?

I run as a limited user . I was attacked .
Instead of getting crap installed, an error in my security log about an Active X control not having required permissions to install
So I must ask, How many are vulnerable merely because they foolishly surf as Owner/ Administrator?
You might that this make no difference, but here, you would be wrong.

Apologies, but...

[gardyloo]

I apologize to any *individual* who may have been hit hard by these 'sploits. But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!

Re:Apologies, but...

[causality]

I apologize to any *individual* who may have been hit hard by these 'sploits.

I don't feel sorry for them in the slightest. It's not like IE/ActiveX's security track record is some big secret that would take a great deal of effort to find out about. People are voluntarily using a program with an unusually poor security history and are having security problems -- where is the surprise?

You could argue from the victim mentality and say "but they don't know any better", to which I would ask, do you think it's reasonable to work with what you do not understand and expect a good result? I'm growing tired of this fallacy that Microsoft or Norton or anyone else is going to do a good job of looking out for your interests; we've been operating under that idea for a long time now and it fails routinely (perhaps because software vendors don't have product liability like any other company would, but protecting yourself is much easier than changing that). To paraphrase a quote I once saw on here, some people learn by study, some learn from the mistakes of others, while some must figure things out the hard way. Lighting a fire under the asses of that third crowd can only end up being a good thing.

But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!

I'm not sure how important it is that those sites become more secure because two specific (albeit high-traffic) sites is a drop in the bucket in the grand scheme of things. I consider it a great thing that they're hitting IE hard, however, since that one continues to be the common denominator in most of these attacks. Really though, if your browser is secure and does not trust remote content, then the site you visit is one of the least important parts of this equation. Having said that, I am forced to agree with your "good for the criminals" sentiment, since that seems to be about the only way that anything related to IE ever improves. Certainly, good design principles or an idea of "the right thing to do" hasn't produced a proactive, prevantative approach to security (as demonstrated by OpenBSD); at least the reactive "well now that this is being exploited, perhaps we should fix that" approach is better than nothing. With the resources at Microsoft's disposal, however, they could do with a Web browser what the much smaller, less-funded OpenBSD team has done with an operating system. To the people who are exploited by this, I wonder how it feels to know that Microsoft could have done a better job but couldn't be bothered.

Re:Apologies, but...

That's great! And when if you get sick for not following healthy lifestyle (which as a /. poster you probably don't) I'll make sure to lol too!

Re:Apologies, but...

Except it won't change anything. It never does.

Re:Limited user anyone?

[calebt3]

I find it incredible how much you can't do as an XP limited account. My parent's WiFi link is defective, and the only way to get it back is to have it go through the 'Repair' process. Limited accounts aren't allowed to do this. Merely for curiosity's sake: can limited accounts in Vista do the Repair function?

Re:Limited user anyone?

[perlchild]

If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a ddos in the making...

Good reminder for the Mozilla extensions

[pembo13]

To check twice as hard for security flaws.

ActiveX is not the problem per se

[zootie]

ActiveX is a way to extend the browser, to make the web site better for -at least Windows- users (and overcome some of the limitations of good old fashioned HTML/HTTP). Truth is that even standards compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.

In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with a graphics friendly and programming flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver flash content.

Re:ActiveX is not the problem per se

Wait, what ?
Flash, fast ? Maybe it is for you, but the last time i checked it was mostly used as a movie player and i can assure you, it isn't that good at it. In fact, every movie that is played with flash on my fathers pc just looks like some pictures which are changed every 3 seconds. Stage6 works fine though with the totem-plugin.

Re:ActiveX is not the problem per se

[zootie]

While movie player and ad-rotator are common uses for Flash, many site are using it for more than that. They're doing full fledged interactive environments within Flash - I remember seeing Flash based games as early as 1996 (and now they are pretty common). In my office, people don't play Solitaire, they play Wheel of Fortune, Backgammon and other Flash games...

For graphics designers, Flash programming comes as a natural extension (and a way to bypass programmers), and it can offer enhanced functionality that rivals Ajax. For example, to distribute automated updates for monitoring (during elections) - Instead of refreshing the whole HTML page, you just refresh the data within the plug-in automatically.

That aside. A blocky and slow movie playback in Flash might have more to do with the speed of the connection, the cache buffer, and overall computer performance... Flash is being used for movie playback by YouTube, and you know how that has worked out..

And Flash is an ActiveX control...

Re:ActiveX is not the problem per se

[ACMENEWSLLC]

Per various sources, Flash is on 98% of PC's connected to the Internet. So when I start to refresh my web apps on my companies site (about 8 years old now) what should I use? AJAX type code which may or may not work 6 years from now and I might have to update as vulnerabilities become know? My apps from 6 years ago have some AJAX type coding in them, but had to be backwards compatible with IE 4 and NS 3.0 so it's nothing like AJAX of today. Still, I've spent considerabile time updating libraries with security updates.

Or should I program in Flash, where most of the vulnerabilities lie within the users browser & it's their job to update it? As long as I sanitize the SQL server side, I'm ok. There have only been a few cases of changes in Flash requiring me to change my site. Such as in a 7.x change where previously drop down html menus would float over flash content, then after the change, the drop down menus appeared behind the flash content.

Anyway, I am a big fan of Flash. After all, the Internet was made for..... (If you don't know, Google does http://www.google.com/search?q=the+internet+was+made+for )

Re:ActiveX is not the problem per se

[pembo13]

I really hope that never happens. Too many websites are in flash as it is. Darn you for wishing for more.

Re:ActiveX is not the problem per se

[ladybugfi]

ActiveX is a way to extend the browser.... ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers. I strongly disagree. ActiveX has a bad reputation for a reason: it has a very poor security model for its intended use.

Securitywise, Flash isn't as good as it could be. It seems that the security features have been a gradual add-on features over the years instead of being designed as an integral part of the system from day one. And that approach has never really worked well. For example, as far as I know, you can't digitally sign SWF files.

Re:ActiveX is not the problem per se

Flash and Silverlight are emerging as full fledged OS-like environments inside the browser.

Both Flash and Silverlight rely on ActiveX to work correctly. Silverlight won't save us from IE nor activeX apparently.

That was my biggest disappointment when I started reading about Silverlight: Another fricking ActiveX object? Don't we have enough yet?

Re:ActiveX is not the problem per se

[NatasRevol]

"And Flash is an ActiveX control..."

Not on my computer. Or the browser I use in Windows.

Re:ActiveX is not the problem per se

[Winckle]

deafblind people?

Re:ActiveX is not the problem per se

[DeftPunk79]

I agree with zoot. I also think other programs such as firefox are just as susceptible to attack. The bad guys go after IE and activeX because they are more widely used. If the user numbers were switched for IE and FF I think you would have just as bad a time, if not worse, with FF as with IE users now.

Re:Limited user anyone?

Your right limited users does really break some programs.
  The writer of the program simply didn't divulge what must have access,or they simply don't know .
\Many users of XP don't understand or want to understand user/ File permissions
If the writer of a program requires owner admin access to run their programs ,they have much to learn .
Good programmers don't usually need to have owner /admin access Period, except to install it

Re:Limited user anyone?

[phantomcircuit]

If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a dos in the making... DDoS == Distributed Denial of Service
DoS == Denial of Service

Fixed that for you.

Re:Limited user anyone?

[DNS-and-BIND]

I find it incredible how much you can't do as an XP limited account.

That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.

Re:Limited user anyone?

[calebt3]

I can disable/enable networking in Ubuntu without using gksu.

Re:Limited user anyone?

[flyingfsck]

How many? About 100% of home Windows users and 99% of business Windows users. Most people have no idea that Windows can be locked down and not the foggiest notion of how to do it, sine they have never heard of MS Technet and Common Criteria Certification.

Re:Limited user anyone?

[calebt3]

That's why we can get paid so much as a PC Technician.

Re:Limited user anyone?

[Joe+The+Dragon]

Most of the people who use Myspace, Facebook also play games that need admin to run and some just error out when try to run them as limited user and that some has to do with there copy prevention systems, on line play systems that are used to prevent cheating, built in game auto updating and so on.

Re:Limited user anyone?

[vtscott]

That seems like a lame reason to not allow that functionality. I mean, if you allow a limited account to visit websites, they could just keep clicking reload over and over again on the router configuration page. There's another possible DoS attack.

Re:Limited user anyone?

Moreover, they get pissed right the hell off when they try to go and do something and find "that goddamned security thing won't let me fuck up my computer"...

I've had any number of people bitch when they try to install their screen saver, or some other PoS bit of crapware doohickey their neice's best-friend got from an pseudo-anonymous myspace poster.

One of such user was my boss, who despised the notion of operating system security as being "crap that makes it hard (or impossible) to do whatever the hell you want to do to/on your computer whenever you want to do it." A condition that becomes very difficult when you're trying to explain to Jane/Joe user why they can't have permission to install screen-saver-du-jure and they complain to your boss who share's their perspective...

(Also, if you were talking about Vista, the average /.'r also thinks that extra security "just gets in the way" too... but that position is based on hating Microsoft, not anything to do with logic or rationality).

-AC

Re:Limited user anyone?

[STrinity]

Merely for curiosity's sake: can limited accounts in Vista do the Repair function?

Vista doesn't distinguish between limited and administrator accounts without some major tweaking. By default all accounts are limited, but if you do anything that requires elevated privileges, the screen greys and a dialogue box appears asking if you want to perform the action as administrator. This is the dreaded UAC.

IE7 does not disable ActiveX in public zones

[WD]

Your statement is incorrect. Newer versions of IE (IE7) does indeed have ActiveX enabled in the Internet zone. It does have a feature called ActiveX opt-in, which requires the user to accept a prompt before running controls installed by most stand-alone applications. However, ActiveX controls that are installed through IE (Such as the Myspace and Facebook controls mentioned in this article) are automatically opted-in during the install process. So IE7 would provide no additional protection in this case.

Re:Limited user anyone?

[Mr.+Vage]

I tried to run my parents in limited user mode, but it only caused problems. You really can't do anything as a limited user. Vista has improved on this a lot with UAC. Users run as limited users, but if something requires administrative access they can temporarily raise the application's permissions (Cancel or Allow).

Re:Limited user anyone?

I can disable/enable networking in Ubuntu without using gksu. Er, that means the daemons that are responsible for networking is running suid root, or some privileged level that can touch vital system devices without your explicit consent.

I suppose on a desktop-oriented distribution like Ubuntu that may be O.K., but you should be very suspicious when you can do things that affect hardware without having to type in a root password, run sudo, or have some kind of "authenticated session". I wouldn't personally use Ubuntu on servers for those reasons.