Take Azureus for example - built in Java, but separate downloads for OSX and Windows.
That's because Azureus isn't 100% Pure Java. They decided to use SWT instead of Swing for the UI. SWT uses a lot of "native code". Of course you end up needing separate installers.
The software company I work for targets Linux, Windows, AS/400, HP-UX, Solaris, and AIX. In our non-trivial experience, Java is shockingly and impressively portable.
The "world" hasn't moved on anywhere. Most people browse web, because they want to browse the web. If a web page has a game, or a similar application, it will work within the page. It does so NOW, with no problems on FF 3.6.x which when going by your logic is some outdated piece of crap since it hasn't "moved on with the world" and optimized for web apps only.
Straw man.
Issue is that some retarded ultra-hip designers who live in the world of "tomorrow is today" decided that there is nothing but web applications, and any and all features designed for myriad of other uses of web, that easily encompass 90% of worldwide web usage (I could reasonably argue 99%+ since most web applications nowadays are pages with certain active elements, that are optimized to be viewed as a WEB PAGE because that's what they are) should just be canned so that the hip stuff could look marginally better.
[Citation needed]
Mandatory car analogy: designers decide that gasoline and diesel cars can no longer have a standard fuel inlet standardized for a pump. Instead they should have a barrel-sized opening on top of the fuel tank, and user should fill the barrel at pump, then lift it and dump contents into the car tank. Reasoning being that electric cars don't need pumps either and electric cars are the future and so all pumps should be scrapped anyway as useless, and anyone using one "hasn't moved on with the world".
If you really can't figure out how to make Firefox 5 look very similar to how Firefox 3.6 looked, perhaps you should stop using computers.
"Web application" could be coded to work natively on my machine, thank you very much. Browser should first and foremost be exactly what the name suggests: a "browser", program to browse web pages. Not a software platform. We have windows/linux/max os/etc operating systems for that.
Web apps offer a lot of advantages which many people and companies choose to leverage. Easier deployment across N seats; ability to access critical business apps via desktop, tablet, smartphone, etc.; server-side storage of critical business data; etc.
If you must run some application inside a browser, that's all fine and dandy. But that's just an additional feature, which should never overshadow the actual purpose of the program.
The world has moved on. Web browsers are application platforms as well as just web browsers.
And that chrome would mean you would then be able to tell the difference between a fradulent phishing window from haxxors.r.us.ru and your account payment window from bigbank.com. But you'd rather do away with that and create a fiction where everything is just "an app" which you trust equally well because...?
Whoops, miscommunication. I am not advocating that web browsers remove all chrome so that you cannot tell the difference between a fraudulent phishing window and the real thing.
I am glad for your response, though. You bring up a very good point. I would prefer it if web apps could never break out of their containing window. That way, users could always easily detect a fraudulent window or dialog box by merely minimizing the browser window, and seeing if the suspected fraudulent window was still on the desktop.
So I actually think we are on the same page and want the same things.
Whatever happen to UI consistency? "Back in the day" UIs used to use the same toolkits, have their menus and toolbars all in the same spot and work consistently across applications. Today all those UI elements are kind of splattered around the application and there is really no consistency where you can find something anymore. There are also things in modern UIs that I really don't get, Firefox4 for example will present you different menus depending on if you click it with a mouse or if you activate it with the keyboard. What's the point in that? Didn't we figure out that changing menus where a really bad idea back when Windows tried it many years ago? Once up-on a time the menu was full of all the stuff the application could do, now its like playing hide and seek with the functions an application might have and hiding them from the user is really not helping.
Web browsers are a special case, because they are increasingly being used to run web applications.
If web browsers were to keep all the chrome of a regular application, you end up with a pretty cluttered display: a full blown application (the web app) within a full blown application (the web browser). Yuck.
I, for one, am pleased that web browser UIs are increasingly getting out of the way so that I can concentrate on the web app they are hosting. However, web browser makers might be able to please everyone by making sure users can re-enable a thick, more traditional and consistent UI.
Browsers have now reached the maturity of 1950s American cars. They more or less work, still break too much, use too much fuel, and have lots of chrome and tailfins.
Unless you've been living under a rock, it should be obvious that browsers have been trending toward less chrome (i.e., a less distracting UI) by removing a lot of UI clutter. The comparison to 1950s American cars seems completely wrong, at least where the UI is concerned.
Chrome does support this via an extension API (chrome.proxy).
I don't see any extensions that use the proxy API so that you can keep proxy settings separate from the OS. Can you recommend one? Or hasn't one been created (yet)?
A while back, Google added integration with kwallet and gnome keyring, which, does this without requiring a separate master password for the browser; OTOH, simply using saved passwords and having appropriate security on your OS user account would seem to be an adequate approach for dealing with this concern.
I use KeePass myself, and don't really want my browser keeping passwords for me; however, I know people that do. For non-technical users, downloading and installing yet another application to keep passwords for them -- passwords they'll only use on web sites while in their web browser -- can be a non-trivial challenge and annoyance. Also, I'm not sure how your suggested approach will help Chrome OS users at all.
This really does smell like one of those basic features Google should consider. Many or most non-technical users will probably cope by using the same password on all the web sites on which they have accounts -- the exact opposite of the kind of security Google claims they consider important.
Of course, the moment you mentioned kwallet and gnome keyring (of all things) suggests you're probably completely out of touch with normal users already. I'm sure next you'll be telling me how people should be compiling their own kernel and learning Emacs so they can edit textual configuration files.
Have you considered that, aside from your errors regarding what features they have supposedly skipped,
I bet your immature and condescending approach to communication wins you lots of friends and respect.
In any case, from my research, the proxy API is still considered experimental: http://code.google.com/chrome/extensions/experimental.proxy.html
So perhaps support is forthcoming, but not there yet. But since I am a very forgiving person, I forgive you for your error in assuming the API was considered non-experimental, generally available, and that some extensions already made use of it, to supply me with one of the pet features I would like to see in Google Chrome.
As for lacking a master password, it is almost laughable you consider the fact that Chrome stores passwords in plain text on Linux an acceptable solution; in addition, I do find it laughable you consider kwallet and gnome keyring a reasonable solution for typical users.
You did do a good job, however, giving me a hearty laugh, and I congratulate you on reinforcing the kinds of stereotypes normal people have about chest-thumping uber-geeks.
their perceptions of what is important in a browser may differ from yours, and that their success in rapidly building browser market share based on what they have done with Chrome might be an indication that they aren't completely in the dark about what matters?
My whole point was the fact that I recognized their perception of what's important is different, but perhaps in your headlong rush to respond "because someone is wrong on the Internet!", that little bit of comprehension escaped you, Einstein.
I like Google Chrome, and I think the success of the browser so far is mostly deserved; however, that being said, the saying "past results do not guarantee future performance" comes to mind. I think Google needs to be careful when they justify not including basic features that a lot of people are asking for, but are perfectly happy adding APIs like those discussed in the article.
It makes me question their decisions and the future of the browser, and I'm sorry to say this to you, if you don't like me questioning their decisions, well, you're just going to have to suffer. Keep some tissues handy for your tears.
Google won't add basic features like proxy settings that aren't shared with the operating system, and a master password for your saved passwords, but they keep packing these kinds of features in.
I really don't understand why they're making the kinds of decisions they're making. It seems so random, like they stuff in whatever shiny they like, and then come up with weak justifications for skipping the rest.
I have two nieces who routinely waste about half the food they put on their plates -- which pisses me off for a number of reasons -- but both are died-in-the-wool animal lovers. "How can you shoot a moose? They are soooo cute and cuddly!!!"...while throwing away 8 oz. of steak every night at dinner.
I'm going to go out on a limb here and suggest that perhaps the parents should give them smaller portions of steak, and only give them more if they ask for it.
Or maybe the parents should quit feeding them something they obviously dislike.
Fully automatic means that you do nothing (as in you go to the website, and then you are infected with malware). How many buttons are you clicking, and how many times do you have to enter your password?
Let me state this in small, carefully chosen words, since you are apparently retarded.
The MacDefender/MacProtecter installer can be automatically downloaded and executed.
I did not say the malware itself gets automatically installed. The malware only gets installed if you step through the installer and enter your administrator password.
In case you missed the difference again, I said the installer can be automatically downloaded and executed.
Please do try to read and comprehend before you respond.
What is the google image search result you are clicking on?
I'm sorry, but it has been a few weeks since it happened, and I did not keep the link handy.
I can tell you that my wife and daughter were doing Google Image searches for something like "tinkerbell wings". She called me into her office when a strange installer window appeared out of nowhere.
I was absolutely and totally convinced she must have downloaded it and run it herself, so I quit the installer and I quit Safari.
Then I went back into Safari (brand new process), and performed the same search. I clicked on the same Google Image Search result my wife did, and the MacProtector installer automatically downloaded and automatically started executing. At broadband speeds, this happened in just a few seconds.
I was able to exactly duplicate this behavior with multiple friends who own Macs.
I find it a sad commentary on the state of Slashdot that the cold, hard, absolute truth I'm telling about this behavior is languishing in terms of mod points, and people that are saying I'm confused are modded +5. As if me, and my friends, and thousands of other people have some kind of shared hallucination.
Apparently, these days, merely changing the topic to "PARENT IS CONFUSED! MOD DOWN!" is enough proof by itself that the parent is confused, and enough to get modded +5.
Also, some of the usual "herp derp! you can't fix stupid!" comments are modded +5. As if those comments are somehow interesting or insightful.
Slashdot is very nearly not worth visiting anymore...
This is how it appears to work, but in reality the user must click a link to download the file (the link is called "scan").
No, no, no, no, no, a thousand times, NO.
I have tested the behavior I described on multiple machines. The user does not need to initiate the download.
Perhaps you encountered a less sophisticated version of the MacDefender/MacProtector Trojan that does force the user to click on a scan/download link of some kind first.
But what I have seen and tested on multiple machines myself is:
Safari -> Click on Google Image Search result -> Automatic download of malware installer -> Automatic execution of malware installer
Exiting the installer, of course, results in no harm done to your computer.
The software downloads and opens the installer if you agree to 'scan' your computer, but it certainly doesn't install.
Merely browsing to a web page, like clicking a link on a Google Image Search result, automatically downloads and runs the installer. I've tested this on multiple machines.
Click on search result -> automatic download of installer -> automatic execution of installer.
Yes, immediately exiting the installer results in no harm to your computer.
IMHO, Apple is taking the bull by the horns and not only fixing the problem personally but also not charging an annual fee for the privilege of cleaning your system. Well done.
Unless and until Apple disables the setting on Safari that causes the MacDefender Trojan to be automatically downloaded and executed just by visiting a malicious web page, Apple has not done a good job, in my opinion.
Until then, malware authors can continue to abuse the "download safe content" feature in Safari. Hopefully, recent events will help educate users that they should immediately quit any installers that get automatically downloaded and executed that they did not ask for.
What defence is there against the end users downloading and running MacDefender and giving up the Admin password?
A big part of the problem is Safari's default settings. Safari will automatically download and run the MacDefender installer. This, in itself, is harmless (you can quit the installer), but that default behavior in Safari makes it that much easier for malware authors.
Apple needs to acknowledge that Safari's default setting to automatically download "safe content" needs to be disabled.
You do realize this malware trojan still cannot infect you unless you give it your admin password? The fact that Safari opens up attachments that are considered safe is bad enough, yes but it does not expose a user to this issue. The user does that themselves by offering up their admin password.
Apple should make this even easier for Mac users. Safari should just pop up a window that says:
Install malware? [ Yes ] - [ No ]
Even then, I'm sure many of the denizens of Slashdot would defend Apple. "It's not Apple's fault! The users are clicking Yes! They would be perfectly safe if they'd just click No! Haha, stupid users!"
We need to not forget that Apple/Safari includes a very dangerous option whose default setting is "help the malware authors and screw the users".
When the installer you mentioned is executed, it prompts the user for a password, and goes through the motions of installing the software, which requires a few steps. At any step the user can stop it without and completely avoid the issue.
I know that, and nothing I said suggested otherwise.
We're talking about an intermediate process that requires user attention and intervention, not an automatic installation, as you are suggesting.
In no way did I suggest the installer completes the installation process. I said the malware installer is automatically downloaded and executed. I did not say it ran to completion. Please work on your reading comprehension.
It seems you are misinformed.
On the contrary, it sounds like you are incompetent at reading comprehension.
Is it possible to protect a user from themselves? If a user chooses to install some software and it turns out to be rogue then that's not the fault of the OS, it is the nativity of the user.
Unfortunately, if you're using Safari's default settings, it will download and run the MacProtector malware installer automatically. Safari considers the.mpkg "safe content", thus the fully automatic download and install of the MacProtector malware installer by merely visiting a web page.
Of course it's true that a truly determined user will trash their system, but Safari, using its default settings, makes it much easier for the malware people to trick users into installer their Trojan.
Apple should change the default settings on Safari.
Slashdot Mirror
Today's machines are over a hundred times faster than they were 10 years ago
Wow, how did you overclock your CPU to 100 GHz?
Take Azureus for example - built in Java, but separate downloads for OSX and Windows.
That's because Azureus isn't 100% Pure Java. They decided to use SWT instead of Swing for the UI. SWT uses a lot of "native code". Of course you end up needing separate installers.
The software company I work for targets Linux, Windows, AS/400, HP-UX, Solaris, and AIX. In our non-trivial experience, Java is shockingly and impressively portable.
The "world" hasn't moved on anywhere. Most people browse web, because they want to browse the web. If a web page has a game, or a similar application, it will work within the page. It does so NOW, with no problems on FF 3.6.x which when going by your logic is some outdated piece of crap since it hasn't "moved on with the world" and optimized for web apps only.
Straw man.
Issue is that some retarded ultra-hip designers who live in the world of "tomorrow is today" decided that there is nothing but web applications, and any and all features designed for myriad of other uses of web, that easily encompass 90% of worldwide web usage (I could reasonably argue 99%+ since most web applications nowadays are pages with certain active elements, that are optimized to be viewed as a WEB PAGE because that's what they are) should just be canned so that the hip stuff could look marginally better.
[Citation needed]
Mandatory car analogy: designers decide that gasoline and diesel cars can no longer have a standard fuel inlet standardized for a pump. Instead they should have a barrel-sized opening on top of the fuel tank, and user should fill the barrel at pump, then lift it and dump contents into the car tank. Reasoning being that electric cars don't need pumps either and electric cars are the future and so all pumps should be scrapped anyway as useless, and anyone using one "hasn't moved on with the world".
If you really can't figure out how to make Firefox 5 look very similar to how Firefox 3.6 looked, perhaps you should stop using computers.
"Web application" could be coded to work natively on my machine, thank you very much. Browser should first and foremost be exactly what the name suggests: a "browser", program to browse web pages. Not a software platform. We have windows/linux/max os/etc operating systems for that.
Web apps offer a lot of advantages which many people and companies choose to leverage. Easier deployment across N seats; ability to access critical business apps via desktop, tablet, smartphone, etc.; server-side storage of critical business data; etc.
If you must run some application inside a browser, that's all fine and dandy. But that's just an additional feature, which should never overshadow the actual purpose of the program.
The world has moved on. Web browsers are application platforms as well as just web browsers.
You forgot to bitch about his mentioning of browsers having tailfins. What the heck was he thinking, right?
Nope. I agree with the break too much, use too much fuel, and tail fins parts!
And that chrome would mean you would then be able to tell the difference between a fradulent phishing window from haxxors.r.us.ru and your account payment window from bigbank.com. But you'd rather do away with that and create a fiction where everything is just "an app" which you trust equally well because...?
Whoops, miscommunication. I am not advocating that web browsers remove all chrome so that you cannot tell the difference between a fraudulent phishing window and the real thing.
I am glad for your response, though. You bring up a very good point. I would prefer it if web apps could never break out of their containing window. That way, users could always easily detect a fraudulent window or dialog box by merely minimizing the browser window, and seeing if the suspected fraudulent window was still on the desktop.
So I actually think we are on the same page and want the same things.
Whatever happen to UI consistency? "Back in the day" UIs used to use the same toolkits, have their menus and toolbars all in the same spot and work consistently across applications. Today all those UI elements are kind of splattered around the application and there is really no consistency where you can find something anymore. There are also things in modern UIs that I really don't get, Firefox4 for example will present you different menus depending on if you click it with a mouse or if you activate it with the keyboard. What's the point in that? Didn't we figure out that changing menus where a really bad idea back when Windows tried it many years ago? Once up-on a time the menu was full of all the stuff the application could do, now its like playing hide and seek with the functions an application might have and hiding them from the user is really not helping.
Web browsers are a special case, because they are increasingly being used to run web applications.
If web browsers were to keep all the chrome of a regular application, you end up with a pretty cluttered display: a full blown application (the web app) within a full blown application (the web browser). Yuck.
I, for one, am pleased that web browser UIs are increasingly getting out of the way so that I can concentrate on the web app they are hosting. However, web browser makers might be able to please everyone by making sure users can re-enable a thick, more traditional and consistent UI.
Browsers have now reached the maturity of 1950s American cars. They more or less work, still break too much, use too much fuel, and have lots of chrome and tailfins.
Unless you've been living under a rock, it should be obvious that browsers have been trending toward less chrome (i.e., a less distracting UI) by removing a lot of UI clutter. The comparison to 1950s American cars seems completely wrong, at least where the UI is concerned.
Chrome does support this via an extension API (chrome.proxy).
I don't see any extensions that use the proxy API so that you can keep proxy settings separate from the OS. Can you recommend one? Or hasn't one been created (yet)?
A while back, Google added integration with kwallet and gnome keyring, which, does this without requiring a separate master password for the browser; OTOH, simply using saved passwords and having appropriate security on your OS user account would seem to be an adequate approach for dealing with this concern.
I use KeePass myself, and don't really want my browser keeping passwords for me; however, I know people that do. For non-technical users, downloading and installing yet another application to keep passwords for them -- passwords they'll only use on web sites while in their web browser -- can be a non-trivial challenge and annoyance. Also, I'm not sure how your suggested approach will help Chrome OS users at all.
This really does smell like one of those basic features Google should consider. Many or most non-technical users will probably cope by using the same password on all the web sites on which they have accounts -- the exact opposite of the kind of security Google claims they consider important.
Of course, the moment you mentioned kwallet and gnome keyring (of all things) suggests you're probably completely out of touch with normal users already. I'm sure next you'll be telling me how people should be compiling their own kernel and learning Emacs so they can edit textual configuration files.
Have you considered that, aside from your errors regarding what features they have supposedly skipped,
I bet your immature and condescending approach to communication wins you lots of friends and respect.
In any case, from my research, the proxy API is still considered experimental: http://code.google.com/chrome/extensions/experimental.proxy.html
So perhaps support is forthcoming, but not there yet. But since I am a very forgiving person, I forgive you for your error in assuming the API was considered non-experimental, generally available, and that some extensions already made use of it, to supply me with one of the pet features I would like to see in Google Chrome.
As for lacking a master password, it is almost laughable you consider the fact that Chrome stores passwords in plain text on Linux an acceptable solution; in addition, I do find it laughable you consider kwallet and gnome keyring a reasonable solution for typical users.
You did do a good job, however, giving me a hearty laugh, and I congratulate you on reinforcing the kinds of stereotypes normal people have about chest-thumping uber-geeks.
their perceptions of what is important in a browser may differ from yours, and that their success in rapidly building browser market share based on what they have done with Chrome might be an indication that they aren't completely in the dark about what matters?
My whole point was the fact that I recognized their perception of what's important is different, but perhaps in your headlong rush to respond "because someone is wrong on the Internet!", that little bit of comprehension escaped you, Einstein.
I like Google Chrome, and I think the success of the browser so far is mostly deserved; however, that being said, the saying "past results do not guarantee future performance" comes to mind. I think Google needs to be careful when they justify not including basic features that a lot of people are asking for, but are perfectly happy adding APIs like those discussed in the article.
It makes me question their decisions and the future of the browser, and I'm sorry to say this to you, if you don't like me questioning their decisions, well, you're just going to have to suffer. Keep some tissues handy for your tears.
Google won't add basic features like proxy settings that aren't shared with the operating system, and a master password for your saved passwords, but they keep packing these kinds of features in.
I really don't understand why they're making the kinds of decisions they're making. It seems so random, like they stuff in whatever shiny they like, and then come up with weak justifications for skipping the rest.
I have two nieces who routinely waste about half the food they put on their plates -- which pisses me off for a number of reasons -- but both are died-in-the-wool animal lovers. "How can you shoot a moose? They are soooo cute and cuddly!!!"...while throwing away 8 oz. of steak every night at dinner.
I'm going to go out on a limb here and suggest that perhaps the parents should give them smaller portions of steak, and only give them more if they ask for it.
Or maybe the parents should quit feeding them something they obviously dislike.
Fully automatic means that you do nothing (as in you go to the website, and then you are infected with malware). How many buttons are you clicking, and how many times do you have to enter your password?
Let me state this in small, carefully chosen words, since you are apparently retarded.
The MacDefender/MacProtecter installer can be automatically downloaded and executed.
I did not say the malware itself gets automatically installed. The malware only gets installed if you step through the installer and enter your administrator password.
In case you missed the difference again, I said the installer can be automatically downloaded and executed.
Please do try to read and comprehend before you respond.
What is the google image search result you are clicking on?
I'm sorry, but it has been a few weeks since it happened, and I did not keep the link handy.
I can tell you that my wife and daughter were doing Google Image searches for something like "tinkerbell wings". She called me into her office when a strange installer window appeared out of nowhere.
I was absolutely and totally convinced she must have downloaded it and run it herself, so I quit the installer and I quit Safari.
Then I went back into Safari (brand new process), and performed the same search. I clicked on the same Google Image Search result my wife did, and the MacProtector installer automatically downloaded and automatically started executing. At broadband speeds, this happened in just a few seconds.
I was able to exactly duplicate this behavior with multiple friends who own Macs.
I find it a sad commentary on the state of Slashdot that the cold, hard, absolute truth I'm telling about this behavior is languishing in terms of mod points, and people that are saying I'm confused are modded +5. As if me, and my friends, and thousands of other people have some kind of shared hallucination.
Apparently, these days, merely changing the topic to "PARENT IS CONFUSED! MOD DOWN!" is enough proof by itself that the parent is confused, and enough to get modded +5.
Also, some of the usual "herp derp! you can't fix stupid!" comments are modded +5. As if those comments are somehow interesting or insightful.
Slashdot is very nearly not worth visiting anymore...
This is how it appears to work, but in reality the user must click a link to download the file (the link is called "scan").
No, no, no, no, no, a thousand times, NO.
I have tested the behavior I described on multiple machines. The user does not need to initiate the download.
Perhaps you encountered a less sophisticated version of the MacDefender/MacProtector Trojan that does force the user to click on a scan/download link of some kind first.
But what I have seen and tested on multiple machines myself is:
Safari -> Click on Google Image Search result -> Automatic download of malware installer -> Automatic execution of malware installer
Exiting the installer, of course, results in no harm done to your computer.
Apple does not have a setting that automatically downloads files when visiting a website.
You are incorrect. I have tested this on multiple machines.
Safari -> Click on Google Image Search result -> Fully automatic download of malware installer -> Fully automatic execution of malware installer
Immediately exiting the installer program results in no harm to your computer, however.
You are confused. Safari does not automatically download the trojan just by visiting the page, you have to click on one of the download buttons.
No. It is you that is confused. I have tested this on multiple machines.
Safari -> Click on Google Image Search result -> Fully automatic download of malware installer -> Fully automatic execution of malware installer
If you exit the installer, however, nothing bad happens to your computer.
I am trying to hammer these facts home because there is so much misinformation on the subject.
I would like to emphasize that the user does not need to manually initiate the download.
The software downloads and opens the installer if you agree to 'scan' your computer, but it certainly doesn't install.
Merely browsing to a web page, like clicking a link on a Google Image Search result, automatically downloads and runs the installer. I've tested this on multiple machines.
Click on search result -> automatic download of installer -> automatic execution of installer.
Yes, immediately exiting the installer results in no harm to your computer.
IMHO, Apple is taking the bull by the horns and not only fixing the problem personally but also not charging an annual fee for the privilege of cleaning your system. Well done.
Unless and until Apple disables the setting on Safari that causes the MacDefender Trojan to be automatically downloaded and executed just by visiting a malicious web page, Apple has not done a good job, in my opinion.
Until then, malware authors can continue to abuse the "download safe content" feature in Safari. Hopefully, recent events will help educate users that they should immediately quit any installers that get automatically downloaded and executed that they did not ask for.
What defence is there against the end users downloading and running MacDefender and giving up the Admin password?
A big part of the problem is Safari's default settings. Safari will automatically download and run the MacDefender installer. This, in itself, is harmless (you can quit the installer), but that default behavior in Safari makes it that much easier for malware authors.
Apple needs to acknowledge that Safari's default setting to automatically download "safe content" needs to be disabled.
You do realize this malware trojan still cannot infect you unless you give it your admin password? The fact that Safari opens up attachments that are considered safe is bad enough, yes but it does not expose a user to this issue. The user does that themselves by offering up their admin password.
Apple should make this even easier for Mac users. Safari should just pop up a window that says:
Install malware? [ Yes ] - [ No ]
Even then, I'm sure many of the denizens of Slashdot would defend Apple. "It's not Apple's fault! The users are clicking Yes! They would be perfectly safe if they'd just click No! Haha, stupid users!"
We need to not forget that Apple/Safari includes a very dangerous option whose default setting is "help the malware authors and screw the users".
When the installer you mentioned is executed, it prompts the user for a password, and goes through the motions of installing the software, which requires a few steps. At any step the user can stop it without and completely avoid the issue.
I know that, and nothing I said suggested otherwise.
We're talking about an intermediate process that requires user attention and intervention, not an automatic installation, as you are suggesting.
In no way did I suggest the installer completes the installation process. I said the malware installer is automatically downloaded and executed. I did not say it ran to completion. Please work on your reading comprehension.
It seems you are misinformed.
On the contrary, it sounds like you are incompetent at reading comprehension.
So people downloaded some software claiming to be legitimate, but it actually did something bad (such as `rm -rf /`) and it's Apple's fault?
Whose fault is it that Safari's default settings cause the malware installer to be automatically downloaded and executed?
You are misinformed. Perhaps you should rectify your own ignorance before attempting to point out other people's faults.
Is it possible to protect a user from themselves? If a user chooses to install some software and it turns out to be rogue then that's not the fault of the OS, it is the nativity of the user.
Unfortunately, if you're using Safari's default settings, it will download and run the MacProtector malware installer automatically. Safari considers the .mpkg "safe content", thus the fully automatic download and install of the MacProtector malware installer by merely visiting a web page.
Of course it's true that a truly determined user will trash their system, but Safari, using its default settings, makes it much easier for the malware people to trick users into installer their Trojan.
Apple should change the default settings on Safari.
It prompted you to download and install something.
If you're using Safari's default settings, Safari will download and run the malware installer automatically.
However, you're safe if you quit the installer.
You have to A) be stupid enough to download it
Actually, you don't have to be stupid enough to download it.
Safari's default settings cause the MacProtector malware installer to be downloaded and executed automatically.
However, you are safe if you quit the installer.