“I’ve read many articles about Internet Explorer 7’s new security features and coupled with the imminent release of Vista this got me interested. I recall seeing a rather funny screenshot (which I found on the internet), which showed Internet Explorer 6 in Windows XP stuffed full of spyware/toolbars/etc. I wanted to see if IE7 was any better than that screenshot of IE6, how would it cope with a user that simply clicked ‘yes/allow/next/accept’ to everything that was presented to them. In addition, I wanted to see how the User Account Control reacted to this, and in the end, could I restore IE7 to it’s former glory.”
Well, windows did in this case present the user with warnings, and defaulted anything to Do Not Install…
This user sincerely _wanted_ to get the toolbars installed, and even went through great extents to install them (actually manually downloaded and installed smileycentral’s)…
So even though MS actually has improved a lot, this guy thinks it’s cool that he can install a bunch of plugins…
Never thought I’d be the one defending Microsoft, but this article is completely useless…
I don’t think the point was that IE’s security is terrible, I think he just wanted to have some fun and see how much he could screw up IE. I know somebody who enabled all the toolbars of word (on a mac), which I guess would be similar to this; they covered most of the screen, so I got a pretty good laugh out of it. One of the toolbars actually acted as a launcher for other MS apps…
You seem to have made the assumption that the article is attacking MS despite the fact that the author repeatedly emphasises in bold text that IE7 made it very difficult to install these pieces of malware (and adware), and further that it was very easy to clean up.
The article seems to be pretty positive about IE7 to me.
I would not say the article is useless. I clean up computers for people frequently and I can tell you the average user will install any toolbar into IE. If they don’t know what it is they allow it. The fact that it can be reset without having to spend a couple of hours manually cleaning out the junk is definitely good news for me.
It seemed to me he was just trying to see what the limits were. I have seen just about all that garbage on computers. Not mine, of course, but some people think toolbars are really cool and the more the merrier.
Well, windows did in this case present the user with warnings, and defaulted anything to Do Not Install…
Not the case, user WILL ALWAYS CLICK YES
This user sincerely _wanted_ to get the toolbars installed, and even went through great extents to install them (actually manually downloaded and installed smileycentral’s)…
So even though MS actually has improved a lot, this guy thinks it’s cool that he can install a bunch of plugins…
User does that if he wants it or not.
Never thought I’d be the one defending Microsoft, but this article is completely useless…
And I’m as much linux guy as I can be… so? His article did much better presentation than any MS presentation of IE7 so far.
He presented the only thing I need from browsers. To clean up after users mess it up.
Not even one single article so far didn’t spike urge or even a slight intention to move on IE7 for me. Well, this one did. And the result? My IE users (10%) will be upgraded as soon as possible, my FFox users (90%) will stay where they are and I will still use epiphany.
Did you read the article before jumping to the conclusion that it contains some sort of anti-Microsoft slant? If anything, the difficulty of installing those toolbars reflects positively on the changes in Vista, as does the ease with which the article’s author was able to remove the toolbars.
The cynic in me suspects that installing crap on Vista/IE 7 will become a lot easier once that platform starts being specifically targeted – but the linked article was pretty matter-of-fact/even-handed about the current situation.
The author did a great job of showing the extent that IE7 could be *hosed* and then reset back to a near default state with a couple of clicks.
I don’t see myself switching from Firefox anytime soon but for IE users the reset ability may make the browser worth upgrading.
The Yahoo toolbar survived the settings reset… If one toolbar can manage it, pretty soon they will all work out how it’s done, therefore making the reset useless.
In a case like this, you can run Internet Explorer (No Add-ons), which should start a clean browser instance and allow you to kill any unwanted applications that run in normal mode.
Wrong, because I’m pretty sure Yahoo! has a hook that reinstalls itself on startup of the user profile.
Must be a slow weekend.
Microsoft should advertise this; clearly IE7 has enough extension diversity to rival Firefox.
It’ll be happening to Firefox soon enough. Mozilla have made it too easy for install packages to bypass the user in installing extensions and toolbars into Firefox.
They have? On all the computers I use, Firefox waits a few seconds before I can click the “Install” button…
Diversity? All those toolbars do the same types of things. Firefox extensions all have different purposes and are completely and individually removable.
Additionally, they put a timer in install boxes: you can cancel it immediately, but you can’t install it until you’ve read the warning. Very safe.
I agree with you about Firefox. I use Firefox most of the time and you can bet I was quite surprised to find adware that installed itself into Firefox. At first I had no idea, thought they were just popups from the sites I was visiting, then noticed it didn’t matter which site I was on they kept popping up and all had the same name in the title bar. I couldn’t believe it. There was no way it could have happened. A quick google search confirmed my suspicions and sure enough I wasn’t the only one with such problems. Somehow or some way NSIS media had found a way to bypass the install procedure for Firefox and installed adware onto my machine.
If you were to read the first link on Google after searching for “nsis media” like I did here, you will see that it wasn’t Firefox that allowed this to be installed.
http://www.google.com/search?q=nsis+media&ie=utf-8&oe=utf-8&rls=org…
with IE6 toolbars were added whether you wanted them or not…
I wonder if after IE7 is on the market long enough, coders will start making that possible again.
I know somebody who enabled all the toolbars of word (on a mac)
That must’ve been pre-Office:Mac 2004 then.
Must be a slow weekend.
The news is IE7 is doing a pretty good job at fending off toolbars and such, and that it can easily be reset to its original state.
I have already read the article after finding it on Slashdot.org. I have also read like 90% of the comments there. The general consensus on the /. forum is that this article simply isn’t news. I agree with them, not in an effort to question the OSNews administrators, but simply because the only thing anyweb accomplishes is corrupting his browser, intentionally. Can’t anyone do that? Granted there are some nice points to the article, such as how IE can fix itself and it is much more difficult to install toolbars. But that is really it. No big breakthroughs or anything…
🙂
heres another version of the article with screenshots,
http://www.windows-noob.com/forums/index.php?showforum=33
cheers
anyweb
no pictures server dead or to slow ?
If users are going to click Yes/OK to anything that is presented to them, there’s just not a whole lot MS can do for them.
On one hand, if you take away the user’s ability to install applications, the OS is pretty much worthless. But if you *do* give them the ability, then it’s pretty much open season. I don’t know of *any* OS that could withstand the user blindly doing anything he/she is told.
Ah well, if they can put a stop to the rootkits and drive-by installs, then anybody who’s had a 15-minute lesson on security should be ok.
Like others have said, this article isn’t an attack on IE. It’s just a cool experiment.
But what is troubling is that after the reset, the Yahoo toolbar lives. I mean the ‘reset’ button is supposed to disable all plugins, like clearing the cache is supposed to delete all cache files. What gives?
It’s also weird that yahoo is the one that lives. I am assuming it’s not trying to pull any tricks to live, while many of the others would. I wonder if MS has a list of ‘nice’ toolbars that it won’t delete by default?
This could be why…
http://www.microsoft.com/presspass/press/2005/oct05/10-12MSNYahooMe…
I prefer Linux over Windows for a number of reasons, including security. However, if you insist on screwing up your system, you can. As a Linux user, I still use common sense, to avoid compromising my system. If you are trying to prove you can mess up IE, what’s the point? Linux will also warn you about hosing your system (try deleting your kernel-image), but if you insist, you can hose it.
Seriously – anyone who is – sorry to say this – stupid enough to use IE * cannot be helped.
It’s a very dangerous ride with Microsoft – anyone knows that. Don’t be so foolish and thinki Micrsoft is going to change. They won’t.
No risk, no fun? That would make those those who don’t ride the MS ride are dull boys?
The most telling problem was at the beginning. The default user is still Administrator. When is MS going to figure out that running as Admin is like running as root. Its just a bad idea all around. Of course the weakest link is still the users. I know IT faculty whose laptop is full of random crap and takes 10 minutes to boot up. So how is the average user suppose to cope?
In Windows Vista the user runs their account similar to Linux systems having limited user rights and requiring an Administrator password to install additional software or gain access to certain directories. Now I’m sure there will be some Windows users just out of laziness or simply lack of understanding security will attempt to use UAC (User Account Control) to try and circumvent the security measures implemented.
So quick the criticize without rudimentary fact-checking. Take a look at UAC and Protected Administrator. Sure, you’re “admin” by default but programs you launch don’t get admin rights until you click through one of the UAC prompts. If you’re running as a limited user, then you have to enter a password in UAC, but other than the lack of a password requirement, Admin on Vista is treated like a Standard User.
I personally run as Admin on Windows (with UAC off) and often run as root on linux. Why? Because I know what I’m doing and I want to have access to any setting as quickly as possible. Particularly on Linux, which I mostly just play around with, I want to have the keys to the kingdom. Security worsens the user experience and if it’s not necessary then it should be disabled. Unfortunately, for most users it is necessary so we get annoyances like UAC.
I wasn’t criticizing the previous poster but actually correcting him by pointing out that Microsoft is attempting with the next release of Windows (Vista) to improve security by restricting user access.
As for your comment on wanting to run everything as Administrator/Root access 24/7 that’s entirely up to you. Though there’s a difference between being responsible with keys to the kingdom and leaving one’s door/gate/bridge wide open with no one guarding the entrance.
Sorry, I wasn’t claiming that you criticized anything. I was responding to the same person you replied to.
Remote (non-trojan) exploits normally happen through software that is listening for incoming connections. Most of the worm exploits target services that run under service accounts (like LocalSystem), so it makes no difference which user I am running as. A quick look through NetStat shows that the only app that’s listening from my user account is Thunderbird.exe.
The only way I could get a virus by running as admin is if I navigate to a webpage with an IE7 exploit or install a piece of malicious software. Running as a limited user won’t help against the installing software case (I believe that all the things I’d really care about keeping private are within my user account and that there are enough elevation of privilege attacks that infecting my account will eventually lead to a compromise of my system). I also don’t visit scuzzy corners of the internet, so unless OSNews gets hacked and starts spewing viruses, I’m fairly safe.
The only attacker at the gates is my ignorance. If I can keep that at bay, I don’t need walls and fortifications.
Ok, it resets the settings but does it also remove the settings on Startup the “Run” key and does it remove the browser helper objects from the registry? If the answer is no then your system is still bloated with spyware and slowdowns because they all load on start up.
Please, I am not attacking MS here. I think they’ve done a superior job with Vista and IE7 and it just shows that it tries to prevent everything from being installed by itself. Of course, they shouldn’t make it impossible to install third party software otherwise as the other user posted, it will be useless and people will complain about monopoly/strict control about what can/cannot be installed. It just shows it’s all up to the user and this is the case with ALL OSes. Even on MacOS 10, the OS would not stop the user from running a bad file if the user wishes to do so.
Edited 2006-10-08 20:52
LOL,
Bonzi Buddy (spyware) juggling coconuts. Hey, at least you get some entertainment while Bonzi steals your data and serves you ads.
I bet the author had a blast removing all that garbage. 😛
Most entertaining thing I’ve seen all day.
It illustrates two things:
-Users are stupid – they will click anything to see an ape juggling coconuts because it’s just so darn cute.
-Whoever can solve the problem of the “YES reflex” on dialog boxes should get a Nobel Prize.
So it looks like Vista or not, we can all continue to visit friends and relatives and uninstall junk that they’ve “somehow” installed.
Recently there has been some news here and there about how spyware manufactuers are getting around popup blocking software, in both IE and Firefox. While I havent seen a signifficant rise in the popups I see, I have seen a few.
The point is, this shows that MS is at least trying to make IE7 safe. That is something we should be looking at. Will they figure out a way to circumvent this, well probably when you have such a large portion of the market people naturally will find exploits.
The author of this article didn’t mention the Malicious Software Removal Tool which I think when combined with IE7 might have a significant impact in spyware/junkware on Windows computers.
Just seems to me that with freedom comes responsibility. It’s like if you supersize every meal you eat and don’t exercise you are probably going to get fat. Same basic principle here that if you ignor your responsibility you are going to pay the price.
It would though be good for MS to do as much as possible to continue to sandbox IE. That includes programs that are ‘run’ by the user when downloaded. MS certainly seems to be headed in a mre secure direction. I won’t IE7 yet, though.. I want to see a proven track record.
“The author of this article didn’t mention the Malicious Software Removal Tool which I think when combined with IE7 might have a significant impact in spyware/junkware on Windows computers. “
Hmmmm, I don’t think so.
The problem with Windows computers is that no end users (at all) get to audit the software. If an end user has any “Freedom” at all to install software, then that user is given no opportunity at all to act “Responsibly” because he or she has no means to ascertain the integrity of the software he or she is about to install.
With open source software there is at least an opportunity for (at least some of the savvy) end users to examine the software, and to reject it if it contains anything which is not in the ineterests of users. If savvy end users can see it, understand it, compile it for themselves to check it, and they still use it themselves, then one can conclude it is written in their own interests.
Closed-source software? Forget it. You have no idea what is in it.
Just a moment … that last isn’t quite true. With closed-source software, you know from experience that it is written in the interests of the supplier of the software, and you also know (eg. Sony rootkits, WGA, DRM etc, etc) that very often those interests are not the same as yours as an end user, even when the supplier of the software is supposedly reputable.
So when you come right down to it, who gets to audit the software in the “Malicious Software Removal Tool”, and in whose best interest is the “Malicious Software Removal Tool” actually written? Or IE7, for that matter, same argument would apply. If you are an end user, these proprietary programs are (sometimes) not designed and written to your benefit.
Edited 2006-10-09 05:09
Sigh…
You really believe it’s impossible to audit software because you can’t see the code? How about the system footprint of the software? How about logging memory/disk/cpu/threads usage? How about monitoring network traffic of software? That’s auditing too.
Yes you CAN audit and evaluate software even though you can’t see one line of its code. In fact you could say this story is an audit or evaluation of IE7.
Also you say no users of Windows can audit code but that’s not true because there is a ton of open source software that runs on windows.
You say “So when you come right down to it, who gets to audit the software in the “Malicious Software Removal Tool”, and in whose best interest is the “Malicious Software Removal Tool” actually written? Or IE7, for that matter, same argument would apply. If you are an end user, these proprietary programs are (sometimes) not designed and written to your benefit.”
Sounds like speculation to me. MSRT is a tool to be used. It may not be perfect but it can help. I didn’t imply it was perfect. I’ve never seen perfect software in the 23 years I’ve been using computers. I said it ‘might’ help. It might, or it might not. So far I’ve found the Internet a very good resource to determine the trustworthiness of softwares.
Edited 2006-10-09 08:40
Sigh!
“Sounds like speculation to me. MSRT is a tool to be used. It may not be perfect but it can help. I didn’t imply it was perfect. I’ve never seen perfect software in the 23 years I’ve been using computers. I said it ‘might’ help. It might, or it might not. So far I’ve found the Internet a very good resource to determine the trustworthiness of softwares.”
It is more than just mere speculation.
WGA exists – it is not in the interests of end users.
DRM exists – it is not in the interests of end users.
Sony rootkits exist – it is not in the interests of end users.
Format lock-in exists – it is not in the interests of end users.
Non-support of standards (such as ogg and png and in particular ODF) exists – it is not in the interests of end users.
“Secret sauce” networking protocols exist – it is not in the interests of end users.
MSRT misclassifying malware as not exists – it is not in the interests of end users.
There is no speculation about it. It is cold hard fact.
“So far I’ve found the Internet a very good resource to determine the trustworthiness of softwares.”
This is the Internet. It is telling you (as patiently as it can) that proprietary software is not necessarily written in your best interest if you are an end user. It is telling you (as patiently as it can) that certain prominent proprietary software vendors are already reliably documented as writing software that is not in the best interest of end users, even though the end users eventually are expected to pay for it.
You can audit LoseThos source from Windows if you use the LTZ.EXE program to uncompress it. (Copy the files from the CD-ROM to a hard drive directory and type “Ltz -cursor .” at the windows command line when parked in the directory where you placed the losethos files. The source for LTZ is also included so you can inspect that too ;-). It compiles with Visual C.
http://www.losethos.com
LoseThos source will not compile on other platforms, though it should be understandable to someone familiar with C. Standards are nice but prevent innovation. LoseThos starts with a clean slate.
I’m commenting because y’all seem to be providing delsional feedback.
Good to see IE7 makes it harder. Hopefully the protected mode actually works well, how it’s supposed to.
—-
On another note, hal is going off on another one of his tangents. Being able to ignore certain users would be great.
Mmmm if Yahoo can survive I wonder what Cool Web Search will do to IE 7.
However, IE7 did try to protect the user and what OS can protect itself against the determined idiot. To quote or probably miss quote Einstein only 2 things are infinite the Universe and Human stupidity and I’m not sure about the former.
If Linux was used by the WOW a cool cursor brigade – you think it couldn’t also be brought to it’s knees? Well I suppose they might forget the root password.
I’ve thought about doing that to my browser a couple of times, but just the idea of it- too much trouble. I saved those pics so I can link to them and say
“Hey, check out how i got IE set up! Rad huh?”
Edited 2006-10-10 08:40
http://wwjunk.boldlygoingnowhere.org/pics/IE2.jpg
-Brandon
Edited 2006-10-10 16:21