IE7 Toolbar Mayhem

nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.

Is it really an infection if...

[Anonymous Coward]

You go to the website, and click multiple times to install something on purpose? Sometimes even downloading and running something? I'm not an IE apologist, or even an IE users, but it seems like infection is a bit strong.

Re:

[Fordiman]

Feh.

The slashdot post here is definately FUD. It gives the impression that IE7 happily installs all kinds of crap. In the article, however, the experimenter says multiple times that IE7 made doing this VERY DIFFICULT to do without noticing you're braking shit.

That's not to say some Typhoid User isn't perfectly capable of doing this anyways, but a Typhoid User should be encouraged very strongly to never ever log in as an admin, and charged through the nose for repair services.

Re:Is it really an infection if...

[Omnifarious]

It's only FUD to people who decide what it says based on their own biases and an unwillingness to read the article. I clicked through to the article, and even though it renders very badly on my browser for some reason, the parts I could read told me the IE was getting a lot better.

Someone clicking 'yes' to everything is not that far off from a typical user's behavior. Most people have no idea what any of that stuff means and not much of a desire to learn. They just want the computer to do what they think they told it to.

Re:

[TrekkieGod]

Oh, come on. First of all, the computer should never prevent you from doing something you want to do, regardless of how dangerous or stupid it might be. It should most definitely warn you that it is dangerous and stupid. If the user really does click 'yes' for everything, it should get installed. As long as you get stern warnings about it (and as long as an admin can prevent it from happening to work computers by locking it down), it's plenty secure.

That said, even clicking 'yes' on everything didn't

Re:

[Deathlizard]

Also keep in mind that Vista is being used here. Vista has it's own protection layer on top of IE7's. On XP it would be theoretically easier to infect, but either way, it's a much better improvement over IE6.

Regardless, there are still some troubling security holes in Vista IE7 that should be fixed, and this article does one hell of a job showing how it is exploited. I don't like how protected mode stays disabled after you install one toolbar. I'm also troubled that Windows Defender isn't mentioned at all i

Re:

[Fordiman]

"I don't like how protected mode stays disabled after you install one toolbar."

That only occurs if the toolbar in question disables it. The problem with installing any toolbar is that it is actually executing a binary on your system - meaning that it has full access to your computer, and even interface override control.

I wonder if there's any of those stupid toolbars that automatically clicks 'yeah, fine, do it' on any ActiveX warnings that pop up.

Re:

[Fordiman]

Heh. I'm not an MS fan (read some of my posts; I'm a linux geek and a member of the pirate party - no establishmentism here ^_^), but I'm also not a zealot.

Sure, it's humor, but the summary still gives slashdotters (who are of a generally 'MS Sucks' mind) the impression that IE7 will just allow this to happen. That's why I said the post was fud, but the article wasn't.

Meanwhile, Hey OCG! It's been a while since I've seen you posting around! 'Course, that's probably 'cos I've been too busy to go posting

Re:

[penix1]

I think you both are missing the true point to this article. The last page says it all when he rolled back and it got rid of all but one (yahoo) toolbar! Try that with IE6. The Yahoo toolbar staying does trouble me though. I can see those others reverse engineering the Yahoo toolbar just to see how it was able to survive the rollback. Still, it is much better than IE6.

B.

Re:

[Achromatic1978]

What's the point of this? A user should be able to screw themself over, once they're aware of and acknowledge the issues - ie dialogue boxes. What next, your rant about how you complain if your computer formats your hard drive if you click "Format" when the dialogue box comes up and explains that "this action will delete all data on this drive"?

Re:

[ajs]

From the article:

I wanted to see if IE7 was any better than that screenshot of IE6, how would it cope with a user that simply clicked 'yes/allow/next/accept' to everything that was presented to them.

Yep, you're exactly right. This is just an l^Huser problem. You might as well say that Firefox sucks because it will let you install extensions if you ask it to. For that matter, Linux sucks because you can install all kinds of software on it too!

Re:

[Chris Tucker]

Try reading the fucking comment! Again! And paying attention to all the big words in the TFC. Maybe get a Mac user to help you understand what all the big words mean.

The fellow said exactly DICK about FireFox or Linux "automatically" installing anything.

Cheater512 is a living example of why we so desperately need a "Linux Bigot" comment moderation label.

Restore to default state

[HalAtWork]

I think it's useful as it shows whether or not IE7 can be restored to a default state after you hose your system with a bunch of crap. A typical IE7 situation may not be like this, but for admins and those repairing PCs, or even if -- heaven forbid -- IE7 has a flaw that is taken advantage of by spyware, if a user can restore it to full functionality.

Um...

[jb.hl.com]

If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed.

This is news?

Re:

[jb.hl.com]

Whoops... s/admin access too/admin access to/. Silly mistake :)

Re:Um...

[ziggyzig]

I think the better point is that at the end, even after screwing up IE 7 so badly, the author was able to remove all the toolbars with relative ease (save the Yahoo toolbar). The better question is why was the Yahoo toolbar allowed to stay? Can just anyone buy those rights?

Re:Um...

[whoever57]

I think the better point is that at the end, even after screwing up IE 7 so badly, the author was able to remove all the toolbars with relative ease (save the Yahoo toolbar

This does look like MS has improved security in IE. IE7 made some of the installations sufficiently difficult that a naiive user would not be able to complete them.

The real question is how long will this situation persist? Will spyware vendors find means to disable the security features of IE7, or will IE7 continue to be resistant?

Re:

[rbochan]

But does everything get removed from the registry, and the obligatory spyware that comes with these pieces of crap in the startup sequence? This hasn't been the case... ever. As more and more gets installed/uninstalled, the registry gets fatter and fatter, and the machine gets slower and slower. Granted the ginoumous system specs just to run Vista shouldn't notice too much of a slowdown, but still.
Once the registry gets fat, short of running one of those reg cleaners from the likes of McAffee, with the obli

Re:Um...

[meringuoid]

If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access too, there's a very large chance you're going to succeed. This is news?

He got repeatedly warned about what he was doing, had to click through an awful lot of 'Yes, I'm sure'-type dialogue boxes to do it, and at the end was able to wipe out pretty much all of the toolbars very easily.

This is indeed news. It looks like Microsoft are actually getting something right this time!

Re:Um...

[antifoidulus]

Yes, but that still isn't allowed to be stated in a slashdot summary... I mean think of the group think, won't someone PLEASE think of the groupthink!

Re:

[rbochan]

Yes, and those "nag click through's" were huge on Paul Thurrott's previous reviews of the Vista betas. It'll just be like the normal EULA's of today... people's eyes will glaze over and they'll just click the damn thing anyway to get it out of their way. I don't see it as being much of a difference from the status quo.

Re:

[asuffield]

This is indeed news. It looks like Microsoft are actually getting something right this time!

It has been demonstrated time and time again: showing dialog boxes to ignorant users does not constitute a security feature. Windows users are trained to click 'Yes', 'Continue', or 'OK' to every dialog that appears until it goes away. They do not normally read the text.

Re:Um...

[digidave]

Windows and IE security may be getting better, but there are two glaring holes evident from this article.

1. Vista Ultimate Edition's default user has administrative rights.

2. If you choose to accept to install something from the web, IE7's protected mode turns off until you restart the program. This could leave you vulnerable if you install a legitimate program (Google toolbar) and continue to browse the web.

Re:

[rayde]

it's news to those of us who may, at some time in the future, be forced with the task of cleaning up after a user who decided to go ahead and click YES at every prompt, and ended up with a browser like this.

Re:

[goldspider]

The problem is the dumbass user then, not IE. And dumbass users aren't news anywhere anymore, let alone on Slashdot.

Re:

[BKX]

I do such cleanings all the time. They invariably start with fdisk and end with a fresh install of firefox and thunderbird. And then I get paid.

Re:

[operagost]

Hopefully, someday someone will realize you are ripping them off and refuse to pay you.

Honestly... fdisk? How, exactly, does MySearch affect your partition table?

Re:

[ElleyKitten]

FDisk is overkill, but the easiest way to deal with a computer massively infected with viruses and spyware and who knows what else is a reformat and reinstall of the operating system. If someone doesn't know how to do that, then how is it a ripoff for them to pay someone else to do that?

Re:

[X0563511]

Hmm, how do you advertise yourself? (looking into doing that myself (maybe a little more attempt to remove infection first) and was wondering the best way to go about getting business)

Re:Um...

[alanjstr]

It isn't that IE let him install toolbars. Of course it will if you click yes. The good news is that IE makes it more difficult.

The bad news is "once you accept ONE UAC prompt in IE7 it disables the protection for subsequent browsing until you completely restart IE7"

For crying out loud

[Overly Critical Guy]

Dear Microsoft apologists:

IT'S JUST A HUMOR ARTICLE. IT SAYS RIGHT IN THE ARTICLE THAT HE'S DOING IT ON PURPOSE TO SEE WHAT HAPPENS. NOTHING MORE.

Okay? Get it? We know it requires user action to infest IE7 with toolbars. That's not the point of the article, which is just to see what happens and laugh on a Sunday. For crying out loud, why does everyone think they have to leap forward and be some sort of heroic truthbringer to the poor Slashdot masses who won't understand the article? We're not idiots.

Re:

[jb.hl.com]

Dear Aptly Named Overly Critical Guy,

Nowhere in the article summary is this mentioned as humourous. It's therefore not entirely unreasonable to assume that it's a serious investigation.

Also, why the "Microsoft apologists" bit? It's a bullshit article with a silly premise, pointing it out as such isn't "apologising" for Microsoft at all.

Re:

[Fordiman]

*points* this guy didn't read the article!

Re:

[jelle]

You know what? A browser doesn't get any better by people using it. Popularity doesn't make something the best choice.

If the majority always made the right choices, it would be smart to be overweight: http://www.usatoday.com/news/health/2002-10-08-wei ght-usat_x.htm [usatoday.com]

Most people using IE don't know Firefox or Opera. There are probably more IE users that never heard of Firefox than there are Firefox users... I'd go even farther that there are more IE users who don't know what is meant by the acronym IE than th

What IF

[scenestar]

MSFT came up with it's own extension central of the *same quality of that of the mozilla foundation* (I know there is one out there allready).

Afaik these toolbars add "extra browsing enhancements". If MSFT told it's users that these bars are Teh evil if installed from some random adress I'm sure the "toolbars" will die out soon.

Re:What IF

[taskforce]

The problem is that MS actually makes one of these as well. I believe MSN offers a particularly annoying toolbar for IE.

Re:

[linuxci]

on the other hand we have browsers like Epiphany and Firefox which have extensions that add single easily moved buttons, search plugins or menu items (and hardly ever toolbars!).

It's worth also pointing out that some of the better designed toolbar extensions for Firefox such as the Google toolbar allow you to use ordinary firefox toolbar customisation so you can drag buttons off the Google toolbar onto other Firefox toolbars and hide the Google toolbar if you don't need it.

I do this so I can put the page ra

Re:

[WilliamSChips]

Not if they allowed you to add sites from which you could also add extensions, like Firefox. The antitrust was not because IE was bundled, it was because MS banned OEMs from bundling Netscape.

Failing by design

[patio11]

There is nothing to see here: he systematically disables all of IE7's protections, clicks past up to FOUR warning boxes to get some of the toolbars, and goes through the manual install process (!!) for some of them because IE was like "Uh oh, sorry, you look determined to shoot yourself in the foot and I just can't let you" and denied the install through the browser.

"Failing by design" Is Proper?

[EXTomar]

In school, a design professor never hesitated to point out, "If it is possible to 'break' the application as a concenquence of the selection made, then you must think of it like that. The number of people that are going to answer 'Yes' to "Do you wish to ruin your computer? Yes/No" is irrelevant since you shouldn't have offered them to chance to see that dialog in the first place."

Most of the UI systems I've studied tell me that if the design has a "need" to ask the user to consider doing something bad, t

Re:"Failing by design" Is Proper?

[the.Ceph]

Now we just aren't being reasonable. If Microsoft didn't allow people to install these things every post here would be calling it anticompetitive and complain about how they don't give the user choices. I'm pretty sure I could make a "Log all credit card numbers and email them to me" extension for Firefox and if someone really wanted to install it I bet it would let them.

The fact of the matter is it isn't always obvious if something is going to break functionality, making a user aware that it might and giving them the choice is IMHO better than telling them they can only run signed software on their computer.

Re:

[jZnat]

Just because it doesn't allow you by default doesn't mean you can't do some sort of force install. Most programs involving installation (e.g. dpkg, rpm) have some sort of --force option that ignores all warnings, errors, etc. If a user wants to install something and they're sure that it's okay to do so, they can manually force it to install.

You Misunderstand: Feature Good, Process Bad

[EXTomar]

Toolbars themselves are a good feature add. By design, "plug-ins" allows for extension of the framework in ways the user wants. I'm all for Microsoft or Mozilla or Opera to have a way to install plugins! What is bad is the way Microsoft goes about doing this with their rules and exceptions which lead to a confused user.

By design or miracle, "warning dialogs" are somewhat minimal in Mac or Linux but in Windows its all over. "Are you sure you want to do this? Yes/No" over and over again causes "fatigue" where users just dismiss it for the sake of making it go away. I've seen users who just click and dismiss things that are clearly warnings and indicators that something is wrong. Why? Because they see it dozens of times and its nonsense as far as they can tell. The reason they never hit "No" is because it stops what they were doing. They would rather be encumbered by a flakey IE than not do what they wanted and frankly these errant users have a point.

The point is worth repeating: Adding a toolbar to IE7 isn't a bad thing. The real problem is the way the process works and it isn't getting better for Vista. For each plugin there should be one and only one confirmation. If it fails **any hard defined requirements** then it the plugin is not installed. They should not be asked to elevate their privilages. They should not be asked if they want to activate secondary controls (Active X). They should not be asked if the install can modify the registry.

Why does any toolbar need 'elevated privilages' at all to install or work? IE is supposed to be an issolated framework that is user dependant. Why does a toolbar need another control hosted outside of itself (violates sandbox)? Why does any toolbar need to access the registry (again violates sandbox)? None of this stuff seems necessary at all for toolbars to function. Why bother asking the user "Yes/No" questions on things that are "violations"?? In most normal cases, when a program violates the rules it doesn't allow it. Why is IE different?

Re:

[Fordiman]

There is news here:
IE7 is more secure because he HAD to disable a whole bunch of shit to get it to do the dumb shit that IE6 did.

Just 'cos the summary's fud doesn't mean the article is.

Re:

[nine-times]

Seems to me the big news here is the ease with which the offending software was removed. Apparently Microsoft has done something right there.

Host took out Pictures

[jafiwam]

Looks like the host took out the pictures.

(Some were large JPGs.)

Interesting text nonetheless.

There was a video of some guy recording his browse by infection of IE a while back that was very revealing. Just visited a site and his computer was infected, he proceeded to try to pull the stuff out and noted the techniques the spyware authors used to keep a user from being able to uninstall it.

The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission. That's where the work needs to go. Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).

"Here's the picture

[mikesd81]

Picture [linux-noob.com]. All I did was right click where the image should be and selected view picture.

Re:

[SanityInAnarchy]

The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission.

You're talking about real security. On Windows, we still have "security" like anti-virus, which is designed to assume that the user doesn't have a clue.

Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).

The trick is making sure they know what they're agreeing to. If you have t

Re:

[Snover]

The person you're probably thinking of is Ben Edelman [benedelman.org]. A couple videos are here [benedelman.org] and here [benedelman.org]. Pretty interesting stuff.

FTA

[big_groo]

"And considering what I put Internet Explorer 7 through, the reset tool did a very very very good job, see below, just one toolbar left, and it was Yahoo's, maybe that's a telling result ?"

We'll see how well this works a year after release. That said, it's about damn time MS did something about IE.

Reminds me of...

[celardore]

The screenshot reminds me of my mother or my sisters computer every time I go over there. They're always ending up with crap like "mycoolsearch", I did an adaware search and got something like 600 items the first time I tried it. I got fed up, and installed firefox and made IE less obvious on the computers.

I go back two weeks later, and now firefox has a mycoolsearch toolbar! Arrg.

Re:

[matrixhax0r]

Sounds like they are infected by CWS (Cool Web Search).

This is in fact one of the worst spywares you can get. Quite a few variants can be deemed rootkit like.

Re:

[SamSim]

Ah, Firefox has arrived!

Security?

[paranode]

Really? The guy pretty plainly states that he ignores all the warnings and clicks yes/allow/next/install no matter what it says. So he is ignoring the security warnings and installing it anyways just to see how cluttered it will become. Not really a test of IE7's 'security' any more than running a rootkit on linux (as root) is a test of its 'security'.

Re:

[gEvil (beta)]

I agree with what you're saying, but it could be argued that he was mimicking the behavior of the typical computer user...

Re:

[DerekLyons]

I agree with what you're saying, but it could be argued that he was mimicking the behavior of the typical computer user...

Sure - if the 'typical computer user' in the wild bore any relation to the 'typical computer strawman' of Slashdot myth and legend. (That's not to say complete damm fools don't exist - they do. But they are no more 'typical' than the average Slashdot user.)

Re:

[rbochan]

...That's not to say complete damm fools don't exist - they do. But they are no more 'typical' than the average Slashdot user.

Really? Because I see 5 or 6 every single week. People that just click on whatever button to get it out of their way are everywhere. Their virus/trojan/spyware-laden machines are my bread and butter.

Re:

[DerekLyons]

...That's not to say complete damm fools don't exist - they do. But they are no more 'typical' than the average Slashdot user.

Really? Because I see 5 or 6 every single week.

I see - you make your point by telling only half the story. Because you don't tell us what percentage of total machines you see each week those 5 or 6 constitute.

People that just click on whatever button to get it out of their way are everywhere.

Sure, they are 'everywhere', but 'everywhere' != 'typical'. Even by the

Re:Security?

[nine-times]

You're right to criticize. On the other hand, hitting "yes/allow/next/install no matter what it says" sounds like an accurate approximation of what 90% of users will do. So I guess it still asks the question, if "increased security" means that there are a couple more pop-ups that I have to click "yes" on, how effective will that "increased security" be?

Re:

[nine-times]

Of course, now that I've RTFA, it looks like what he's proven is that IE's new "reset" feature works fairly well, which is a big improvement on IE's security.

Re:

[paranode]

Because of a Windows issue with running every user as Admin by default. That problem is going to exist whether it's IE7 or Firefox or anything else.

toolbars anyone?

[gEvil (beta)]

The images don't seem to be loading on the site, but why do I get the feeling it's going to be somewhat reminiscent of this? [codinghorror.com]

So how is this a security issue?

[jorghis]

So whats with the submitter implying that allowing third parties to install toolbars is a security hole? The article even said they went looking for them and clicked "yes/install/whatever" to every window they were presented with.

The only possible way to prevent this (and why would you want to prevent users from using their favorite toolbars?) would be to completely disallow downloading toolbars from the internet in IE.

By the way, did the submitter actually refer to Google toolbar as an "infection" with th

Re:

[cyber-vandal]

We could still bash them for taking so long though :P

Toolbar Wars...

[__aaclcg7560]

It won't be long before every toolbar you download will want 80% of the screen space. As they say in real estate: location, location, location.

Your Point?

[prichardson]

I read as much of the article that would load, and I don't think that there are any points against IE here. Users should be able to override security measures on THEIR system. I would much rather Microsoft not cater to the really stupid.

If Microsoft didn't allow people to override those controls I can just see a lot of internal applications breaking in a lot of businesses.

There's a lot wrong with Windows (which is why I chose not to use it), but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).

No one chastises Linux for allowing you to "sudo rm -rf /". I suppose it would be nice if IE prompted for a password.

Re:

[plover]

His point was that everything was a stock "default" install, and he just answered "Yes / OK / Accept" to any prompt that came up.

Vista still installs the user as Administrator by default. IE still lets you install all of the badness. Again, IE can't judge 'adware' vs 'desirable software', and your point is valid: it shouldn't make that decision for you.

Your example of No one chastises Linux for allowing you to "sudo rm -rf /". is a great example of the point. As we all know, in Linux a default instal

Re:

[jimicus]

VMS uses a security model that is much closer to Windows than unix; yet, it is rarely hacked.


Get real. In this day and age, VMS is rarely FOUND on the public internet. Yeah, sure, there are organisations still using it, but most of those organisations are using it for things which are so critical that there is no way they're going anywhere near the Internet.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[joe 155]

One thing that a lot of people are missing here is that when he clicks through for something that he wants to install (as we all might) he (so long as he doesn't re-start IE) doesn't have to click again to say it's ok to install more. This is a pretty bad fault, what if whenever you'd used su - or sudo in linux it ran the whole environment as root from then on without warning you? I think we might complain.

Other than that IE7 seems to be looking ok, maybe I wish it might have pressed the security prob

Re:

[jimicus]

but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).

Vista may have had a lot of attention from various quarters, but I bet you anything you like it's not even had 10% of the attention XP has.

I'm reserving judgement on the security standpoint for at least a year after release. (My boss, bless him, has saved me the trouble of having to propose that at work by already stating that he doesn't like the idea of upgrading straight away and wou

In Episode II...

[OnyxIR]

We can expect to see him simulate a viral attack, this will envolve him formatting his hard drive while running IE, removing it and hitting it multiple times with a hammer.

Im not sure what we can expect from that, but I sure cant wait to see!

SlashDotted

[Anonymous Coward]

Mirror [mirrordot.org]

Re:

[MynockGuano]

This guy seems to have done a masterful job of making his page impossible to mirror properly. >8\

what I'm getting here

[dioscaido]

Secure = Administrator on the machine should be blocked from installing google toolbar?

Truth is, he should have tried to see how much damage he can make as a standard user without providing Administrator credentials. Being and admin and clicking through all the warning dialogs is like running as root in linux and being surprised you can install software...

Hate to whine, but why do these articles make it into slashdot? It seems like often the other technical subjects discussed here are well moderated, and the articles thought provoking. But as soon as someone with a fleeting command of the english language lays down any thoughts that are anti-Microsoft, it immediately makes the front page.

Doomish Naysayings

[JustNiz]

I wonder if it actually removes the downloaded toolbar files from your HD and registry, or if it just hides them from the ie display. I mean could they still be in the system and doing stuff behind the scenes? (such as planting virusses or opening backdoors, or even just using CPU/memory/disk?).

Its bad that the auto-cleanup thing didn't remove Yahoo. Either Microsoft explicitly made an exception for Yahoo or Yahoo found a workaround (I'm not sure which is worse). If yahoo can do that then so will all the ot

The result is really interesting

[stikves]

Actually, as everyone has already pointed out, disregarding FOUR (max) security warnings to install software is not "a security" test. However what he does at the end is very interesting.

I did not expect all those applications (where some of them had direct access to file system and registry) could be removed by a single click (and a confirmation).

So we learn three new strong points of IE7 (added to what IE6 already provides):

• Every installation requires confirmation (actually several of them) with a big warning dialog
  
• If the installation requires access to file system or registry, it will require another specific confirmation (in a special secure mode)
  
• IE has the capabilty to clean all the crap with a single reset button now
  

I'll personally continue to use Firefox, however I'm glad to see IE getting secure, because every now and them I have to use some "bad designed" site which only works on IE. And now I can be more assured about the security of my system.

Re:

[JonnyCalcutta]

As someone pointed out above though, does it actually clean up the crap, or does it just stop it displaying? If its the former I agree it is impressive, but given that many tool bars are just a front for installing less savoury items like spyware, browsing trackers or adware I think I'll hold judgement until someone more knowledgable checks it out.

There is also the point that many toolbars are installed deliberately (as I say, that is the point) so an average user will click yes at security confirmations.

Re:

[stikves]

Well, if the "crap" actually install something on the system, except from the browser toolbar, another explicit warning is displayed, including the path detail, which tells about what's happening, there is also more info link on the dialog.

(For example, something like: The program wants to modify registry, key: HKEY_LOCAL_MACHINE\..., etc).

So if the user still clicks ok on this prompt (and the other 2 before, and one after that) the crap will be given access to the system.

And you may say, there are some peo

There is some 'news' in the article

[I'm Don Giovanni]

One thing that the author encountered in his tests was that once a user says OK to a UAC dialog in IE, then IE turns off "protected mode" and that mode remains off until IE is shutdown and restarted. "Protected mode" prevents IE from writing anywhere in the filesystem except the cache (without explicit implicit user permission, such as the File-Save dlg), so malware installed on top of IE can't do any harm. But if "Protected mode" is off, then the IE process can write to any place allowed by the permissions of the user, meaning that malware running within IE's process can do the same. This might be a legit bug in IE7 (which hasn't reached RTM yet, so there's still time to fix it, if it is indeed a bug).

Missed point ...

[ProfM]

After reading several comments on how this isn't news (because disabling protections to install stuff is easy) ... the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.

This, I believe is the main point of the article, because this will help EVERYONE keep junk off of IE. Not that it deletes anything, but allows the clutter to be easily fixed.

Re:Missed point ...

[jalefkowit]

the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.

If Yahoo has already figured out a way to defeat the "IE Reset" function, isn't it logical to expect that within a year of IE7/Vista's release, this knowledge will be common to all spyware/malware authors?

A function like "reset browser settings" either works, or it doesn't. There is no middle ground. If there is a way to get it to do anything other than roll back all changes, it doesn't work.

ribbon bar redux?

[Speare]

This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.

Wasn't that the complaint with Word's "ribbon bar"? It's also my beef with a lot of GUIs that are attempted on small devices with 320x240 resolution or worse.

Damn, have we gotten so desperate?

[writermike]

It's pretty clear that this particular article isn't really an attempt to disparage Microsoft's new security surrounding IE7. (Or, if it is, then it does a pretty lousy job, what with all the "Yes, I really want to install this you damn, stupid browser" stuff.)

So, it gets posted to /. with a wink-and-a-smile. But is there really anything here? Anything? No?

Honestly, when are we to see the first article about how Steve Ballmer refused Linus Torvald's rest-room offer of a handshake only to have the readers fi

Jumped the shark

[suv4x4]

Quite on topic with the kind of article we're given here, I'd like to run a little improvised poll/research here.

When do you think Slashdot jumped the shark? That is, versus giving us actual news that matter about OSS and IT, we started getting 80% of this crap like this one.

Thanks in advance for your opinions!

The world is going to end!

[Jon.Laslow]

Holy crap! I never thought I'd see the day when nearly all of the posts in a thread about a Microsoft product would be *defensive*! Time to clean out the fallout shelter!

Mirror.

[Janek Kozicki]

Ok, I managed to wget the final screenshot, enjoy: http://cosurgi.googlepages.com/iemess2.jpg [googlepages.com]

Re:

[jargon82]

First thought

Will the 75 popup blockers block the popups that the 219 non-popup blocking toolbars produce?

Well...

[robpoe]

Seems as though he went to some fairly benign sites and installed a bunch of not-so bad toolbars. Not that I'm saying that the toolbars he installed are clean and rosy, but wtf.

Why not take Vista / IE7 to some not so great sites. Like some of the more underworld (note, I didn't say illegal) porn sites, or better yet, crack sites that (still) try to use the WMF vulnerability and other tricks. Maybe I'll do that in a VM session .. but *yawn* I'm not in the mood right now..

And hell, the product is still BET

Normal behaviour.

[miffo.swe]

If the normal workflow in IE7 is having to click a lot of yes/allow/ok popups thats what people will do. Thats not better security, its just a way of handing over the responsibility of the security to the users. For an OS targeted at baffoons thats not really a bright idea. Thanks to this Microsoft will just blame any security problem as a user error not having done anything to fix the bad security in IE.

IE toolbars are a plague

[williambbertram]

Those toolbars are a plague. Does every company in the world need a toolbar? It has nothing to do with filling a need for anyone, it's pure marketing trash. In the early days of IE6 there was literally no defense against them, and some of them were practically impossible to remove (hotbar, cool web search). The anti-spyware tools (at the time) were horribly inadequate; using Ad-Aware and Spybot with up to date definitions back then would only remove some of the toolbars. My company spent a lot of money

Re:

[GregVernon]

The problem with your statement in relation to the article is that Anyweb, intentionally installed every single toolbar that ended up corrupting his browser. I do not doubt your statements about how websites install toolbars without permission nor do I doubt that this is a problem. So, personally, I think you are right. Microsoft has issues with security, everybody knows that.

But simply put, due to the manner in which the author installed the toolbars, and the great lengths he went to do so (in some case

Gimme a screen shot of Firefox please

[140Mandak262Jamuna]

Now go to mozilla's website. Download and install every damn extension there is for Firefox. Take a screen shot and post it please. I am no MSFT supporter. But TF(antastic)Article is just stupid.

I don't get the fud tag

[stinky wizzleteats]

It looks to me like IE7 did pretty damn well (and this is coming from a linux/firefoxista). The author actually had to use firefox during the process and (unrelated) toolbars were actually installed in his firefox browser.

Sit back and behold...

[hysterion]

...the Man with a Thousand Toolbars [hcooh.ch] (2002).

Hiding the menu bar below other clutter

[Sloppy]

The first picture is hilariously absurd, but what really shocked me was the second one, and he says

Pretty standard. Nothing much to write home about.

This is the first time I had seen MSIE7, so maybe it's old hat and "standard" to everyone else, but I thought the "clean" picture was provocative. Why? Look at it: the menu bar isn't even at the top of the window; the url and back/forward arrows are. Are they trying to slow down the user and make them hunt for things? Is this normal and default for MSIE and recent Microsoft applications, for the menu bar to be somewhere other than top? Or had this user already diddled with some settings to make MSIE look bad?

Re:

[IANAAC]

It either is 80% or is not 80%. It is NOT like 80%. Am I the only one irrated by this?

Eh... I can't see like any, 80% or not. Page is dead.

"Like" here means approximately

[tepples]

It either is 80% or is not 80%.

Or it is approximately 80 percent, which I see as a legitimate use of "like 80%".

Re:Hmmm...

[A beautiful mind]

No. Like 25% other slashdotters are also irritated.

Re:

[SanityInAnarchy]

It either is 80% or is not 80%. It is NOT like 80%.

While what you say may be true of the browser window itself, I doubt CmdrTaco actually measured it. Thus, 80% is a guess, and saying "like 80%" means "appears to be approximately 80%, but I don't really know."

What would you rather he say in this situation?

Am I the only one irrated by this?

I hope so. I hope you're the only one so hypersensative to the word that like==blond. Save your pedantry for where it's really warranted, like misuse of apostrophie

Re:

[SanityInAnarchy]

Um... Isn't quite a bit of software "insecure" by default?

In short: No.

Long answer: IE seems to actually have saner defaults now. It still has the occasional buffer overflow that gives full access to the system.

I currently use IE. I don't get spyware. It's called proper security settings.

One of my proper security settings, while on Windows, is to use Firefox for all web browsing, only resorting to IE Tab for Windows Update.

Again, it's got to do with IE inevitably having some security hole that doesn