On Sat, 12 Dec 2009, Edward Ned Harvey wrote: >> So, you go to a web page, click "Download", then click "Install"; and >> you are surprised that it downloads and installs? > > Yes. And it's not stupid, and I don't need the mocking. > > Regardless of what text they write in the HTML button, they could write "Blow > up the world" and I would expect that button would be unable to blow up the > world. > > In the HTML form, you click "Download and Install" and then the executable is > launched in your OS. I thought the browser should not allow such a thing to > happen. > > If Google is able to launch an EXE on your computer, with admin privs, just > by clicking a harmless looking button inside a webpage, bypassing all the > usual "This webpage is trying to run a program" security dialogs, bypassing > the usual "This website is trying to download a file" confirmation and > security and download dialogs ...
are you sure that it ran with admin privs and didn't just use your normal ones? David Lang > How do they do it? Do malicious people use the same techniques to launch > malicious programs upon unsuspecting users? > > What if they had made a pop-up, paid advertisement on some site, and made the > "OK" button launch malware? What if they made the "Cancel" button launch > malware? > > I thought the browser provided more security than that. > > > _______________________________________________ > Discuss mailing list > Discuss@lopsa.org > http://lopsa.org/cgi-bin/mailman/listinfo/discuss > This list provided by the League of Professional System Administrators > http://lopsa.org/ > _______________________________________________ Discuss mailing list Discuss@lopsa.org http://lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
