On Sat, 12 Dec 2009, Matt Simmons wrote:

> Even if it ran with my local privileges, that isn't something that I would
> want/expect my browser to be able to do.

Being a little pedantic here.

It may not be something that you would expect the browser to do (and I agree that this is a problem), but there is no reason to expect that the browser would be unable to do something like this.

The browser is just another application (just like a Flash or Java app running in the browser). Unless you do something to limit what it can do, it can do anything that you can do, just like any other app you run.

If you want to limit what an app is able to do, you need to either run it as a special user that is limited, or you need to use something like SELinux or AppArmor on Linux to limit it. There are similar apps available on Windows (look at host intrusion prevention systems, the top of the line ones can intercept every system call the app makes and limit it).

David Lang

> Ed, I take it you hadn't changed any of the default security settings to
> prevent such an occurrence, right? I'm also at a loss as to how it
> automatically executed.
>
> --Matt
>
>
> On Sat, Dec 12, 2009 at 1:48 PM, <da...@lang.hm> wrote:
>
>> On Sat, 12 Dec 2009, Edward Ned Harvey wrote:
>>
>>>> So, you go to a web page, click "Download", then click "Install"; and
>>>> you are surprised that it downloads and installs?
>>>
>>> Yes. And it's not stupid, and I don't need the mocking.
>>>
>>> Regardless of what text they write in the HTML button, they could write
>>> "Blow up the world" and I would expect that button would be unable to blow
>>> up the world.
>>>
>>> In the HTML form, you click "Download and Install" and then the
>>> executable is launched in your OS. I thought the browser should not allow
>>> such a thing to happen.
>>>
>>> If Google is able to launch an EXE on your computer, with admin privs,
>>> just by clicking a harmless looking button inside a webpage, bypassing all
>>> the usual "This webpage is trying to run a program" security dialogs,
>>> bypassing the usual "This website is trying to download a file" confirmation
>>> and security and download dialogs ...
>>
>> Are you sure that it ran with admin privs and didn't just use your normal
>> ones?
>>
>> David Lang
>>
>>> How do they do it? Do malicious people use the same techniques to launch
>>> malicious programs upon unsuspecting users?
>>>
>>> What if they had made a pop-up, paid advertisement on some site, and made
>>> the "OK" button launch malware? What if they made the "Cancel" button
>>> launch malware?
>>>
>>> I thought the browser provided more security than that.
>>>
>>>
>>> _______________________________________________
>>> Discuss mailing list
>>> Discuss@lopsa.org
>>> http://lopsa.org/cgi-bin/mailman/listinfo/discuss
>>> This list provided by the League of Professional System Administrators
>>> http://lopsa.org/