You're reading it wrong
Posted Sep 1, 2005 14:08 UTC (Thu) by Duncan (guest, #6647)
In reply to: You're reading it wrong by alonz
Parent article: Banner ads: worse than you thought
Likewise. The checkbox allowing software installation was unchecked, by
my parsing. Does "Allow websites to install software unchecked" even make
sense? Who in their right mind would turn ON such a thing, or for that
matter, phrase a question in that manner as a programmer?
I guess the real resolution would be to have someone running Firefox
(preferably the MSWormOS version) verify the exact wording of the option,
but it appears to me, barring evidence to the contrary, that "unchecked"
refers to the box, and shouldn't be parsed as part of the option, since
it's outside the quotes indicating the wording for the option.
Of more interest to me, however, would be the exact mechanism the thing
used to run. Note that the list post does /not/ specify whether Java and
scripting were enabled or not, nor what plugins were present and whether
they were enabled (does Firefox allow general or per-site plugin
disabling? Konqueror, my normal browser, does, so I assume Firefox does as
well). All the post specifies is that it was the latest MSWormOS version
of Firefox, that eXPrivacy was updated on critical updates, and that the
allow software installation option was unchecked (plus that NAV and etc
didn't catch it).
Thus, we are left wondering what mechanism was used to actually activate
the small exe. Was it a buffer overflow in the image libraries as our LWN
article implies, or yet another exploit in Java or scripting, or possibly
some plugin (Flash or the like) exploit? The library buffer overflow
thing is the most damning possibility, as tho most modern browsers allow
image toggling, browsing the web without images by default is an idea most
folks find distasteful, even if it /does/ save them from most ads and web
beacon tracing.
OTOH, while most folks have plugins/java/scripting activated, many
security conscious folks choose not to, by default. I know I've been
running without that sort of stuff on by default since my days as an
active IE4 public beta tester, loonnggg before I seriously considered
switching to Linux, when it was just coming up on the radar for me. Of
course, since I now choose to run freedomware only, not slaveryware, I
don't even /have/ most plugins installed, including Java (yes, I'm aware
of the free implementations, but I don't have them installed), so the only
active content I /can/ run is scripting, and that's off by default, tho if
the exploit only required images and scripting, if it were to target Linux
and a site such as say /. I regularly visit, it's possible I'd be
vulnerable.
Duncan
Posted Sep 1, 2005 16:52 UTC (Thu)
by JoeBuck (subscriber, #2330)
Posted Sep 7, 2005 11:34 UTC (Wed)
by arafel (subscriber, #18557)
The option is "Allow websites to install software". It has a check box to the left, and a button to the right which lets you edit a list of websites which are permitted to install software. The button to the right is disabled if the box is not checked.
In my case, the list contains only addons.mozilla.org. I don't remember whether I put that there or it came that way.
The language is confusing. I read the word "unchecked" to mean that the software would not be checked (e.g. for a digital signature) before running it; apparently your reading is that there was a check box that was not checked.
>I guess the real resolution would be to have someone running Firefox
>(preferably the MSWormOS version) verify the exact wording of the option,
>but it appears to me, barring evidence to the contrary, that "unchecked"
