[opensource] New Web Browser
Brian Swaney
swaney.29 at osu.edu
Thu Oct 25 18:21:53 EDT 2007
ActiveX seems to work in them, but with a prompt. The nice thing is that
they added a "What's the risk?" option to the menu that pops up, to
explain (albeit vaguely) what the risk is, but it still works when
allowed. I haven't had IE6 on my XP partition for a while (well, used
it; I formatted a few times), so I don't know how it works in that one
for sure. Supposedly IE7 is safer, so I upgraded right away, although I
always use Firefox.

Regardless of what exactly ActiveX can do right now, the main purpose of
my article was the browser. The school is acting like a content
producer, in that they're afraid of what users can do with their
computers, but they're trying to make the students use them, so they
dish out restrictive software. The software, like anti-piracy
mechanisms, is not very effective at its job and if anything, merely
annoys the honest students who are genuinely interested in learning the
content. The school still offers it as an option to professors though.
If they start relying on that to stop cheating, the problem is going to
get worse, along with the frustration of students having to use this
program. My proposed solution is that the online testing without the
browser be an option, with whatever (non-ActiveX) restrictive scripts
they feel like, but secure testing be taken in person. No crapware
browser. If they /absolutely/ must have their new program, then it
should be done in some specifically designated testing zone, where it's
quiet, closely monitored for cheating, and non-admin privileges are
limited, sort of like the computers in Mirror Lake Cafe, only with
Respondus instead of IE6. No installing it on home computers, no saying
"well, if you run Linux or don't have a computer then just take it in
the lab", nothing of that sort. It won't even work.
Personally, I think some of its operating system hooks are worse than
the ActiveX installer. The browser /can/ malfunction. I'm not sure I
want to say exactly how I froze it in my tests just yet, but it can
freeze. Normally, when a program freezes, you close it with [Ctrl] +
[Alt] + [Delete], but the makers thought students "couldn't be trusted"
with that ability, so the program hooks the OS to block that and alert
you that you're not permitted to run programs such as the task manager.
I then blocked the task manager from being disabled with McAfee's access
control thing, and it saw it couldn't block it, so it closed the window
immediately (within 1/4 seconds at the most) upon opening. Now, suppose
a test's source is poorly written and the page freezes, the connection
lags, or something of that sort, the user has to shut off the computer
to escape, and probably fails the exam in the process. I know it's sort
of an unreasonable risk to consider, since almost everyone will be doing
this from a lab or dorm (on OSU's own network), making this extremely
hard to create, but what if the connection is hijacked (or browser's
built-in homepage)? I don't know what security alerts the browser pops
up, and it certainly doesn't display the URL or security certificate, so
a user could easily fall for a school-credential-based phishing attack,
and have no way of knowing it, though if someone were that determined,
the victim probably wouldn't have much hope anyway I suppose.

Even if the user doesn't have another computer or virtual machine, all
someone has to do is send them an instant message in an unrecognized
(non-proprietary) program (like Pidgin, from my example) with a link in
it, the user clicks the link, and the default browser (even Firefox,
which I'm sure is recognized) opens right up, then they type google.com
or something... and, well, you get the idea. It's not very hard to open
other windows on the browser, just frustrating with the full-screen
window that hides the taskbar.

-Brian Swaney
Marc Uhrich wrote:
> I'm responding to both Brian and Adam's comments here...
>
> What Paul means by "context of your username" is the permission
> structure of the user account logged onto the computer at the time. For
> example, if you logged into a lab computer where there are a lot of
> restrictions, the code the ActiveX control runs will be limited by these
> restrictions. If you are running your computer with administrator
> privileges, like most Windows users, the ActiveX control can do *pretty
> much* anything it wants.
>
> This is a fundamental issue between convenience and security. ActiveX
> controls allow people to write really sophisticated web applications,
> but open them up to severe vulnerabilities. Microsoft has figured out
> this glaring security hole and made some attempts to mitigate it in IE
> 7. As far as I know, IE 7 on both Windows XP and Windows Vista
> disables Active X controls and disables the prompt to install them.
> Prior versions prompted but naive or uninformed users would just click
> yes to make things work and circumvent this control. It's nice to see
> that they might limit ActiveX code in IE7+ instead of just "hiding it".
> To be honest, I haven't been following it much.
>
> All of this reminds me of the famous quote in Spiderman "with great
> power, comes great responsibility". Using the countless spam messages
> and continuous net attacks we get here at the Graduate School as an
> indicator, I don't think the general internet community is, or will be,
> ready for the responsibility.
> Marc Uhrich
> Systems Engineer @ OSU Graduate School
> 247 University Hall, 230 N Oval Mall
> Columbus, Ohio 43210
> (614) 292-0600
>
>
> -----Original Message-----
> From: opensource-bounces at cse.ohio-state.edu
> [mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of Adam C.
> Champion
> Sent: Thursday, October 25, 2007 2:33 PM
> To: opensource at cse.ohio-state.edu
> Subject: Re: [opensource] New Web Browser
>
> Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE
> browser, like Java applets do in any browser. I know IE 7+ in Vista
> places restrictions on scripts and "active Web content", but users of
> previous Windows versions can't download IE 7+! So other versions of IE
> run ActiveX scripts with the user's permissions? Yikes.
>
> I can think of many ways these "features" can be abused, and potentially
> open up security vulnerabilities...
>
> -Adam
>
> Paul Betts wrote:
>
>>> but how does it "lock down" students' *entire* interaction with the
>>> OS (e.g., prevent them from closing or minimizing the browser)?
>>>
>> If they're running their own ActiveX control, they can do *anything
>> they want*. They are running arbitrary C++ code in the context of your
>> username.
>
> _______________________________________________
> Opensource mailing list
> Opensource at cse.ohio-state.edu
> http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
>
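Marc's point about a control running "in the context of your username", and the IE7 prompt-versus-disable question Adam raises, can both be checked on a given Windows machine. The PowerShell audit script below is an added example written for this archive page; it is not code from any message in the thread or from Respondus, McAfee or Microsoft. It assumes the standard Internet Explorer security-zone registry layout: zone 3 is the Internet zone, the value names 1001, 1004, 1200 and 1201 are the ActiveX download/run/script settings, and the data 0, 1 and 3 mean Enable, Prompt and Disable. It reads the per-user settings under HKCU.

```powershell
# Added example for the archived thread above; not code from any message or product in it.
# Reports (1) whether the current logon token is an administrator, which is the
# "context of your username" an ActiveX control would inherit, and (2) how the
# Internet zone treats ActiveX controls (allow, prompt, or disable).
# Assumed registry layout (IE security zones): zone 3 = Internet; the value names
# below are the ActiveX settings; data 0 = Enable, 1 = Prompt, 3 = Disable.

function Test-IsAdministrator {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ActiveXZoneSettings {
    param([int]$Zone = 3)   # 3 = Internet zone
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $settings = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1200' = 'Run ActiveX controls and plug-ins'
        '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    }
    $labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    # One read of the zone key; missing key or missing values simply report as "not set".
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $settings.Keys) {
        $raw = $null
        if ($props) { $raw = $props.PSObject.Properties[$name].Value }
        $state = if ($null -eq $raw) { 'not set (zone default applies)' }
                 elseif ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] }
                 else { "unexpected value $raw" }
        [pscustomobject]@{ Value = $name; Setting = $settings[$name]; State = $state }
    }
}

# Run stand-alone: print the two findings a reader of this thread would want to see.
if (Test-IsAdministrator) {
    Write-Output 'Logon token is an administrator: any control that gets to run inherits that.'
} else {
    Write-Output 'Logon token is a standard user: a control is limited to what this account can do.'
}
Get-ActiveXZoneSettings | Format-Table -AutoSize
```

Two caveats when using this on a managed lab machine: the first line of output is the whole story for what an arbitrary native control could do, since the control gets exactly the token's rights and no more; and the HKCU zone values are only authoritative when the machine is not enforcing the HKLM copy of the zone settings through the `Security_HKLM_only` policy, in which case the same value names under HKLM are the ones to read.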