[LINK] Study shows pop-up warnings are ineffective

Marghanita da Cruz marghanita at ramin.com.au
Tue Sep 30 10:08:09 AEST 2008


Ivan Trundle wrote:
> 
> On 30/09/2008, at 9:46 AM, Marghanita da Cruz wrote:
> 
>> Ivan Trundle wrote:
>>> On 30/09/2008, at 5:33 AM, Roger Clarke wrote:
>>>> But this is link;  and there are people out there who aren't amateurs
>>>> like me.  Can someone confirm or deny the reliability of 'Cancel'
>>>> buttons?
>>> No reliability at all. It's possible to script a function to do
>>> anything at all from a cancel button (if the user permits javascript
>>> et al to operate).
>>> Whilst the DOM may try to interpret button action and behaviour,
>>> there is nothing to prevent someone from creating any action from
>>> any button with any name. The html you described is quite possible.
>>> Even using the window close widget (OS-dependent) can evoke an
>>> undesirable action.
>>
>> But isn't this covered by the browser security functionality?
>>
>> i.e. while you may be able to download a file - pdf or exe -
>> opening/execution should be a different function.
> 
> Assuming that the code presents a known security issue that the browser 
> can detect and act upon, yes - this is correct.
> 
> However, there are enough unpatched and/or unintelligent browsers in use 
> to make malicious scripting a worthwhile exercise for nefarious types.
> 
> However, making 'Cancel' do something other than cancel, but which is 
> NOT malicious, is unlikely to be trapped. For example, a 'cancel' button 
> that offers another pop-up asking if you really, really, really want to 
> cancel...
> 

Yes, but the question relates to what the cancel can or can't do.

The experience I have had of malicious sites is that they don't bother to ask. They
just start downloading.

It should not be possible for the browser to execute code on the local PC
outside the browser OS, or at least this was the original concept.

Of course, if the file is downloaded into a directory of executables which are
automatically run when a computer is rebooted, then you are in trouble.

> iT
> 
>>> May 2, 2006  (IDG News Service) -- Mozilla Corp. has released an 
>>> update to its Firefox browser, fixing a known security flaw in the 
>>> open-source software.
>>> The bug, reported last week, involves the way Firefox handles 
>>> JavaScript code. It could be exploited by attackers to crash an 
>>> unpatched browser and, in theory, could also provide them with a way 
>>> to trick the browser into running malicious code, Mozilla said in a 
>>> security alert
>>
> 


-- 
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202
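An added illustration of the point Ivan makes above (a button's label says nothing about what its handler does), written for this archive page and not part of the thread or any project's code. It scans a constructed dialog for buttons labelled Cancel/Close whose inline handler does something other than dismiss; the sample HTML and the list of flagged calls are assumptions for the demonstration.

```javascript
// Constructed sample: four buttons in a pop-up dialog. Two of them carry a
// dismissive label but a handler that nags, opens a window, or downloads.
const SAMPLE_HTML = `
<div id="dlg">
  <button onclick="closeDialog()">Cancel</button>
  <button onclick="confirm('Really cancel?') || startDownload()">Cancel</button>
  <button onclick="window.open('http://example.invalid/offer')">Close</button>
  <button onclick="startDownload()">OK</button>
</div>`;

// Labels a user reads as "make this go away".
const DISMISSIVE = /^(cancel|close|no|dismiss|exit)$/i;
// Calls that do something other than dismiss: navigation, new windows,
// further prompts, or a download. Assumed list for illustration, not exhaustive.
const SIDE_EFFECTS =
  /\b(window\.open|location\.(href|assign|replace)|confirm|alert|prompt|startDownload)\b/;

// Returns one record per <button> with an inline onclick handler.
// A real audit would walk the live DOM; a regular expression is enough for
// the constructed sample above.
function auditButtons(html) {
  const re = /<button[^>]*onclick="([^"]*)"[^>]*>([^<]*)<\/button>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const handler = m[1].trim();
    const label = m[2].trim();
    out.push({
      label,
      handler,
      // Flag only the mismatch: dismissive label, non-dismissive behaviour.
      suspicious: DISMISSIVE.test(label) && SIDE_EFFECTS.test(handler),
    });
  }
  return out;
}

function suspiciousButtons(html) {
  return auditButtons(html).filter((b) => b.suspicious);
}

for (const b of auditButtons(SAMPLE_HTML)) {
  console.log(`${b.suspicious ? "FLAG" : "ok  "} "${b.label}" -> ${b.handler}`);
}
```

The point it makes is the browser-side one from the thread: the label is decoration, and only the handler (and what the browser sandbox lets it do) determines the outcome.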
