unity-design team mailing list archive
-
unity-design team
-
Mailing list archive
-
Message #00907
Re: Possible security risk with update-manager
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Paulo J. S. Silva wrote on 14/12/09 15:10:
>...
> OK, let me get this straight. Are you saying that all pop-up windows
> that appear to you in your browser have the window decorations around
> it?
Yes.
> Could you please visit:
>
> http://www.popup-killer-review.com/windowless-swf.htm
>
> This show that it is possible to add a flash application on top of a
> web-page without any decorations.Given enough skill it ca have the
> right look, doesn't it?
Yes, though it's still inside a browser window with a browser window
frame. This is not new: banner ads have been imitating Windows error
messages for over a decade.
> I do know any flash, so it would take quite
> some effort to create an example myself, but I think it is clear that
> what I talking about can be accomplished through flash.
Yes, but that's true for any window where the user is using the default
theme. It has nothing particularly to do with Update Manager. You could
cut out the middle-man and imitate a PolicyKit alert directly. You could
imitate an Empathy IM window that pretends to be a forgotten classmate
organizing a reunion and wanting your contact details. Or you could cut
to the chase and ask for profitable info directly:
<http://www.sharenator.com/Has_Your_Credit_Card_Number_Been_STOLEN_On_The_Internet/>
The only realistic defence I can think of against this would be to
randomize the theme used by each Ubuntu user, and to neuter the
browser's CSS System Colors implementation so that Web authors could not
tell what the theme was. That way, faked windows would almost always
look wrong.
>> As I wrote in <http://launchpad.net/bugs/332945>: "...assuming that
>> people will see a window that looks like the updates window, and
>> behaves like the updates window, but be able to tell that it's fake
>> solely because it opened automatically. I think that's quite
>> unrealistic, because it would require a much better memory for past
>> actions than people usually have. For example, if you open Update
>> Manager yourself but get a phone call and have to switch to another
>> task in a hurry, and don't return to Update Manager until the next
>> day, you may have no memory of opening it the previous day.
>> (Expecting people to then close it and reopen it, *just in case* the
>> already-open instance was a fake one, would be even less realistic.)"
>
> OK. This is true, given a sufficiently convoluted scenario the user
> may forget that he has called the update-manager or not once he goes
> back to the computer. However this is not the most likely scenario.
> Most likely the user will be there using the computer when a malicious
> window pops up in the middle of the web page (probably he will be
> browsing and have recently moved to the malicious page where the
> pop-up lives). Then he can think: "weird, I do not remember calling
> update-manager (or any other adminstration window)". In the current
> state of affairs the user thinks "Here goes update-manager again...".
> So even though not having the pop-up behavior in administrative tasks
> would help us explain to user how to behave when they see weird
> pop-ups in their computers.
>...
So, we disagree on how convoluted the scenario is. :-) Maybe I'm biased
by having a job where interruptions are common.
Cheers
- --
Matthew Paul Thomas
http://mpt.net.nz/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAksnR9MACgkQ6PUxNfU6ecoKqgCfUU02I/RsadnoQoNMDlzrFz0Z
YYsAn2lFcYVpNkR2c025BJ/a1bun0HqD
=lOyU
-----END PGP SIGNATURE-----
Follow ups
References