Download can only be opened, not saved. Security risk?

Discussion in 'other software & services' started by Eagle Creek, Nov 21, 2010.

Thread Status:
Not open for further replies.
  1. Eagle Creek

    Eagle Creek Global Moderator

    Joined: Jul 27, 2004
    Posts: 734
    Location: The Netherlands

    Hi!

    Recently I downloaded Java from sun.com. Then I noticed the following:
    http://www.nucia.eu/forum/attachment.php?attachmentid=8428&stc=1&d=1286982788
    As you can see: there’s no “save” button, you can only run (“uitvoeren”) the file.

    What’s this? Let’s take Firefox: when downloading an .exe file, you cannot open this from the web. You first need to save it (and give your AV a chance to scan), and then open the file.
    I also thought IE had some kind of protection for high risk file extensions.

    However, Sun has made some kind of change at their website, making it impossible to save the file before opening it. The only option you have is either take it or leave it (run or cancel the whole download). I don’t want to open a random .exe file from the web, even when I know the website. Shouldn’t this be considered a security hazard? Especially when website owners can decide this?
     
  2. Cudni

    Cudni Global Moderator

    Joined: May 24, 2009
    Posts: 6,956
    Location: Somethingshire

    Do you have the link to that web installer, to see if it can be replicated or if there is a workaround? I agree in principle it is a bad practice to force users to run instead of saving it first.
     
  3. vtol

    vtol Registered Member

    Joined: Apr 8, 2010
    Posts: 774
    Location: just around the next corner

    strange, from java.com all can be saved in IE8/9

    21-11-2010 16-15-30.png 21-11-2010 16-13-24.png
     
  4. Eagle Creek

    Eagle Creek Global Moderator

    Joined: Jul 27, 2004
    Posts: 734
    Location: The Netherlands

    I reproduced the issue 1 minute ago. It still happens to me.
    Tested on: Windows 7 IE8 ánd Windows 7 IE9.

    I go to www.java.com (get redirected to java.com/nl), click "gratis Java-download" (Free Java download), click the button again, and there it is (http://www.java.com/nl/download/windows_ie.jsp?locale=nl&host=www.java.com).

    I also tested with IE9, and Save is here. But not with IE8, on multiple Windows 7 PCs.

    The file that's being offered in IE8 is: "JavaSetup6u22.exe". IE 9 however gets "jre-6u22-windows-i586-iftw-rv.exe". This is a difference.
     
  5. Cudni

    Cudni Global Moderator

    Joined: May 24, 2009
    Posts: 6,956
    Location: Somethingshire

    Replicated it in IE but not FF. I suspect because of JavaScript being enabled in IE but not FF.
     
  6. vtol

    vtol Registered Member

    Joined: Apr 8, 2010
    Posts: 774
    Location: just around the next corner

  7. scott1256ca

    scott1256ca Registered Member

    Joined: Aug 18, 2009
    Posts: 144

    Great. Now that Sun is doing this, it becomes "acceptable" and one more way to allow the miscreant social engineers to trick users into installing malware. WAY TO GO SUN!!!

    I only use on-demand scans, and do LUA/SRP. So now if I want to update Java, I have to log in as admin, start my browser and navigate to their site and run the executable directly instead of save and scan as a limited user? Doesn't sound like an improvement in security to me.
     
  8. Sadeghi85

    Sadeghi85 Registered Member

    Joined: Dec 20, 2009
    Posts: 747

    I didn't see anything special in the code, seems like an IE 8 'feature'.

    "Open in new tab" works as it should (i.e. gives the save option)

    gratis.PNG


    ~~~~~~~~~~

    It's Oracle now btw.
     
    Last edited: Nov 21, 2010
  9. Sadeghi85

    Sadeghi85 Registered Member

    Joined: Dec 20, 2009
    Posts: 747

    Yeah, it's a 'feature' :rolleyes:

    nosave.PNG
     
  10. Fiat_Lux

    Fiat_Lux Registered Member

    Joined: Nov 1, 2010
    Posts: 180

    Gasp! - Yeah! - I just found out when I investigated this... Sun used to provide through FTP also but I can't find that now. (old links listed do not work) o_O

    P.S.
    If Oracle bought Sun I imagine they must have paid a bundle because I can't see Sun sell for cheap.
    Sun was a great company and no matter what I don't think that Oracle will be as great as Sun was (attitude-wise) (my personal opinion).
     
    Last edited: Nov 21, 2010
  11. Fiat_Lux

    Fiat_Lux Registered Member

    Joined: Nov 1, 2010
    Posts: 180

    By the way:
    You can download and save from the Dutch Java page, just use the link underneath the red picture "Gratis Java-Download" where it says:
    "Niet het goede besturingssysteem? Klik hier voor alle Java-downloads." ["Not the right operating system? Click here for all Java downloads."] (then you will get access to manual downloads)
     
  12. katio

    katio Guest

    How could you miss that news, under a rock at the time :p? 7.4 billion...

    Oracle is the better company, economically speaking.
    Sun couldn't manage their balancing act of offering open source software for free and yet making money with their server and service biz.

    Fans of Sun's free software have already seen the true face of Oracle. As a consequence OpenSolaris and OpenOffice have been forked to remain free and independent from Oracle so it doesn't look too bad. Java of course is a bit of an uncertainty with the Google/Dalvik lawsuit.

    Sorry for OT. Will leave it at that.
     
  13. Fiat_Lux

    Fiat_Lux Registered Member

    Joined: Nov 1, 2010
    Posts: 180

    No, I just don't read, listen to, or see the news that much generally unless it comes up while I surf the net. (I am not very happy with a lot of the so-called news)
    Yeah! My point exactly. That was my point, Sun was not just there for the money alone, I think that they were about much more... I'll miss them..
     