Home Register Arcade Gallery Chatroom Members Today's Posts Log In
Go Back   Inside: SereneScreen Fan Forum > SereneScreen Products > Marine Aquarium 3 for Windows
Notices

Reply
 
Thread Tools
Old 01-18-2009, 02:29 PM   #1
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
Exclamation Security issue

Hello everybody,

First of all, this is an absolute fantastic screensaver!

But:

there is one major security issue. If the screensaver is active and you'll go to the settings window, pushing the website button wil bring you to......indeed....the serenscreen website.

The big flaw is that after that you'll have unlimited acces to browse to every site you want! Even if quiting the screensaver is protected by entering your password! It is also possible to "browse" to a network share and do nasty stuf if you want to!

I know for sure that there are people (including me) that won't use such a marvelous screensaver if it will leave the backdoor wide open!

I hope Jim will do something about it (before it is released anyway)

Regards,
Remon
-=R@y-M@n=- is offline   Reply With Quote
Old 01-18-2009, 06:50 PM   #2
Jim Sachs
Developer
 
Jim Sachs's Avatar
 
Join Date: Dec 2000

Location: Southern Oregon
Posts: 9,791
Are you saying that on your system, when Windows launches MA3 as a screensaver, the password box doesn't come up when it shuts down to go online?
Jim Sachs
Creator of SereneScreen Aquarium
Jim Sachs is offline   Reply With Quote
Old 01-19-2009, 04:08 AM   #3
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
Jim,

no that is not the problem. The problem is that when the screensaver is running and you will go to the settings screen, pushing the "website" button, will open up your browser to go to the serenescreen website. After that it is easy to browse to other sites or go to network shares by entering an other URL......

Closing the browser will resume the screensaver. When leaving the screensaver it does lock the system (you do need to give a password to unlock Windows).
It must be possible (I guess) to "lock" the browser so it can't go to other sites (disable the URL field or something?).

regards, Remon
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 04:46 AM   #4
Yodelking
yodeler
 
Yodelking's Avatar
 
Join Date: Mar 2002
1 Highscore

Location: Staffanstorp, Sweden
Posts: 294
Remon, it works as it should on my computer, bringing up the password-box when I try to launch the website from within MA.
What operating system do you run?
Yodelking - För god att kolsyra!
Yodelking is offline   Reply With Quote
Old 01-19-2009, 06:45 AM   #5
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
vista on a HP elite book 2730p

default browser is Firefox
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 07:22 AM   #6
jleslie
Engineer
 
jleslie's Avatar
 
Join Date: Aug 2002

Location: London, UK
Posts: 1,279
...and you've set the screen-saver as password-protected in the control panel?
jleslie is offline   Reply With Quote
Old 01-19-2009, 07:44 AM   #7
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 09:08 AM   #8
Dale
Banned
 
Join Date: Jun 2005

Location: Western Missouri
Posts: 960
Originally posted by -=R@y-M@n=-:
Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.  
Where is the MA3Beta.scr file located? (folder, etc.). Did you "install" it?

Could you please describe, step-by-step, exactly what you are seeing, in detail.

1. How is MA3 getting into "screen saving" - automatically after some time? Or how?

2. During the screen saving, how do you get to the settings screen?

3. From the settings screen, how do you press the "website" button?

4. Exactly what happens next?

I know that seems obvious, but each of the first three things above has several different ways of happening. I'm trying to duplicate what you report, but I can't so far - so I need exact, specific, detailed instructions.
Dale is offline   Reply With Quote
Old 01-19-2009, 09:25 AM   #9
Jim Sachs
Developer
 
Jim Sachs's Avatar
 
Join Date: Dec 2000

Location: Southern Oregon
Posts: 9,791
I don't have a Vista machine that's set up for the Internet, so I'll have to rely on you guys to confirm this. It's possible that Vista is not processing the Close message when the Website button is pushed.

Is anyone else having the problem where MA3 does not close when the Website button is pushed?
Jim Sachs
Creator of SereneScreen Aquarium
Jim Sachs is offline   Reply With Quote
Old 01-19-2009, 09:29 AM   #10
Dale
Banned
 
Join Date: Jun 2005

Location: Western Missouri
Posts: 960
Nevermind - I'll leave that set of questions there, but I did manage to duplicate it.

Vista Ultimate 32-bit, SP-1, MA3Beta.scr in \windows\system32\, installed.

Set to be the screensaver, the box for displaying the login screen is checked.

Automatic activation, press space bar, move mouse to website box, left-click. Firefox comes up (oddly, leaving a small gap at the bottom). No request for password, etc.

That's the problem being reported. It's Vista-specific.

Closing Firefox (clicking on X-box in upper right) results in the "Locked" screen with the password box required.
Dale is offline   Reply With Quote
Old 01-19-2009, 10:02 AM   #11
Jim Sachs
Developer
 
Jim Sachs's Avatar
 
Join Date: Dec 2000

Location: Southern Oregon
Posts: 9,791
Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.
Jim Sachs
Creator of SereneScreen Aquarium
Jim Sachs is offline   Reply With Quote
Old 01-19-2009, 10:11 AM   #12
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
Dale,

You are absolutely right! The steps you describe are exactly the same as I followed. I couldn't describe it better (no really, I couldn't, English is not my native language ).

Thinking top of my head now but isn't it possible to include a small custom made HTML browser inside the screen saver instead of relying on the normal browsers? Something Winamp does when looking up information about artists? I'm no expert but i guess it can be better controlled?!?
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 11:18 AM   #13
Jim Sachs
Developer
 
Jim Sachs's Avatar
 
Join Date: Dec 2000

Location: Southern Oregon
Posts: 9,791
No, that would be a nightmare. I just need to find a way to make sure the program closes.
Jim Sachs
Creator of SereneScreen Aquarium
Jim Sachs is offline   Reply With Quote
Old 01-19-2009, 11:33 AM   #14
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
OK, won't argue with the big boss

besides, I don't have any programming skills so actually I don't know what I'm talking about.

by "closing the program" you do mean "making sure people can't browse to another site when pushing the website button" or "you should first unlock windows before you can continue"?

edit: looking at Dale's answer above, you do want it to first give the password before continuing to the site.
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 11:48 AM   #15
Jim Sachs
Developer
 
Jim Sachs's Avatar
 
Join Date: Dec 2000

Location: Southern Oregon
Posts: 9,791
The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.
Jim Sachs
Creator of SereneScreen Aquarium
Jim Sachs is offline   Reply With Quote
Old 01-19-2009, 12:45 PM   #16
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
These are the reasons I'm no developer (or ever become one). People should always admire people like Jim.

Anyway it is really fun to watch the development of such a great project That's why I especially registered here to report this "feature".
-=R@y-M@n=- is offline   Reply With Quote
Old 01-19-2009, 01:12 PM   #17
Jav400
Administrator
 
Jav400's Avatar
 
Join Date: Dec 2000
22 Highscores

Location: Tennessee
Posts: 9,725
Glad to have you as a member, and if no one else has beaten me to it yet:

Welcome to our Forum.
Jav400 is offline   Reply With Quote
Old 01-19-2009, 02:42 PM   #18
Dale
Banned
 
Join Date: Jun 2005

Location: Western Missouri
Posts: 960
Originally posted by Jim Sachs:
Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.  
Just in case I wasn't clear - MA3 does **NOT** come back to life. Firefox comes up as a browser window. There is "nothing" underneath that window - if I click on [-] minimize, it minimizes to a small box, with an otherwise-black screen. If I click on "Restore Down" it gets smaller, with an otherwise-black screen.

Clicking on [X] Close brings up the password dialog, with no sign of MA3 running anywhere.

Footnote: I think under some conditions "black screen" might actually be "empty desktop", but that's somewhat immaterial.
Dale is offline   Reply With Quote
Old 01-19-2009, 03:21 PM   #19
Dale
Banned
 
Join Date: Jun 2005

Location: Western Missouri
Posts: 960
Originally posted by Jim Sachs:
The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.  
In Vista-Personalize-Screen Saver, it's "On resume, display logon screen" of course.

Yes, what you said is what *SHOULD* happen (and apparently what does happen in XP). However, on my Vista system, what *DOES* happen (under exactly the conditions you describe, with that box checked) is that the browser comes up. There's not a good way to check, but it's my belief (based on timings) that MA3 closes and then the browser opens. Only after the browser closes, does the login screen (password box) come up.

As partial confirmation - with MA3 running, when I wiggle the "mouse", it is clear that FIRST MA3 closes (displaying a screen without icons), and THEN the login screen comes up.

As a test, with the browser open by pressing "space bar" and then selecting website, I pressed Ctrl-Alt-Del. The login screen came up. Logging in gave the normal desktop with no browser open.

=============
One big exposure with the browser window open, is the "Open File" selection on the file pulldown. That allows access to edit (or delete or add) essentially any file (given Vista protections, etc. etc.)
Dale is offline   Reply With Quote
Old 01-19-2009, 03:45 PM   #20
-=R@y-M@n=-
Registered
 
Join Date: Jan 2009

Posts: 8
Dale,
I'm really happy about the way you "translate" the problem to understandable English. Reading is easy, writing is a whole other thing for me. I'm sure your effort will help making things more clear for Jim (and anybody else). In other words: thanks!

Jav400,
yes, you've beaten everybody else
Thanks for a warm welcome.
-=R@y-M@n=- is offline   Reply With Quote
Reply
Go Back   Inside: SereneScreen Fan Forum > SereneScreen Products > Marine Aquarium 3 for Windows




Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


All times are GMT -6. The time now is 01:17 AM.


Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.