Security issue

[-=R@y-M@n=-]

Hello everybody,

First of all, this is an absolute fantastic screensaver!

But:

there is one major security issue. If the screensaver is active and you'll go to the settings window, pushing the website button wil bring you to......indeed....the serenscreen website.

The big flaw is that after that you'll have unlimited acces to browse to every site you want! Even if quiting the screensaver is protected by entering your password! It is also possible to "browse" to a network share and do nasty stuf if you want to!

I know for sure that there are people (including me) that won't use such a marvelous screensaver if it will leave the backdoor wide open!

I hope Jim will do something about it (before it is released anyway)

Regards,
Remon

[Jim Sachs]

Are you saying that on your system, when Windows launches MA3 as a screensaver, the password box doesn't come up when it shuts down to go online?

[-=R@y-M@n=-]

Jim,

no that is not the problem. The problem is that when the screensaver is running and you will go to the settings screen, pushing the "website" button, will open up your browser to go to the serenescreen website. After that it is easy to browse to other sites or go to network shares by entering an other URL......

Closing the browser will resume the screensaver. When leaving the screensaver it does lock the system (you do need to give a password to unlock Windows).
It must be possible (I guess) to "lock" the browser so it can't go to other sites (disable the URL field or something?).

regards, Remon

[Yodelking]

Remon, it works as it should on my computer, bringing up the password-box when I try to launch the website from within MA.
What operating system do you run?

[-=R@y-M@n=-]

vista on a HP elite book 2730p

default browser is Firefox

[jleslie]

...and you've set the screen-saver as password-protected in the control panel?

[-=R@y-M@n=-]

Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.

[Dale]

Originally posted by -=R@y-M@n=-:

Yes, but it has nothing to do with leaving the screensaver. that is allright; Windows is locked and you have to provide your password.

The problem is during the screen saving. After going to the settings screen, pussing the "website" button, it is possible to browse wherever you want to browse using the poped up (in my case Firefox) browser.  

Where is the MA3Beta.scr file located? (folder, etc.). Did you "install" it?

Could you please describe, step-by-step, exactly what you are seeing, in detail.

1. How is MA3 getting into "screen saving" - automatically after some time? Or how?

2. During the screen saving, how do you get to the settings screen?

3. From the settings screen, how do you press the "website" button?

4. Exactly what happens next?

I know that seems obvious, but each of the first three things above has several different ways of happening. I'm trying to duplicate what you report, but I can't so far - so I need exact, specific, detailed instructions.

[Jim Sachs]

I don't have a Vista machine that's set up for the Internet, so I'll have to rely on you guys to confirm this. It's possible that Vista is not processing the Close message when the Website button is pushed.

Is anyone else having the problem where MA3 does not close when the Website button is pushed?

[Dale]

Nevermind - I'll leave that set of questions there, but I did manage to duplicate it.

Vista Ultimate 32-bit, SP-1, MA3Beta.scr in \windows\system32\, installed.

Set to be the screensaver, the box for displaying the login screen is checked.

Automatic activation, press space bar, move mouse to website box, left-click. Firefox comes up (oddly, leaving a small gap at the bottom). No request for password, etc.

That's the problem being reported. It's Vista-specific.

Closing Firefox (clicking on X-box in upper right) results in the "Locked" screen with the password box required.

[Jim Sachs]

Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.

[-=R@y-M@n=-]

Dale,

You are absolutely right! The steps you describe are exactly the same as I followed. I couldn't describe it better (no really, I couldn't, English is not my native language ).

Thinking top of my head now but isn't it possible to include a small custom made HTML browser inside the screen saver instead of relying on the normal browsers? Something Winamp does when looking up information about artists? I'm no expert but i guess it can be better controlled?!?

[Jim Sachs]

No, that would be a nightmare. I just need to find a way to make sure the program closes.

[-=R@y-M@n=-]

OK, won't argue with the big boss

besides, I don't have any programming skills so actually I don't know what I'm talking about.

by "closing the program" you do mean "making sure people can't browse to another site when pushing the website button" or "you should first unlock windows before you can continue"?

edit: looking at Dale's answer above, you do want it to first give the password before continuing to the site.

[Jim Sachs]

The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.

[-=R@y-M@n=-]

These are the reasons I'm no developer (or ever become one). People should always admire people like Jim.

Anyway it is really fun to watch the development of such a great project That's why I especially registered here to report this "feature".

[Jav400]

Glad to have you as a member, and if no one else has beaten me to it yet:

Welcome to our Forum.

[Dale]

Originally posted by Jim Sachs:

Wow - looking through the code, I just can't figure out how this is happening. When the Website button is pushed, the whole program gets shut down - the Direct3D object is destroyed, all the 3D objects and textures are destroyed and their memory released, the multimedia timer is shut down, the sound buffers are released. It should be one dead parrot. After all that happens, the variable is checked to see if the user wants to go to the website. There should be no way that the program could come back to life afterward.  

Just in case I wasn't clear - MA3 does **NOT** come back to life. Firefox comes up as a browser window. There is "nothing" underneath that window - if I click on [-] minimize, it minimizes to a small box, with an otherwise-black screen. If I click on "Restore Down" it gets smaller, with an otherwise-black screen.

Clicking on [X] Close brings up the password dialog, with no sign of MA3 running anywhere.

Footnote: I think under some conditions "black screen" might actually be "empty desktop", but that's somewhat immaterial.

[Dale]

Originally posted by Jim Sachs:

The first order of business when the Website button is pushed is to close the program. What happens after that depends on several factors. If MA3 had been in Windowed mode, or had been started by clicking the icon, or it had come up as a screensaver but Password-protect had not been turned on, then a browser window should open. But if MA3 had been started automatically by Windows and Password-protect is on, then the password box should come up before the program exits and starts the browser window.  

In Vista-Personalize-Screen Saver, it's "On resume, display logon screen" of course.

Yes, what you said is what *SHOULD* happen (and apparently what does happen in XP). However, on my Vista system, what *DOES* happen (under exactly the conditions you describe, with that box checked) is that the browser comes up. There's not a good way to check, but it's my belief (based on timings) that MA3 closes and then the browser opens. Only after the browser closes, does the login screen (password box) come up.

As partial confirmation - with MA3 running, when I wiggle the "mouse", it is clear that FIRST MA3 closes (displaying a screen without icons), and THEN the login screen comes up.

As a test, with the browser open by pressing "space bar" and then selecting website, I pressed Ctrl-Alt-Del. The login screen came up. Logging in gave the normal desktop with no browser open.

=============
One big exposure with the browser window open, is the "Open File" selection on the file pulldown. That allows access to edit (or delete or add) essentially any file (given Vista protections, etc. etc.)

[-=R@y-M@n=-]

Dale,
I'm really happy about the way you "translate" the problem to understandable English. Reading is easy, writing is a whole other thing for me. I'm sure your effort will help making things more clear for Jim (and anybody else). In other words: thanks!

Jav400,
yes, you've beaten everybody else
Thanks for a warm welcome.