Comment 300 for bug 332945

Matthew Paul Thomas wrote:
Uwe Schilling: Update Manager doesn't ask for your password unless and until you actually click "Install Updates". So you would then be relying on people to think "Well, it's asking me for my password just like it usually does when I click that button, but I won't enter it this time because I didn't open the window myself to begin with". That seems far too indirect and obscure to be a realistic defence.

I don't understand the point you are making here. Of course, people first have to click the "Install Updates" button, but that doesn't make any difference. I'll try to clarify my point: suppose some malevolent webpage opens a pop-up which looks just like the update manager, telling you that there are updates to application xyz. Since the real update manager also opens via a pop-up process, people will not suspect anything and click on the "Install updates" button, not noticing that this is actually a web browser window, and then enter their password when asked for it. In this way, the webpage gets your system password for free and can do whatever it wants with it, be it a login via ssh or installing a key logger or whatever.

My point is that many people will not notice that it is not the "real" update manager appearing on the screen, because the pop-up window just looks like it. And since the real update manager now also opens via pop-up, they won't even be suspicious and type in their password. If it really had been the "real" update manager, they will probably never get to know....