Archived

This topic is now archived and is closed to further replies.

PHYR

followup M5 on windows 10 Security Issue

13 posts in this topic

On windows 10 build 15046(and previous builds also), Maxthon has a serious security issue, serious enough that NO ONE SHOULD INSTALL OR USE  MAXTHON 5 until it is fixed. The problem is on M5 boot. A windows popup ask if you want to allow M5 to run. The problem is 2 fold, 1: the popup appears after  M5 is already running, 2: regardless if you select to allow or not, M5 continues to run. The expected behavior is that the popup appears before M5 is allowed to run and that if you select not to run it doesn't.

Windows Defender is every users first line of defense against malicious software and viruses and if M5 cannot be trusted to implement it properly, MAXTHON 5 SHOULD NOT BE TRUSTED IN ANY WAY.

i hope the devs take care of this at once, this isn't a skin issue that can be placed on the back burner indefinitely.

 

Share this post


Link to post
Share on other sites

Don't run into conclusion so quickly.(especially you are a mod) What's the pop up? Is it from windows defender? Why Maxthon shall not run if the pop up says it shall not? A screenshot will be more helpful.

Share this post


Link to post
Share on other sites

A bit alarmist, isn't it?

I've checked with 3 different scanners and Maxthon is no threat so what's your point?
Could it be a windows 10 issue?

Defender is not the best defense either to use.

Personally, I like webroot but there are plenty of others to check with.

Share this post


Link to post
Share on other sites

This is quite interesting. It only seems to occur when you set MX5 to be the default browser. It seems it's trying to set that property at each start which is what causes the UAC popup.

But it is questionable why the program is allowed to start before the UAC prompt is acknowledged. With the few other programs i've tested they all don't start until the dialog is acknowledged, and if selecting NO, the program won't start.

Or could be that MX5 is calling on something else to change the default program which what is actually being blocked, but the actual browser is ok to run. Although the path to the file in the dialog says otherwise.

If you run as admin you will get a yellow UAC prompt, selecting NO won't allow MX5 to run.

Note this is testing with the portable version only.

MaxthonSnap20170304153012.png

Share this post


Link to post
Share on other sites
8 hours ago, 7twenty said:

This is quite interesting. It only seems to occur when you set MX5 to be the default browser. It seems it's trying to set that property at each start which is what causes the UAC popup.

But it is questionable why the program is allowed to start before the UAC prompt is acknowledged. With the few other programs i've tested they all don't start until the dialog is acknowledged, and if selecting NO, the program won't start.

Or could be that MX5 is calling on something else to change the default program which what is actually being blocked, but the actual browser is ok to run. Although the path to the file in the dialog says otherwise.

If you run as admin you will get a yellow UAC prompt, selecting NO won't allow MX5 to run.

Note this is testing with the portable version only.

 

It does seem to work running as admin on the exe. too. The popup displays before opening and won't open if you click no button.

If Mx5 is set as default browser there is no popup except when running as admin(Although blue again in my case)

SO MX5 IS TOO SECURE!!!????

I wasn't able to capture the image of the popup, how did you manage that 7twenty? Neither Mx snap nor prntscrn worked for me.

Unlike 7twenty, admin popup is blue too, perhaps because I'm running the latest win10 build(15046)

11 hours ago, MaxthonJeff said:

Don't run into conclusion so quickly.(especially you are a mod) What's the pop up? Is it from windows defender? Why Maxthon shall not run if the pop up says it shall not? A screenshot will be more helpful.

I just think it should be fixed as a very top priority.

It's the same popup as 7twenty shows, I can't capture it.

 

Share this post


Link to post
Share on other sites
1 hour ago, PHYR said:

(Although blue again in my case)

Seems this may have changed in the last(?) build 15048. I can only get it in blue now as well? Although was running 15046 when I posted that. Slightly confused?!

1 hour ago, PHYR said:

I wasn't able to capture the image of the popup, how did you manage that 7twenty?

Running in a VM, so was taken from the host system.

1 person likes this

Share this post


Link to post
Share on other sites
7 hours ago, 7twenty said:

Seems this may have changed in the last(?) build 15048. I can only get it in blue now as well? Although was running 15046 when I posted that. Slightly confused?!

Running in a VM, so was taken from the host system.

Hasn't changed for me with build 15048, it's still blue. Although I do believe I have seen the red popup on earlier builds. It may also be related to system colors(themes) but I don't think that would change by updating build.

Share this post


Link to post
Share on other sites

My guess its default browser issue. On win10 it's difficult to set default browser within the app itself. The dev team is trying several ways to do it. This version of win10 seems changed its policy again. The UAC actually blocked a process to set default browser . The normal browser process is not affected. 

Share this post


Link to post
Share on other sites
2 hours ago, PHYR said:

It may also be related to system colors(themes) but I don't think that would change by updating build.

No, it's not theme theme related. The UAC prompts have been blue as long as i can recall. May have been more yellow ones in testing previously, but never taken that much notice. The different colours are meant to indicate the threat level.

Blue - verified program/developer with digital licence
Yellow - unsigned executable without digital licence
Red - unknown program/untrusted publisher

That's based on some quick searching, things may have changed since as most info is still from Win7.

1 hour ago, MaxthonJeff said:

 The UAC actually blocked a process to set default browser. The normal browser process is not affected. 

Seems like I was on the right track.

Do the other browsers have the same issues? Are they doing something different?
 

Share this post


Link to post
Share on other sites

They changed in win10, didn't know they reverted to previous colors recently. Maybe it wasn't intended.

3 hours ago, 7twenty said:

No, it's not theme theme related. The UAC prompts have been blue as long as i can recall. May have been more yellow ones in testing previously, but never taken that much notice. The different colours are meant to indicate the threat level.

Blue - verified program/developer with digital licence
Yellow - unsigned executable without digital licence
Red - unknown program/untrusted publisher

That's based on some quick searching, things may have changed since as most info is still from Win7.

Seems like I was on the right track.

Do the other browsers have the same issues? Are they doing something different?
 

Other browsers don't have the issue.

Share this post


Link to post
Share on other sites
3 hours ago, PHYR said:

Other browsers don't have the issue.

Clearly Maxthon needs to look in to this as it's obviously not a windows problem but solely related to MX

Share this post


Link to post
Share on other sites
22 hours ago, PHYR said:

They changed in win10, didn't know they reverted to previous colors recently. Maybe it wasn't intended.

Other browsers don't have the issue.

Other browsers just give up to set default browser within itself. We think it's not the best we can offer and still working on it.

Share this post


Link to post
Share on other sites