It is well known by now that User Account Control (UAC) in Windows 7 is more customizable than in Windows Vista. With several levels of notification, the system can be "tamed" so that it doesn't ask for permission for every task. However, the default setting that most people will run has an inherent flaw: it allows a malicious script or program to disable UAC on the user's behalf without ever triggering a UAC security prompt.
Vista users complained about UAC, so Microsoft offers four levels of notification in Windows 7. The default option is “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. A security certificate is used to distinguish Windows settings from third-party software, thus preventing prompts when changes are made to these settings.
The problem is that, at the default notification level, a user altering UAC settings counts as a "change to Windows settings". UAC's notification level can therefore be lowered, or UAC disabled altogether, without the user ever being prompted to consent.
A basic proof-of-concept VBScript has been made public that demonstrates how simple it is to disable UAC automatically. The script emulates a sequence of keyboard inputs, combined with the Sleep and Run methods, to perform this simple task. It is also possible to force a restart after UAC has been toggled off, so that the user is then running with full administrative rights. Malicious programs can then alter the system freely, since they now have sufficient privileges to do so.
It would be simple for Microsoft to fix this security hole before the OS ships. All that is needed is to force a UAC secure desktop prompt whenever UAC settings are changed, regardless of the current notification level. The user would then have to click "Yes" to leave their system open to attack, so while the fix is not bullet-proof, it is better than requiring no user intervention at all.
Microsoft responded to the publication of this security flaw by stating that, for this vulnerability to be exploited, a user's computer would already have to contain malicious code, which means either that other security software has failed to prevent this or that the user has explicitly allowed it. Also, on Microsoft Connect, submissions made regarding this flaw were all closed and labeled as "By Design."
It is important to note that only users who are members of the Administrators group are vulnerable, as Standard users are required to enter an administrator password to make these changes (whether they are initiated by the user or by a script). However, since accounts are created as administrators by default, most home users, especially those with only a single user account, will be vulnerable.
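As an added example (not from the original article or the published proof of concept), the following PowerShell script audits which of the four Windows 7 notification levels a machine is running and whether that level leaves changes to Windows settings, UAC's own slider included, unprompted; it also includes the hardening step of moving to "Always notify". It assumes Windows 7 or later, and that the registry values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under the System policies key carry the UAC configuration, as they do on a standard installation.

```powershell
# Added example, not from the original article: audit the local UAC notification level
# and report whether the machine is in the state the article describes as vulnerable,
# i.e. changes to Windows settings (the UAC slider included) never raise a prompt.
# Assumes Windows 7 or later; the three values below are the standard UAC policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    $enableLua     = [int]$p.EnableLUA
    $consent       = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop

    # Map the raw values onto the four Windows 7 slider positions.
    $level = if ($enableLua -eq 0) { 'Never notify (UAC off)' }
        elseif ($consent -eq 2 -and $secureDesktop -eq 1) { 'Always notify' }
        elseif ($consent -eq 5 -and $secureDesktop -eq 1) { 'Notify only when programs make changes (Windows 7 default)' }
        elseif ($consent -eq 5 -and $secureDesktop -eq 0) { 'Notify only when programs make changes, no secure desktop' }
        elseif ($consent -eq 0) { 'Never notify (silent elevation)' }
        else { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDesktop)" }

    # Only 'Always notify' prompts for changes to Windows settings; at every other
    # position the UAC control panel can be moved to 'Never notify' without consent.
    [pscustomobject]@{
        Level                    = $level
        UacEnabled               = ($enableLua -eq 1)
        PromptsForSettingsChange = ($enableLua -eq 1 -and $consent -eq 2)
    }
}

function Set-UacAlwaysNotify {
    # Hardening: move the slider to 'Always notify' so that changing UAC (or any other
    # Windows setting) requires consent on the secure desktop. Needs an elevated shell;
    # a change to EnableLUA only takes effect after a restart.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$state = Get-UacState
$state | Format-List
if (-not $state.PromptsForSettingsChange) {
    Write-Warning 'UAC settings can be changed without a prompt; run Set-UacAlwaysNotify from an elevated shell.'
}
```

Standard users are not affected by the default level, as the article notes, so the warning matters most on machines whose everyday account is an administrator.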
Why pay for software that is a piece of crap, and that you know there are problems with viruses and spyware? Normal users will have to spend money (more or less $100) to format and reinstall their Windows.
When they fix some security issues, they have enough people working there to think a step ahead (if a virus does that, it will do this.....). I guess they like to pay engineers to do nothing...
anyhow good luck microsucks
Used to be errors and malfunctions were "undocumented features" lmao
"Yes, support? Why does my coffee cup holder keep going back into the computer?" lmao
"Yes, we built the vault with that big hole on purpose. That way customers can make withdrawals or deposits without having to stand in line. It's not a problem though, cause nobody can steal any money unless they walk through the front door first..."
I don't get your point. Bank vaults have a big gaping hole, otherwise how do you get in and out of the vault? ;-) The point is you have to have someone that you trust controlling access to the vault and its contents, like some nice internet security suite... and even with that you know that people might break in; nothing is perfect.
UAC prevents programs from having administrative privileges all the time, so that any damaging tasks would cause a prompt before they can happen. By disabling UAC, programs run with perpetual administrator rights and can do anything unless stopped by other software.
"Not bad"? Yeah, I like my work to be interrupted every keystroke with some popup asking me if it was OK for me to press the key. I thought we all agreed some time ago what an annoyance that was and agreed to use popup blockers.
Wow. What a perfectly accurate real world representation of what is going on. Completely realistic.
I am not an MS fan or what, I have used Linux and other OSes as well and I can tell you... they are far from perfect.
I guess people just like to follow the majority, and always pick on what is common and widely used/well known, and underground things are cooler.
Microsoft already sacrificed security for convenience; case in point, as mentioned, users are Administrators by default. Then there is how, from the start, they let third-party software developers on a very long leash, or no leash at all, in developing software for Windows. Software needing to install/run a service for no apparent reason? True, if third-party developers want to be as invasive as they want, there is little to stop them. But since users are accustomed to such low standards, they won't complain, won't look harder for alternative software.
I don't mind if MS breaks compatibility with older software on new Windows, as long as the standard has significantly improved. Of course, it's better if Windows executes such software in a sandbox. Sandbox. Speaking of which, not only does Vista not have a sandbox feature, it made the system incompatible with a lot of sandbox software (i.e., Sandboxie).
Microsoft, listen: just because a user has allowed a piece of software to run doesn't have to mean that he/she is on his/her own. Provide a powerful sandbox feature or let others develop powerful sandbox solutions (the kind that even allows installation of drivers in the sandbox. scr3w DRM drivers).
Actually "windblows security" is an oxymoron.
"If you can't make it good, at least make it look good." by m$'s Billyboy