Your Ad Here Your Ad Here
Results 1 to 4 of 4

Thread: "Very Severe Hole" In Vista UAC Design

  1. #1
    4play's Avatar knob jockey
    Join Date
    Jan 2003
    Location
    London
    Age
    35
    Posts
    5,530
    Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out from Microsoft officials that the default no-admin setting isn't even a security mechanism anymore. Joanna Rutkowska

    Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

    "When you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

    ___________________________________________________________

    In simple terms microsoft have done everything possible to remove kernel access to all its users, implement a very low privileged user for internet explorer, then bombard their users with popups telling you eactly what the operating system is doing and go right ahead and completely destroy any decent security they have implemented by making all installers run as admin in the name of ease of use.

    bravo microsoft

    Source: http://blogs.zdnet.com/security/?p=29

  2. News (Archive)   -   #2
    Hairbautt's Avatar *haircut
    Join Date
    Jul 2004
    Location
    Florida
    Age
    20
    Posts
    11,028
    Wait for March Tuesday update?
    _________________________________________________________________________________________
    Last edited by Alien5; Jun 6th, 2006 at
    06:36 PM..

  3. News (Archive)   -   #3
    4play's Avatar knob jockey
    Join Date
    Jan 2003
    Location
    London
    Age
    35
    Posts
    5,530
    Quote Originally Posted by Hairbautt View Post
    Wait for March Tuesday update?
    I doubt they will be able to fix this with a quick patch next black tuesday. The problem is that so much old software and probably even new vista compatible software have become accustumed to being installed as admin.

    can you tell me honestly why the sims needed admin privildeges to install in xp. The answer is the designers of the game screwed up and had the game write registry keys and files to places in windows that need admin priveldges. It would be trivial to rewrite the game so it didnt need admin priviledges but who wants to do that.

    Now microsoft has been left with a tough choice. Do they force a decent user model into vista so that all applictions are installed as a user unless they really need admin level access (av, firewall....) but at the same time lose compatibility with badly designed software. I for one would be pestered like hell if my sisters couldn't get sims working on a shiney new pc. Microsoft seems to have chosen the second option of allowing all software to be run as admin for ease of use but makes their "this is our most secure os ever" look plain silly.

  4. News (Archive)   -   #4
    Poster BT Rep: +11BT Rep +11BT Rep +11
    Join Date
    Nov 2006
    Posts
    582
    It never ceases to amaze me how insecure the os's from good ole Redmond are. But honestly MS, if you're going to release yet another os chock full of security holes don't give me a line about how much you value security and how this is your more secure os yet. The sheer user base of windows installs and the compatibility nightmare of making them all run in sync makes any kind of security overhaul from microsoft infeasible. Unless they want to start from scratch, and leave behind all the legacy apps, windows will continue to be as insecure as ever. And to add insult to injury, MS is asking people to shell over big bucks to upgrade to a new untested os that will probably leave them less secure than xp.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •