Announcement

Collapse
No announcement yet.

User Access Control (UAC)

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • User Access Control (UAC)

    Continuing discussion from the Vista thread on this love-it-or-hate-it feature.

    Just the other day on Slashdot I saw this story:

    UAC Whitelist Hole In Windows 7
    http://tech.slashdot.org/article.pl?.../03/07/1323201

    Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'
    Dude, seriously, WHAT handkerchief?

    snooggums' density principal: "The more dense a population, the more dense a population."

    Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

  • #2
    Re: User Access Control (UAC)

    End it! End it! (if they are going to make it messier and messier)
    |TG-18th| Acreo Aeneas
    TG World of Tanks Clan Executive Officer
    Former 9th & 13th

    Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
    Still can't say it? Call me Acorn then. -.-





    SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

    TG Primer and Rules

    Comment


    • #3
      Re: User Access Control (UAC)

      god i hate UAC before is turned it off it took up to 20 mins for the pr instalation package to load. Then i read about turning it off and bam everything loads up much faster.

      i say microsoft should loose it!

      Comment


      • #4
        Re: User Access Control (UAC)

        Most people that have common sense and know what they are doing to their computer have no need for UAC. UAC is IMO for the people that just have no idea of what the heck they are doing with their computer to keep them from installing something that is potentially damaging to their PC.
        For new users or computer illiterate people UAC may be a miracle but for the people that have some clue to what they are doing it is a huge headache.

        Comment


        • #5
          Re: User Access Control (UAC)

          When I install something on Linux, I su to root and install. For all normal use, I run as a regular user.

          UAC was supposed to be MS' way to compromise and give you mortal and Administrator privilege at the same time. The UAC popup is similar to the requirement that you su in Linux to install things.

          If you're installing something on Windows, disable UAC for the duration of the installation, and then enable it again.

          The problem isn't users who don't know what they're doing. The problem is holes in Windows and its applications that malware could drive a truck through.

          For example, there was a known vulnerability in Adobe Acrobat Reader back in January, and not until today did Adobe release a fix. Meanwhile, knowledgeable users like me had to fret about the PDF files passing through our firewalls from trusted business partners, each being a possible malware bomb. All the AV programs, even the ones I had the most respect for, allowed files through with a test infection.

          UAC means that a trojan horse can only affect one's own files, not the whole system. It means that attempts to compromise system files are immediately detected and alerts pop up. That's security I can heartily get behind.

          The issue in my first post is that MS has crippled UAC to satisfy people who would rather have convenience than security. Too bad if the rest of us continue to get spam from those individuals' infected zombie computers.
          Dude, seriously, WHAT handkerchief?

          snooggums' density principal: "The more dense a population, the more dense a population."

          Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

          Comment


          • #6
            Re: User Access Control (UAC)

            Those zombie computers probably don't even have a firewall or anti-virus. Those same users will find UAC annoying, feel that they don't need AV or firewall software (because they think they are surfing safe - like my mother who falls for every spam website), and they'll be behind a new zombie PC in another month without knowing it.
            |TG-18th| Acreo Aeneas
            TG World of Tanks Clan Executive Officer
            Former 9th & 13th

            Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
            Still can't say it? Call me Acorn then. -.-





            SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

            TG Primer and Rules

            Comment


            • #7
              Re: User Access Control (UAC)

              Corporate computers with firewalls and AV get infected. It's why corporate computers get locked down so tight, to keep the newbs from bringing a trojan horse inside the secure walls. But sometimes IT can't say "no" to the horses, because the horses are required for business to proceed. That was the case with PDF files for the last 3 months. It's the case with MS Office files (which for a time were the source of many macro viruses).
              Dude, seriously, WHAT handkerchief?

              snooggums' density principal: "The more dense a population, the more dense a population."

              Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

              Comment


              • #8
                Re: User Access Control (UAC)

                Scratch, are you saying that is Linux ruled the world there would be no security holes?
                Iím not racists, I have republican friends. Radio show host.
                - "The essence of tyranny is the denial of complexity". -Jacob Burkhardt
                - "A foolish consistency is the hobgoblin of little minds" - Emerson
                - "People should not be afraid of it's government, government should be afraid of it's People." - Line from V for Vendetta
                - If software were as unreliable as economic theory, there wouldn't be a plane made of anything other than paper that could get off the ground. Jim Fawcette
                - "Let me now state what seems to me the decisive objection to any conservatism which deserves to be called such. It is that by its very nature it cannot offer an alternative to the direction in which we are moving." -Friedrich Hayek
                - "Don't waist your time on me your already the voice inside my head." Blink 182 to my wife

                Comment


                • #9
                  Re: User Access Control (UAC)

                  Originally posted by El_Gringo_Grande View Post
                  Scratch, are you saying that is Linux ruled the world there would be no security holes?
                  I don't think he's saying that at all. As with anything that is used by billions (don't want to use "hugely popular"), there is be bugs, flaws, and problems. If Linux and Windows' roles were switched around, Linux would have its own fair share of security-related holes.

                  Partly to blame are application developers as some will rush out their products before having thoroughly tested them in conjunction with other programs, users, etc.
                  |TG-18th| Acreo Aeneas
                  TG World of Tanks Clan Executive Officer
                  Former 9th & 13th

                  Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
                  Still can't say it? Call me Acorn then. -.-





                  SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

                  TG Primer and Rules

                  Comment


                  • #10
                    Re: User Access Control (UAC)

                    Thanks, AA. Applications do bear as much responsibility as the OS. That's why I was pointing out Acrobat Reader as the latest huge security hole.

                    MS is trying to get the holes shut, but it doesn't help if users drill them back open, whining that security is too annoying and is getting in the way of getting their jobs done. (Like changing your desktop wallpaper 6 times a day.) Changing your OS won't fix user attitudes. (Linux might be more secure only because its userbase values security more than most Windows users.)

                    As I mentioned in the Linux thread, the advantage of Linux and open source is that when things break, you have some hope of fixing it, without waiting for the secretive programmers of your vendor to do so. Adobe took 3 months to get a fix out for Reader. Had it been open source, someone could have released a patch the same day, and the many eyes of the Internet could review it for issues (including hiding another virus in the patch). In fact a 3rd party did release a patched DLL, but you had to trust that 3rd party not to do anything sneaky with this new binary.

                    And note that open source doesn't have to mean free. I get source to most of the MS Visual Studio libraries (except for stuff encumbered with 3rd party licensing that MS and other compilers aren't allowed to release to their customers), and I've made my own fixes to VC6 stuff. The same was true when I was a Borland user, and when I used Analog Devices' DSP C++ compilers. (I contributed quite a lot of fixes back to ADI, so they'd come around and ask my company to review their future development plans.)
                    Dude, seriously, WHAT handkerchief?

                    snooggums' density principal: "The more dense a population, the more dense a population."

                    Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

                    Comment

                    Connect

                    Collapse

                    TeamSpeak 3 Server

                    Collapse

                    Advertisement

                    Collapse

                    Twitter Feed

                    Collapse

                    Working...
                    X