Windows 7 Security Flaw is "By Design"

Status
Not open for further replies.

nelson_nel

You guys are retarded.... MS is absolutely right about this... If you are WRITING THE SCRIPT on your machine, then ya no kidding you have circumvented any protection because you have done this intentionally......... your AV software is what needs to protect this UNCOMPILED script from even making it to the PC. Are you guys even really technical...
 

TwoDigital

How about this compromise (I copy this idea from Ubuntu...)

When the OS is installed, you enter a username (and maybe a password.) That user is *NOT* an administrator but has an attribute defined in system policies that they can 'sudo' admin access by clicking 'ok' in the UAC box or entering their OWN password if they set one. This way, the user can be protected by UAC if they wish and if they turn UAC off the system can prompt them whether or not they wish to be added to the admin group (with a reasonable description of the impact of such...)

You could still add yourself to the admin group manually if you wanted to... which would effectively bypass UAC I guess. Just make sure you don't turn off your "Can sudo to admin" flag since you then don't have access to turn it back on!!!
 

TwoDigital

Having some button available somewhere on the login screen would help too... so the user could log in as the default (hidden) administrator account in case they REALLY need to fix a messed up user account. You could ask the user upon install to enter a "recovery" password or something so they understand what the "administrator" account really is being used for.
 

randomizer

[citation][nom]nelson_nel[/nom]Are you guys even really technical...[/citation]
I ask you the same question. Do you really think this script is the only thing capable of penetrating your system? Did you read the article? This is a proof-of-concept script, not the only way of doing it. You could write a virus to do the same thing but completely silently (whereas this is quite crude) and the user would never know that UAC was disabled (except for the sudden lack of prompts).
 

Christopher1

[citation][nom]waikano[/nom]You know you guys are funny. You all hacked on Micro for UAC in the first place then you hack on them for allowing the user to "REALLY" disable the UAC. I guess when it comes to OSes Micro just can't win.[/citation]

I have to say I am getting that impression. There is a fix for this: make any change to UAC itself need to be confirmed via a UAC dialog.... but it might not be as 'easy' a fix as people are saying it should be.
 

nelson_nel

It is STILL up to the AV.... And if MS packages its AV into the OS, EU fines them and users whine and complain. What a predicament. And no, obviously it is not the only thing that can compromise the system but how utterly irrelevant that the UAC could become disabled based on a KeySending script... I doubt Windows 7 is the only OS that this would happen on. Go create a "Robot" script on OS X and then see how much coverage that crap story gets. It's irrelevant because this story makes no message of the transport of the script to the end-user. Any virus that ORIGINATES on the end-user PC has not INTRUDED because it was created there. Non-point and mindless dribble. Next.
 

neiroatopelcc

I'm actually with microsoft on this one. Ye it can be exploited, but for that to happen, something or someone else must fuck up first. It's a bit like blaming your car maker for a blown engine, because you didn't bother checking your oil level or didn't bother getting the warning light fixed when you noticed it was broken.
 

nelson_nel

Agreed. Download the AWESOME keygen or crack and suffer the consequences. That wouldn't be labeled a Windows XP vulnerability either.
 

FrustratedRhino

Why is it that the same people that complain they hate UAC complain that UAC has an easy way to be worked around? Isn't that what they want?

UAC is a tool to HELP people. The fact this "hack" (btw calling it a security flaw is like calling a screensaver that displays a fake bluescreen a virus) is rather minor doesn't seem to bother the legions of apple fanatics seizing on any anti-microsoft fodder. These same people think firefox is more secure than IE regardless of facts.
 

falconqc

UAC is not a new concept. Spybot S&D had the whole "Program X want to apply change Y, Deny or Allow?"

The truth is, if you are stupid enough to download and install a virus/trojan/spyware or whatever else on your computer and you don't have proper protection, you deserve what is happening to you.

I like the fact you can get better control over UAC, but I think Microsoft should set the default to the Vista default.

Just think of UAC as a condom, Windows as your junk and the Internet as a cheap hooker. Believe me, you want UAC, BADLY.
 

neiroatopelcc

[citation][nom]falconqc[/nom]UAC is not a new concept. Spybot S&D had the whole "Program X want to apply change Y, Deny or Allow?" The truth is, if you are stupid enough to download and install a virus/trojan/spyware or whatever else on your computer and you don't have proper protection, you deserve what is happening to you. I like the fact you can get better control over UAC, but I think Microsoft should set the default to the Vista default. Just think of UAC as a condom, Windows as your junk and the Internet as a cheap hooker. Believe me, you want UAC, BADLY.[/citation]

I don't know if uac would've helped my parents, but I just spent most of my evening yesterday trying to rid their system of a virus like something. Kaspersky (legal and updated) didn't find anything, but I could see userinit.exe had malicious code, so I replaced that file, and found a number of .bat and .sys files in %systemroot%\system32 that apparently were used to connect to a variety of ftp servers and download trojans (which kaspersky DID catch), which is why I knew something shady was going on. Thing is - I don't think uac would've caught this, cause not even rootkitrevealer found anything suspicious.
Perhaps UAC would've helped, but ultimately I don't think there's anything that can truly protect ignorant people from getting virus - especially not if they get it before their chosen antivirus company does.
 

neiroatopelcc

Btw they were running xp, so uac wasn't available, but I don't think vista is any more secure with regards to trojans and virus that people already let past their firewall/router.
 

falconqc

[citation][nom]neiroatopelcc[/nom]...[/citation]

Obviously you can't protect against everything. A virus can (and most likely will) get on your computer even if you have UAC and antiviruses running. AV can't protect against viruses they don't know about. UAC is just there to make you stop and think for a second. Did I really ask to install this? Do I trust this publisher? Is it necessary for that program to have admin access?

Of course, no system is perfect. If you just go around clicking allow without looking you might as well turn the thing off. And of course, like you said, there's always the chance something might slip through without even triggering the protection on your computer.

Either way, 99% of the time, the best (or worst) AntiVirus is the person using the computer.
 

neiroatopelcc

Ye I agree completely with you. Which brings us to the real security flaw. As already complained about when vista was released, microsoft is creating careless users. They bother you a million times about everything you want to do. So much that most people don't truly read what a box says, but only see something they have to click yes or no to. Working with computers many hours a day I know that this applies to both people who know stuff and people who yet have to learn. Often I'm helping someone and all of a sudden they ask what the computer was just warning about - and I'd already confirmed something that I didn't even realize I had. Cause I know which window looks how. I don't stop and wonder why it's asking, cause I'm expecting it to ask all the time anyway. And people who don't know what the windows mean will click yes or no depending on how badly they want to execute something. Someone like my granny wouldn't know what it was asking anyway, and will just say yes or no basically 'random'. She doesn't understand English anyway, so chances are even if she'd stop and read it, she'd fail.
And uac keeps annoying people, so they'll just click continue until it stops ....


On another note - I hate UAC!
Server systems don't come localized in my language, and apparently there's a problem using remote desktop on 2008 server systems. Basically I can't sit on a Danish xp 32 and use the built in client for remote desktop and actually work! The problem is that I can't type \ which requires me to hold "Alt Gr" and hit the key you guys do on your US layout, and it won't be parsed properly. So I have to change to US keyboard layout first to do stuff. But every time uac has stepped in to stop me from opening the windows deployment service or something else, it'll reset to Danish keyboard and I end up having to change to English keyboard EVERY TIME I click something.
 