Comments on: UAC in 7: Exponential Silent Attack Vector Multiplier http://winjade.net/2009/02/the-real-issue-with-win7-uac/ Just another WordPress weblog Wed, 17 Mar 2010 06:13:05 -0400 http://wordpress.org/?v=2.8.6 hourly 1 By: AeroXperience » Blog Archive » Microsoft lists UAC hack as malware http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-694 AeroXperience » Blog Archive » Microsoft lists UAC hack as malware Fri, 31 Jul 2009 02:15:04 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-694 [...] I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack [...] [...] I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack [...]

]]> By: David T. http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-690 David T. Wed, 11 Mar 2009 17:29:07 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-690 The only reason Microsoft is doing any of this with Windows 7 is because of the mass of ignorant users who complained about Vista's UAC being intrusive. MS needs to ignore them. UAC is as intrusive as threats are numerous and persistent. Chew on that for a minute. The only reason Microsoft is doing any of this with Windows 7 is because of the mass of ignorant users who complained about Vista’s UAC being intrusive. MS needs to ignore them. UAC is as intrusive as threats are numerous and persistent. Chew on that for a minute.

]]> By: Bryant http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-692 Bryant Sun, 08 Feb 2009 17:40:05 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-692 @Jon, you're right about the FUD. That closing statement was more intended for if Windows 7 went RTM with that flaw still in existence, but now that it has been cleared up, life should be good. @Jon, you’re right about the FUD. That closing statement was more intended for if Windows 7 went RTM with that flaw still in existence, but now that it has been cleared up, life should be good.

]]> By: Jon http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-693 Jon Sun, 08 Feb 2009 04:36:15 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-693 "max out UAC on Windows 7 the immediate second you finish installing it and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid" Paranoia is useful under critical cases where there is statistically significant chance of getting caught with your proverbial pants down. Realistically, however, the chance of this happening immediately after an install is probably less than being struck by lightning. The first thing you'd have to do with your browser would be to immediately browse to some non-mainstream untrusted site (www.pleaseinfectme.com?) WITH a version of IE8 (which is what will presumably ship with W7) that happens to have some severe security flaw. The chance of each of those events happening independently are already relatively low. I run my Vista in administrator mode with UAC completely off, no A/V, *and* I use IE7.. I've yet to get malware, and I click on pretty much any link I'm given... seriously, I think you're exaggerating the issue. I'd be fine with recommending that users max out their UAC settings, but really, being connected to the internet for a few seconds won't kill you; the FUD is not necessary. You remind me of my system security professor, who notably said, "if you want to be secure, unplug your computer." “max out UAC on Windows 7 the immediate second you finish installing it and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid”

Paranoia is useful under critical cases where there is statistically significant chance of getting caught with your proverbial pants down. Realistically, however, the chance of this happening immediately after an install is probably less than being struck by lightning. The first thing you’d have to do with your browser would be to immediately browse to some non-mainstream untrusted site (www.pleaseinfectme.com?) WITH a version of IE8 (which is what will presumably ship with W7) that happens to have some severe security flaw. The chance of each of those events happening independently are already relatively low. I run my Vista in administrator mode with UAC completely off, no A/V, *and* I use IE7.. I’ve yet to get malware, and I click on pretty much any link I’m given… seriously, I think you’re exaggerating the issue.

I’d be fine with recommending that users max out their UAC settings, but really, being connected to the internet for a few seconds won’t kill you; the FUD is not necessary. You remind me of my system security professor, who notably said, “if you want to be secure, unplug your computer.”

]]> By: SolidJediKnight http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-691 SolidJediKnight Thu, 05 Feb 2009 23:29:48 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-691 Mary Jo, I agree 110%! Bryant, great article. I took the liberty of posting on the Engineering Windows 7 blog, to let Sinofsky and company know that this kind of potential vulnerability shouldn't be tolerated in Windows 7. There should be a Zero Tolerance for potential vulnerabilities that can be taken care of. Granted, nothing is bulletproof. However, If we have some sort of additional defense to prevent anything except a user authorizing the UAC to shutdown, that would be significant progress. I learned VB in high school. Imagine how many kids that if through their studies and playing around with script could compromise Windows 7? It really does beg the question as to what can be added to seemingly legit programs. The incidents with trojans hiding in pirated but working copies of iWork and Photoshop CS4 should be a red-alert for Mac users. This incident should be a yellow alert for Windows 7 Beta testers and potential customers until resolved. Mary Jo,

I agree 110%! Bryant, great article. I took the liberty of posting on the Engineering Windows 7 blog, to let Sinofsky and company know that this kind of potential vulnerability shouldn’t be tolerated in Windows 7. There should be a Zero Tolerance for potential vulnerabilities that can be taken care of. Granted, nothing is bulletproof. However, If we have some sort of additional defense to prevent anything except a user authorizing the UAC to shutdown, that would be significant progress. I learned VB in high school. Imagine how many kids that if through their studies and playing around with script could compromise Windows 7? It really does beg the question as to what can be added to seemingly legit programs. The incidents with trojans hiding in pirated but working copies of iWork and Photoshop CS4 should be a red-alert for Mac users. This incident should be a yellow alert for Windows 7 Beta testers and potential customers until resolved.

]]> By: All about Microsoft mobile edition http://winjade.net/2009/02/the-real-issue-with-win7-uac/comment-page-1/#comment-689 All about Microsoft mobile edition Wed, 04 Feb 2009 19:59:38 +0000 http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/#comment-689 [...] adds more food for thought to the UAC discussion, concluding: "I love Windows 7, but when a team closes a report on a critical demonstrated security bug as 'by design,' I don’t know what to think." posted by Mary Jo Foley February 4, 2009 @ 6:27 [...] [...] adds more food for thought to the UAC discussion, concluding: “I love Windows 7, but when a team closes a report on a critical demonstrated security bug as ‘by design,’ I don’t know what to think.” posted by Mary Jo Foley February 4, 2009 @ 6:27 [...]

]]>