Comments on: UAC in 7: Silent Attack Vector Multiplier (redux)

By: AeroXperience » Blog Archive » Microsoft lists UAC hack as malware, kinda

Thu, 30 Jul 2009 19:26:24 +0000

[...] those involved in the Windows 7 community may know, Microsoft has failed to fix a crucial flaw in the User Account Control feature of the operating system which allows a specific whitelist of [...]

By: SolidJediKnight

SolidJediKnight — Fri, 19 Jun 2009 10:31:38 +0000

This is the one issue where Microsoft is definitely stuck between a rock and the hard place. A too aggressive UAC like in Vista is highly unpopular. However, to us enthusiasts/techno saavy crowd, a towned down UAC isn’t secure enough. Do you please the masses or do you “dumb it down to double your dollars” as rapper Jay Z once rhymed. In many cases, if you want success, the original intention is going to get toned down. That has been and always will be the price for success. Essentially and just on principle, I agree with you guys that a strong UAC should be win Windows 7, I completely understand why Microsoft HAS no choice but to dumb it down. It gives way too much ammunition for the anti-Microsoft/hard core Mac fans/hard core Linux fan crowd to bash away and let it stick.

I think Microsoft’s counter attack should be working with other background and otherwise silent defenses within Windows. If the internal defense, stronger firewalls, whitelist/blacklist defense, and other methods should be part of the solution, the hardware layers of security also have to be strengthened too. Microsoft has to keep attacking security in ways that are invisible but still very relevant to protecting users from themselves. Howerver, a lot of the reason why Windows has so many problems is that the vast majority of the userbase is very ignorant in how PC’s work and how to browse safely. Many of Windows issues wouldn’t be as much of an issue if PC fundamentals, PC ethics, intermediate PC education, and advanced PC skills were taught to our children in Elementary, Middle School, and High School as part of the mandatory curriculum.

However, there are some people saying that the x64 version of Windows 7, that this RCE doesn’t even work. That this might be limited to just 32 bit versions of Windows 7. While I do appreciate the war being waged, this is a very fine line we have to walk here.

By: Jug

Jug — Mon, 15 Jun 2009 07:44:40 +0000

I don’t think Microsoft will try to deny anything that they’ve said, they just won’t comment on it. Inofficially, I suppose they’re simply changing why UAC is there, as I fail to believe they have already forgot why they added UAC…

By: VeraBlue

VeraBlue — Sat, 13 Jun 2009 04:17:51 +0000

Since day one, when I first touched build 6801, I always set UAC to the “always notify” setting… my reasons for doing so should be apparent. Through what is basically a marketing gimmick, Windows 7 is less secure than Vista. MSFT should of have left the settings as they were in Vista, set to “always notify”. Under normal circumstances, when set to the highest level the UAC dialogue rarely pops up.

By: Sam Johnson

Sam Johnson — Fri, 12 Jun 2009 20:03:33 +0000

So much for ‘less annoying to be secure’ as a selling point. This is definitely not okay and I cannot believe Microsoft will not change it; they did well fixing the other issue earlier this year.

By: Bryant

Bryant — Fri, 12 Jun 2009 19:20:16 +0000

Crap. Good point about robots.txt. /saves page

By: Yert

Yert — Fri, 12 Jun 2009 18:56:05 +0000

You forget that they can change their robot.txt file to have the Internet Archive delete the archived pages. Keep a local copy.

And I find it interesting that Russinovich won’t even call it a security feature. Elevation is first and foremost about security, and users who were actually concerned about the concept of LUA, not having to go with XP’s Run As when on a Limited Account was a godsend. Thankfully you can still turn on UAC if you want the security; the issue now is that the default is branded as safe when perhaps it should not be.