SuperSite Blog

People are over reacting about this big time. Seems most do not understand that UAC is NOT a security boundary.

Yes it's a security feature but it is NOT a security boundary. Huge difference!!

Hey Paul, I frequent your SuperSite very often and I have just recently realized I have been missing out on your blog as well. Unfortunately I have to disagree with the first post I've read where I, with all do respect, think you're ranting somewhat unfairly about "the" closed-source software company who really has made great strides communicating with its consumers directly with this initiative alone.

As such, I believe in time you'll find that it's completely reasonable to assume they were going to fix the integrity bug beforehand, because in all reality that would have made the entire method of exploiting it null in the first place, providing a completely legitimate base to their early comments. Not only that, in all practicality, it was a fairly obvious bug for Microsoft who has really put a large amount of effort and sincerity into security since the release of Windows Vista (along with Windows Defender and the upcoming virii protection).

In addition they also listened to everyone (to sweeten the deal) and made the extra change of always notifying with a prompt when the User Account Control setting is changed -- something which I find somewhat superfluous now [with the bug fix] at anything under the "Always Notify" setting. Regardless, that is my personal taste and I recognize that the additional change is definitely for the betterment of the "average" user's security.

What I will give you though is a clear ineptitude of communication on a certain level. If any Microsoft representative would have come out and notified people of the integrity fix the entire argument would have been softened and taken much less seriously, as it should have been, instead of assuming [blindly, somehow] that users would have Apple-esque faith (sorry for the bias!) or magically know of the upcoming fix.

At any rate, I listen to your podcasts and read your site regularly and I hope you continue to offer fair, balanced, and insightful commentary on Microsoft and its products, especially Windows 7. Looking forward to it.

Pingback from  Windows 7 Help & More

The worst part is that once RC rolls around, the bloggers will probably be up in arms again because they feel UAC is too annoying.

MS needs to have a prompt at install time that will ask users how secure they want to be any force everyone to set the slider then and there.

It's great that the Windows 7  testers and bloggers stood up loudly and proudly to Microsoft and told them in one voice.

"CHANGE THIS!"

Finally, they did and we'll see it in the RC. Very cool that my voice and the voice of so many bloggers and testers were not ignored. Just keep running the UAC at the highest setting until we have the RC.

Yes, Paul is right. Taking a step back it is hilarious. But in practicality, the UAC is a very important security feature, that Microsoft shouldn't treat lightly. I think Bryant's comments on Aero XP highlight this excellently.

www.aeroxp.org/.../the-real-issue-with-win7-uac

It makes me feel good that in the end, we do have some say about Windows 7. We do have some sway with Microsoft, since ultimately if they didn't listen, there are alternatives out there both from Apple and any Linux distro. I also want to thank Paul, Mary Jo, Bryant, and others out there not just taking Microsoft's "No" for the final answer.

"This is how small children behave."

Hey, robertsjoe...where are you? Here's another thing that Microsoft copied Apple on...you should be pointing that out to us.

--tayme

"The worst part is that once RC rolls around, the bloggers will probably be up in arms again because they feel UAC is too annoying."

I think that's why Microsoft has reacted this way. It's a touchy topic for them because whatever they do with UAC, it always seems to evoke an outcry from the blogger community. It's funny that with Vista, everyone hated UAC and now that they've tempered it in 7, people are craving for Vista's UAC. No, I'm not talking about the Long Zhengs and Rafaels. I'm talking about the people from Engadget, Gizmodo and other other such sites, who probably couldn't care less, but joined in the chorus, nevertheless, simply because they needed something at Microsoft to bash.

@subzero - Very well put. I am guessing that millions clicked on the feedback link in 7 and sent messages about this. It is good that the user community was vocal enough to make a difference and good that Microsoft listened.

--tayme

Paul, I think you put it nicelly and I whole heartedly agree. Good on Long Zhen and Rafeal for ensuring that Windows 7 will not be less secure than Vista.

It was great to see that the blog community got behind this to. A positive result all round.

Does this really matter?  The shipping product is changing and that's the point of a beta and an RC.  Paul, I think if anything, you're more off-base by claiming that the beta is somehow "done".  The haven't announced many product edition feature specifics, Windows Welcome Center isn't finished, localization isn't even close to being done, and the deployment tools won't even be released until after the RTM, making early corporate deployment a no-go until that's complete.  Why, Sysprep doesn't even roll back drivers with the Generalize option correctly.

It's not done.  Quit jones'n!  ;)

BTW Paul:  It's supposed to be spelled "frak" because it's meant to be a four-letter "f"-word, like that other one....

@alamfour:

It would only be less secure than Vista if you lowered the slider below that of Vista's setting.  Even with this fix, it will still mean trouble having it at the lower level by default....

>>He's nicer than I am<<

And your headline is nicer than Mary Jo's about the same problem.

The beta program worked beautifully.  The Microsoft beta testers found a problem.  Microsoft does not seem to understand the success.

Microsoft's ridiculous response makes me question their management team's competence.      

Viva Rafael Rivera and Long Zheng.

@Waethorn

It is less secure than Vista because the bar is lowered by default. An average user will not know how to change UAC to be more or less secure. The average user sites down in front of a PC to work or play not to tweak their system.

This change insures that while UAC will be less annoying than Vista was it won't compromise security.

I must say, Paul, I totally disagree with this post.

The first change (making the UAC applet run as high integrity) very well could have already been in the works. Rafael already stated on his blog that "birdies" told him the rundll32.exe issue has already been taken care of in internal builds - changing the UAC applet is a similar change. Do you have any other inside information to suggest otherwise?

You also claim that MS is not admitting that the feedback had anything to do with the changes, but what about this quote from the E7 blog?

"The second change is due directly to the feedback we’re seeing."

Seems like a pretty direct admission that they are reacting as a direct result of community feedback to me.  Now, sure, there's a bit of PR-speak going in to that post, but what do you expect from a large corporation?

Personally, I'm happy that Microsoft is actually taking user feedback this seriously. You may not be totally happy with how they've run the development process of Windows 7, but isn't this a step in the right direction from previous Windows releases?

Paul, that was actually a well written post by Jon and Steven over at the Engineering Windows 7 blog. And jonathanmarston is right - they do credit users for at least one of the changes. The first one, they say, was a bug. in the UAC code.

"The first change was a bug fix and we actually have a couple of others similar to that—this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we’re seeing."

Now, you can either choose to believe them and enjoy the product or you can complain about how they're not givine bloggers their due. Your choice!

Hopefully, we can all concentrate on the other hot topic now: the Windows 7 SKUs! (And of course, any topic that robertsjoe or --to a lesser extent-- Ocean deem worthy of discussion.)

its nice to see that it reckons its mistakes LOL :)  why dont you guys shift to linux atleast ......

"This change insures that while UAC will be less annoying than Vista was it won't compromise security."

Only security as far as the OS design.  The user still won't understand the consequences of their actions.  Vista did it right.

I hope the OPK has options to change the default UAC level, because I intend to move it up.

BTW:  Has there been ANY news about Morro lately?

I wonder if Mike's "consulting" job has to do with that....

I really think that the easiest option for Microsoft is to just take the existing Defender/Forefront Client Security UI, do a new colour scheme, rebrand it with a different logo, and just clean up the FCS agent installation routine (it's too complicated for the average Joe).  

Pretty simple.

Oh, and FCS installs and works fine on the Windows 7 beta.

@Waethorn - "I wonder if Mike's "consulting" job has to do with that...."

No, he is working on some voice recognition stuff, I think...

--tayme

@Waethorn - You are right...until users learn to understand what they are answering "Yes" to, that there will still be issues. Until users learn to use safe browsing habits...like staying away from P O R N sites, there will still be issues. As long as the mosquitos are still out there and people don't use Deep Woods Off, they will still get bitten and some will get malaria...regardless of if they are wearing long sleeves(Windows) or short sleeves(OS X/Linux).

--tayme

@Waethorn: Actually it is "frack" not "frak" as the word Paul is using is from a television show that called Battlestar Galactica.

"You are right...until users learn to understand what they are answering "Yes" to, that there will still be issues."

Some people ask me "why is Vista so annoying?".  When I explain UAC to them, they understand it.

"More annoying" = more secure IMO.

Microsoft still maintains that as a security best practise, no user should run day-to-day as an admin.  In that scenario, UAC is ideal, and Windows works just like *nix.

Also, I'm glad that they changed the behaviour of SBS 2008 so that users don't have to be local admins anymore.  That was a big problem.  Now user permissions work as they should.

Now let's take away more users' civil liberties!!!  :P

"Actually it is "frack" not "frak" as the word Paul is using is from a television show that called Battlestar Galactica."

If you mean the old one, I have no idea, but for the new show, the producers have already stated that it is supposed to be a "four-letter f-word".

www.sfgate.com/.../article.cgi

It appears that Microsoft is suffering from a chronic infection with the malware identified as:

"W32_gBushMistakeIncapable.A

After an eight year exposure it is no longer possible to perceive, let alone admit, mistakes....:-)

"And your headline is nicer than Mary Jo's about the same problem."

Umm, not really:

blogs.zdnet.com/microsoft

In fact, she has better words for Microsoft than Paul does:

"Kudos to the Windows brass for showing that the Windows beta process isn’t just for show. And kudos to Long Zheng and Rafael Rivera for keeping the pressure on the Windows team to do the right thing."

:-)

"W32_gBushMistakeIncapable.A"

That sounds like the new one that is out there - W32_bObamaChangeNotHappenning.A

It enters your system promising that it is going to change things for the better and not just use the same old tactics as in the past...then starts appointing old malware like Melissa and Slammer to do the dirty work.

--tayme

W32_gBushMistakeIncapable.A, W32_bObamaChangeNotHappenning.A

Ugh, they're both just derivatives of the W32_AllPoliticiansSuck.A trojan that is far more dangerous and pervasive.

@kenmcnamee - So true!!!

--tayme

@kenmcnamee:

That was funny... and true. :-)

"W32_gBushMistakeIncapable.A"

That sounds like this one:

OSX_AppleCanDoNoWrong.A

and the follow up:

OSX_ItsNotApplesFaultYouHaveNoProtectionAgainstMe.B

Why are we bashing Apple?

are you surprised at all by this??? look at what MS just did to the Xbox 360, they broke it with there HDMI update on Tuesday and now 360's everywhere are either RROD or like mine the HDMI just doesn't work anymore and I'm forced to use the component cables. everyone on multiple forums are complaining about it including myself and calling and MS is saying that they will fix it for 99 bucks!! total BS  I have never had an issue with my 360 and now after the Tuesday patch my HDMI is broke!! MS is the biggest bunch of backtracking lieing people I have ever seen!

Ars ran a post claiming that Windows 7 was going to go for $200...

They've now retracted it.  I wonder if they felt some pressure from MS...

Here is what they said:

lifehacker.com/.../windows-7-pricing-starts-at-200

"That sounds like this one:

OSX_AppleCanDoNoWrong.A

and the follow up:

OSX_ItsNotApplesFaultYouHaveNoProtectionAgainstMe.B"

Geez. These "OSX is just as insecure as Windows" claims are really interesting in that they avoid a little thing that we call "data".

There are no, none, zero, zilch, nada, null, bupkus, examples of any propagating worm, virus or malware for OSX in the wild, period, ever. Such things infest Windows computers in the millions, Macs none at all.

Note well: "In the wild" and "propagating". These are two terms that make a security issue of any sort MATTER. This may come to OSX someday, but in 10 years there are no examples.

There are---of course---examples human engineering trickery that get people to type in their admin password. There are numerous "theoretical vulnerabilities", there are controlled contests "pwn this Mac", but no examples at all, ever, anywhere or at any time in the history of OSX of the "in the wild propagating" strain.....the only one that matters.

So the real threat is the

Win_FUDSinceWeHaveNothingUsefulToSay.A

@chuckb84 - Actually, the real threat is the lack of speed in which Apple has responded to vulnerabilities. They have a track record that is well documented and have not improved on it. One day, if the OS X user community, which I am part of, does not use safe browsing, firewall, and other safegaurds, it will bite them in the A S S. Myself, I'm not worried...I am covered. I know plenty of OS X users that and have read the opinion of others, even here on this Windows centric site, that say they don't need any of that...it don't matter. Go ahead and be complacent about security...eventually it will get back at you.

--tayme

"There are no, none, zero, zilch, nada, null, bupkus, examples of any propagating worm, virus or malware for OSX in the wild, period, ever."

Then you're not looking too hard.  Two were released in the last two weeks.

"Ars ran a post claiming that Windows 7 was going to go for $200..."

Oooh, may I start a rumor too? Please?

I've heard from my sources within the company that Windows 7 cases will be plated with 7 kt gold. And Starter will cost $950 and not $200. My sources are more reliable than Ars' sources.

>>Oooh, may I start a rumor too? Please?

I've heard from my sources within the company that Windows 7 cases will be plated with 7 kt gold. <<

This isn't credible.  The Ars stuff *could* be true.  

This comment makes some sense:

lifehacker.com/.../windows-7-pricing-starts-at-200

    Windows Vista Ultimate with SP1 from Amazon, $234.99:

    [www.amazon.com]

    List price: $339.99

    -

    Windows 7 Ultimate from ARS Technica rumor mill,\

      $319:

      Probable street price for W7 Ultimate: ~$220

    -

    The ARS Technica prices seem to be in line with how      

    Microsoft prices Vista.

"This isn't credible.  The Ars stuff *could* be true.  "

Oh, yes. If I had been anonymous, maybe my statement would've been credible.

arstechnica.com/.../rumor-pricing-for-the-windows-7-editions.ars

"Update: Upon further reflection, we regret posting this rumor. The source was anonymous and not one of our usual, trusted tipsters."

So, stop being silly Ocean.

"  The ARS Technica prices seem to be in line with how      

   Microsoft prices Vista. "

That's the whole idea. When you want to start a rumor, make sure it's at least believable. Send it to enough rumor crazy sites and maybe one of them will publish it.

Ars is no rumor site...and they put the post back out there.  They un-retracted their retraction.

arstechnica.com/.../rumor-pricing-for-the-windows-7-editions.ars

....in other news:

Steve Wozniak just married Linus Torvalds in California in the first-ever Segway marriage.  IBM is broadcasting it in RealVideo G2 format via OpenSolaris on Hyper-V Server R2 beta on their new DeepAK WOPR-a system.

Ok, it's on the intertubes.  It must be true!

>>Steve Wozniak just married Linus Torvalds <<

Nope.  According to the same intertubes:

Steve:

Spouse(s) Alice Robertson (1976-1980)

Candice Clark (1981-1987)

Suzanne Mulkern (1990-2004)

Janet Hill (2008-***************Present******************)

Linus:

Spouse(s) Tove Torvalds

Some detailed information about Microsoft copying Apple's Dock. Including Microsoft's numerous infringements on Apple's patent.

www.appleinsider.com/.../exploring_windows_7_on_the_mac_the_taskbar.html

@Ocean:

I never said they were divorced.  Polygamy is legal in the state of California after all.

robertsjoe is their love-child too.

School must have let out early today for some reason...

--tayme

Pingback from  Links for February 6, 2009 &laquo; Steve Mullen&#8217;s Blog

>>robertsjoe is their love-child too.<<

Interesting.  Which gave birth?

"@Ocean:

I never said they were divorced.  Polygamy is legal in the state of California after all.

robertsjoe is their love-child too."

:-)

Ocean is right though. When there's conflicting information on the net, which is often the case, go with the one that supports your image of the individual / company in question. So, if you're Ocean or robertsjoe, all pro-Microsoft news is made up.

"Which gave birth?"

He was stillborn.

How many times do I have to say that I am a windows user who has never owned a Macintosh?

Good job Paul, Rafael, and Long and other Windows bloggers of note. And a tepid "good on ya" Microsoft for doing the right thing even though you won't admit it.

As long as we're posting random links for no reason, www.infoworld.com/.../Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

chuckb84 said,

"Geez. These "OSX is just as insecure as Windows" claims are really interesting in that they avoid a little thing that we call "data".

There are no, none, zero, zilch, nada, null, bupkus, examples of any propagating worm, virus or malware for OSX in the wild, period, ever. Such things infest Windows computers in the millions, Macs none at all."

10 seconds of research and totally wrong.

Worms, virus and malware in the wild for OS-X.

February 16, 2006 - 1st every Mac OS-X trojan discovered in the wild. OSX/Leap-A or OSX/Oompa-A.

October 2008. iPhone users vulnerable to to URL spoofing attack.

ithreats.wordpress.com/.../iphone-vulnerable-to-url-spoofing-attack

November 2008 - OSX/Jahlav, OSX/Lamsev.A, OSX DNSChanger in the wild.

community.ca.com/.../new-trojans-strike-os-x.aspx

ithreats.wordpress.com/.../about-recent-osx-trojan

Some were even evading anti-virus.

ithreats.wordpress.com/.../osxjahlav-evading-scanners-detection

January 22, 2009 - OSX.Trojan.iServices.A released in tthe wild in pirated copies of iWork 2009.

ithreats.wordpress.com/.../update-iworkservices-not-just-a-trojan

January 27, 2009 - OSX.Trojan.iServices.B found in pirated Photoshop CS4. Variant Krowi found installs DivX.

ithreats.wordpress.com/.../latest-os-x-threat-krowi-installs-divx

Rogue software malware? Check.

ithreats.wordpress.com/.../macsweeper-first-rogue-application-in-mac

Need more information on 2008 OS-X threats. I got ya some.

ithreats.wordpress.com/.../os-x-vulnerability-in-2008

As you can see, there are plenty, credible, and real threats to OS-X. None at all you say Chuckb84? Just ask the 20,000 or so who found the hard way that OSX.Trojan.iServices.A was very real.

If you wish to roll the dice without anti-virus, then maybe you've already acquired OSX.ignoranceisbliss.A. I hear this one is very contageous.