Norton Takes on Vista's User Account Control

re: Norton Takes on Vista's User Account Control

mikegalos@msn.com — Sat, 11 Oct 2008 13:46:44 GMT

PatriotB6007

It's actually even worse than that. In the example, if app XYZ is Internet aware as most apps are these days then you don't need a vulnerability in both the browser and XYZ.

You could have the case where XYZ phones home for an update and the XYZCorp update server has been spoofed (say a man in the middle attack). The XYZ app updates itself with the exploit with no prompt (the goal of the Symantec app) and now runs the exploit code.

So far, this wouldn't be something that UAC would have saved you from since you were expecting the update so you'd have said OK anyway. The problem, though, is that now the pwned XYZ is running the exploit with Admin privs and is able to do lots of evil nasty stuff with no UAC prompts to let you know that the app has been hijacked. This is where UAC would normally prevent damage but the "don't show again" neutered UAC happily lets the pwned app destroy your system without warning.

re: Norton Takes on Vista's User Account Control

mikegalos@msn.com — Sat, 11 Oct 2008 13:33:36 GMT

PatriotB6007

Exactly right.

It isn't as though the people at Microsoft didn't think about "mark this as safe". It's an obvious optimization. The problem is that it's also an insecure optimization.

Maybe Symantec has some really neat trick behind the covers that solves the problem.

Maybe.

But, nothing on their site suggests that they have. And that makes this tool potentially a serious security hole.

re: Norton Takes on Vista's User Account Control

gorath — Sat, 11 Oct 2008 13:15:28 GMT

How insane are Symantec?

Weren't they one of the loudest voices moaning about Vista's locked down kernel as well? And, therefore one of the main reasons why Vista x86 DOESN'T have a locked down kernel?

And people still trust these morons with their PC's security?

re: Norton Takes on Vista's User Account Control

PatriotB6007 — Sat, 11 Oct 2008 09:10:16 GMT

"Don't ask me again" is a very dangerous feature which leaves your system wide open for elevation of privelege attacks. As I commented on a ZDNet blog yesterday:

>>>

The problem with "don't ask me again" is that the system has to know that *you* specifically are the one taking the action requesting the prompt. I'm curious if these Symantec prompts make any attempt to determine this, otherwise it's a giant elevation of privelege hole.

Let's say there's an unpatched code execution vulnerability in my web browser and I go to a site that tries to exploit it. My browser runs at low integrity (IE) or regular/medium integrity (Firefox), and so I know that any exploit can't do anything administrative without my permission because a UAC prompt would need to appear first.

However, what if they try to launch something that I'd already said "don't ask me again" for? Is Symantec smart enough to know that the request didn't really come from me? It's really, really hard to determine the difference between the exploit case and a legitimate case.

talkback.zdnet.com/5208-12554-0.html

<<<

A reply from "davewood [MS]" (Microsoft employee it would seem) agreed, and mentioned that this also opens the door for application installers to pre-mark the apps they install in the "don't ask" category.

This enables the following elevation of privelege attack:

1. I run the installer for app XYZ.

2. The installer marks XYZ as "don't ask".

3. An attacker discovers upon two exploits, one in my web browser and one in XYZ.

4. I stumble upon a malicious site which uses the browser exploit to cause my browser (which is NOT running as admin) to launch XYZ.exe, feeding it specifically-formed data e.g. via a command line parameter of a file or URL to open.

5. XYZ silently elevates to Administrator, and the malicious data hits the vulnerability in XYZ and causes the attacker's code to run, with full administrative privileges. Pwned.

re: Norton Takes on Vista's User Account Control

lilserenity — Sat, 11 Oct 2008 08:02:35 GMT

I haven't switched off UAC and don't understand why it's regarded as annoying. Granted I have only used Vista on my main desktop PC since SP1, but I have found it no more 'annoying' than Mac OS X or Linux systems I also use. It pops up in about the same places, when you install something, or when you want to change a sensitive control panel setting.

That's been it. It certainly hasn't popped up in places where I wouldn't expect it. All in all, I can only imagine the people with the most problem with it are those who have run 2000/XP boxes with Administrator accounts (which is a heck of a lot) but to my mind, I have no reason to disable UAC.

I guess I am used to this kind of prompting.

re: Norton Takes on Vista's User Account Control

animositysomina — Sat, 11 Oct 2008 05:32:46 GMT

Are you guys sure the screenshots we've already seen for Windows 7 UAC settings will make this utility moot? I don't think so because I haven't seen any Win 7 screenshots showing options like "don't display this UAC prompt for this application again" and this is what Norton's UAC utility is trying to achieve. Which may make it extremely useful utility for Win 7 despite what Sir_Timbit says

re: Norton Takes on Vista's User Account Control

whiplash55 — Sat, 11 Oct 2008 05:15:37 GMT

I guess I have give them credit when credit is due. The latest Symantec Antivirus 2009 does not slow down my computer any more than AVG 8.0. I think they're starting to get it.

re: Norton Takes on Vista's User Account Control

subzerohitman721 — Sat, 11 Oct 2008 03:16:14 GMT

I switched off Symantec in 2003, and this is just another reason to boycott Symantec.

And turning off the UAC? How foolish can you be? It also deactivates several other safety features within Vista, leaving you more vulnerable. How in the hell can you make an argument about Vista and the UAC, when today's 50 additional patches to Leopard brings this year's grand total of OS-X patches to over 250! (Since Symantec also deals with Mac security, it makes it a very relevant discussion point.) Yet we have these morons running around saying to switch off of Vista? Don't make me laugh.

If anything Symantec needs to know its role and fix its junky anti-virus solutions. Thats why people would rather use AVG or One Care Live, because it doesn't bring your computer down to limping with an injury speeds. With so many free solutions that run better, Symantec doing this crap just makes it more and more irrelevant.

Paul, I'd do this little Symantec tool in virtualization with a virtualized Vista. I wouldn't want Symantec running in any decent system.

re: Norton Takes on Vista's User Account Control

Sir_Timbit — Sat, 11 Oct 2008 00:40:20 GMT

Really, just how useful is this product? I've been wary of Symantec stuff for a couple of years now, if only because they need to offer standalone uninstallers because their built-in ones can't do the job. And the screenshots we've already seen for Windows 7 UAC settings will make this utility moot.

re: Norton Takes on Vista's User Account Control

mikegalos@msn.com — Fri, 10 Oct 2008 22:23:33 GMT

RunTimeError

I don't think in terms of "one of my own"

I think of it as the equivalent of somebody in the auto industry saying, "I do not use seat belts for my cars. I am quite capable of making informed decisions about how I drive without some idiotic, poorly designed tool getting in my face and disrupting my driving all too often. "

Encouraging people to turn off safety features for no better reason than bravado is irresponsible. (And, in this case, shows a lack of understanding about both how UAC works and the things it does besides the security prompts)

re: Norton Takes on Vista's User Account Control

yert — Fri, 10 Oct 2008 21:57:08 GMT

What’s more, because the UAC may give a false sense of security since other processes can still access the desktop, it actually raises security concerns.

This is a straight out lie. UAC runs on a Secure Desktop by default. Microsoft should sue Norton for this false advertising that could damage their brand.

And if Norton can't understand UAC, what makes you think they could do one better?

Najlepsze Programy, Recenzje, Informacje. » Blog Archive » Norton Takes on Vista's User Account Control

Fri, 10 Oct 2008 21:52:51 GMT

Pingback from Najlepsze Programy, Recenzje, Informacje. » Blog Archive » Norton Takes on Vista's User Account Control

Norton Takes on Vista's User Account Control

Norton Takes on Vista's User Account Control — Fri, 10 Oct 2008 21:43:16 GMT

Pingback from Norton Takes on Vista's User Account Control

re: Norton Takes on Vista's User Account Control

lotsamystuff — Fri, 10 Oct 2008 20:57:33 GMT

"You even beat down on your own."

I'm sure Waethorn does. Regularly.

(I know. Childish. But really, that was just too easy.)

re: Norton Takes on Vista's User Account Control

RunTimeError — Fri, 10 Oct 2008 19:41:29 GMT

Mike and Weathorn.

Sheesh. You just just can't stop can you. You even beat down on your own.