Microsoft response to UAC 'issue'

Twitter Trackbacks for Microsoft response to UAC 'issue' - SuperSite Blog [winsupersite.com] on Topsy.com

Fri, 28 Aug 2009 21:28:43 GMT

Pingback from Twitter Trackbacks for Microsoft response to UAC 'issue' - SuperSite Blog [winsupersite.com] on Topsy.com

4sysops - Windows 7 UAC vulnerabilities

4sysops - Windows 7 UAC vulnerabilities — Fri, 06 Feb 2009 23:15:17 GMT

Pingback from 4sysops - Windows 7 UAC vulnerabilities

Windows 7 Help & More

Windows 7 Help & More — Fri, 06 Feb 2009 02:48:43 GMT

Pingback from Windows 7 Help & More

4sysops - visionapp vRD 2009 released - Windows 7 UAC issue - Windows 7 RTM - Vista SP1 and XP SP3 blocker tool expires

Tue, 03 Feb 2009 01:13:23 GMT

Pingback from 4sysops - visionapp vRD 2009 released - Windows 7 UAC issue - Windows 7 RTM - Vista SP1 and XP SP3 blocker tool expires

Links for February 2, 2009 (Ground Hog Day) « Steve Mullen’s Blog

Links for February 2, 2009 (Ground Hog Day) « Steve Mullen’s Blog — Mon, 02 Feb 2009 20:56:06 GMT

Pingback from Links for February 2, 2009 (Ground Hog Day) « Steve Mullen’s Blog

WinPatrol v16 Monitors Changes to UAC « BFC Blog

WinPatrol v16 Monitors Changes to UAC « BFC Blog — Mon, 02 Feb 2009 12:04:54 GMT

Pingback from WinPatrol v16 Monitors Changes to UAC « BFC Blog

Security Cadets » WinPatrol v16 Monitors Changes to UAC

Security Cadets » WinPatrol v16 Monitors Changes to UAC — Mon, 02 Feb 2009 02:58:23 GMT

Pingback from Security Cadets » WinPatrol v16 Monitors Changes to UAC

re: Microsoft response to UAC ‘issue’

shark47 — Sun, 01 Feb 2009 19:38:20 GMT

Oh dear. I just ran the code that Raf has posted on his blog. The scary part is, like Long Zheng says, that even a low privileged application can turn off UAC. This is serious. I hope Microsoft fixes it before Windows 7 is RTMed.

re: Microsoft response to UAC ‘issue’

Victek — Sun, 01 Feb 2009 18:11:48 GMT

"This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level."

This is an example of if you say something with sufficient self-confidence and assertiveness it will cause others to suspend common sense and agree, but it's still wrong. In fact it's offensively stupid.

re: Microsoft response to UAC ‘issue’

timiteh — Sun, 01 Feb 2009 17:51:26 GMT

I understand why Microsoft gave the opportunity to tamper UAC with Windows 7 but it is the wrong approach.

A significant share of people who have been complaining about UAC,since Vista release, were among those who complain about the lack of security of pre Vista version of Windows.They would be also among those who would complain the loudest about the security problems brought by the optional tampering of UAC. Thus they would complain whatever Microsoft did. Considering this the best Microsoft can do is to do what is right. In the context they should let UAC behave like it behaves with Vista or even make it more "annoying" by requiring password for some critical tasks even for administrators.

Then Microsoft must find smart and innovative way to deal with the problems linked to legacy Windows versions behavior and legacy applications which are,among other things, responsible of the true troubles linked to UAC.

I hope that they will find them before releasing Windows 8.

re: Microsoft response to UAC ‘issue’

realtestman — Sun, 01 Feb 2009 17:31:14 GMT

tayme, you mentioned that OS X lets you lock the system settings so that you require a password and you stated that it would be nice if Windows did the same. Windows already does. If you make everyone use a limited account, then if they change a setting they will have to put in a password. No changes to Windows are needed.

re: Microsoft response to UAC ‘issue’

whiplash55 — Sun, 01 Feb 2009 15:49:45 GMT

@subzerohitman

I believe you can get the Norton UAC tool stand alone .www.nortonlabs.com/.../uac.php I have to say after being a Norton hater for years the 2009 version is quite good. I think it might use less resources than the new AVG with seemed to have gained a little bloat. If I pay for security software I like Eset NOD 32 been using it for years, and it has always done a good job.

re: Microsoft response to UAC ‘issue’

DRWAM — Sun, 01 Feb 2009 14:51:22 GMT

Sub, MS was referring to me, and people like me. We're the doofuses that install stuff without much thought. Even though I scanned the 'free disc utility' twice, I still installed a trojan. It was my fault. So maybe MS is not too far off the mark on this one. We shall see.

Go Steelers!

re: Microsoft response to UAC ‘issue’

lketchum — Sun, 01 Feb 2009 09:11:03 GMT

It's very clear that Microsoft's explanation is quite correct. Period. End of story. It was more than a bit alarmist to have presented the original "vulnerability" in the context of some kind of breach or flaw.

Since UAC was originally announced its role and function within user space has been clear and this nonsense that it is a boundary has to stop. It is an alerting mechanism designed to inform the logged user of impending changes - and nothing more.

Similarly, the idea that what appear to be similar functions in OS X and other *nix are somehow superior, seems silly - they are entirely different things. On the *nix privilege elevation takes place and persists opposite a simple read, write, execute model. Unlike on Windows where UAC may be exposed to policy objects and much more granular control, OS X and other *nix adhere to an archaic model that is not only less secure, it is far more difficult to manage centrally.

I can imagine that more than one fist found its way to slamming more than one desk up in Redmond when this matter was presented here and elsewhere as it was. I was equally miffed - explaining things in a way small business customers understand well is hard enough and that kind of rubbish made 07 and 08 hard enough on partners in the channel with Vista. As an industry, we have to beg two things: "If you do not know what you're writing about, don't publish it" and "if you do not know what you are talking about, ask questions." - less clickety clickety and more journalism, please.

re: Microsoft response to UAC ‘issue’

subzerohitman721 — Sun, 01 Feb 2009 07:50:26 GMT

@whiplash55

I agree with you. But I would really not want to start using Norton again. I stopped using them in 2003 and really have no desire to.

Maybe AVG will come up with something.

However, VB is taught in High School. I shudder at the possibility of some loser with too much spare time compromising Windows 7. Or the proof of concept code falling into worse hands.

I did post a blog response on the Engineering Windows 7 blog. I hope many on here will follow suit and let Sinofsky and Company some pressure to change this.

http://blogs.msdn.com/e7