Coffeehouse Thread

184 posts

UAC controversy - the last episode!

  • wastingtimewithforums

    That's it, the final word is spoken:

    http://www.osnews.com/story/21653/Microsoft_Won_t_Fix_Windows_7_s_UAC

    Well, at least it's over. Symantec employees cry for joy, their jobs are safe for at least five more years.

  • RoyalSchrubber

    If it is any consolation to you, most Linux distributions that use bash as default scripting language are vulnerable too..

    https://bugs.launchpad.net/ubuntu/+bug/127116

    2 years, marked invalid :)

  • ManipUni

    Pretty depressing. Microsoft has undone all of its good work in Vista just to make the idiots happy. Windows 7 for most users will be as bad as XP has been.

  • Bass

    Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured than some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensitive information, nor to open sockets, or access the keyboard and mouse.

    You people suck at teh hax0r if you think UAC or root/user separation makes much of a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

  • AndyC

    RoyalSchrubber said:

    If it is any consolation to you, most Linux distributions that use bash as default scripting language are vulnerable too..

    https://bugs.launchpad.net/ubuntu/+bug/127116

    2 years, marked invalid :)

    Not really, that bash "vulnerability" is dubious at best....

    It's disappointing to see Microsoft backing down on UAC, I think the majority of people aren't actually as bothered about the prompts as a handful of whiny bloggers would suggest, and whether they are prepared to admit it or not it certainly reduces the effectiveness of UAC (a quick scan of the MSDN forums reveals swathes of programmers trying to circumvent UAC, not because they're malicious, but because they don't see the need to fix LUA issues).

    Naturally, I'll be running UAC at its full setting and I'll just have to deal with the broken apps, because they will be inevitable. And Standard User Accounts will continue to be a pain in Windows because Microsoft continue to miss the point on this issue, albeit probably quite deliberately in the face of yet another swathe of Vista-esque bad publicity.

  • PaoloM

    Bass said:

    Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured than some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensitive information, nor to open sockets, or access the keyboard and mouse.

    You people suck at teh hax0r if you think UAC or root/user separation makes much of a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

    ++

  • ManipUni

    Bass said:

    Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured than some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensitive information, nor to open sockets, or access the keyboard and mouse.

    You people suck at teh hax0r if you think UAC or root/user separation makes much of a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

    Because those types of issues can be removed. A rooted system is a reinstall.

  • PaoloM

    ManipUni said:
    Bass said:
    *snip*

    Because those types of issues can be removed. A rooted system is a reinstall.

    Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

  • AndyC

    PaoloM said:
    ManipUni said:
    *snip*

    Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

    So why bother with UAC at all? Why don't we just go back to a crappy single-user version of Windows and be done with it?

    Yes, a user's data is the most valuable thing on the machine (to that user) but allowing the OS to be deeply compromised enables malware to do things other than just compromise the data on the machine and the end result may be far more harmful.

  • ManipUni

    PaoloM said:
    ManipUni said:
    *snip*

    Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

    Because people write spyware to destroy those pictures of your family trip? Give me a break...

    By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

    The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

    No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

     

  • blowdart

    ManipUni said:
    PaoloM said:
    *snip*

    Because people write spyware to destroy those pictures of your family trip? Give me a break...

    By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

    The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

    No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

     

    No, but people write spyware to lift "My Documents" and the internet cache.

  • Sabot

    ManipUni said:
    PaoloM said:
    *snip*

    Because people write spyware to destroy those pictures of your family trip? Give me a break...

    By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

    The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

    No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

     

    "No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc)."

    Did you mean to say that Manip ... I'll give you a moment to think about this statement, you can go ahead and change it because I would if I was you! Because strong UAC is sure as heck not going to stop a whole load of other vulnerabilities that AV also protects against. 

  • Ray7

    I've suddenly realised what Microsoft is talking about! We've been looking at it from the wrong side.

    The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

    Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

     

  • ManipUni

    Sabot said:
    ManipUni said:
    *snip*

    "No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc)."

    Did you mean to say that Manip ... I'll give you a moment to think about this statement, you can go ahead and change it because I would if I was you! Because strong UAC is sure as heck not going to stop a whole load of other vulnerabilities that AV also protects against. 

    Well I am going too far. Anti-Virus will always have a place. But what I mean is that when something nasty is run as a user that is almost harmless to the safety of the system as a whole. If the user doesn't accept that UAC prompt they're safe. In an environment like that, some users could live without AV.

    So for example a system with no personal data (web-access slave system) without an admin account could very much live without AV. I'd still recommend it though :)

  • Larry Osterman

    Ray7 said:

    I've suddenly realised what Microsoft is talking about! We've been looking at it from the wrong side.

    The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

    Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

     

    ***DING*** ***DING***  Give the man a ceegar.

    UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

    And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

    The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.
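
A read-only check of the prompting level discussed in the post above, as an added example that is not part of the thread. The registry value names and their meanings are not from the thread; they are the standard UAC policy values, and the sample settings are constructed. The Vista-level prompting the post refers to corresponds to "Always notify".

```powershell
# Added example. Value names are the standard UAC policy values, not from the thread.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptLevel {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value means the OS default applies; do not coerce $null to 0.
    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin) {
        return 'value not set (OS default applies)'
    }
    if ($EnableLUA -eq 0) { return 'UAC off (Admin Approval Mode disabled)' }

    $desktop = if ($PromptOnSecureDesktop -eq 1) { 'secure desktop' } else { 'user desktop' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'silent elevation for administrators' }
        1 { return 'credential prompt, secure desktop' }
        2 { return 'consent prompt on every elevation, secure desktop (Always notify)' }
        3 { return "credential prompt, $desktop" }
        4 { return "consent prompt on every elevation, $desktop" }
        5 { return "consent prompt for non-Windows binaries only, $desktop (Windows 7 default)" }
        default { return "unrecognised value $ConsentPromptBehaviorAdmin" }
    }
}

# Constructed sample settings, so the classification can be read without a Windows host.
$samples = @(
    @{ Name = 'always-notify'; LUA = 1; Admin = 2; Desktop = 1 },
    @{ Name = 'win7-default';  LUA = 1; Admin = 5; Desktop = 1 },
    @{ Name = 'no-dimming';    LUA = 1; Admin = 5; Desktop = 0 },
    @{ Name = 'never-notify';  LUA = 1; Admin = 0; Desktop = 0 },
    @{ Name = 'uac-disabled';  LUA = 0; Admin = 0; Desktop = 0 }
)
foreach ($s in $samples) {
    '{0,-14} {1}' -f $s.Name, (Get-UacPromptLevel $s.LUA $s.Admin $s.Desktop)
}

# Live check of the local machine (read-only).
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    'this machine   ' + (Get-UacPromptLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop)
}
```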

     

     

  • Charles

    Ray7 said:

    I've suddenly realised what Microsoft is talking about! We've been looking at it from the wrong side.

    The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

    Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

     

    Please watch and understand this: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

    Learn.

    C

  • intelman

    WTF is UAC anyways. Is it a security feature or not? 

    http://blogs.msdn.com/uac/

    "User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn."

    Actually Within Windows has just written about this...

    http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/

    UAC in its "annoying" original state was great. At this point I am not even sure Microsoft knows what they want to define UAC to be. I am pretty sure it is meant to be a security feature...

  • ManipUni

    Larry Osterman said:
    Ray7 said:
    *snip*

    ***DING*** ***DING***  Give the man a ceegar.

    UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

    And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

    The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

     

     

    Maybe that's Microsoft's problem right there.

    UAC isn't a security feature but perhaps it should be. Remove users' ability to log in to admin accounts EVER (ex. Server) and have UAC escalate on request. But as I'm sure you are well aware a program running as an admin-user even with UAC enabled still has far too many liberties which is why Windows design changes need to be made.

    This isn't stuff that will happen in Win 7. Heck this isn't stuff that will happen for a long time. But in the meantime leave UAC on and start knocking out admin-user features one by one and move them to the admin-admin UAC prompt "zone" of security.

    PS - Charles, I will watch the video later today :)
