Linked by Thom Holwerda on Sat 31st Jan 2009 10:45 UTC
Privacy, Security, Encryption Yesterday, we reported on the security flaw in Windows 7's UAC slider dialog, and today, Microsoft has given a response to the situation, but it doesn't seem like the company intends to fix it. "This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level." I hope this reply came from a marketing drone, because if they intend on keeping this behaviour as-is in Windows 7 RTM, they're going to face a serious shitstorm - and rightfully so. Let's hope the Sinfoskies and Larson-Greens at Microsoft rectify this situation as soon as possible.
Permalink for comment 346400
To read all comments associated with this story, please click here.
RE[6]: Not that serious
by Nelson on Sat 31st Jan 2009 18:25 UTC in reply to "RE[5]: Not that serious"
Member since:

Here's another point which disproves any argument anyone could possible have towards this:

Let's set a few things off the bat:

1) An unsigned Application requires Elevation to run
2) VBScript embedded into a malicious installer would require Elevation to run

Now, your argument is this:

If it promises nude pics of Angelina Jolie, they WILL run it!

So from that, we can make point 3:

3) The user will elevate the Application

Now, the point I'm making, the point which shatters every argument against Microsoft's judgment on this, takes 1, 2, and 3 into account.

Now, let's say the user runs the malicious program, UAC pops up, and he clicks through it (As you claim he would).

Now what happens? The Application is run in elevated mode, where UAC will not popup for that Application's lifetime REGARDLESS.

This means, once an Application has elevation, UAC does not ask it again for another action in the system.

Test this by running an Application to perform SendKeys on Vista, where UAC protects system settings.

What will happen if you run it normally? UAC will pop up and stop you. Hooray! Right? Well it gets interesting.

Now run the Application and require UAC to elevate (You can do this in Visual Studio by exporting a MANIFEST file with your Application)

What happens when the SendKeys tries to disable UAC? No dialogs? What!? How can this be?

Is it magic? No it's common sense.

The fact that Applications are required to be elevated by UAC renders this entire, ridiculous claim of an exploit to be a moot point.

You can mod this down to hide the facts, but these are the facts. This is the truth. You can test all of this on your own Vista machine if you doubt the legitimacy of anything that I say.

Take the fanboy glasses off for a change people, and look at the cold hard facts. This is nothing but a headline grabbing article to post during a slow news day.

Reply Parent Score: 5