Not too long ago, we ran a story informing you of how the auto-elevation feature in Windows 7 is broken in a way that allows malicious programs to silently gain administrative privileges. We wondered if Microsoft was ever going to fix this one before Windows 7 goes final, and even though we’re not there yet, a recent article by Mark Russinovich seems to imply pretty strongly that no, Microsoft is not going to fix this.
After lots and lots of user complaints about how people were annoyed by UAC prompts in Windows Vista, Microsoft gave in to the whiners, and created something called auto-elevation, which allows certain parts of the system to auto-elevate themselves without bringing up any UAC prompts. This way, Microsoft was able to bring down the number of prompts.
A clever programmer – not a security researcher – quickly found out that this was a pretty braindead decision by Microsoft, as any program can now quickly, easily, and silently bypass UAC completely by injecting code into the memory of another process that has auto-elevation capabilities, using standard, documented APIs. Some noted that this only works for administrators and not for standard user accounts, but since Microsoft still defaults to administrator accounts, that point becomes a bit moot.
The way to fix this issue is pretty simple: set the UAC slider back to its topmost, Vista-like level, which disables auto-elevation and removes the threat completely. As such, I always advise people to do so. The question has always been: Will Microsoft fix this?
A recent article on UAC in Windows 7 by Mark Russinovich seems to indicate that no, Microsoft is not going to fix this. First, he explains that even without auto-elevation, there are several ways malware can take advantage of unsigned executables asking for higher privileges. However, Russinovich adds, it’s hard for malware to get on the system in the first place. “Windows has many defense-in-depth features, including Data Execution Prevention (DEP), Address Space Load Randomization (ASLR), Protected Mode IE, the IE 8 SmartScreen Filter, and Windows Defender that help prevent malware from getting on the system and running.”
Still, if malware were to get on a system anyway, it could get past UAC, auto-elevation or not. He also reiterates that even without administrative privileges, malware can still do just about anything malware wants to do these days, such as joining a botnet or messing with user files, data, and input.
With this in mind, Russinovich continues, and addresses the specific code injection flaw we talked about:
Several people have observed that it’s possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren’t trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.
The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (“Vista mode”), and malware that assumes administrative rights will still break when run in Windows 7’s default mode.
This confused me. The methods he described all require elevation prompts to pop up at some point, while the auto-elevation code injection is completely silent. What this means is that Windows 7’s default UAC level is definitely less secure, as it introduces a method for malware and applications to elevate without ever triggering UAC – something that was not possible on Vista.
Throughout the article, Russinovich reiterates that UAC should not be seen as a security barrier, but no matter how often Microsoft brings this up, it still doesn’t make any sense to me. Microsoft has often stated that UAC is a security barrier, but whenever it doesn’t suit them to see it as such, they claim something else completely.
Even if they originally did not design it to be a security barrier, it does seem to be the case that it has turned out to be one. I’d say that instead of trying to convince the world that it’s not, they should just roll with it, improve UAC so that the mentioned holes get plugged, and use it to aid in marketing.
At the end of the day, Microsoft blogger Rafael Rivera said it best. “Here’s my million dollar question: If UAC wasn’t designed to ultimately protect us from anything, why does its icon resemble a damn shield?”
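The article’s fix is a configuration change, so it can be checked. The PowerShell below is an added example, not code from the article or from Microsoft: it maps the registry values behind the UAC slider to a level and flags whether elevation without a prompt is possible. The function name, level labels and sample rows are this example’s own; the value meanings (ConsentPromptBehaviorAdmin 2 = prompt for consent on the secure desktop, 5 = prompt only for non-Windows binaries, 0 = elevate without prompting) are taken from Microsoft’s documented UAC policy settings, not from this page.

```powershell
# Added example: classify the UAC slider position from its policy values.
# Get-UacSliderLevel and the level labels are names made up for this example.

function Get-UacSliderLevel {
    param(
        [Parameter(Mandatory = $true)] [int] $EnableLUA,
        [Parameter(Mandatory = $true)] [int] $ConsentPromptBehaviorAdmin,
        [Parameter(Mandatory = $true)] [int] $PromptOnSecureDesktop
    )

    # Default: a policy-only value (1, 3 or 4) that still prompts every time.
    $level  = "Custom policy value $ConsentPromptBehaviorAdmin (prompts for every elevation)"
    $silent = $false

    if ($EnableLUA -eq 0) {
        # UAC is off entirely: administrators always run with a full token.
        $level  = 'UAC disabled'
        $silent = $true
    }
    else {
        switch ($ConsentPromptBehaviorAdmin) {
            0 {
                $level  = 'Never notify'
                $silent = $true
            }
            2 {
                # Topmost, Vista-like setting the article recommends.
                $level = if ($PromptOnSecureDesktop -eq 1) {
                    'Always notify'
                } else {
                    'Always notify (prompt on user desktop)'
                }
            }
            5 {
                # Windows 7 default: Windows binaries are exempt from prompts,
                # which is the auto-elevation behaviour the article discusses.
                $level = if ($PromptOnSecureDesktop -eq 1) {
                    'Default (auto-elevation for Windows binaries)'
                } else {
                    'Default, do not dim desktop (auto-elevation for Windows binaries)'
                }
                $silent = $true
            }
        }
    }

    New-Object PSObject -Property @{
        Level                   = $level
        SilentElevationPossible = $silent
    } | Select-Object Level, SilentElevationPossible
}

# Constructed sample rows, one per slider position, so the function can be
# exercised on any machine.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

# Live check: read the same values from the local machine when the key exists.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path -Path $key) {
    $p = Get-ItemProperty -Path $key
    if ($null -eq $p.EnableLUA -or $null -eq $p.ConsentPromptBehaviorAdmin) {
        # A missing value must not be read as 0 ("never notify").
        Write-Warning 'UAC policy values are missing; cannot classify this machine.'
    }
    else {
        Get-UacSliderLevel -EnableLUA $p.EnableLUA `
            -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
            -PromptOnSecureDesktop ([int]$p.PromptOnSecureDesktop)
    }
}
```

Run across a fleet, any row where SilentElevationPossible is True marks a machine that has not been moved to the topmost slider setting.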
From the article, re displaying UAC prompts in ‘secure desktop’ mode:
“The use of another desktop also has an important application compatibility purpose: while built-in accessibility software, like the On Screen Keyboard, works well on a desktop that’s running applications owned by different users, there is third-party software that does not. That software won’t work properly when an elevation dialog, which is owned by the local system account, is displayed on the desktop owned by a user.”
Am I right in interpreting the ‘important application compatibility purpose’ as forcing those 3rd parties to update their software?
To answer myself: from later in the article: Win7 has a new UAC setting ‘do not dim my desktop for UAC prompts’. “The only difference between that and the default mode is that prompts happen on the user’s desktop rather than on the secure desktop. The upside of that is that the user can interact with the desktop while a prompt is active, but as I mentioned earlier, the risk is that third-party accessibility software might not work correctly on the prompt dialog.”
So, counter-intuitively, having the UAC prompt on a separate desktop does work with old 3rd party software, but having it on the user’s desktop may not.
Well my job is secure for the next five years.
Please, let’s not make this more dramatic than it is. Your job was always safe.
There are always idiots that need help with the “any” key.
I said it once and I’ll say it again.
Microsoft is just stupid. Any .exe the (normal) user (the vast majority) starts can now in effect install a rootkit and hide itself from any anti-malware measure.
With proper UAC that major security hole wouldn’t be possible.
Epic epic fail.
But it will keep the Windows support industry alive and well. And it will keep malware authors producing windows malware instead of trying other platforms.
There are always two sides to every story.
Care to explain what is so different with Windows’ UAC and Ubuntu’s sudo-usage in which only the user password is prompted?
For an outsider observer these two are quite identical in their overall design patterns.
(Please do catch the intended sarcasm also.)
Because in Ubuntu the user is actually a limited user – they are a regular user with full restrictions and the sudoers is a request for elevation.
Windows users are still set up as Administrators (or PowerUsers – whichever the case, they get far too many privileges) with UAC merely being a ‘stop and consider’ sign along the way rather than real privilege separation. If Microsoft were really serious about security – all users by default would be set up with a Limited User account from the moment the operating system is installed.
Microsoft could have done this, but they chose instead for the half baked half assed approach all for the sake of software compatibility – yet another example of Microsoft failing to grasp security and failing to live up to the promise after Windows XP SP2 was released that they would put security and correctness before compatibility. Well, they’ve failed to live up to the standards that they set for themselves.
Edited 2009-06-11 13:34 UTC
Why don’t they do this? It wouldn’t affect compatibility too much, and when it did, they could actually prompt for elevation. Also, “Standard User” is the default when you add a new account in Windows. I might be preaching to the choir, but it might make more sense to enable administrator account WITH UAC turned on and then create a limited user that prompts for elevation, as it already does in limited user accounts.
I’m not too clued in to the exact nature of why they didn’t pursue it – I assume that compatibility was a major factor given they hadn’t pursued it previously. If all it required was an elevation of privileges that could have been achieved manually simply by right clicking and selecting, “run as administrator”.
This goes right back to the fundamental flaws with Windows, specifically, everything that sits above the kernel. The kernel itself is sound, it is the garbage that sits on top which was a hacked retrofit of a flawed user space. Until Microsoft completely gets rid of the user space and replaces it with either a user space from another operating system (BSD) or creates one from scratch – things will just keep getting worse as Microsoft tries half-assed hacks to work around fundamental design flaws.
Edited 2009-06-11 22:27 UTC
That’s a pretty bold statement by someone who doesn’t work there and hasn’t been involved in this decision. I suppose all the millions of dollars spent on re-architecting Windows, changing developer mindset/culture and their development workflow to focus on security, plugging Windows even further, adding new lines of defense, education of users and so on is all a big joke.
In this particular case of UAC default levels I agree with Thom that it should be all the way up. Mine is and I haven’t had a single issue, but, the fact that Microsoft do not agree doesn’t qualify them to not be taking security seriously.
It’s become and will continue to increasingly be a commercial risk for any OS vendor to not take security seriously. It’s pretty obvious Microsoft realize this.
Were you involved? If not, what makes your point any more valid? If you were involved then you should hang your head in shame for making such a massive ball of crap and subjecting customers to all the misery that comes with Windows.
You’ve had almost 8 years by the time Windows 7 is released to fix the fundamental flaws with Windows – but you chose backwards compatibility over getting it right.
Re-architecture? It isn’t completed yet! They’ve only just done the kernel plus a small fraction of the user space. It still doesn’t change the fact that moving something left, right, up and down won’t fix fundamental design flaws. Win32 was never designed to be multi-user, secure, scalable and a clean design – it was a half baked attempt to do the least amount of investment possible.
Then again, giving the likes of Steve Ballmer a $700,000 cash bonus is more important than fixing the product line up – you know, the product. The product is this magical thing that you sell to then bring in cash. If your product line up is crud – all the marketing, all the bonuses to executives isn’t going to change that reality.
All operating systems have their flaws but one has to differentiate between design flaw versus code flaw. Something can have a flaw in the code but due to the design the impacts are minimal at best. Both Mac OS X and Windows have design flaws – both have failed to step up to the challenge when required.
Microsoft has a great kernel strapped with a half assed user space, coupled with hacks and work arounds to navigate around the fundamental design flaws that exist, things won’t improve. Will they improve in the future? No they won’t because unless they purge the layers of cruft out of Microsoft’s management, you’re going to continue to have the same insular approaches with little outside ideas coming in – a company rampantly embracing the NIH syndrome.
Edited 2009-06-11 23:01 UTC
Here is an interesting link – raising the very issue which I raised:
http://blogs.zdnet.com/hardware/?p=4627
Too bad people are far too in love with UAC instead of seeing it for what it really is – merely a dialogue to slow down a user rather than protecting the system. I hardly call a dialogue protection – its like walking through a group of bullies with a sign saying, ‘don’t beat me up’.
It’s pretty much security theater by this point. Since it’s inconvenient, and the dialogs look scary, that must mean it’s secure. Same as the half-assed two-factor authentication most banks use (something you know, and something else you know – which the user probably wrote down on the same post-it note stuck on the side of the monitor).
Actually making it secure – sandboxing everything, and preventing anything except the Windows Installer service from changing any system settings, for example, would ideally be transparent. It’s just bloody hard work, and you can’t really market it as a feature if nobody ever sees it.
For what it’s worth, Windows 7 actually does protect some settings (like file associations) from being modified by anything other than Windows Installer. It just doesn’t go nearly far enough.
Yeah, and the security doesn’t get much better in most other organisations either. I’m confused when I hear people complain about ‘remembering passwords’ and how ‘difficult’ it is; hell, I can remember 12 phone numbers, my credit card number, bank account number, IRD number and work and income (social welfare) number plus 5 sets of passwords I use. If I can do it – anyone can.
Oh, you could market that. “Sandboxing Technology included with Windows; allow you to get on with your work whilst keeping the nasties out”. It’s hardly rocket science dumbing something down and marketing it to tap into the concerns of end users about nasties that are out there.
The thing is, security could easily be fixed by making all end users standard users – that is, set them up by default as a limited user and UAC demanding that the end user put in their password before elevating the privileges.
Microsoft could have done this 8 years ago when they released Windows XP, they have done it after the security fiasco that required SP2 to be released. Microsoft have had many opportunities and each time they’ve failed to take advantage of them.
Ubuntu doesn’t auto elevate
(Sorry if you already knew the answer. I wasn’t sure whether if, by “sarcasm”, you meant your post to be taken ironically or rhetorically).
Care to explain what is so different with Windows’ UAC and Ubuntu’s sudo-usage in which only the user password is prompted?
For an outsider observer these two are quite identical in their overall design patterns.
For a regular user the difference is rather minuscule. I get annoyed by how UAC blocks everything, but to some that might be a good thing. The Ubuntu-way doesn’t do that so it’s again a double-sided blade.
But the UAC prompt doesn’t require passwords, it’s just point-and-click and can be bypassed very, very easily. The Ubuntu-way requires you to know the user’s password and can’t be bypassed; either you know the password and can do what you please or you don’t and can’t do anything outside of the user’s privileges.
Common misconception. The UAC dialog DOES require a password, just not when you’re running as administrator.
If you’re a regular user, you get a password dialog. If you’re an administrator, you get the click-through dialog. Sadly, like Mac OS X, Windows insists on making the first (and most of the time, only) account an administrator.
Common misconception. The UAC dialog DOES require a password, just not when you’re running as administrator.
Ah, didn’t know. Haven’t used Vista nor Win7 much, just a quick peek into both. Kinda silly to make the default user an administrator.
Did… you even read the article?
“So, how much malware protection do you get when you run in a Windows Vista PA account with UAC enabled? First, remember that for any of this to matter, malware has to get onto the system and start executing in the first place. Windows has many defense-in-depth features, including Data Execution Prevention (DEP), Address Space Load Randomization (ASLR), Protected Mode IE, the IE 8 SmartScreen Filter, and Windows Defender that help prevent malware from getting on the system and running.
As for the case where malware somehow does manage to get on a system, because malware authors (like legitimate developers) have assumed users run with administrative rights, most malware will not function correctly. That alone could be considered a security benefit.”
Yes, there is some security risk, but every OS has risks if a program can fool a user. At least Windows has a “hidden” layer of protection.
Hardly hidden – it’s been two years now. Plenty of time for malware authors to adapt.
Yes, there’s plenty of stuff malware can do in the context of a regular user account, but it’s pretty much impossible for said malware to worm its way into the system so deeply that it can’t be removed. Unless it has admin privileges, in which case it can do whatever it likes, and there’s little chance of stopping it. Just like XP.
This basically sounds like Microsoft tried half-assing a security barrier, realised that it doesn’t work properly, and then tried to claim that it’s not really a security barrier at all.
None of Vista’s UAC system makes the slightest bit of sense as anything other than a security barrier. If it’s intended to force third-party developers to write applications that don’t require admin privileges, why does it have filesystem and registry virtualisation? If it’s not intended to prevent software from elevating itself without permission, why does it go to such lengths to protect the UAC dialogs from any kind of tampering?
Of course, even Vista’s UAC can be bypassed. It’s just a whole lot easier in Windows 7.
I guess they just gave up, punched a huge hole in the security barrier they worked so hard to build, and exempted themselves from having to fix their own software, while still requiring everyone else to fix theirs.
Since it claims to offer absolutely no security at all, why does it keep bombarding me with elevation prompts just because I happen to be using non-Microsoft software? What’s the point?
Yes, and _I_ understood what was wrong with it.
Some security risk?? The former security salvation UAC is now nothing more than a joke by default. Much like your claim that it is hidden.
Unfortunately people don’t want proper security, look how much bashing Vista got when they actually made things secure. I don’t mind this change since I will move UAC to most secure which will protect the system again. I admit it’s an idiotic decision from Microsoft, but only idiots will suffer from it. Kind of like electing George Bush.
Lol, I liked the last part. Bush bashing will NEVER get old, but at least he was a “stimulus” to the comedy industry. Oh, and the shoe throwing industry.
Microsoft is incapable of fixing UAC. They get the bottom of the barrel coders, all the good ones go to Google or Apple. Their development team is inferior, I know a three year old that can code better than the Windows team.
This is another reason why Windows 7 will be a trainwreck and Mac OS X and Linux will take over the IT world.
Microsoft should just step aside and let the professionals code OS software, they are incapable and unable to do any decent design work with Windows.
To summarise a very long article:
No you’re wrong, we were lying/simplifying/spindoctoring/pre-retconning about UAC and security. UAC is actually about making/forcing/encouraging/politely asking 3rd party developers to tweak their apps to run as normal users. Microsoft apps don’t need to do this because we (and we alone) can be trusted to always let our apps run with administrator privileges.
No you shouldn’t run as an administrator anyway, unless you want older apps, or apps that legitimately require administrative access to work. You should run as a normal user, even though that’s not default and you need to be a windows administrator to set it up.
Elevating is never a problem for a real malware, and social engineering works so well that we don’t think that having simple backdoors for malicious apps is any less secure.
Microsoft apps need silent elevation so that people don’t get jaded and stop reading the warnings. Third party developers (even those that legitimately require admin rights) aren’t allowed to silent elevate because it’s better to make their users always click dialogs than to allow their apps to silently elevate. I.e. do as we say, not as we do.
We made these changes because instead of developing proper hooks for accessibility, we want to allow third parties to manipulate secure processes with accessibility software.
I seem to remember this guy being smart, honest, forthright and upfront. What happened? Just to squeeze an Apple related quote in here. “This is shit!” – Steve Jobs
I guess this is indeed really the point. The shield icon is most likely chosen to sell this feature to the world in Vista.
So a malware developer just out of chance (not will) develops malware and they are famous for following directions, right? How depressing! Well…. I guess that’s it for “Windows is Safer than OSX and Linux”.
Edited 2009-06-11 13:21 UTC
It is the Microsoft way of security…
This is also the reason why ignorant and/or lazy users prefer windows. Security implies additional complexity and work and “normal” users don’t care about good practices of security.
Microsoft is locked by the legacy of insecure applications and it will never change this, so as not to lose its clients.
Because of this I use linux on all my computers and, when I need to run some windows application, I use a virtualized windows on vmware or virtualbox. If it becomes infected by malware I only need to restore one file (the virtualized C: drive) to reinstall the system.
Edited 2009-06-11 15:12 UTC
Quite the contrary.
Often additional complexity implies insecurity.
I find it somewhat funny that MS is still “the laughing stock of security” among the general public, whereas Vista was actually well received in the infosec-community.
When it comes to security, I am equally skeptical about your typical Ubuntu and Windows. And yes, I have actually audited open source code. Not so different, really, except that the dumbest users are using Windows. But even this may change.
I use linux but not Ubuntu nor sudo. I prefer the “Red hat way” of using su – to become root and do the administrative things.
The plague of today’s operating systems is to treat users as stupid and not capable of learning some basic things to operate the OS. Before, in CLI times, the user had to learn some commands before using the system. Even to drive a car it is necessary to take some lessons; why not computers, which are much more complex and flexible?
Edited 2009-06-11 15:56 UTC
isn’t it more secure to add yourself to sudo for the privileges you need and not elevate yourself to root every time you need to do something?
i use fedora too and beesu, which i think is superior to ubuntu’s gksudo.
No. Imagine if you forget your desktop unlocked when you leave your room.
The intruder could not do administrative tasks because su – would ask for the root password. But with sudo he could do everything.
assuming he knows your password? wat?
sudo asks for the user’s password and, by default, does not ask for it again until 5 minutes after the most recent sudo command. You can change that using the rootpw (set to ask for root password instead of user password) and timestamp_timeout (set to 0 to always ask for password) options in the sudoers file. See man sudoers or http://www.sudo.ws/sudo/man/sudoers.html for more information.
Also, sudo -k and -K options “kill” the record of sudo being used recently so the next sudo command will ask for a password. See man sudo or http://www.sudo.ws/sudo/man/sudo.html for more information.
Microsoft is not stupid. Any engineer can design things in a ‘nice’ way. It is much harder to design things for the way your customers need and use them over time.
It is one of the reasons they are successful.
Does it make things ‘messy’ sometimes? Of course it does. Sure not building and enforcing proper rights management into Windows since its inception has caused issues today. However, at the time, they provided the average user with an optimal experience.
Even look to Word as an example. Sure it might have been classically better to use a text file format. Yet, back in the day, speed was an issue. The binary blob format of old MS Word documents was way faster to open. These were the days of the 386 running at 20 MHz. I’m not suggesting they did not exploit it for vendor lock-in by any means.
They have been known to even tweak the OS to make certain buggy programs work. Most engineers do the same thing on a small level… for example… reading a malformed configuration document. Sure, it’s better if your users properly format things, but if you can make it work and make it easier on your users… why not.
I don’t personally like UAC as I don’t trust it to actually block things at the lowest level. However, as a developer, I can see its use. Programs will get rewritten slowly but surely. Users hate strange prompts and bugs will be filed.
I’d say most apps that are ever going to be re-worked to use UAC have already been re-worked, FWIW. The UAC *prompts* for COM elevation don’t force people to re-write things, either. Those prompts could be disabled for all apps to avoid irritating their users, if the prompts have no security benefit (and there is next to no security benefit from the COM elevation prompts with Win 7’s default settings).
(You can still have UAC without the prompts. Apps still have to request admin rights in a way which enables them to elevate under standard user accounts.)
Sometimes you have to elevate to do what the user has asked. Third party apps cannot help but irritate the user with at least one prompt in that case. On the other hand, Microsoft have given themselves a backdoor so that their own bundled software doesn’t have to irritate users with the prompts.
This is especially annoying when you realise that the reason UAC on Vista annoyed people was because Microsoft’s software prompted people too often. (And showed stupid prompts-about-prompts.) Microsoft’s apps, the cause of the irritation, were given a free pass to elevate in the same stupid way — with no object caching — that they did on Vista while third party developers are told the irritating system is there to make them (but not Microsoft) write their apps properly. It’s a joke.
To add to the joke, if you use Microsoft’s apps under a standard user account you’ll still be bombarded with prompts, and you’ll still have to type a password for every single one of them.
Microsoft could have improved things for everyone, admin and standard user alike, without reducing the security of the UAC prompts, if they had bothered to properly refactor their own apps. (Especially Explorer and the Control Panels.) Instead they took the easy backdoor route, made the remaining prompts pointless, made it more tempting to use admin instead of standard user, made third-party apps suffer for pure security theatre, and insulted third-party developers by telling them they should do something that Microsoft themselves cannot be bothered to do.
I like Windows 7 overall but not the changes to UAC.
At this point in time we should’ve been talking about how to make UAC:
– more secure (closing holes, not opening ones you could drive a tank through)
– more informative (so that you’re given an admin-code-generated description of the command that is about to be executed, not just the name of the binary that will execute it)
– and less annoying (by having fewer prompts and eliminating the stupid prompts-about-prompts).
We should have been debating whether Windows was ready to make standard user the default for all consumers (clearly not if consumers couldn’t stand Vista’s UAC prompts, because Windows 7 still prompts the **** out of standard users and makes them type passwords every time to boot).
Instead we’re stuck explaining the level of stupidity and hypocrisy in Microsoft’s changes to UAC, and debating with people over whether elevation and consent are useful concepts at all (because what they’ve seen of them so far is so badly implemented they don’t realise they could work so much better).
Edited 2009-06-11 18:56 UTC
it’s windows! do you want it secure? for what?
if you make windows secure, you’ll break thousand of applications.
Windows will be as secure as the user in front of the screen is tech savvy and knows about security. The biggest security hole will always be the user in front of the screen. To me UAC is a noble attempt by Microsoft to fix something wrong within Windows. It may not be perfect, but still it is better than nothing.
Now saying that UAC will save your asses is simply as wrong as saying sudo will save it too. What happens when you start synaptics under ubuntu? You get a password prompt. Now, what would happen if I can write a small script that puts itself somewhere in your path where you have the rights to write, and that looks exactly like the gtksudo prompt? After you entered it, I can simply call synaptics with your password and you’ll never know I’ll be doing nasty things behind your back. Now, take the situation the other way around. Let’s say I create a clone of one of MS’s tools that requires elevated rights, then place it somewhere in your start menu hoping you click on it and elevate my nasty exe. Both situations look similar.
A safe on a gun will not stop you from shooting yourself if you set it wrong or don’t know how to handle a gun.
What happens when you start synaptics under ubuntu? You get a password prompt. Now, what would happen if I can write a small script that puts itself somewhere in your path where you have the rights to write, and that looks exactly like the gtksudo prompt? After you entered it, I can simply call synaptics with your password and you’ll never know I’ll be doing nasty things behind your back.
Not possible. You don’t have write permissions to /usr/bin (or wherever gtksudo is installed) and that’s where libgtksudo executes it from. It doesn’t execute from path as that’d be stupid.
I know that’d be stupid, but what would be stopping me from changing the Synaptics menu entry in your menu and avoiding directly the libgtksudo? I was exposing the fact that most threats come from user actions, not from vulnerabilities.
Except that you couldn’t do that without the user knowing, because nothing is set with execute rights unless the user set it themselves. Ah Unix Security 101.
Really this comes as no surprise. I would almost rate it as a conflict of interest.
MS introduces Livecare in order to help ward off the bad guys. Of course it costs money. Then ooops we left a hole open. After all if they made a secure OS how many software vendors would go under?
Just a big LOL typical MS bs. Let’s move on, nothing new here!
Vista’s UAC is just fine, but the tech media, predisposed to bash Microsoft, aided by misleading Apple ads (which that same tech media cheered, even as they admitted were gross exaggerations), led the public to believe that UAC is some horrible nuisance. This is bull. I’ve never been annoyed by it at all. But Microsoft, tired of the bashing, caved to the anti-Vista propaganda, and tweaked UAC to be useless. IMO, they should have just stuck with UAC the way it was. I blame Microsoft for lack of conviction to stay with what works (and this is evidence that they are a second-rate company) but I also blame the tech media, Apple, the tech sites, and anti-Microsoft posters to such sites (and yes, that included many posters to this site, sadly) for spreading lies about Vista’s UAC (then complaining when those lies are “addressed”).
The one saving grace is that Mark Russinovich is a brilliant guy. If he sees no issue here, then maybe there really isn’t an issue. However, I found his dismissal of the alleged flaws of the new system in this article unconvincing: “Well, malware can infect the system through prompted elevation as well.” Yeah, but at least there is a prompt in those cases; under the new system malware can cause elevations unprompted. I think he needs to give a more detailed explanation of why he maintains that the new system doesn’t suffer any real problems.
Edited 2009-06-11 22:19 UTC
Well, to shove a feather up my own butt here, I’ve always gone against the flow when it comes to UAC. UAC simply was never as horrible as the world made it out to be, and I’ve personally always been diligent and patient in explaining this to people.
Too bad Microsoft is weak, and gave in to the whiners.
You are absolutely right, UAC was probably the best feature, also Microsoft should force the user to create and login to a standard user account the first time he/she installs the system. UAC should not require a password each time too, I should be able to say which Software I think is safe to install (example apps from Microsoft are safe to install) or can it be done now also I am not informed.
I’ve released the proof-of-concept application and source code behind this whole thing:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
MS say it’s a non-issue so I guess they won’t mind.