Linked by Thom Holwerda on Sat 31st Jan 2009 10:45 UTC
Privacy, Security, Encryption
Yesterday, we reported on the security flaw in Windows 7's UAC slider dialog, and today, Microsoft has given a response to the situation, but it doesn't seem like the company intends to fix it. "This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level." I hope this reply came from a marketing drone, because if they intend on keeping this behaviour as-is in Windows 7 RTM, they're going to face a serious shitstorm - and rightfully so. Let's hope the Sinofskys and Larson-Greens at Microsoft rectify this situation as soon as possible.
Thread beginning with comment 346372
RE[4]: Not that serious
by Nelson on Sat 31st Jan 2009 14:52 UTC in reply to "RE[3]: Not that serious"
Nelson
Member since:
2005-11-29

No. For this (the proposed exploit) to even propagate on the system, he'd need to authorize it to run, which would trigger UAC.

That's the angle from which it's looked at by Microsoft: it cannot be remotely exploited without social engineering; the user needs to have already run the program (and consented via UAC) before any of this is allowed to happen.

You're talking about the program already executing on the user's machine, which means UAC has one way or the other already been defeated.

Like I said, in cases of social engineering, if the user is gullible, not one UAC dialog, or ten UAC dialogs will be able to stop him from being exploited.

Reply Parent Score: -1

RE[5]: Not that serious
by Gone fishing on Sat 31st Jan 2009 15:03 in reply to "RE[4]: Not that serious"
Gone fishing Member since:
2006-02-22

My understanding was:

The user gets a file such as see_girl_naked.vbs. The file runs a script that emulates some key strokes and poof, no UAC. But you could have a nice new mail server installed.

What should happen is a warning: "see_girl_naked.vbs wishes to modify your system files; click Yes to allow." Obviously if you say yes you're an idiot and very little can save you.

Reply Parent Score: 4

RE[6]: Not that serious
by Nelson on Sat 31st Jan 2009 15:07 in reply to "RE[5]: Not that serious"
Nelson Member since:
2005-11-29

VBScript must be executed within the host environment. Every browser has provisions to protect from script propagation as well.

However, the bigger picture, and the point alluded to by many, is that this can be bundled with malware; malware will not run without user elevation, so a lot of the danger is a moot point.

The dangerous possibility was the fact that this could be remotely executed with no privileges whatsoever, and be used to disable UAC from outside the computer. This is not the case.

Reply Parent Score: 0

RE[5]: Not that serious
by WorknMan on Sat 31st Jan 2009 16:53 in reply to "RE[4]: Not that serious"
WorknMan Member since:
2005-11-13

No. For this (the proposed exploit) to even propagate on the system, he'd need to authorize it to run, which would trigger UAC.

That's the angle from which it's looked at by Microsoft: it cannot be remotely exploited without social engineering; the user needs to have already run the program (and consented via UAC) before any of this is allowed to happen.

And how do you suppose most malware gets on a user's machine, through osmosis?

If it promises nude pics of Angelina Jolie, they WILL run it! MS needs to make UAC prompt if there are any changes to its setting under ANY circumstances.

Edited 2009-01-31 16:53 UTC

Reply Parent Score: 4

RE[6]: Not that serious
by Nelson on Sat 31st Jan 2009 18:14 in reply to "RE[5]: Not that serious"
Nelson Member since:
2005-11-29

Point being what? If they were tricked into clicking through UAC one time, then they will surely do it again, if it means the difference between seeing what they think is a naked photo or not.

But whatever, it seems common sense is lost on a lot of people who foam at the mouth and jump at the opportunity to criticize.

Edited 2009-01-31 18:15 UTC

Reply Parent Score: 2

RE[6]: Not that serious
by Nelson on Sat 31st Jan 2009 18:25 in reply to "RE[5]: Not that serious"
Nelson Member since:
2005-11-29

Here's another point which disproves any argument anyone could possibly have on this:

Let's establish a few things right off the bat:

1) An unsigned Application requires Elevation to run
2) VBScript embedded into a malicious installer would require Elevation to run

Now, your argument is this:

If it promises nude pics of Angelina Jolie, they WILL run it!

So from that, we can make point 3:

3) The user will elevate the Application

Now, the point I'm making, the point which shatters every argument against Microsoft's judgment on this, takes 1, 2, and 3 into account.

Now, let's say the user runs the malicious program, UAC pops up, and he clicks through it (As you claim he would).

Now what happens? The Application is run in elevated mode, where UAC will not pop up for that Application's lifetime REGARDLESS.

This means, once an Application has elevation, UAC does not ask it again for another action in the system.

Test this by running an Application to perform SendKeys on Vista, where UAC protects system settings.

What will happen if you run it normally? UAC will pop up and stop you. Hooray! Right? Well it gets interesting.

Now run the Application and require UAC to elevate (you can do this in Visual Studio by exporting a MANIFEST file with your Application).

What happens when the SendKeys tries to disable UAC? No dialogs? What!? How can this be?

Is it magic? No it's common sense.

The fact that Applications are required to be elevated by UAC renders this entire ridiculous claim of an exploit a moot point.

You can mod this down to hide the facts, but these are the facts. This is the truth. You can test all of this on your own Vista machine if you doubt the legitimacy of anything that I say.

Take the fanboy glasses off for a change people, and look at the cold hard facts. This is nothing but a headline grabbing article to post during a slow news day.

Reply Parent Score: 5
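Added here as an editor's example, not code from the thread or from any poster: a PowerShell audit of the UAC policy values (the documented Windows registry locations, assumed present on a Vista or Windows 7 machine) that reports whether the configuration matches what WorknMan asks for, namely that UAC prompts for every elevation including a change to its own level, and whether the consent dialog is shown on the secure desktop, where simulated keystrokes of the kind Nelson's SendKeys test describes cannot reach it.

```powershell
# Added example (not from the OSNews thread): audit the UAC policy values.
# Path and value names are the documented Windows policy locations.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Key = $UacPolicyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop

    # A missing value means the OS default applies; keep it as $null so the
    # report shows that the policy was never explicitly set.
    $enableLua     = $p.EnableLUA
    $adminLevel    = $p.ConsentPromptBehaviorAdmin
    $secureDesktop = $p.PromptOnSecureDesktop

    $findings = New-Object System.Collections.Generic.List[string]

    if ($enableLua -eq 0) {
        $findings.Add('EnableLUA=0: UAC is disabled; nothing prompts for elevation.')
    }

    # ConsentPromptBehaviorAdmin: 0 = elevate silently; 1-4 = prompt for
    # credentials or consent on every elevation (2 is "Always notify");
    # 5 = prompt only for non-Windows binaries, so Windows components such as
    # the UAC control panel elevate without a dialog.
    if ($null -eq $adminLevel) {
        $findings.Add('ConsentPromptBehaviorAdmin not set: OS default applies; set 2 to prompt on every elevation.')
    } elseif ($adminLevel -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.')
    } elseif ($adminLevel -eq 5) {
        $findings.Add('ConsentPromptBehaviorAdmin=5: Windows components auto-elevate; set 2 (Always notify) so a UAC level change itself prompts.')
    }

    # PromptOnSecureDesktop=1 draws the consent dialog on the secure desktop,
    # which other processes on the user desktop cannot send input to.
    if ($secureDesktop -ne 1) {
        $findings.Add('PromptOnSecureDesktop is not 1: the consent dialog shares the user desktop and can be driven by synthetic input.')
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminLevel
        PromptOnSecureDesktop      = $secureDesktop
        Hardened                   = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```

Run it from an elevated or standard PowerShell session; reading these values needs no elevation, and a Hardened value of True means every elevation, including a UAC slider change, goes through a secure-desktop prompt.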