Linked by Thom Holwerda on Mon 22nd Jun 2009 22:31 UTC
Windows Here at OSNews I have hammered and hammered on a few times already about the major flaw in Windows 7's default User Account Control, which allows people or software with malicious intent to completely bypass UAC in such an easy manner that you wonder why UAC is there in the first place. Well, the source code to this flaw has been released - since Microsoft has made it clear they have no interest in fixing it anyway - and Long Zheng, fellow advocate of fixing this bug, made a very clear demonstration video.
Thread beginning with comment 369758
What if using a limited user account?
by pcunite on Tue 23rd Jun 2009 00:25 UTC
pcunite
Member since:
2008-08-26

Does this problem exist if running as a limited user account? No it does not! There is no problem here people!

Edited 2009-06-23 00:31 UTC

Reply Score: 2

darknexus Member since:
2008-07-15

Does this problem exist if running as a limited user account? No it does not! There is no problem here people!

Correction. There would be no problem if Microsoft's default user setup when the OS is first installed were a limited user. But guess what? It isn't. Couple this with the fact that most typical users do not want to worry about securing their computers, and you have a very dangerous situation. Sometimes half-assed "security" is worse than none at all. This is one of those times, and so, so typical of Microsoft. They don't like their own security measures so they implement a backdoor and forget to put the key in the lock, so to speak. Pathetic.
Now the question is: What will be the result of this code being released? Will Microsoft hurry up and fix it before malware uses it, or will they delay yet again and close their eyes to a problem while people's computers are cracked?

Reply Parent Score: 13

mtzmtulivu Member since:
2006-11-14

Correction. There would be no problem if Microsoft's default user setup when the os is first installed is a limited user. But guess what? It isn't.

Microsoft does not install the OS on computers, OEMs do, and they chose not to default to a normal user setup because they didn't want Joe Sixpack to call them and complain that he can't install the video codecs his newly found porn site tells him to...

As far as I can tell, this "exploit" doesn't work if the UAC setting is set to maximum. OEMs can do that before passing the OS to Joe if they care about his security... why aren't they?

Reply Parent Score: 0

dylansmrjones Member since:
2005-10-02

Except that the default user created in Windows is an Administrator. This is default behaviour in XP, Vista and Windows 7. And an extremely stupid decision made by Microsoft.

And running as limited user is not a solution, but merely a workaround. Though of course, the wiser solution is always to run as limited user (in win2k3 known as 'standard user').

In the meantime, if you have to run as Administrator, run at the highest security level, even if UAC is annoying (which it is).

Reply Parent Score: 5
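The two mitigations the posts above keep coming back to are (a) run day-to-day as a limited/standard user, and (b) if the account is an administrator, run UAC at its highest ("Always notify") level rather than the Windows 7 default. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reports which of those two conditions the current session satisfies. It reads the documented UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and checks Administrators membership by the well-known SID `S-1-5-32-544` via `whoami /groups`, which still lists the group when UAC has handed the session a filtered ("split") token. It assumes Windows Vista/7 or later with PowerShell 3.0 or newer, and that the policy values are present (they are on a stock install; the numeric meanings are the documented ones).

```powershell
# Added example (not from the OSNews thread): report whether the current
# account is an Administrators member and whether UAC is at its highest level.
# Assumes Windows Vista/7+ with PowerShell 3.0+ and stock UAC policy values.
function Get-UacPosture {
    # Documented registry location of the UAC policy values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin: 2 = prompt for consent on the secure desktop
    # ("Always notify"); 5 = prompt only for non-Windows binaries (the
    # Windows 7 default discussed in the thread); 0 = elevate without prompting.
    $behavior      = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop
    $uacEnabled    = ([int]$p.EnableLUA -eq 1)

    # BUILTIN\Administrators has the well-known SID S-1-5-32-544. whoami lists
    # it even on a filtered token; the Attributes column then reads
    # "Group used for deny only", which tells us the session is not elevated.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        UserIsAdministrator = [bool]$admin
        TokenIsFiltered     = [bool]($admin -and ($admin.Attributes -match 'deny only'))
        UacEnabled          = $uacEnabled
        AlwaysNotify        = ($uacEnabled -and $behavior -eq 2 -and $secureDesktop -eq 1)
        AutoElevateSilently = ($uacEnabled -and $behavior -eq 0)
    }
}

$posture = Get-UacPosture
$posture | Format-List

# The thread's two recommendations, in order of preference.
if (-not $posture.UserIsAdministrator) {
    'OK: running as a standard (limited) user; the default-UAC auto-elevation issue does not apply.'
} elseif ($posture.AlwaysNotify) {
    'OK: administrator account, but UAC is at the highest level (prompt on every elevation).'
} else {
    'WARNING: administrator account with UAC below "Always notify" (or disabled).'
}
```

Reading the policy key and running `whoami` both work from an unelevated standard-user session, so the check can be run as the user it is meant to assess; the `TokenIsFiltered` field distinguishes "admin account, currently running with the filtered token" (the situation the thread is about) from an actually elevated session.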

MollyC Member since:
2006-07-04

Except that the default user created in Windows is an Administrator. This is default behaviour in XP, Vista and Windows 7. And an extremely stupid decision made by Microsoft.
OSX's default user is admin, last I checked (Panther). Did they change that in Tiger or Leopard? If not, then is it really "extremely stupid"? If both Apple and Microsoft, and Ubuntu (according to google_ninja) all do the same thing, then there must be a good reason for it.

Reply Parent Score: 2