Linked by Thom Holwerda on Mon 22nd Jun 2009 22:31 UTC
Windows

Here at OSNews I have hammered and hammered on a few times already about the major flaw in Windows 7's default User Account Control, which allows people or software with malicious intent to completely bypass UAC in such an easy manner that you wonder why UAC is there in the first place. Well, the source code to this flaw has been released - since Microsoft has made it clear they have no interest in fixing it anyway - and Long Zheng, fellow advocate of fixing this bug, made a very clear demonstration video.
Thread beginning with comment 369818
RE[2]: Stop Press!
by gedmurphy on Tue 23rd Jun 2009 07:48 UTC in reply to "RE: Stop Press!"
gedmurphy Member since:
2005-12-23

Security experts, any system administrators, any knowledgeable users and so on say it's a flaw, but you ignore it all just because Mark says so? Umm..


I ignore it all because I understand the technology internally and don't second guess according to what journalists say.
Maybe these so-called experts should learn a little more about the systems they're supposed to be experts on.

Malware can already compromise admin accounts via elevated prompts without needing to exploit this feature. If Microsoft reverted this choice, it won't stop malware writers in any way. This is an administrator account, there's no getting away from that.

The only people Microsoft are concerned about is software writers using this to hack their own software giving it administrative rights. But as they point out, people _should not_ be doing this. Anyone doing this should be shot.

Score: -2

RE[3]: Stop Press!
by invent00r on Tue 23rd Jun 2009 09:07 in reply to "RE[2]: Stop Press!"
invent00r Member since:
2009-04-27

Malware can already compromise admin accounts via elevated prompts without needing to exploit this feature.


Why exactly is the malware going to prompt an admin to elevate if they can now easily do it automatically?

Score: 2

RE[3]: Stop Press!
by WereCatf on Tue 23rd Jun 2009 11:07 in reply to "RE[2]: Stop Press!"
WereCatf Member since:
2006-02-15

Malware can already compromise admin accounts via elevated prompts without needing to exploit this feature.

Such as?

If Microsoft reverted this choice, it won't stop malware writers in any way. This is an administrator account, there's no getting away from that.

Indeed. If the default user was not admin then this would be a non-issue. But as the default user IS an admin this is and will always be an issue. Insecure defaults are insecure.

The only people Microsoft are concerned about is software writers using this to hack their own software giving it administrative rights. But as they point out, people _should not_ be doing this. Anyone doing this should be shot.

People shouldn't auto-elevate their applications and they should be shot if they do? Hmm, have you heard that Microsoft themselves do exactly that; they have several apps auto-elevating..

Score: 3