Full Version: Microsoft Won't Fix Win 7's UAC
Chachazz
"Not too long ago, we ran a story informing you of how the auto-elevation feature in Windows 7 is broken in a way that allows malicious programs to silently gain administrative privileges. We wondered if Microsoft was ever going to fix this one before Windows 7 goes final, and even though we're not there yet, a recent article by Mark Russinovich seems to imply pretty strongly that no, Microsoft is not going to fix this."

Throughout the article, Rssuinovich* reiterates that UAC should not be seen as a security barrier, but no matter how often Microsoft brings this up, it still doesn't make any sense to me. Microsoft has often stated that UAC is a security barrier, but whenever it doesn't suit them to see it as such, they claim something else completely.

Even if they originally did not design it to be a security barrier, it does seem to be the case that it has turned out to be one. I'd say that instead of trying to convince the world that it's not, they should just roll with it, improve UAC so that the mentioned holes get plugged, and use it to aid in marketing.

At the end of the day, Microsoft blogger Rafael Rivera said it best:

"Here's my million dollar question: If UAC wasn't designed to ultimately protect us from anything, why does its icon resemble a damn shield?"

Full article: OS News

*[Russinovich]
Chachazz
Windows 7 UAC code-injection vulnerability: video demonstration, source code released

"....Microsoft has known about this for half a year as well as indirectly acknowledged and ignored this vulnerability, I have asked Leo Davidson to release the proof-of-concept source code and test application into the wild for public scrutiny. If Microsoft is right in saying this has no security implications, then this should mean nothing. If they are not then, well, at least there is still time to do something about it. A month to be exact.

I realize Microsoft will not by any stretch of the imagination return Windows 7 to the Windows Vista “always on” mode of UAC, there’s too much to lose. What I would like is for Microsoft to acknowledge that there is an increased security risk with using the default Windows 7 UAC policy, and communicate this to users where appropriate."

by Long Zheng
http://www.istartedsomething.com/