Security researchers have unearthed a potentially serious flaw in User Account Control (UAC) features in Windows 7. Microsoft is aware of the issue but is currently unconvinced it needs to make changes to the pre-release code. UAC is a security feature introduced in Windows Vista that's designed to prompt users for permission …
So simple fix no?
Surely all they have to do is make sure any changes to UAC prompts and not make it classed the same as a control panel. Problem solved no?
Trying to copy Linux !?!
So! This is NO surprise, people will no doubt PAY good money for an OS that is closed, and then they PAY to protect it with some anti-virus and anti-malware program, and then fall prey to yet ANOTHER bot/virus/worm. Is utterly obvious that they're trying to copy Linux, but just like the pack of cards that M$ is, just lets in another avenue of attack.
Save you money, enjoy a world of FAR FEWER security risks, and a big increase in speed : Linux!
I think Microsoft means:
That they'll make the fix in the final, but not produce a patch / fix for the Beta. Producing patches for beta software becomes a real bitch, especially out of sequence....)
That'd be "Broken By Design" then.
No change there.
And I had such high hopes for Windows Seven.
MS - there is still time to unbreak it. Maybe you should listen to security consultants?
By design: delegated to anti-malware providers?
delegated to anti-malware software providers?
...you could stop running as admin.
UAC a a band-aid for cretins. No bug in UAC could possibly be as gaping a hole as using an admin account for everyday work. If you do that then you *deserve* to lose.
And nothing of value was lost.
I haven't utilized, nor seen the need for, UAC in Windows Vista on any of my systems. I can cross the street on my own, to make an analogy.
Windows 7 - best ever OS to date!!
Windows 7 Rocks!!
In fact, I bet there will be more PCs running beta versions Windows 7 than there will be PCs running 'production' copies of Linux
Linux, irrespective of the flavour, is a feeble, confused, pathetic excuse of an operating system. Used by sad geeks with no social skills who spend all their life on the internet.
Apple PCs are bought by people with more money than sense, who actually think that they are being trendy and ‘making a statement’ by buying some overpriced white tat. Irronically, most Apple users install Windows anyway.
The best thing about Windows 7 is that it will make Microsoft billions and billions of dollars. I love Microsoft!!!
Ho ho ho
Cue yet another Linux fanboy.
Yet every Linux setup script and every other Linux forum entry tells me to turn off SELinux, because it's such a bugger. I'll turn it off when I turn off NoScript - and that will be another cool day in hell...
Why can't MS figure out these things itself?
Surely they have competent security people on staff? Or do they?
I sure hope that's what they mean. Leaving a gaping security hole like that almost makes it worse than the "security" in XP.
Without going too far into shock-horror mode, isn't it the purpose of releasing a beta to get holes discovered?
This might sound stupid but...
Should the UAC not pop up asking if you want to shut off or silence the UAC? Another footbullet for microsoft? Or a win for linux?
Its not a bug, its a feature... Its supposed to constantly reboot (etc)
Its a beta you morns
Its a freaking beta. it will be fixed in the final release. You know what your getting into when you use beta software. get over it. seriously!
Some folks look for anything to try to take down microsoft with.
Is for people who think playing with operating systems is the point of computers. Just to clear that up before the zealots make the point. Windows is an operating system that retards can use, yours isn't however it does have lots of software that's fun to use without an BEng in software engineering.
In plain English 'NO ONE GIVES A FUCK ABOUT LINUX, GO AWAY WE'RE TALKING TO GIRLS.'
There's also an antitrust issue here, IMO.
The UAC whitelist is anti-competitive, as well.
Users cannot add 3rd party components that they use & trust to the UAC whitelist. Only Microsoft's own components can be on it. So, for example, third party file managers have to display at least one UAC prompt to get admin access while Microsoft's Explorer does not. That isn't an even playing field.
Similarly, users cannot remove Microsoft's components from the UAC whitelist. So if you do not use Explorer but do want the whitelist (which is on by default), you are forced to leave the security hole open for Explorer even though it doesn't benefit from you. Explorer's UI isn't isolated like an admin process is -- its windows have "medium integrity" -- so there doesn't seem to be anything to stop it being remote-controlled via mouse & keyboard events. Which is an okay trade-off if you use it but a stupid security hole if you don't.
Sadly for me (a file manager nut), people don't seem to care much about anti-competitive behaviour that affects anything other than web browsers, so nobody AFAIK has picked up this story, although I did mail a bunch of sites about it.
More details here, including a confirmation from Microsoft:
Since when did Linux become a religion ? Do you sleep at night with a fluffy penguin clasped close to your body ?
Now get on topic asshole !
I suspect that this 'bug' will be squashed in the release code, this is a beta after all, lets judge W7 on the final RTM.
behaviour is "by design"
MS for "sure we've got our head up our arses".
OH no of course not
Oh, no, there's no POSSIBLE way being able to turn off UAC with no user intervention could POSSIBLY be used insecurely.. *rolls eyes*. Get it together microsoft.
Am I missing something here? If the end-user turns off UAC then it is disabled. How is this a bug?
@anonymous coward - eh?
Yes apparently you ARE missing something. You're missing the bit where you actually READ the article and learn that malware can turn off UAC without the "end-user" knowing about it. F- for reading comprehension I'm afraid.
So vista also has a bug right?
I don't get it if you disable UAC how is it Microsoft fault? I have it disable in Vista cause none of my programs seems to work with it installed. They crash when using or have issues installing so I disable it.
Microsoft is against this but, I have a router with a built in firewall, anti-virus etc and I am not worried about it.
I thought UAC couldn't be turn off in Window 7 any way? I know you can disable prompts but thought it still ran in the background.
"Save you money, enjoy a world of FAR FEWER security risks, and a big increase in speed"
Except that none of my critical apps work, and there are NO EQUIVALENT APPS under Linux.
Back to Windows then.
@ Microsoft defenders
The issue is not that there is a security flaw in a beta version of an OS. It's that Microsoft refuses to acknowledge and fix it. Suppose a vulnerability was found that let an attacker access anyone's Gmail account, and Google announced that they would not do anything about it. Would you find that acceptable?
"Windows is an operating system that retards can use"
Unfortunately, yes. That's why there are multi-million computer botnets spewing the spam that fills your inbox. That's why I regularly have zombies hammering on my FTP and SSH servers. That's why so much money is wired to Nigeria. That's why there are so many tech-support horror stories (broken cupholder etc.). If operating a computer required a modicum of intelligence (like how operating a car or airplane requires a certain level of competence), cyberspace would be much more hospitable.
Perhaps things like this are intentional. MS has to have people in the dev that know a good bit about how things work, or at least we'd like to hope they do. It's my guess that they release things like this intentionally so that software companies (that microsoft has a shared interest in) can make programs to protect it.
It's the same as Comcast refusing to release a bandwidth meter for users. For awhile now they have been suggesting you buy software, of course go by software they suggest because they benefit from those purchases.
In MS's defense when comparing Windows to Linux if your not an idiot you don't use your Linux PC as root therefore you'd immediately remove yourself from alot of potential issues.
they have made it easier to turn off windows own built in nagware system - UAC. they be applauded for it.
Am I missing something?
How on earth is this as big of a bug as the tech press would have you believe?
If you have untrusted code running on your system and you are logged in as admin, you're already a loser.
Covert Microsoft Operations? Or just Sloppy Seconds from Over/Underrated and Under/Overpaid Coders
A recognised flaw ignored by Systems Admin/Windows Programmers would easily disguise In-House Use, which could be maliciously attributed elsewhere and therefore would warrant a Systemic Abuse award.
Why are MS defaults so often unsafe?
"Anonymous Coward" (31 January 2009 00:53 GMT) said:
"I suspect that this 'bug' will be squashed in the release code, this is a beta after all, lets judge W7 on the final RTM."
I hope you're right. Otherwise, it doesn't bode well for MS security attitudes in general.
I too, like someone else up above on this page, have high hopes for Windows 7, because I don't necessarily want to be stuck with XP or Linux or Mac forever (I do currently use all three of those OS's, although I would *like* someday to consolidate most of that to just one OS - probably dreamin' again). A year or so from now, I will be "OS shopping" again and I want there to be plenty of *good* choices to pick from.
One would *hope* that Microsoft can get their act together and take this security stuff *seriously* instead of just fucking around with it like they seem to like to do with so many things.
MORE SECURITY! LESS RIBBONS! DUH! What's so hard to understand about that? Why can't they get it? Are they deliberately trying to drive people to other OS's fulltime? I happen to like XP and I use it for a lot of things, but it will be dead soon as far as security patches. Windows 7 had goddamned well better be a big success or I'll be royally pissed off.
Come on Microsoft, we know you can do it - just quit watching pr0n all day long and write some decent code you guys. The universe will thank you for it.
I'm beginning to think there are anti-Microsoft people actually WORKING AT MICROSOFT, deliberately trying to sabotage it, judging by some of the crap they've tried to foist off on the public the last couple of years. Maybe it's all those "foreign workers" ;) they've been hiring on temporary Visas, sabotaging a U.S. company ;) such as MS - okay I don't really actually believe that, but one has to wonder sometimes. If it isn't intentional, then it must be mind-numbingly-stupid idiocy and lack of paying attention to what the market wants. (Or, to put it less gracefully as others have, MS has its head up its ass sometimes.)
Another "Anonymous Coward" (31 January 2009 02:35 GMT) said:
"Am I missing something here? If the end-user turns off UAC then it is disabled. How is this a bug?"
Perhaps I misunderstood the question, or maybe I'm misunderstanding the whole UAC thing, but didn't the article say:
"This means, security researchers warn, that future strains of malware might be able to silently shut down UAC, leaving users with the misleading impression the controls are still active."
That doesn't sound good.
But at the end of the article it says:
"In the absence of a built-in modification from Microsoft, users can act themselves by changing the UAC policy to "Always Notify" if UAC settings change. "Annoying, but safe," Zheng concludes"
So that last part sounds okay I guess, but how many average-idiot users would know that they should change that? Will it be in the Windows 7 Owner's Manual ;) ?
I guess I'm just too old-fashioned, but IMO a thing's default settings should offer the average user a reasonable amount of protection. "Average user" nowadays, when it comes to computers, basically means "dumb as a box of rocks" and "not technically inclined" and "has no desire nor capability to learn technical things." So I don't understand why Microsoft continues to insist on having defaults for things, that put average users at risk - AutoRun comes to mind. Okay so it makes things easy for total morons, people who probably shouldn't be owning a computer in the first place since all they're going to do is rack up many hours worth of calls to tech-support (no wonder some tech-support people end up with bad attitudes towards users).
I *WANT* Windows 7 to be excellent. It gives us all more choices, even if I don't end up using it. I may opt for a different OS instead anyway (not enough data yet to make a decision), when it comes time to buy a new computer, but I want there to be a good COMPETITION - not some lame already-decided contest between Lame OS #1 and Lame OS #2 and so on. (Frankly, *all* OS's are somewhat irritating; it's just a matter of picking the OS that pisses you off the least.)
When will Microsoft learn? SAFETY FIRST - or at least 2nd or 3rd. We're waiting...
If you don't like you dont have to use, but dont be a hater just because you don't understand it.
Also forgive those of us (who use linux) and understand that BETA testing is a time for bugs to be both raised and fixed.
If MS told you black was white you'd believe them.
@AC troll, i'll look forward to putting malware on your win 7 then!!
UAC is NOT annoying
I have used Vista since December 2006 and have not found it annoying in day-to-day use. When I have to install lots of programs in setting up a new PC with legally obtained software, I shut down UAC but for normal use on my own PC I always leave it on. How often do you have to install a new program? I also find it satisfying that the UAC prompts come on when ActiveX controls manifest themselves for updates and downloads. It is a good moment to check and does not happen too often. I do not understand Microsoft have given in to "professionals" whining about UAC in Vista. You see what comes of it in Windows 7. Perhaps those "professionals" like to slip in the occasional script. I have known those in my own organization.
Perhaps, if we're lucky, MS will also remain unmoved by the concept of continued existence.
Linux guys, by the way, rather than remaining Gates pants sniffing boot lickers, are doing something about the problem. Praise be to them.
Unsafe by design? Nice work.
It seems they've learned nothing whatsoever at Redmond.
On a related note, whenever I see the UAC acronym, all I can think of is Viz' Up the Arse Corner. This amuses me no end.
Target for Tonight
ZoneAlarm does some of the same protection, but doesn't shut down without a prompt. No doubt there have been attacks.
Sooner or later somebody is going to find an actual bug in this, rather than a piece of dumb configuration. And the style of Microsoft's response doesn't inspire confidence.
What they're saying is that UAC can be disabled without the user's knowledge, and silently - therefore is a gaping hole for all sorts of nasty things.
Of course, if you'd read the article in full, you'd have got that bit...
It's not a bug, but a risk. If malware can turn off UAC it current;y doesnt pop up and prompt the user. Therefore the malware can silently disable it.
It's Beta. It's hardly earth shattering news. Beta has flaw. shock horror.
We can moan if it's in the final. UAC is as someone else put it, a bandaid.
Stop putting "everyone" or "domain users" in the local admin groups. Stop running as admin.
As has been mentioned . . .
. . . it's a Beta release, all Beta's have bugs in them that don't get fixed until another release or a final release - even *gasp* Linux beta's have bugs in them.
It's kind of the reason for having a beta release.
I'll wait for Windows 7 SP2 then a few more months for security updates, before I install it. Until then I'll keep plugging away with XP Pro SP3, I've gotten used to it :)
feed the trolls...
Well, at least we know the government has installed broadband under bridges, lmao
The next pile of crap is on it's way then.
"Those who don't understand UNIX are condemned to reinvent it, poorly." – Henry Spencer
Fail agian microsoft...
What do they mean by not a big problem... if i had windows 7 on my machine someone messing with my settings or even controling a big part of my pc 2 me looks like a BIG! problem if u ask me. say if where a banker and do banking at home they could just take thosse important files right off ur pc and you would be none the wiser...
Think again microsoft........FAIL
>>malware might be able to silently shut down UAC<<
It would have to get there fast to shut it down before I did :-)
Anyway it's obviously a bug in the beta - by the time it's in a release you'll need to enter a 36 character key only useable once or phone MS support at $50 a minute
I use (and love in a fashion) MS software but (SQL Server aside) I see mostly performance sapping gimmicks since 2000. The UI 'innovations' in particular stink. They constitute giant leaps backwards for anyone with a cursory knowledge of what files and directories are. Anyone with the genius required to get through M$ licensing post-2000 should be well up to that.
Paris - because
1. she would find Windows 2000 more user friendly than anything they have brought out since
2. I love her in a fashion
Am I missing something?
Why on earth would you want to turn off UAC? What a stupid thing to do. It's there for a reason - just make it unobtrusive enough - OSX and Linux manage it fine.
To the anonymous idiot who claims Apple purchasers have more money than sense? What are yo talking about. Aside from great design, some of us buy them for the OS which is damn good. The second hand value is also infinitely better than a PC.
You Express/Mail readers should give Microsoft a break. It's a BETA VERSION. The purpose of which is to find these problems and make sure that they are corrected/refined before the final release. The license agreement, I imagine would say very clearly that it shouldn't be used as a primary or production OS. Obviously some of you are too thick to understand the beta process. No wonder its been a closed process for developers for many years. I actually feel sorry for Microsoft, I always thought that Windows was like it was because they couldn't design a decent OS, now I know that they have the dimmest user base out there...
@ AC Friday 30th January 2009 22:26 GMT
You were up late weren't you. So Windows 7 is the Bestest Ever is it? It seems odd that you think a service pack is the greatest ever OS in the whole world ever. So I've got more money than sense have I? You arrogant little turd. No Windows install here. I use a Mac (that isn't white by the way, Apple's desktops haven't been for ages) because *I* have found by trying all the options available to me it's the best environment for developing Ruby and HTML, and seeing as that's what *I* do then it helps, and it's the best environment, with the best software options IMHO for my hobby. Oh, and loving a company so much is wrong, get yourself some help sunshine, that's not healthy. I bet you'll call me a fanboy for that too, oh the irony...
@SkippyBing Posted Saturday 31st January 2009 00:18 GMT
Talking to "girls" online were you? I doubt very much you've ever seen a real life woman in her underwear, leave alone naked. YOU POSTED THIS AT MIDNIGHT AND YOU WERE ON A FUCKING IT NEWS WEBSITE!!!
No security hole....
.....as long as you are running as a standard user.
Trying the W7 beta atm. Tried to run the "proof of concept" on a user (i.e. NOT admin) account - does not change the UAC setting.
Get a job
"Apple PCs are bought by people with more money than sense, who actually think that they are being trendy and ‘making a statement’ by buying some overpriced white tat. "
If you pass your exams and get a good job Son, you too can afford some nice expensive kit. In the meantime, I'd ask your parents for more pocket money.
Why so much hate?
Stop the OS wars people! Let everyone use whatever OS suits them best!
I've been using linux for years, and latest versions of distros like Ubuntu, are really easy to use,
I'm now spending less time tweaking system settings than when I was using Windows 98.
I know there are many people who like Windows - and IT'S OK!
Diversity is a beautiful thing!
Yes, you are missing something.
He's saying that at the default security level, a random program can shut down UAC without the user knowing it happened.
- It could also re-enable it after it performed its nefarious deeds, so an end-user would have no idea something happened.
An end-user should be allowed to turn off UAC, but they should get a UAC prompt asking if they are sure and that they did it, rather than it being possible for an evil program to silently kill it.
Not To Worry - Replace With Linux
Win weenies defending dying diseased castle of crap.
Linux heroes are DOING something about the worldwide infestation of broken windows.
Not perfect yet? So shut up and help donkeys.
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- Review Xperia Z3: Crikey, Sony – ANOTHER flagship phondleslab?
- Human spaceships dodge ALIEN BODY skimming Mars
- Downrange Are you a gun owner? Let us in OR ELSE, say Blighty's top cops
- Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know