
back to article Windows 7 UAC flaw silently elevates malware access

Researchers have uncovered yet another flaw in Microsoft's Windows 7 beta that could allow attackers to gain full administrative privileges by bypassing the operating system's UAC, or user access control. Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can …

COMMENTS

This topic is closed for new posts.

so

"bypassing the operating system's UAC, or user access control"

it simply involves waiting a week until they get so pissed off with it, that they disable it :)


cake ?

should have called it 'pie.exe'. As in: use 'catapult' to apply 'pie' to 'face' ...


@SO

That is so true. All these stories about bypassing UAC and we are all going to turn it off anyway.


Oh dear, it's +setuid time again

Haven't we been through this since Unix has had the setuid flag on executables? "A suid program must be careful not to execute anything with elevated privileges" (or write files really carefully, sanitize arguments and so on). Do we really have to go through it again, until MS learns?

I wish they would hire a couple of Unix guys to help them get a clue. Seriously.

Anonymous Coward

Back to Vista UAC?

It seems that by trying to make UAC prompt less, it is making it a lot less secure. Should Windows 7 revert to Vista's type of UAC by default?

Having said that, users still shouldn't be running those dodgy applications - no safeguards in the system that protects users from themselves should be relied upon.


User friction

They should try it the other way round - make non-admin tasks a hassle under an admin account.

Then people might use a non-privileged account for everyday stuff. (Ok, sysadmins ...!)

But it's hard to change people's mindset - I still come across developers brought up on Windows, when using Linux, logged in to 'root' for their normal work.


Here we go again

So, another version of Windows which is about as secure as the last. Which is as secure as Windows 95.

Microsoft will never ever release an OS which is just secure out of the box.


Cake.dll

It was DLLicious cake, and it had a CPU timeslice.

(Sorry.)

IGMC - it's the one with the copy of Portal in the pocket.

Steven R


Oh dear

Someone found a vulnerability in a beta? Isn't that the whole point?


B-E-T-A! Let me repeat that. B-E-T-A!

Hey, I'm no Windows fan but it does say on the "box" when you download it "Windows 7 BETA"! You are MS guinea pigs, it is for MS to test if it works. This is exactly the sort of thing they want to come out. So if you're stupid enough to rely on a beta O/S to run your production stuff and keep your important info safe, then sorry but you deserve everything you get quite frankly!

Play with it by all means, but please don't think you're getting a free copy of Vista Ultimate SP2 for nothing, it comes at a price.

I am looking forward to the day the beta program closes and all those people who loaded W7 and got used to it won't be able to get to their files unless they punch in a credit card number first! Mwahhahahah! "All your data is belong to us!".


Why not just make the initial user account unprivileged?

In my limited testing, working as a regular unprivileged user is pretty smooth. When I want to do an administrative task, UAC asks me for Administrator password. I don't understand why that can't be the default.


Re: setuid

Or, in other words: It's a piece of piss to do this on a UNIX system as well, once you've got your calling program installed with the correct owner and flags set.

The only thing left to work out is whether that's a harder exercise than getting the trusted, digitally signed calling program onto Win 7........


high??

Off is more likely, I don't see how people can live with it
