January's Windows 7 hole still open

A security hole in Windows 7, highlighted by a blogger back in January, is still wide open and Microsoft is showing very little interest in closing it. Of course the software is only in beta right now, but the full release is due in August. An Aussie blogger spotted the problem with User Account Control back in January. John …

COMMENTS

This topic is closed for new posts.

Ahhh...

I always thought the age-old joke about Microsoft "Undocumented Features" was *just* a joke!

Thumb Up

By design

Didn't MS state back in Jan that this was the 'intended behaviour' and that they weren't going to change it?


It isn't the same issue

The issue described in January was a SendKeys vulnerability: that UAC wasn't prompting the user when UAC was disabled.

The current issue is different and relates to privilege escalation due to "pre-trusted" apps like explorer.exe allowing their memory to be altered by other unprivileged processes.

Also, Long didn't write the code, he just reposted it.

Alert

More information...

"But 21-year old Long Zheng created proof of concept code which can remotely switch UAC off without informing the user."

Long Zheng is a very good writer (his blog is far more accurate than some crappy IT websites), but he's not a software developer. The flaw was discovered by Leo Davidson, and he's the one who released the proof of concept code.

Anyway, the good news is that IE users are protected against this flaw if malware tries to exploit an unpatched flaw in Internet Explorer, Flash, or Adobe Reader, since Internet Explorer and its plugins run in low integrity mode (aka Protected Mode).

However, Safari and Firefox users are at risk, since a flaw in their browser or in one of their plugins would allow malware to gain administrative privileges through this UAC flaw.

This UAC flaw resides ONLY in the default UAC setting. Setting UAC to the highest level will make this flaw NON-EXPLOITABLE.

So: Microsoft could fix this flaw using the same UAC setting as Vista, but people don't like to see elevation prompts when they do administrative tasks (they wouldn't like Linux either ^^)... so Microsoft is listening to them and UAC is now useless (except for IE users, who still benefit from Protected Mode).

The flaw itself cannot be fixed because it would stop some programs from working.

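The post above turns on two checks a practitioner would want to make on a Windows 7 box: which UAC slider position the machine is in (the default position, where Windows binaries marked for auto-elevation run elevated without a prompt, versus "Always notify"), and whether Internet Explorer's Protected Mode is on for the Internet zone. The PowerShell below is an added example, not code from the thread and not Leo Davidson's proof of concept. It reads the standard registry values behind those settings; the registry paths and value meanings are the usual Windows ones, and the descriptive labels are this script's own:

```powershell
# Added example: audit the UAC slider position and IE Protected Mode state.
# Assumptions: standard Windows 7 registry locations for the UAC policy
# (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and for the
# per-zone Protected Mode switch (value 2500 under the Internet zone key).
$UacPolicyKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$IeInternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-UacMode {
    param(
        [int]$EnableLua,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLua -ne 1) { return 'UAC off (EnableLUA = 0)' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: administrators elevate without any prompt' }
        2 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Always notify: every elevation prompts on the secure desktop (Vista-style)'
            }
            return 'Prompt for consent on every elevation, but on the normal desktop'
        }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Windows 7 default: Windows binaries marked for auto-elevation do not prompt'
            }
            return 'Windows 7 default, without desktop dimming'
        }
        default {
            return "ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin (credential prompt or policy-set value)"
        }
    }
}

function Get-ProtectedModeState {
    param([int]$ZoneValue2500)
    # Value 2500 in a zone key: 0 = Protected Mode on, 3 = Protected Mode off.
    switch ($ZoneValue2500) {
        0       { return 'IE Protected Mode on for the Internet zone' }
        3       { return 'IE Protected Mode off for the Internet zone' }
        default { return "Unrecognised Protected Mode value $ZoneValue2500" }
    }
}

$uac  = Get-ItemProperty -Path $UacPolicyKey
$zone = Get-ItemProperty -Path $IeInternetZoneKey -ErrorAction SilentlyContinue

Get-UacMode -EnableLua $uac.EnableLUA `
            -ConsentPromptBehaviorAdmin $uac.ConsentPromptBehaviorAdmin `
            -PromptOnSecureDesktop $uac.PromptOnSecureDesktop

if ($null -ne $zone -and $null -ne $zone.'2500') {
    Get-ProtectedModeState -ZoneValue2500 $zone.'2500'
}

# To move the slider to "Always notify" (the position the post above says
# makes the flaw non-exploitable), run these from an elevated prompt:
#   Set-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorAdmin -Value 2
#   Set-ItemProperty -Path $UacPolicyKey -Name PromptOnSecureDesktop -Value 1
```

Reading the policy key needs no elevation; writing it does, which is why the two Set-ItemProperty lines are left as a comment rather than run unconditionally. On Windows 7 the bottom slider position also clears EnableLUA, so the script reports that case before looking at the prompt behaviour at all.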

Reaction

It'll be interesting to see what their reaction is; by design or not, it's still a gaping hole which now has to be plugged, as the code's in the wild.

Black Helicopters

"The flaw itself cannot be fixed because it would stop some programs from working."

Er, Microsoft frequently make OS changes which stop programs working. Why should this flaw not be one of them?

[Black helicopters, no explanation should be needed, all right?]

Gates Halo

but M$ said so

So it must be true. I mean, sure, there is a chance that if you use Firefox or Safari you could be at risk, but nobody actually uses those browsers. Everyone on the planet uses Internet Explorer, so no worries. And certainly no one would set this control to low or off just to avoid being prompted for permission every time you touch your keyboard or click your mouse, would they? Microsoft is never wrong and their systems are rock solid. Just ask them. I will follow them down the garden path of upgrades from XP to Vista to 7 just like they told me I should because, after all, Microsoft knows what is best for me, and you too. Maybe I should look into a volume license, because after all I want to spread the joy to all the people I know. Every day at the appointed time of 4:20 pm I bow down toward Redmond and pray to my god Bill and all he represents. Forgive me for my doubts, my lord Bill, and please smite the evil penguin.

Thumb Up

Anon control to UAC should be denied.

Microsoft calls this allowable?

Whew, let me make up an internet script that will remotely connect to random IP addresses and send the command to turn off UAC all over the internet! YAY, this will be so fun and legal, since Microsoft wants it this way by design.

Microsoft really does love spooks!

Coat

Very Handy!

So now there's a UACC: User Account Control Control.

That will come in handy!

Jobs Halo

Sweet Justice

I guess it's not just Apple that goes on for months without plugging security issues. Sweet justice...

Happy

@ Mike 61

I understand why you bow toward Redmond every day, but why at 4:20 pm? Please explain.

Dead Vulture

Windows 7 Development Stage

Windows 7 _is not_ beta; it is RC1.

http://en.wikipedia.org/wiki/Software_release_life_cycle

Please refer to the diagram on the right.

Flame

@420 pm

http://en.wikipedia.org/wiki/420_(cannabis_culture)

flames because, well...

Stop

It's a fracking beta!

I can throw hate at MS just like everyone else, but give me a break. When I downloaded Windows 7, it came with disclaimers galore. They have no legal or moral responsibility to patch beta software. If you want to run a beta, you should be able to understand the risks.
