Out-of-the-box Windows 7 machines are still vulnerable to eight out of ten viruses, according to a test by security firm Sophos. The experiment proves that the improved User Account Control (UAC) features built into Windows 7 are not enough and that additional anti-virus protection is still required. In fairness to Redmond, …
lol - UAC in name only
... because if the system was built to respect different user levels to run more privileged commands then it should stop more than just 1 virus.
So UAC like WGA is just nag ware then?
Before you flame me, remember the next version of Ubuntu just came out to rapturous disappointment.
Hope I'm not the first to say
This is so much BS I can't believe el reg reproduced it without critique. The assumptions, methodology, and conclusions are mind-numbingly wrong.
I have UAC turned on on my Windows Vista PC and I do not experience the 'constant pop-ups' that The Register and other people attribute to Windows Vista.
I have only once experienced a program that caused some UAC popups during normal use and that was a program that didn't follow the guidelines for file placement etc and was designed and written long before Windows Vista was introduced.
All other software I use only cause a UAC popup on installation, update or deinstall, just like they should.
time, gentlemen, time!
how long did it take to get ten viruses?
Let Me Stop You Right There,,,
"Get a Mac", blah, blah. This should take care of hundreds of comments. Point is once Mac starts supporting 95% of the world's market with all of the interoperability issues (hardware/software) and can still say what they usually say, then I will listen; until then, grab a pint and p**s off with you.
Trojan != Virus
How many times does this need repeating ?
Autorun ? Isn't that disabled by default in 'Naked Win 7' ?
This is a bit daft really, you might be the cleanest person in the world but without a condom you are likely to catch an STI... You might pop along to the sex clinic and get some johnies for free, in fact Microsoft do much the same thing with Security Essentials. I'm guessing they can't include this with Windows because the European bonks would cry about anti-competition!
Apparently not. The real lessons are that you need to stop running as admin and you need to stop running attachments.
If the assertion is that these viruses launch themselves, without the end-user's consent, in an ordinary user account and still manage to end up with full privileges, then I'm all ears. I suspect, however, that this is more a case of "admin runs attachment, system owned, film at 11". (Reminds me of something else I read here today. Oh I remember, it was that Linus quote about the surprise discovery that running arbitrary code as root is a bad idea.)
Anyway, MS apparently just don't get it. They've spent the last ten years trying to hide the "administrator" account but consistently made the ordinary user account a member of the administrators group. Er, hullo? Does *anyone* in Redmond still understand the NT security model?
UAC would be less annoying if it worked properly.
I spent a tedious hour setting up a new Win7 Laptop and was frustrated by the need to select the UAC dialogue while trying to install Flash and another couple of applications (whose names I don't recall) -- it was lucky that I decided to Alt-Tab or I would have had no idea why the installers failed since the UAC dialogue, and its darkening effect, were hidden behind Internet Explorer.
I know it's a minor thing, but you would have thought that after all these years Microsoft programmers would be able to write system modal dialogue boxes which are on top.
UAC is not strictly about security
The idea of UAC is to make software houses write software that can be run as an ordinary user with the end game being users will be able to run their software logged on as a 'restricted user'. This will of course eventually bring about a default secure system.
So go ahead and disable UAC
as 90% of the time it doesn't work anyway.
Besides, the sad fact is people likely to get malware will click "yes" to anything and everything they see without reading it.
Maybe they should replace the "yes" button with a second "no" button?
Then users will 'choose' the right option but applications can still bypass it because it doesn't work. It's win win!
Autorun: nope, alive and well - you have to disable it :( And the default is to run a prompt to ask what you should do with the CD/DVD. Oh yeah, and you still have to turn off "hide extensions of known file types".
@Avalanche: with Vista I would get on average 3 or 4 UAC prompts a day just from using it. BUT I was doing dev work and needed to be able to edit the hosts file and various other config files and run services etc. I dare say for normal email and letter writing / web browsing you wouldn't see any prompts at all, other than those you already mentioned.
Finally: were the tests conducted using a "limited user" account or an "Administrator" account? I would be interested to know what the results would be in that instance and if that makes any difference at all (likely not).
Some AV firm says windows 7 needs AV..........
Thanks for that.
If you really expect an OS, any OS to be safe from viruses and/or malware you really are living with your heads in the cloud...and the cloud is a very stupid place to be.
Look, let's all just grow up a bit. The simple fact is that there are a bunch of a*seholes out there who want to take your private data and financial information (called Google - ahhhh, fight! fight! fight!), and the ability to spread the software that does these very things. There will always be more ways to make it happen being spread, and there will always be methods to combat it.
(And yes, I don't need any pedantry surrounding the term 'always')
The sooner we just get visual confirmation of people spending the better. I mean, we live in the most camera'd country in the world...why not put cameras to some real use and only purchases to be sent along with an on-the-spot-taken image?
A contender for...
..."least surprising headline of the week/month/year/decade"
Can of worms
Fair enough, this is just a "Hey, you'll still have to buy OUR product!!!" announcement - and a bit of what would appear to be free advertising to boot.
The pity is that we now have a situation whereby should Microsoft actually implement effective malware controls (for prevention as well as cure) in the next Windows release, several companies will go scurrying to the EU to complain and demand some sort of system to allow their own product instead. Throw costs into that, and it's just made it almost pointless for MS to bother securing Windows - to the detriment of us all, no matter what the OS.
...the outcry from the freeloaders (like the Opera saga) if they included an anti-virus
I'll go further than that, I'll get off at the depot. Why not get a mainframe? After all, do you hear about home users having trouble with a virus on their mainframe? And with 70% of the lines of code in the world written in COBOL, it's obviously got more software than anything and the de facto standard for software.
Seriously, though, with OS X being built upon BSD, the security model is going to be inherently better at a base level than the Win.* model, which is based on slapping things together. I know that any computer system that is connected to a network is going to have risks and issues. However, there is such a thing as degree of difficulty. It is true that the WinNT core/kernel/etc is based on the work of Dave Cutler, who was a key player in the development of VMS. However, per the culture of MS, a lot of slapdash work has been done along the way and, in the name of backwards compatibility, has been fixed in the nature of spit-and-bailing-wire.
OS X may have its issues (I own Macs and I admit that they aren't perfect), but good gravy, the comparisons speak for themselves. If the big money places (banks, corporations, governments) use a lot of *nix and mainframe servers, wouldn't that be the best target for the black hats? Recall the John Dillinger line, when someone asked him why he robbed banks: "Because that's where the money is." Okay, so why aren't Linux, Solaris, Oracle, DB/2, etc, breached far less often than Windows? Perhaps there is something inherently less secure in Windows ...
So my question is...
What AV software would people put on their machines? I used to use AVG on my home PC until it started to become intolerable bloatware. Now I use Avast and it seems to work quite well. Does anyone else have any recommendations?
I think you'll find that the MS programmers very specifically designed it so that they didn't pop up on top of everything else. It's less intrusive that way, and much less likely that you'll accidentally click the wrong thing. Imagine if you will that you're typing away in a Word document and a UAC prompt pops up from something running in the background just as you come to the end of a paragraph and press Enter. You've just given permission to something to do what it wants. What was it? No way to tell now.
MS listened to many many users who complained that the UAC prompts were coming up system modal and interrupting their work flow. So they stopped them being system modal and allow you to carry on with whatever your foreground task was until you decide that you're ready to deal with that background UAC prompt.
Much better that way.
UAC - good idea, implemented far too late.
If UAC had existed from Win 95 onwards, then I suspect we wouldn't be seeing most of the problems associated with it.
After all, UNIX/Linux was built from the ground up to request elevated permissions when doing potentially risky stuff (e.g. Mandriva Control Center, writing to any folder other than /home/username) application developers made darn sure their apps only wrote user data to 'safe' folders.
Windoze didn't have anything like that, so app devs were free to write user data wherever on the system they darn well wanted to ( C:\Windows used to be a favourite, then the app folder within Prog Files). So trying to shoehorn a set of security protocols onto a system that wasn't designed to have any was bound to cause problems - as oodles of applications tried to write data to 'unsafe' locations and prompted the UAC prompt.
Oh, then there was the problem of graphics drivers. Unless you had exactly the right version of graphics driver (not necessarily the latest), switching to the "Secure Desktop" would take painful seconds to do so. And between taking a snapshot of your desktop, storing it somewhere in the recesses of your computer's memory, and drawing the image onto your screen, you'd be presented with err...nothing. Literally.
And with this research, once you fall off the end of the 30 day AV trial most PC manufacturers bundle with Windoze, if you haven't already upgraded to a full AV package, you're b*gg*r*d if you venture onto the 'net...
So user bitching results in less protection
That's why I slide the UAC setting back up to its Vista-level equivalent. And install MSE. So far MSE actually caught (and cleaned) a browser modifier trojan that Bitdefender missed. This was on Vista though.
Home users with Win 7? Definitely use MSE, and return that UAC slider to the highest setting! It's simple:
1. On the Control Panel click "Review Computer Status".
2. Click "Change User Account Control Settings" (second choice on left pane)
3. Give an administrator password
4. Slide the UAC slider all the way to the top.
5. Click OK. You may be prompted for the admin password again.
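The slider position set by the steps above can be confirmed from the registry. This is an added example, not part of the original comment; it assumes the standard UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) under `HKLM` and the usual mapping of those values to the four Windows 7 slider positions. The function names are hypothetical.

```powershell
# Added example: report which UAC slider position a Windows 7 machine is on.
# Written to run on PowerShell 2.0, which ships with Windows 7.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Map the three policy values to a slider position (mapping is an assumption
# based on the documented behaviour of the Windows 7 UAC control panel).
function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    if ($EnableLUA -eq 0) { return 'Never notify (UAC disabled)' }
    switch ($ConsentPromptBehaviorAdmin) {
        2 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Always notify' }
            return 'Always notify, no secure desktop (set by policy, not the slider)'
        }
        5 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Default: notify only when programs make changes' }
            return 'Notify only when programs make changes (do not dim desktop)'
        }
        0 { return 'Never notify (elevates without prompting)' }
        default { return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)" }
    }
}

# Read the live values and say whether the machine is at the top position
# that the comment above recommends.
function Test-UacSlider {
    $p = Get-ItemProperty -Path $UacKey
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $p.$name) {
            throw "UAC policy value '$name' is not set under $UacKey"
        }
    }
    $level = Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop

    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        SliderLevel                = $level
        AtTopSetting               = ($level -eq 'Always notify')
    }
}

Test-UacSlider | Format-List
```

The script only reads the policy key, so it runs from a non-elevated prompt.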
"The most secure version of Windows yet."
Need anyone say more ??
Running 'as an administrator' in Vista/Windows 7 ought to be less of an issue because of UAC.
The privileges are (or should be) disabled until required. When something tries to use those privileges that's when the screen darkens and the OS asks if you want to be elevated. If you select 'No' then you don't get elevated and the operation fails. If you aren't running as an administrator the prompt invites you to specify credentials for a different account.
It's basically just an automated version of the 'su' command with the advantage that it automatically rescinds the privileges when the process ends.
It all sounds perfectly reasonable and in my experience it works well. You don't get prompted very much in normal use and selecting 'No' always seemed to terminate the operation. The only time the prompting is a pain is if you are dicking around in system folders. Then again that's when it's doing its job.
UAC was designed to encourage users and developers to move toward a more secure environment. That ought to offer some protection against malware but it still relies on the user. It's the difference between having a condom in your bathroom cabinet and actually stopping to put it on :)
UAC? Viruses? Huh?
*sigh* UAC has nothing to do with preventing viruses. It's not designed to stop them working. As a "security researcher" you'd think Chester Wisniewski would know this. Perhaps he needs a lesson in basic research.
In other news
Rumors of the Pope's conversion to Buddhism prove unfounded.
The only mention of Mac in this entire page up to now is your post.
Back on topic - Windows get viruses. Hardly shocking news.
Sophos seem to be pushing for
An antivirus ballot page just like the web browser ballot page. Either that or they want Microsoft to release an OS so secure that it puts them out of business and breaks backwards compatibility.
Did the UAC prompt up and the tester click on OK? If it wasn't invoked then did the malware actually do anything other than run and, if so, did it infect more than the local user account? Do any of these pieces of malware use remote exploits, or are they all run by the user themselves?
Every single operating system in the world is vulnerable to executable code that the user explicitly runs (and elevates) themselves.
Plus, 10 cherry-picked pieces of malware is hardly a representative sample size. And the headline is incredibly misleading.
Then again, Sophos is trying to sell a product. Makes you wonder whether the AV vendors are any different to the scareware vendors.
8 of 10 viruses?
Maybe I've lost count of how many viruses target the OS, but I thought that the VAST majority of viruses target specific applications like Office. I have no doubt that there's a large number that still apply, but not 80% applying to a fresh OS install.
This really smacks of searching for a stat to justify a POV rather than developing a POV based on overwhelming statistical data.
What AV software ?
I've been impressed by MSE. You'll need more than 512MB of RAM on XP, or else your system gets a bit bogged down. Apart from that, it's the least conspicuous AV package I've ever used under Windows.
"It's basically just an automated version of the 'su' command with the advantage that it automatically rescinds the privileges when the process ends"
So like sudo then ...
"If the big money places (banks, corporations, governments) use a lot of *nix and mainframe servers, wouldn't that be the best target for the black hats...so why aren't Linux, Solaris, Oracle, DB/2, etc, breached far less often than Windows? Perhaps there is something inherently less secure in Windows ..."
Or perhaps soft targets are easier than banks and companies with teams of guys to do battle with the black hats. Path of least resistance. As for Dillinger's quote, if you rip off ten thousand cretins' credit cards that's where the money is...I'd like to see the bank that stores their account details on USB sticks and leaves them on trains.
System modal does not have to mean "default==yes". Whether you take the Gnome-style approach of asking for a password, or an easier tick-box or default to "ask me again until I decide" the UAC window means that something very important is about to happen to your PC and you have to know about it.
In what situation would you be working on an innocent document and UAC had to pop up?
that's like saying.... Yep poopie still gets on toilet paper!
Ah yes :)
Yup, I'd forgotten about sudo, it's been a while. I wouldn't wish to claim that Microsoft had invented anything here, just making the point that 'running as an administrator' is not the stupid idea that it used to be. It's debatable just how much more safe it is but UAC is a huge improvement over running as a limited user under XP :)
UAC in Vista was never an end in and of itself, it was a means to an end.
The point of UAC was to start disciplining software developers to write code properly. Which they now have to do to use the Windows 7 platform.
This is a GOOD thing, and only the completely ignorant and arrogant could suggest otherwise.
Two Trojans down.
"Two Trojans - a variant of Bredo and a banking trojan - failed to work on Win 7 machines."
Meaning APIs have changed and that many other things will turn out to be broken. Probably the Trojan's code is fixed already.
@Paul Charters re virus-free OS
'i' running on IBM system i. Oh, and all its predecessors too - right back to OS/400 running on the AS/400.
There, fixed that for you.
Wassup with you?
Can't afford a Mac so you go all anti?
Stick with Windows and use the money for AV software. Much better choice.
You poor Windows zealots. You poor poor people.
Get a grip get a life get a Mac.
Windows in "still a bag of old shit" shocker.
I DEFINITELY didn't see that coming.
Rock and a Hard Place
Microsoft can't win here. MSE, which is very low end and does a more or less decent job, should be included with the OS, but if they did the Antitrust lawyers would be rubbing their hands.
Hang on... It is designed to do WHAT?
"UAC debuted in Windows Vista as a technology designed to prompt users for permission before allowing applications to run."
No. That makes absolutely no sense.
It was designed to prompt users for permissions before letting applications run as root/admin/thebigkahuna. Normal usermode apps will still execute normally without prompting, just like God intended. Only elevation will trigger the prompt.
So... What exactly did the researcher do? See if a bunch of infected apps would run? Duh... Of course they would! The interesting bit is: Did the virus manage to infect something that an admin could be tricked into launching later? Did it corrupt the system itself? Or did it simply just jerk around with the user's own files? (the latter solved by simply creating a new fresh user profile for the victim)
Err, banks do use Windows, as well as unix, linux, OS400, ZOS, Tandem, VMS etc, etc. You name it, banks run it. Typically in major financial companies all desktops are Windows (some flavour of NT) and there is a ratio of about 3 to 1 Windows to UNIX servers. You'll usually find a few AS400s, a couple of Tandems (usually for payment processing) and one or more Z Servers. There is also various legacy crap hanging around too.
In answer to your question, banks are targeted, but not that often because banks employ people who know how computers work. You'll never see a UAC pop up in a bank, because joe user isn't allowed to do anything that would pop it up in the first place. Far easier to target someone who isn't going to understand what is happening and if you're going to target a company, best not to target one that has a direct line to the fraud unit of the Met.
Competition is an excuse for security?
'I'm guessing they can't include this with Windows because the European bonks would cry about anti-competition!'
I'm guessing they couldn't code a secure OS if they tried...
Damned if you do ....
To the guy who is saying mainframes, corporates have the most market share so why don't they get hacked (win vs linux etc) .. These are corporate environments that are secured with multiple firewalls, intrusion detection systems, security at all levels and IT professionals who design and operate it all. Hardly a comparison to your average home user. Sure they're not 100% secure but a damn sight more than my granny's router.
Take it back to the desktop and the majority of market share is windows. If the majority was OSX or Linux there would be an equal number of viruses, of that I have no doubt. If you believe otherwise you are deluded. In fact, I would say it would be easier with Linux as the source code is staring you in the face.
I've used all the main OS's and my experience leads me to believe a few rules:
1. People who want to get things done quickly - go with windows.
2. Gamers can only realistically go with windows.
3. People who want to invest the least time in learning computers go with Macs.
4. People who want to invest the most time learning computers go with Linux.
They all have their ups and downs, some are good for certain situations, some are not.
What I would say is that the global recession has certainly boosted the case of open source. The new Ubuntu release has damaged their reputation. Jackalope was spot on :(
UAC Security Theatre 3000
Just like the US's tragicomic TSA, UAC is brought to you by incompetent sadists enjoying your pain.
Get a grip get a life get a Mac.
Can you honestly tell someone to get a life with that quote?
There is so much wrong and misguided about your comment it's unreal. Seriously.
I suggest you visit other sites than technology from now on. It's just not your thing.
Poor old chap.
Thanks for trying though!
"If the majority was OSX or Linux there would be an equal number of viruses, of that I have no doubt. If you believe otherwise you are deluded"
No, it's you who are deluded. Tell us why BeOS and OS9, both of which had significantly less market share than OS X, had plenty of viruses. Or why there has been a virus in the wild for Linux powered iPods which number only in the thousands, yet there are still no viruses in the wild for OS X which number in the tens of millions. Also, please explain why, when somewhere near half of all web servers run Linux, we haven't seen the vast number of viruses and worms that have plagued Windows servers.
If everyone who drove a cheap Hyundai switched to driving a Volvo instead would there be more or less road deaths?