Windows 7 UAC flaw-by-design now classified as malware by Microsoft?
However, another UAC flaw has been discovered in Windows 7. In fact, it's been quietly lurking around in the dark corners of the internet since February. What's different about this one is that not only does Microsoft not intend to fix the exploit, they're saying the functionality is by design, because UAC's primary purpose isn't security, or something like that.
I think.
After all, this whole situation would make a little more sense if Microsoft hadn't just marked the popular proof-of-concept for this vulnerability as malware in the beta version of their new Microsoft Security Essentials software, as pictured above. Just to add a little more confusion to the situation, Windows Defender (another Microsoft security tool, which happens to be bundled with Windows 7) doesn't detect the exploit.
The verdict? It looks like the jury is hung on this one.
This vulnerability could be exploited to essentially circumvent UAC on some Windows 7 machines, and that's bad news. We'll keep you up-to-date with any developments on this security flaw.

Reader Comments
Molly said 10:38AM on 8-01-2009
Oh my Gawd! Windows' security is flawed? And the good folks at Microsoft don't care?
We're DOOMED!
And thanks for the heads-up, Adam :)
Jon said 11:18AM on 8-01-2009
"This vulnerability could be exploited to essentially circumvent UAC on some Windows 7 machines"
I had that too... I called it turning off UAC forever
Saint Seminole said 4:20PM on 8-01-2009
Circumventing UAC was the first thing I learned how to do in Vista. I hope it's as easy on Win7. Because UAC is possibly the most damaging piece of software that MS included.
Brandon said 5:02PM on 8-01-2009
UAC is one of the most useful security mitigations that exists today. The "exploit" referred to is often misunderstood, and is not an exploit. It will not let a Low Integrity process elevate to user or admin permissions. That means the very useful security mitigations used by high-risk apps like Internet Explorer and Google Chrome are unaffected.
Disabling UAC is unwise. Windows 7 gives you additional options to control the frequency of UAC prompts. If you want it to work exactly like Vista, turn the slider up to the top. If you don't want the prompts to appear on the secure desktop, turn it down a notch. Turning it off is ill-advised.
maradv said 6:19PM on 8-01-2009
Ill-advised if you're slightly retarded. I've been running Vista since it came out without UAC... it's the most annoying thing about Windows and everyone should learn to get rid of it.
Kevin said 9:21PM on 8-01-2009
I'd advise luddite family members to keep UAC on, but there's no way I'm living with that thing on my personal PC. I have anti-virus/malware, a firewall and I don't click on weird links or download strange attachments.
Ryan Beesley said 1:56AM on 8-02-2009
UAC doesn't really help those who don't understand it... Does anyone really think that someone uneducated about computers is going to understand a dialog box that asks if they want to elevate their permissions?
UAC prompts don't happen often enough that it is really a problem, and it only benefits the more knowledgeable computer users that might actually realize that some super cool game (trojan) shouldn't be asking for administrative rights.
Unfortunately there is a daft group of users that think they know better, and choose to turn UAC off "because it annoys" them. Do yourself, and anyone else who doesn't want your computer turned into a Zombie, leave UAC on and don't use warez unless you've installed them first in a Virtual Machine to make sure they don't have any malware payload.
Rocketboy said 11:45AM on 8-02-2009
"UAC prompts don't happen often enough"
No, the problem with UAC is that the prompts happen too often, when there was DIRECT instruction just a moment before by the user telling the PC to do something. That's why people find it annoying, and in the long run, makes it useless as a security device.
Ryan Beesley said 6:12PM on 8-02-2009
Really you're helping me prove my point. If you have performed some action that you expect to generate that UAC response, then you can easily take the extra mouse click to dismiss it and move on with your life. It is when you don't expect to see a UAC prompt and you are running some potentially rogue app that it would greatly behoove you to have it turned on. If "BritneySpearsNaked.jpg.exe" is prompting you to elevate privileges, then you may want to reconsider it.
UAC isn't any more annoying than having to run certain Linux commands with sudo, unless you are the type of individual that simply logs in as root...
acme said 9:05AM on 8-03-2009
The more you hammer people with popups about "security" the less people care. No one reads the stupid thing after it pops up for the 30th time. Everyone will simply allow whatever the hell it wants to do, thus destroying any level of "security" it provided.
Rocketboy said 11:59AM on 8-03-2009
For every naked.exe program, there are 100 prompts for things that you have no idea why it bothered to ask.
Ryan Beesley said 12:50AM on 8-09-2009
Rocketboy, you sound like an expert on such matters...