Windows 7 security defeated by 8 out of 10 malware applications

Basically, Microsoft went ahead and reacted to the public outcry regarding the Vista security confirmations. I think we can all agree that they were really annoying (and most power-users turn UAC off because of how irritating they are). As a result, there are significantly fewer UAC warnings in a default Windows 7 installation -- hooray! The problem is that the new default setting in Windows 7 leads you to falsely believe that you have a secure installation right out of the box. Sadly, this is not the case.
It's no surprise then that 8 out of 10 malware applications defeated the default Windows 7 UAC setting in tests.
So practice safe surfing (duh!) or go and hoik your UAC settings up to the most secure -- and annoying -- setting. Ars Technica has a great guide on patching up your UAC for new Windows 7 users -- or even an experienced user like myself that falsely believed the default setting to be secure.
[via ZDNet]

Reader Comments (Page 1 of 1)
sRc said 5:28PM on 11-09-2009
the setting change had been off-putting to me ever since Beta. I turn it up to maximum every time
even "safe" surfing is relative, as more often mainstream sites turn up having hacked ads and trying to throw infected PDFs or other such in the ads. UAC really is no different than having to su/sudo in Linux, so people really shouldn't complain
Sebastian Anthony said 5:44PM on 11-09-2009
Yup, indeed -- there has to be some compromise, if people want more security while they use their computer!
I guess most of the world are used to doing things one way, and having some kind of nag-window really goes against the 'Windows' thing.
I wonder how Mac would go about the same thing...
Rob said 12:26AM on 11-10-2009
As OS X is a BSD system, it basically has a graphical sudo prompt. Also, the "behavior" wherein a program could turn off UAC without confirmation has been patched, so the default settings provide a good barrier between running processes in an elevated or nonelevated state.
Matt said 5:46PM on 11-09-2009
The problem with this study is that they do not tell you if the viruses were "drive-by" attacks, or "click on this awesome .exe" attacks, or "visit a corrupted website with a vulnerable browser" attacks.
The first should never happen...
The second... well, "THIS JUST IN! SOFTWARE WRITTEN FOR WINDOWS RUNS ON WINDOWS!!!"
The third has nothing to do with Windows. (NOTE: I said *Windows*... not MS. Using IE is a great way to get infected)
Sebastian Anthony said 5:51PM on 11-09-2009
Wasn't IE8 proven to be pretty damn secure nowadays?
I wouldn't know as I don't use it but...
Rob said 12:23AM on 11-10-2009
This has little to do with UAC; the article just states that UAC can't detect and stop viruses if the user continues onward. That's pretty basic knowledge. Also, the linked Ars article is almost a year old; as it says in the article, the UAC hack has been nullified. Changes to the UAC level now prompt a dialogue UNLESS the user has already disabled UAC, and have since at least the RC.
set said 5:46PM on 11-09-2009
DEP is also set to OptIn by default, instead of the more secure and just about as functional OptOut. Microsoft should have made OptOut the default.
That being said, there is a prompt whenever unsigned downloaded executable code is launched, unrelated to UAC. I bet there were warnings for every one of these trojans, that might have been even more cautiously-worded than the typical UAC prompt. I think this post is needlessly sensational. Windows 7 is decently secure.
Sebastian Anthony said 5:51PM on 11-09-2009
Hey, don't shoot the messenger...!
sitruc said 7:32PM on 11-09-2009
SophosLabs did the test...
80scartoon said 12:44AM on 11-10-2009
Apparently Microsoft Security Essentials is all the average consumer needs (I use different software, personally).
It's free to download, perhaps Microsoft should include it in a future Windows Update for those who haven't heard of MSE until now.
Draaaainage! said 3:43AM on 11-10-2009
They can't include it; any time MS includes some bit of free software as a compulsory update or with the OS itself, everyone and their brother waves their arms about and legal bodies slap heavy fines on MS.
MS needs to encourage people to get virus protection, and mention in passing that they make a free product that is more resource efficient than many pay-for products. Free items are always a big seller.
Randomness said 4:21AM on 11-10-2009
1. They executed the malware directly on the computer! No download required. If a user wants to execute malware on their system, is the OS supposed to know and stop them? No, they should know better not to execute apps they don't know. How is the OS supposed to know they don't want that browser plugin that serves ads? It isn't and can't know.
2. This 'test' was done by an antivirus company.
This 'reporting' left out some pretty key facts.
Sebastian Anthony said 7:51AM on 11-10-2009
I hang my head in shame!
Fernando said 4:16PM on 11-10-2009
I love this argument... "No, they should know better not to execute apps they don't know." So you're telling me that your or anyone's grandmother/uncle/sister/anyone knows the difference between InstallFlashPlayer.exe from Adobe and InstallFlashPlayer.exe from a malware place? Let me answer that for you: nope! The whole "They should know better..." argument is so retarded; how the hell is someone that is clueless about computers, and is just surfing the net, going to know the difference?
Marcel said 5:32AM on 11-10-2009
UAC is very useful for Windows 3.1 because there is no virus scanner or personal firewall available for it.
It's good to know that Microsoft didn't integrate such an ancient feature into Windblows 7 tho. *ironyOFF*
Best Regards,
Marcel
Eric H said 9:06AM on 11-10-2009
Lately I have been installing Microsoft Security Essentials and Web of Trust on most of the computers that I have been cleaning from malware and viruses and that has really been helping things along. Though 99 times out of 100 the problem most people have is when that 30 day subscription to Norton/McAfee expires and they don't realize/know enough to get some type of virus protection at that point.
NotRocketboy said 10:38AM on 11-10-2009
If only there was a way to give a program full permission at all times, I could crank my UAC up to high.
It's still better than Vista though.
Scrayn said 1:30PM on 11-10-2009
Microsoft's Paul Cooke has issued a good rebuttal:
http://windowsteamblog.com/blogs/windowssecurity/archive/2009/11/06/windows-7-vulnerability-claims.aspx
The simple fact that no AV software was installed at all for this "test" debunks the findings completely.