Neowin.net

After many years of testing, one thing I've noticed is that Microsoft will only change/fix what they want to change/fix. The views and opinions of the testers rarely count for anything. Sometimes I wonder why I even bother... having said that, a couple of my bugs have been passed on to teams this time around, so hopefully it'll be better this time but I'm not holding out much hope.

The fix is out:

http://www.istartedsomething.com/20090130/...s-7-beta-proof/

The UAC dialog has a "high" security setting. I'm no expert, but I'm not terribly surprised that it's more secure than a lower setting...

Last edited by Brandon Live on 30 Jan 2009 - 17:28

That's not the issue; the issue is with UAC being unable to protect itself when a less paranoid security level is used.

Everybody says Windows should offer more options, so now it does. You can have the option to have UAC be a major hurdle for medium -> high IL elevations if that's what you want.

The thing is, malware running even with standard user privileges is plenty bad. It can still add itself to run at start-up (for that user), and can still read / write / delete data in any locations that user can access.

So the most important boundary is the Low IL -> Medium IL one, used by IE in Protected Mode and some other processes, which is still protected just as much as in Vista (or moreso) in this default state.

Last edited by Brandon Live on 31 Jan 2009 - 21:02

Using vbscript...

When you let a program run that would act just like a user, that is already beyond the protective scope of UAC.

That's precisely what UAC is there for, to limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. There is no authorization using this method so the bad guys can totally disable the protection and then execute much worse commands on the system without UAC protecting it.

You can run keyboard commands WITHOUT UAC authorization.

^ lol, yes, and there's your problem

UAC is there to stop users owning their computer from running trojans. So the "machine already compromised" argument don't apply here; it's not there to protect from remote exploits, it's there to protect users from themselves.

@Jugalator: I'm not sure what you mean. The point is, a user could download an app that said "FreeOffice.exe", execute it, and it'd shut off UAC without any prompts. That shouldn't be able to happen.

I agree with you long, I didn't write that reply in sarcasm to you.

The second paragraph was in general about the topic and billyea, sorry if I was unclear.

Totally agree, users are used to UAC now, just bring the full UAC over from Vista and users can then choose to place it into silent mode if they want.

Because of those "experts" crying wolf over UAC.

The best suggested workaround as posted is to force a Secure Desktop UAC dialog whenever the security level is being changed. Or better yet, if they have the ability to temporarily modify the UAC prompt level for a particular task (in this case, switching UAC levels) make the user enter their password for that dialog only.

Yes, obviously prompting at changing the UAC level should pop up a dialog. That's the odd part here -- that that suggestion is written of by Microsoft as "wont fix, by design".

That doesn't matter. UAC /has/ prompts telling you when system settings are being changed. But that prompt /doesn'/t appear with this code so unless that behavior is changed it doesn't matter what you want to do to test if a user is doing it, it won't appear anyway.

+1

That would be a mistake if you value performance.
I am running 7 on a testbed PIII with only 512MB of RAM and it works way better than Vista with 2 or 3X that.

Most Vista users are using semi-modern hardware.

As much as I love Win7, I could deal with sticking with Vista on both of my computers (E4500 and 2GB RAM, and a Q6600 8GB RAM). Is 7 faster? Yes. But Vista is already extremely fast.

Shouldn't happen on Vista, provided you didn't mess around with UAC's settings.

On 7 you can up the slider to its max level and it'll be just as noisy as Vista. But of course, secure at the same time.

So that means reducing slider level down means you are prone to attacks? why all this FUD. I had thought about this when they had shown this in 6801 build for first time

Yup. I don't know why it doesn't anyway. Changes of UAC should automatically run in the highest UAC level regardless of what the user has UAC set to.

Yes, that's the obvious fix to this problem, but MS is rejecting changing the behavior. :p

It's a major problem as long as that security setting is chosen. It shouldn't be there if it just provides a false sense of security. It is of no use.

Hey, they don't call this "Unprofessional Journalism" for nothing. More sensationalism, less straight-forwardness.

Cork yourself!

I need to find some of this malware so I can send it around to everyone that's ever been irratated by this. People would probably ask for it, if they knew of it and didn't know how to disable that irratating piece of crap! It does NOTHING for security. UAC is EXACTLY the reason I've wiped at least a 100 computers clean of Vista and restored back to XP.

How's that for corking myself? LOL

UAC in Vista was good. It worked like it should.
But because of dumbass ikspertz like you, Cork, MS cripped its default mode in Windows 7.

It's funny, you're so monumentally thick that you forgot that Vista is not affected by this.

Hit the nail on the head there.

I suppose you run as root on your *nix machines, too, huh?

LOL! What *nix machines?

sudo rm -rf /home/cork1958

Oops... He has been erased from Neowin...

Oh? He's using OS X?

sudo rm -rf /Users/cork1958

Problem solved.

Couldn't say it any better.

With XP, I used to run as Limited User, and it was a pain to run all sorts of "Run As" CMD files. But with Windows Vista, I am able to skip my batch files and go straight to putting Administrator password thanks to UAC.

Exactly. Vista UAC is very secure even if annoying. And it's a fair price to pay.

Has anyone tried using ZoneAlarm? Between ZoneAlarm and Vista UAC, I'd rather use Vista UAC!

Except that in this case windows is supposed to notify you when a program changes system settings, but it isn't doing so.

Because a program isn't directly modifying settings. A program is indirectly modifying settings.

This vulnerability was known about back in the Vista days, and it's one of the reasons why Secure Desktop exists (so that an application emulating a keyboard can't confirm a UAC dialog).

Some people don't like to admit it, but Microsoft does listen to user feedback, and they listened to user feedback on this. Unfortunately.

Translation: "I care for Windows, I really do, I'm so bitter."

Well I don't really care for it. It's a third-rate product. But it's still important for MS to stay in business. And Windows 7 needs to be a decent product, at least in relation to previous versions. MS can't afford another Vista nightmare.

Funny how the niche computer fanboy is calling the world's leading operating system (in EVERY category, by 20:1) a third-rate product...ahem.

I told you many times. It WAS the same as in Linux/MacOSX. Even better sometimes.
If you want to try to sound credible then provide some differences at least.

It's "leading" because of licensing. LOL, do you honestly think ubiquity has anything to do with quality or reliability or positive user experience?

How the hell else could a niche company be moving the entire industry forward in terms of OS design and implementation, while grabbing chunks of the premium end of the market, while maintaining the kind of margins they do, afford to price themselves out of the bulk of the market (deliberately), and still walk away with the more than the lion's share of the proceeds?? And keep doing this year after year - and even (hopefully more than just this past quarter) in a lousy economy?

This niche computer company has been setting the bar in every single area for years now. Everything is compared to Apple products. The first thing people do is do an OS X comparison, or an iPhone/iPod comparison. "OS X-like" and 'Apple-like" are not just random phrases you happen to see a lot of. They're coveted titles. Synonymous with how competitors want their products to be. If imitation is flattery, Apple must be blushing about six shades of red.

That didn't just happen because the seas parted or because the sun and moon were aligned a certain way, LOL.

Last edited by LTD on 30 Jan 2009 - 14:36

Well, that's a good laugh right there LTD. Sure I'll give you the iPhone from the simple idea of first to market with touch, but that's about it. That's the only industry they've really moved forward in that more people are looking at smartphones now, but hell, that's still mostly in the US.

Around here in Europe I don't see loads of iPhones or iPods being used.

As far as OS's go, I guess you've totally forgotten the shear mess and nightmare all those past MacOSs used to be eh? Made Win98 look like the best thing ever.

And OSX, yeah, because Apple couldn't come up with it's own good underlying code, might as well borrow it from Darwin eh? Sure helps your security overnight when you grab some unix code, but hardly innovative seeing how old that is.

And how great was OSX at first anyways? I sure don't remember it being that hot, and seeing even the Apple faithful moaning about it was something. But heck, only took how many updates later before it started working close to how it should have been? 3?

Sure it's nice business wise to be able to charge more for something when you have fanboys such as yourself willing to pay the "apple tax" for it.

I still think the OSX UI is silly, the Dock is a joke, and about the only real think users point out are expose and spaces, yay. You wouldn't need expose in the first place if you could manage and find your windows quick and easy from the get go. And as for spaces, wow, virtual desktops, any *nix user has had that years before you even new about OSX.

I remember uses them back in 96. Hardly new.

And what sites do you visit for reviews? I don't hear "OSX like" or "apple like" when I'm checking out hardware or software reviews all the time. Everyone compares Win7 to older Windows versions or Linux from what i've seen. The only people who keep bringing up OSX are the Apple fans who like to point out the new Win7 taskbar, like pinning is anything new to Windows either.

+1

You can stop laughing now.

http://edge-op.org/iowa/www.iowaconsumerca...000/PX07278.pdf

Some quotes from M$:

"The bits we deliver in Sept 05 PDC must be compelling, even in beta form. UI must be hot. We will be directly compared
against tiger."

"In many ways Jobs took our WinFS and Avalon pitch word for word and delivered it. The
difference was he had more stable bits than we did."

"He says he is blown away by the WinFS clone functionality - it’s already working"

"Any idea how I can get my hands on the developer bits apple released at their conference
this week?"


They really look up to Apple

abcdef - Apple has nothing remotely like WinFS, nor do they have anything like the functionality which was to be built on top of WinFS in early Longhorn builds.

Quoting an ignorant person's ignorant statement isn't a good way to make a point, unless your point is that some people are ignorant.

LTD -

Windows NT (including 2000/XP) has always had generally the same security model as Linux and the Mac. You can run as a standard user, and then you will have to enter admin credentials when performing an admin task.

You don't really think that running as an admin (which I believe is still the Mac OS default) is better on a Mac than on Windows, do you?

It's Mr. abcdefg to you


So Jim Allchin and Vic Gundotra are/were ignorant?
Is it that once you left M$ and jump to Google you become ignorant?

One more quote:
"I don’t believe we will have search this fast. We will have a developer message which
they don’t and won’t. But, they qot the 80% and they will receive wide credit for this." - Jim Allchin

Does it hurt?

It always hurts when the leaner and meaner competition does it about 100 times better than you can, and then keeps publicizing it.

And not just Allchin and others from the past, but current MS insiders know this. If any one of them had the opportunity to take a lateral position at Apple, they'd jump ship faster than you can say Live Live Search. Or is it the new Live Windows Live Search? Or the New Windows Live MSN Hotmail? Or Mesh something . . .

Well this niche company started quite a few trends. Apple pioneered the use of USB and Firewire, and the computer industry followed soon after. One could also say that a lot of PC manufacturers are borrowing design cues from Apple, like the slot-loaded drive that's become oh-so popular among laptops these days. Everybody's making all-in-ones now, but who was the first to make an all-in-one computer? Apple.
Windows is a third-rate product. Just because most of the world uses it doesn't mean it's better. For example, IE still has a majority, but it's clearly a dirty piece of rubbish.

No... that was before the reset. My team (WDS) are the reason that Vista ended up with faster search (post-reset).

IE has it's problems, but IE8RC1 is working great here, so "piece of rubbish" I don't think so. Hell, let me toss that back at you, I think Safari is a piece of rubbish.

And Pioneered the use of USB and Firewire? Maybe firewire but I don't see that many Firewire devices being used or sold, not with USB2. And USB3 will soon make it pointless.

When did Apple start using USB anyways? Got a date for that? Cuz I still have my old Win95b CD with USB support from 96.

Sorry LTD, but I work in ALL of the leading entertainment and technology fields, and except for Pixar (which is owned by Jobs so they have no choice), there isn't a major player in the WORLD that uses anything but PCs. Macs are used by freelancers who don't know enough about technology to support their own systems (which makes sense) and the few companies that used to have a few for the occasional creative person because the software didn't exist on the PC yet. But that was YEARS ago. Even Adobe develops for Windows first and foremost now.

The laptops are also popular in Hollywood because Apple gives them away for free marketing/product placement and there are a lot of people around here who don't mind spending more money than they need to for something sexy, like the MacBook Pro.

You bought into niche/bandwagon marketing and paid too much for your gear and programs for what amounts to PC parts with limited functionality.

PS the iPhone does rule in design and OS/interface, but not in features. Though they are getting better.

A) you'd argue the exact opposite point if OS X had 95% market share and Windows was a popcorn fart in the big picture...

B) your ignorance is PROFOUND if you think the world runs on Windows because of "licensing". Windows runs the applications people USE in business, entertainment (professional and recreational), games, etc. etc. and the hardware people OWN.

Don't get me wrong, I think OS X is a very capable OS. But the world's most powerful and successful companies, as well as the VAST majority of professional content CREATORS (despite your Mac spin to the contrary), do their work and create the digital content of the world on PCs running Windows in one flavor or another.

And those people, like me, can afford to buy whatever hardware and software we want for our homes and our companies, no compromise, period.

"Licensing" NEVER enters into the equation.

And when somebody does give us a MacBook Pro as a gift*, we install Vista on it.

* Because if we want top of the line features and design, we buy a far better Sony for far less money.

In 32 years the best the niche company could do is 8% of the desktop market, a half-baked phone (technically) and a music player.

Windows powers 90% of the desktops in the world, as well as ATM's, mobile phones, power stations, game consoles, navy warships and PDA's.

Moving the entire industry forward? Please - maybe design agencies, students and upper working-class yuppies think they are "moving forwards" but I think you'll find that's about it.

In my eyes Apple is still pretty niche when after 32 years of head on work to topple Microsoft has resulted in a phone, a music player and 8% market share. (for desktops - let's not even go along the server route!)


Best you can say for Apple is nice GUI. Seriously though, that's it. Form over function is the stigma most people that work in IT professionally assign to all of Apple's products.

Exactly what i was thinking! Why can't they just make it so you ALWAYS are served a secure UAC prompt when you're changing the actual UAC settings?

Makes sense to me.

Anyone with a high level of technical knowledge knows to leave it ON, and not to encourage the indiscriminate downloading masses to disable it.

Exactly yakumo. Seriously nunja et all, stop peeing in the pool. Its adult swim here.

Precisely. Those who know what's going on leave it enabled. They know that it'll probably save them at some point.

Those who think they know what's going on disable UAC, because they heard about it on $publication (ex. zdnet).

Wrong! Disabling UAC turned me into a SUPER1337PROFESSIONALPOWERUSER!!!!

Of course, I should start doing what you kiddies do - whining and insulting each other. I was making a living in IT before most of you were born.

Too damn bad Darwin's law has been invalidated by the self-sustaining infinite support mechanisms in place in society today.

We could do with a good bit of culling.

Your an idiot. you are less secure with UAC Off.

It's actually not a big issue with corporations. User privledges are defined server side, and disabling UAC wouldn't enable malware to run at anything higher than it could with UAC enabled.

That's what I was going to say. Everyone cried about the occasional UAC prompts and the secure desktop in Vista, and now look...

It had better not be. We're living in a different world now. The tech landscape looks quite different form a few years ago. MS can no longer take its position for granted.

Nothing is secure...if you want something that is totally secure, then dont use a computer.

Microsoft should just turn that right around on it's users though, if they want a secure Windows then put up with UAC as it was in Vista, I have UAC on all the time in Vista (never once has it popped up while doing file operations outside of the System directories, unless I don't have permission to the file (if it was created with Windows XP, or another user).) and the kicker on Vista I do use the Limited user for my account. UAC is a joke in Windows 7, makes me feel like I'm on *nix running as root all the time, which as anyone with a single braincell would tell you is not a smart thing to do..

techback we're not talking about it being 100% secure, we're talking about Windows 7's security being on the same level as Windows 2000/XP and not that of Windows Vista's. There should only be 1 level to UAC and thats the level it's at on Vista.

As many have said there is a simple fix for this, MS can just make it so you get a prompt if the UAC settings are changed.

I agree that the way it is in Vista is fine, that's how it's been in unix/linux since the start.

hit start, type uac, you get uac settings, put it up one notch and it becomes the same as Vista.

This article is entirely about a vulnerability that only exists when it's on the default level for an Administrator account.

And I do know how to adjust UAC on 7, I'm saying I shouldn't have to set it higher myself to get the protection I deserve out of a stock install. The Vista level should be the default not this joke.

And like I said there should only be one level, not two, not three, just one, if users want to cry about "too many prompts" then they can cry, at the end of the day it's about a more secure system.

Vista has basically done it the same way Linux, BSD and OS X has done it for years, yet you don't hear the *nix users bitching about it now do you?

The average Linux user and the average computer user are miles apart in comfortability with security permissions etc. That is something MS should try to educate the Average Joe Windows user about this time around.

People think its being rushed, but remember, Vista took 5 years to release!!!

Windows 7 is shaping up to be Microsoft's most impressive OS to date!

MS can't win. It's not entirely their fault. These issues will continue to plague this company at the expense of the user.

But the problem is that disabling UAC at the default setting does not raise a UAC prompt. This is a major time bomb waiting to happen.

The solution given is very simple: enable UAC and secured desktop whenever anyone or anything make changes to the UAC setting regardless of the current setting.

They can still keep the default setting (where users aren't pestered with UAC prompt for making changes with the security certificate scheme), but make UAC mandatory for any changes to the UAC setting.

I think you're confusing a beta operating system with a simple video card issue that a certain company can't seem to fix properly.

The default user group for Windows Vista and Windows 7 is administrative. If you don't create a new "standard" user account, you're running an administrative account.

Turn the slider up to the top...problem solved.

Exactly what I have done.

But if it's shipped as-is with this behavior, then the majority of home users would never even think of turning the UAC a notch higher.