90 percent of Windows 7 flaws fixed by removing admin rights



There is a psychological difference between typing a password or clicking a button.

My thought process

Which means you don't need to change anything unless you just want that extra step for typing in credentials.

I do want that step. She is the type of person to need to look them up each time. This creates a barrier that will ultimately defend her.


Works like that even if she is an admin. :p Which means you don't need to change anything unless you just want that extra step for typing in credentials.

You could also make a case that malware could emulate the look of this window and get her admin credentials (albeit probably without the driver disabling/screen dimming). Either way, giving something administrative privileges really doesn't mean anything. Any range of malware can run and do harm without them.

Sure, I'm not refuting that :). The user will always be the weakest link.


I do want that step. She is the type of person to need to look them up each time. This creates a barrier that will ultimately defend her.

It's also somewhat of a false sense of security. The reason is that (as Elliott says) malware can in fact clone the credential dialog, complete with simulated dimming and all. If you enter your credentials into the malware's dialog, it now owns the system. The regular UAC dialog, on the other hand, can't be cloned because simply having you push a button is of little value to the malware.

The biggest issue, though, is that this ignores the fact that everything of interest on the machine is available without admin access. There are also other issues with UAC, such as the fact that there is a window of opportunity between the time your download of an executable finishes and the time you run it. In this time, malware running as standard user can modify the executable (provided it isn't signed, of course) or add a DLL that will automatically load when it's executed. The result is that the malware will ride the elevation of what you think is legitimate software.

Now, most malware won't work without admin rights, and doesn't do clever things like what I've described, so in that sense it does offer a safer experience. The point I'm really making though, is that we wouldn't really be much safer in a world where people didn't blindly run things as admin.

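The download-to-run window described in the post above can be narrowed with a check made just before elevating. This is an added example, not part of the original thread: it assumes the installer's SHA-256 comes from a source the standard-user session cannot alter (for instance the vendor's published hash), and the function and file names are hypothetical.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pre_elevation_findings(installer, recorded_sha256):
    """Return reasons not to elevate `installer` (empty list = none found)."""
    findings = []
    # 1. The bytes about to be elevated must be the bytes that were downloaded.
    if sha256_of(installer).lower() != recorded_sha256.lower():
        findings.append("hash-mismatch")
    # 2. Windows looks in the application's own directory early in its DLL
    #    search, so a DLL next to the installer may load into the elevated process.
    folder = os.path.dirname(os.path.abspath(installer))
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".dll"):
            findings.append("sibling-dll:" + name)
    return findings


def demo():
    """Constructed sample: a fake installer checked before and after tampering."""
    with tempfile.TemporaryDirectory() as downloads:
        installer = os.path.join(downloads, "setup.exe")
        with open(installer, "wb") as fh:
            fh.write(b"MZ constructed installer bytes")
        recorded = sha256_of(installer)  # stands in for the trusted hash (assumption)
        clean = pre_elevation_findings(installer, recorded)
        # Simulate the changes described in the post: file altered, DLL added.
        with open(installer, "ab") as fh:
            fh.write(b"appended")
        open(os.path.join(downloads, "helper.dll"), "wb").close()
        tampered = pre_elevation_findings(installer, recorded)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The check narrows the window rather than closing it: software running as the same user can still change the file between the check and the elevation prompt.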

So how much money did they get paid to come up with that foolish report..... How about you don't turn on your machine then 100% of the security holes are fixed.... Can I have ?500 for that please.

What a bizarre complaint. Do you actually have an issue with their report, or are you just looking for things to whine about?

