Facebook Plunges Again
Tumblr 101: Tips And Tricks To Get Started
Windows 7 UAC flaw-by-design now classified as malware by Microsoft?
However, another UAC flaw has been discovered in Windows 7. In fact, it's been quietly lurking around in the dark corners of the internet since February. What's different about this one is that not only does Microsoft not intend to fix the exploit, they're saying the functionality is by design, because UAC's primary purpose isn't security, or something like that.
I think.
After all, this whole situation would make a little more sense if Microsoft didn't just mark the popular proof-of-concept for this vulnerability as malware in the beta version of their new Microsoft Security Essentials software, as pictured above. Just to add a little more confusion to the situation, Windows Defender (another Microsoft security tool, which happens to be bundled with Windows 7) doesn't detect the exploit.
The verdict? It looks like the jury is hung on this one.
This vulnerability could be exploited to essentially circumvent UAC on some Windows 7 machines, and that's bad news. We'll keep you up-to-date with any developments on this security flaw.
Comments
12
Subscribe to commentsMollyAug 1st 2009 10:38AM
Oh my Gawd! Windows' security is flawed? and the good folks at Microsoft don't care?
we're DOOMED!
and thanks for the heads-up, Adam :)
JonAug 1st 2009 11:18AM
"This vulnerability could be exploited to essentially circumvent UAC on some Windows 7 machines"
I had that too .. i called it turning off UAC forever
Saint SeminoleAug 1st 2009 4:20PM
Circumventing UAC was the first thing I learned how to do in Vista. I hope it's as easy on Win7. Because UAC is possibly the most damaging piece of software that MS included.
BrandonAug 1st 2009 5:02PM
UAC is one of the most useful security mitigations that exists today. The "exploit" referred to is often misunderstood, and is not an exploit. It will not let a Low Integrity process elevate to user or admin permissions. That means the very useful security mitigations used by high risk apps like Internet Explorer and Google Chrome, are unaffected.
Disabling UAC is unwise. Windows 7 gives you additional options to control the frequency of UAC prompts. If you want it to work exactly like Vista, turn the slider up to the top. If you don't want the prompts to appear on the secure desktop, turn it down a notch. Turning it off is ill-advised.
maradvAug 1st 2009 6:19PM
ill advised if your slightly retarded. ive been running vista since it came out without uac... its the most annoying thing about winddows and everyone should learn to gid rid of it.
KevinAug 1st 2009 9:21PM
I'd advise luddite family members to keep UAC on, but there's no way I'm living with that thing on my personal PC. I have anti-virus/malware, a firewall and I don't click on weird links or download strange attachments.
Ryan BeesleyAug 2nd 2009 1:56AM
UAC doesn't really help those who don't understand it... Does anyone really think that someone uneducated about computers is going to understand a dialog box that asks if they want to elevate their permissions?
UAC prompts don't happen often enough that it is really a problem, and it only benefits the more knowledgeable computer users that might actually realize that some super cool game (trojan) shouldn't be asking for administrative rights.
Unfortunately there is a daft group of users that think they know better, and choose to turn UAC off "because it annoys" them. Do yourself, and anyone else who doesn't want your computer turned into a Zombie, leave UAC on and don't use warez unless you've installed them first in a Virtual Machine to make sure they don't have any malware payload.
RocketboyAug 2nd 2009 11:45AM
"UAC prompts don't happen often enough"
No, the problem with UAC is that the prompts happen too often, when there was DIRECT instruction just a moment before by the user telling the PC to do something. Thats why people find it annoying, and in the long run, makes it useless as a security device.
Ryan BeesleyAug 2nd 2009 6:12PM
Really you're helping me prove my point. If you have performed some action that you expect to generate that UAC response, then you can easily take the extra mouse click to dismiss it and move on with your life. It is when you don't expect to see a UAC prompt and you are running some potentially rogue app that it would greatly behoov you to have it turned on. If "BritneySpearsNaked.jpg.exe" is prompting you to elevate privleges, then you may want to reconsider it.
UAC isn't any more annoying than having to run certain Linux commands with sudo, unless you are the type of individual that simply logs in as root...
acmeAug 3rd 2009 9:05AM
the more you hammer people with popups about "security" the less people care. noone reads the stupid thing after it pops up for the 30th time. Everyone will simply allow whatever the hell it wants to do. thus destroying any level of "security" it provided.
RocketboyAug 3rd 2009 11:59AM
For every naked.exe program, there are 100 prompts for things that you have no idea why it bothered to ask.
Ryan BeesleyAug 9th 2009 12:50AM
Rocketboy, you sound like an expert on such matters...