Windows 7 security defeated by 8 out of 10 malware applications

Leading up to its release, there was a lot of concern regarding Windows 7's default User Account Control (UAC) settings. Namely: it doesn't actually provide any damn security. Alas.
Basically, Microsoft went ahead and reacted to the public outcry regarding the Vista security confirmations. I think we can all agree that they were really annoying (and most power-users turn UAC off because of how irritating they are). As a result, there are significantly fewer UAC warnings in a default Windows 7 installation -- hooray! The problem is that the new default setting in Windows 7 leads you to falsely believe that you have a secure installation right out of the box. Sadly, this is not the case.
It's no surprise then that 8 out of 10 malware applications defeated the default Windows 7 UAC setting in tests.
So practice safe surfing (duh!) or go and hoik your UAC settings up to the most secure -- and annoying -- setting. Ars Technica has a great guide on patching up your UAC for new Windows 7 users -- or even an experienced user like myself that falsely believed the default setting to be secure.
[via ZDNet]

Comments
20
sRc Nov 9th 2009 5:28PM
The setting change had been off-putting to me ever since Beta. I turn it up to maximum every time.
Even "safe" surfing is relative, as more often mainstream sites turn up having hacked ads and trying to throw infected PDFs or other such in the ads. UAC really is no different than having to su/sudo in Linux, so people really shouldn't complain.
Sebastian Anthony Nov 9th 2009 5:44PM
Yup, indeed -- there has to be some compromise, if people want more security while they use their computer!
I guess most of the world are used to doing things one way, and having some kind of nag-window really goes against the 'Windows' thing.
I wonder how Mac would go about the same thing...
Rob Nov 10th 2009 12:26AM
As OS X is a BSD system, it basically has a graphical sudo prompt. Also, the "behavior" wherein a program could turn off UAC without confirmation has been patched, so the default settings provide a good barrier between running processes in an elevated or nonelevated state.
Matt Nov 9th 2009 5:46PM
The problem with this study is that they do not tell you if the viruses were "drive-by" attacks, or "click on this awesome .exe" attacks, or "visit a corrupted website with a vulnerable browser" attacks.
The first should never happen...
The second... well, "THIS JUST IN! SOFTWARE WRITTEN FOR WINDOWS RUNS ON WINDOWS!!!"
The third has nothing to do with Windows. (NOTE: I said *Windows*... not MS. Using IE is a great way to get infected)
Sebastian Anthony Nov 9th 2009 5:51PM
Wasn't IE8 proven to be pretty damn secure nowadays?
I wouldn't know as I don't use it but...
Rob Nov 10th 2009 12:23AM
This has little to do with UAC; the article just states that UAC can't detect and stop viruses if the user continues onward. That's pretty basic knowledge. Also, the linked ars article is almost a year old; as it says in the article the UAC hack has been nullified. Changes to the UAC level now prompt a dialogue UNLESS the user has already disabled UAC, and have since at least the RC.
set Nov 9th 2009 5:46PM
DEP is also set to OptIn by default, instead of the more secure and just about as functional OptOut. Microsoft should have made OptOut the default.
That being said, there is a prompt whenever unsigned downloaded executable code is launched, unrelated to UAC. I bet there were warnings for every one of these trojans, that might have been even more cautiously-worded than the typical UAC prompt. I think this post is needlessly sensational. Windows 7 is decently secure.
Sebastian Anthony Nov 9th 2009 5:51PM
Hey, don't shoot the messenger...!
sitruc Nov 9th 2009 7:32PM
SophosLabs did the test...
80scartoon Nov 10th 2009 12:44AM
Apparently Microsoft Security Essentials is all the average consumer needs (I use different software, personally).
It's free to download, perhaps Microsoft should include it in a future Windows Update for those who haven't heard of MSE until now.
Draaaainage! Nov 10th 2009 3:43AM
They can't include it; any time MS includes some bit of free software as a compulsory update or with the OS itself, everyone and their brother waves their arms about and legal bodies slap heavy fines on MS.
MS needs to encourage people to get virus protection, and mention in passing that they make a free product that is more resource efficient than many pay-for products. Free items are always a big seller.
Randomness Nov 10th 2009 4:21AM
1. They executed the malware directly on the computer! No download required. If a user wants to execute malware on their system, is the OS supposed to know and stop them? No, they should know better not to execute apps they don't know. How is the OS supposed to know they don't want that browser plugin that serves ads? It isn't and can't know.
2. This 'test' was done by an antivirus company.
This 'reporting' left out some pretty key facts.
Sebastian Anthony Nov 10th 2009 7:51AM
I hang my head in shame!
Fernando Nov 10th 2009 4:16PM
I love this argument... "No, they should know better not to execute apps they don't know." So you're telling me that your or anyone's grandmother/uncle/sister/anyone knows the difference between InstallFlashPlayer.exe from Adobe and InstallFlashPlayer.exe from a malware place? Let me answer that for you: nope! The whole "They should know better..." argument is so retarded. How the hell is someone that is clueless about computers, and is just surfing the net, going to know the difference?
Marcel Nov 10th 2009 5:32AM
UAC is very useful for Windows 3.1 because there is no virus scanner or personal firewall available for it.
It's good to know that Microsoft didn't integrate such an ancient feature into Windblows 7 tho. *ironyOFF*
Best Regards,
Marcel
Eric H Nov 10th 2009 9:06AM
Lately I have been installing Microsoft Security Essentials and Web of Trust on most of the computers that I have been cleaning from malware and viruses and that has really been helping things along. Though 99 times out of 100 the problem most people have is when that 30 day subscription to Norton/McAfee expires and they don't realize/know enough to get some type of virus protection at that point.
NotRocketboy Nov 10th 2009 10:38AM
If only there was a way to give a program full permission at all times, I could crank my UAC up to high.
It's still better than Vista though.
Scrayn Nov 10th 2009 1:30PM
Microsoft's Paul Cooke has issued a good rebuttal:
http://windowsteamblog.com/blogs/windowssecurity/archive/2009/11/06/windows-7-vulnerability-claims.aspx
The simple fact that no AV software was installed at all for this "test" debunks the findings completely.
GailW Dec 27th 2009 8:55PM
The whole userspace design in 7 follows the same base concepts from Vista, and they should not rely on 3rd party AV for protection from basic intrusion/attacks. Even free apps like Spybot S&D or Malwarebytes (full version) can deal with this, and they already have Windows 7 versions. But it is true, when asking someone to shell more money to protect the OS from malware, besides viruses, any PR rebuttal becomes mandatory (just in case you wondered, if you run Windows 7 you can get Malwarebytes with realtime protection and scheduled updates for 20% less using a coupon from http://news.dtcdeals.com/malwarebytes-coupon-code)
Sebastian Anthony Dec 27th 2009 8:57PM
Cheers for the tip!