Comments on: Vista UAC: Faux Security or What? http://www.theopensourcerer.com/2008/04/28/vista-uac-faux-security-or-what/ The Magic of Open Source Thu, 18 Mar 2010 11:17:49 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Keith http://www.theopensourcerer.com/2008/04/28/vista-uac-faux-security-or-what/comment-page-1/#comment-3631 Keith Fri, 02 May 2008 21:04:29 +0000 http://www.theopensourcerer.com/?p=256#comment-3631 Sorry, but I think this is overhyped. The vulnerability is created by creating a service that has admin controls (that is approved by the user through UAC), so it doesn't seem like much of a failure from UAC - the user has been asked by UAC to add the service, and agreed. However, I think UAC fails by just being a yes/no option, with little to no information on exactly what rights an application needs. If a UAC dialog appears, I don't know what the application wants to do - maybe it wants to just add a registry key somewhere, or maybe it wants to start a ddos service for someone. The advantage of unix based systems is that if you don't trust an application you can create limited access acounts to run them under, and set the exact limits of an applications access to your system. UAC was not created to improve security, or to teach windows developers to write more secure applications - it was created to teach windows developers not to use restricted parts of the system unless they actually needed to, rather than the free-for-all of old windows applications. Sorry, but I think this is overhyped. The vulnerability is created by creating a service that has admin controls (that is approved by the user through UAC), so it doesn’t seem like much of a failure from UAC – the user has been asked by UAC to add the service, and agreed.

However, I think UAC fails by just being a yes/no option, with little to no information on exactly what rights an application needs. If a UAC dialog appears, I don’t know what the application wants to do – maybe it wants to just add a registry key somewhere, or maybe it wants to start a ddos service for someone.

The advantage of unix based systems is that if you don’t trust an application you can create limited access acounts to run them under, and set the exact limits of an applications access to your system.

UAC was not created to improve security, or to teach windows developers to write more secure applications – it was created to teach windows developers not to use restricted parts of the system unless they actually needed to, rather than the free-for-all of old windows applications.

]]> By: Nevaar http://www.theopensourcerer.com/2008/04/28/vista-uac-faux-security-or-what/comment-page-1/#comment-3455 Nevaar Tue, 29 Apr 2008 16:08:49 +0000 http://www.theopensourcerer.com/?p=256#comment-3455 heh - Not surprised about Vista UAC workarounds. Microsoft knows nothing about security, and never has. My son's laptop came with Vista Home Basic(ally retarded) and was slower than the kids on the short-bus. It should come with a padded helmet. It runs Mandriva now. I just installed kUbuntu 8.04 (rc1) and cranked the compiz to full-blown eyecandy & mirror-shades! I dual boot kUbuntu with XP64 (XP is only for games). I also have FC8 on another system for the wife, and a PClinuxOS upstairs inthe library for general surfing and research. shrug. Not all distros support all hardware equally. heh – Not surprised about Vista UAC workarounds. Microsoft knows nothing about security, and never has. My son’s laptop came with Vista Home Basic(ally retarded) and was slower than the kids on the short-bus. It should come with a padded helmet. It runs Mandriva now.

I just installed kUbuntu 8.04 (rc1) and cranked the compiz to full-blown eyecandy & mirror-shades! I dual boot kUbuntu with XP64 (XP is only for games).

I also have FC8 on another system for the wife, and a PClinuxOS upstairs inthe library for general surfing and research. shrug. Not all distros support all hardware equally.

]]>