Vista UAC: Faux Security or What?
I came across this article via slashdot.
If you are a sysadmin or have just fought to get Vista installed because of its much-vaunted security model based around UAC, read this and weep.
… Perhaps most importantly though, is the fact that Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up “for good security reasons” can be coded to work around these limitations with (relative) ease. The “architectural redesign” of Vista’s security framework isn’t so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.
Oh dear.
Basically, it seems, by writing a two-part application and an inter-process API, any hacker can circumvent UAC with relative ease.
It’s just as we always thought – Vista is just XP wearing an imitation fur coat.
Now where did I put that Ubuntu 8.04 CD?
heh – Not surprised about Vista UAC workarounds. Microsoft knows nothing about security, and never has. My son’s laptop came with Vista Home Basic(ally retarded) and was slower than the kids on the short-bus. It should come with a padded helmet. It runs Mandriva now.
I just installed kUbuntu 8.04 (rc1) and cranked the compiz to full-blown eyecandy & mirror-shades! I dual boot kUbuntu with XP64 (XP is only for games).
I also have FC8 on another system for the wife, and a PCLinuxOS upstairs in the library for general surfing and research. shrug. Not all distros support all hardware equally.
Sorry, but I think this is overhyped. The vulnerability is created by creating a service that has admin controls (that is approved by the user through UAC), so it doesn’t seem like much of a failure from UAC – the user has been asked by UAC to add the service, and agreed.
However, I think UAC fails by just being a yes/no option, with little to no information on exactly what rights an application needs. If a UAC dialog appears, I don’t know what the application wants to do – maybe it wants to just add a registry key somewhere, or maybe it wants to start a DDoS service for someone.
The advantage of Unix-based systems is that if you don’t trust an application you can create limited-access accounts to run them under, and set the exact limits of an application’s access to your system.
UAC was not created to improve security, or to teach Windows developers to write more secure applications – it was created to teach Windows developers not to use restricted parts of the system unless they actually needed to, rather than the free-for-all of old Windows applications.