Comments on: UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability

By: Windows 7′s security ‘time bomb’ | The Last Watchdog

Windows 7′s security ‘time bomb’ | The Last Watchdog — Tue, 17 May 2011 23:52:03 +0000

[...] researchers like Voskuil and a 21-year-old Melbourne college student and security blogger, named Long Zheng, argued that Microsoft was obligated to somehow mitigate the auto-elevate vulnerability. However, [...]

By: ttx

ttx — Sun, 13 Feb 2011 02:13:06 +0000

i have a good one for you all leave you computer running windows vista or 7 off for 4 weeks and then turn it back on and it will tell you are running a hacked windows and yes i have the real deal

By: Ghilli

Ghilli — Sat, 05 Jun 2010 19:47:48 +0000

Off topic, but not really: Don’t you just love it when people tell you that you’re wrong, but then they say something that is almost identical to what you just said?

I know I didnt say it exactly what you said but “unless you’re downloading a lot of programs (from random sites)” is really close to “In short, don’t click on shit unless you know exactly what it is, where it’s from, and why you need to click on it.”

In other words don’t tell me I’m wrong if I’m not, but thanks for providing some fancy terms to back up what I was saying.

By: WeaselSpleen

WeaselSpleen — Sat, 05 Jun 2010 19:22:40 +0000

Ghilli, you don’t need to visit porn sites or download warez to be exposed to malware. That’s 1990s thinking. Today’s malware is written by sophisticated teams of developers, and distributed via a wide range of methods, including:
Salting of mainstream advertising systems with fake ads that distribute malware. Yes, Google, Yahoo, and Bing are all now vectors for malware. No, I’m not kidding.
Direct infection of random IPs via zero-day exploits in various third-party packages. Not just browser bugs, but bugs in Flash, Acrobat, and even more obscure products, like the Backup Exec exploit that allowed a remote user to gain full control of your SERVER.
Sophisticated and highly targeted social engineering attacks against individual companies, and even individual people.

FireFox with NoScript is a great way to avoid automatic driveby downloads, but anyone who thinks installing antivirus software and avoiding the red-light district is enough to keep them safe is just a disaster waiting to happen.

In short, don’t click on shit unless you know exactly what it is, where it’s from, and why you need to click on it.

By: Ghilli

Ghilli — Sat, 05 Jun 2010 02:20:52 +0000

and really unless you’re downloading a lot of programs (from random sites) or visiting a lot of porn sites (lol), the chances of you actually getting a virus (if u have virus protection software like avg, mcaffee, etc…) aren’t even that significant. I admit there is always the risk no matter which site you visit, but generally speaking if you’re careful of which sites you visit you should be okay. Firefox’s NoScript is a good thing to have too along with some type of AV software.

By: amn

amn — Thu, 03 Jun 2010 11:27:06 +0000

A solution I have been using since XP days, which, as most know, did not have UAC at all, is to work as a User (as opposed to an Administrator) with the default built-in Administrator account for all the system work (upgrade, application installation etc). Additionally, for all the applications I need to run which do require Administrator role simply for running (let’s call them “legacy” applications) and not for installing or maintaining anything, there is the “Run As…” menu option, which then use.
UAC is not needed then and can be completely disabled and/or removed.

The above is what UNiX has been doing all along – root vs non-root, and su/sudo.

UAC is worthless, unless the path from keyboard to elevated privileges is secure. Software that can send event to UAC control panel applet to make changes FOR the user without even asking them, is not part of such secure path. And so on…

By: Nyerguds

Nyerguds — Wed, 27 Jan 2010 10:53:44 +0000

Wait, you mean YOU can tell in ANY CASE what exploit a virus has used to get into your system? Nope, you can’t. Not like the antivirus gives you the virus’ source code. The fact remains that this is yet another way for viruses and malware to totally take over your system.

By: Nyerguds

Nyerguds — Wed, 27 Jan 2010 10:50:48 +0000

If we were only talking about a program, there wouldn’t be a problem. This is the entire OPERATING SYSTEM. They had a good opportunity to implement stuff like this when they made NTFS, and they didn’t. What’s stopping them from making an NTFS2 for their next Windows and integrate a full user rights file system into it?

And I AM a programmer. This isn’t about “fixing bugs” at all, because it’s not supposed to be an “new implemented features” that can have bugs at all. This is about ignoring a core requirement of the operating system, by building on a previous one instead of starting by revising some of the core.

By: Ghilli

Ghilli — Sat, 02 Jan 2010 12:14:18 +0000

I posted twice because I want this to be separate.

You guys ask for change but you don’t give a description of what you want. You sit there at your computer reading an article, by someone you don’t know you can trust who based it on the info of another person (who is apparently not a trust-able source any way – a few posts up), typing that you agree that its a problem.

You guys wanted more security > they gave it to you > you get mad because it’s “annoying” > they tweak it to give you an option to turn it off > u get pissed because now viruses can turn it off as well (not: “it doesn’t work”)

You admitted in the beginning of your article that you are not a programmer, which brings me to my question do you have any idea how much time goes into writing a program? do you have any idea how long it takes to fix the bugs in the program? do you know how long it takes to even find these bugs? I’m a programmer, and even as a novice I realize the difficulties that exist in this field of work.

By: Ghilli

Ghilli — Sat, 02 Jan 2010 11:21:13 +0000

I’m agreeing with GS1 – If you run antivirus software you will be FINE; I also used to run firefox (with the no script add-on) nearly everday, i downloaded anything that I wanted, my hard drive space was my limit, and I never got a serious virus, all I EVER got was some addware, and that is not luck.

BTW my computer ran great for the 4-5 years that i used it, and it still works now; though i am having problems with it – the reason i bought a new comp with win7 (also the need to upgrade played a part)

anyway u want a solution to your win7-UAC problem here it is: get some AV and malware protection and stop the viruses from even getting to the point where they are able to “exploit” anything – and if it’s a program that you downloaded chances are that you know what it is; if you don’t then its your own fault

To be honest with you when I was google-ing and found this i was looking for some info on why certain programs wouldn’t run on win7 because of new security features

Just a question: Can ANY of you HONESTLY say that you have gotten a virus (or other) because of THIS “exploit”?

And just so you know, thanks to your article and video, hackers/programmers who wouldn’t have figured it out just did.