Slashdot Mirror


"Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

11 of 813 comments

  1. Re:An even bigger hole... by dotpavan · · Score: 5, Funny
    offtopic, yet:

    no doubt, that's why Dell is marketing its hardware for Vista as great for "booting the OS, w/o running apps or games" (link via this)

    Since when did booting an OS become a "feature" of the OS?

  2. Steve is that you? by tiltowait · · Score: 5, Funny

    Video version of the above commentary here.

  3. Balancing Security with Ease of use by ThatsNotFunny · · Score: 5, Funny

    Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.

    --
    "Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
  4. Re:An even bigger hole... by nuzak · · Score: 5, Funny

    You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to turn your machine into a child porn and warez server, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay?

    One of these things is not like the others,
    One of these things just doesn't belong,
    Can you tell which thing is not like the others
    By the time I finish my song?

    --
    Done with slashdot, done with nerds, getting a life.
  5. DOOM: History repeats itself by MarkGriz · · Score: 5, Funny

    Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?

    I guess MS didn't learn anything from id.

    --
    Beauty is in the eye of the beerholder.
  6. Re:It's not the software. by LiquidCoooled · · Score: 5, Funny

    Sounds like Clippy has been re-incarnated.

    *shudder*

    --
    liqbase :: faster than paper
  7. Re:It's not the software. by Minwee · · Score: 5, Funny

    He did warn us that if we struck him down he would become more powerful than ever.

    Maybe we should have listened.

  8. Re:It's not the software. by Bastard of Subhumani · · Score: 5, Funny

    Classic windows security. You can either do anything, or you can't even change the background picture.

    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  9. Re:It's not the software. by maxwell demon · · Score: 5, Funny

    You have just clicked yes. Did you really want to click yes?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  10. Re:It's not the software. by smittyoneeach · · Score: 5, Funny

    a good operating system should make you feel like you're in control of your computer
    Kernel (Jessup): Son, we live in a world that has firewalls, and those firewalls have to be guarded by software with guns.
    Who's gonna do it? You? You, Slashdotter? Windows has a greater responsibility than you could possibly fathom.
    You weep for Tux, and you curse the DRM. You have that luxury. You have the luxury of not knowing what Windows knows.
    That Tux's death, while tragic, probably saved lives. And Windows' existence, while grotesque and incomprehensible to you, saves lives.
    You don't want the truth because deep down in places you don't talk about on Slashdot, you want Windows on that firewall, you need Windows on that firewall.
    Windows uses words like honor, code, loyalty. Windows uses these words as the backbone of a codebase spent defending something.
    You use them as a punchline. Windows has neither the time nor the inclination to explain itself to a Slashdotter who rises and sleeps under the blanket of the very freedom that Windows provides, and then questions the manner in which Windows provides it.
    Windows would rather you just said thank you, and bought copies for your entire extended family. Otherwise, Windows suggests you pick up a browser, and send a POST.
    Either way, Windows doesn't give a damn what you think you are entitled to.

    ;)
    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  11. Re:It's not the software. by macserv · · Score: 5, Funny

    Are you sure you want to cancel the operation?
    [ OK ] [Cancel]