Slashdot Mirror

← Back to Stories (view on slashdot.org)

Coding Around UAC's Security Limitations

Posted by kdawson on from the bounce-pass-out-of-bounds-while-the-ref-isn't-looking dept.

Mariam writes "Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista's UAC limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista's improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest ISVs to publish working code and not actually providing any true protection from malware authors. Quoting from the post: 'Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.'"

5 of 334 comments (clear)

  1. Re:Must do better... by somersault · · Score: 2, Funny

    Nah - musta taken them at least 4 years to get that 'glass' effect just right!

    --
    which is totally what she said
  2. Film at 11 by symbolset · · Score: 4, Funny

    Some clever programmers found a way to force a Vista PC to obey a user with admin rights.

    I'm sure there will be a patch to fix this glaring security hole in the next batch of updates.

    --
    Help stamp out iliturcy.
  3. Re:Where have I heard this before? by imbaczek · · Score: 4, Funny

    Gee, sounds to me like UAC is working exactly the way it should!

    Something from MS working like it should... sounds strange, isn't it? And what's more - Slashdot agrees that it works!
  4. Re:A privileged service is not a "hack." by homesteader · · Score: 2, Funny

    Obligatory Disclaimer: I work for the criticized company. So can you make Vista suck less? Please?
  5. Nay!! to those who shun Vista by Shadow-Copy · · Score: 1, Funny
    Vista is new, bran new, but IE 7 is not. Which that is the weak point. Which the core dynamics that have now been shelled from the internet worming methods, finally, and are now only limited to the Certificate spoofing, and temp file clog of Js-scripts are what can only work they're way in. Which even then writing registries, and other worm methods that use to be easily done by just using the cookies an automated synchronization of xml automated check feature for rss feeds have been fixed
    • mildly
    . In xp and 2000 you still have to watch your temp files an make sure they don't grow to an extension of a full blown worm. To get around that, simply download Windows defender which renders any temp file useless as long as IE7 is not open, or any other http PNG running program that exchanges xml docs are not encrypted.
    Meaning, If another program is not configured to run with its own syncronized xml doc exchange or better known as 'encryption'. Then Microsoft believes thats the composer's problem of who made that program. Such as yahoo messenger, VEOH, Winamp, ect.. Programs that uses Microsoft Internet Explorer's Temp file resources. Microsoft believes they are not paid to make anyone elses programs 100% safer then to certify they're own(Microsoft) programs. Even when Microsoft made they're open source active x resources so easily spoofed. They still would make you pay in order to get customer service. of ANY type.

    But you know it is possibly made that way to allow the common user or program vender to need to call Microsoft an pay a nice sum of money to fix they're computer problem(s). Which is all beyond the point.

    Which as you see No new IE 8, no new framework patches.. yet. Microsoft seems to be letting all the other browsers(Fire Fox, Opera, Netscape) update first before they toss the new Internet Explorer 8 into the field. Which by then all exploits in frame work Certificate encryptions should be 100% safe once more.
    Have you seen the new Silverlight? Microsoft's adobe flash look a mock-up. Seems Microsoft isn't only trying to buy Yahoo! but plow over adobe's internet content handler as well with they're Silverlight.

    The way Bill Gates is handling all the internet problems seems pretty devious. As you may have noticed that the Vista is alot more critically dynamic and secure. Sort of like Linux secure, Picky over drivers. Some programs wont even launch if you do not adjust some things. Bill Gates probably never anticipated for the internet to be Windows failing point, but The way Vista runs.. Seems like Bill Gates is not going to let the Internet stop Windows, but Windows conquering the net.. VERYY DEVIOUS..

    Bill Gates have seen the certificates, and the js exploits. As you an I can see in the certificate been the 2 small fraudulent certificates. Out of the billion that have been most likely set off threw the net. Bill Gates has an ace up his sleeve, and it looks like one of his moves is taking out adobe along with what ever else he finds wrong.

    Other then the old IE7 Vista is a monster that is yet to be completed in its superirority over the net. Linux is fishing for something to top it, an have not yet.. Have you gotten your first service pack yet?? I know i haven't did i mention the silver light???