Slashdot Mirror


Security Hole In Windows 7 UAC

An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
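The summary's suggested fix ("changing the UAC setting to notify users when Windows settings are altered") maps onto a handful of registry policy values that the Windows 7 UAC slider writes. The script below is an added defender-side example, not code from the Slashdot post or from Long Zheng's proof of concept; it assumes the standard policy key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and the documented meanings of `EnableLUA`, `ConsentPromptBehaviorAdmin` (2 = prompt for consent on the secure desktop, 5 = the Windows 7 default of prompting only for non-Windows programs) and `PromptOnSecureDesktop`. It reports whether a machine is at the "Always notify" level and, from an elevated shell, can put it there.

```powershell
# Added example (not from the Slashdot post or Long Zheng's PoC).
# Reports whether UAC is at the "Always notify" level that the summary
# recommends, i.e. the level at which changing the UAC setting itself prompts.
# Assumption: UAC policy values live under the standard key below.
# Written for PowerShell 2.0 (the version shipped with Windows 7), so no
# [pscustomobject] cast is used.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    # Missing values come back as $null and are coerced to 0 (treated as "off").
    $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacAlwaysNotify {
    param([Parameter(Mandatory=$true)]$Posture)
    # "Always notify" = UAC enabled (1), prompt for consent (2),
    # on the secure desktop (1).  The Windows 7 default of
    # ConsentPromptBehaviorAdmin = 5 is the level the post describes as
    # allowing the UAC setting to be changed without a prompt.
    return ($Posture.EnableLUA -eq 1 -and
            $Posture.ConsentPromptBehaviorAdmin -eq 2 -and
            $Posture.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Hardening step; needs an elevated (administrator) shell.
    # A reboot is required if EnableLUA was previously 0.
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$posture = Get-UacPosture
$posture | Format-List EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
if (Test-UacAlwaysNotify -Posture $posture) {
    Write-Output 'UAC is at "Always notify": altering UAC settings will prompt.'
} else {
    Write-Warning 'UAC is below "Always notify": the UAC setting can be changed without a prompt.'
    Write-Warning 'Run Set-UacAlwaysNotify from an elevated shell to raise it.'
}
```

Run the check as a normal user on a fleet to find machines still at the default slider position; only the `Set-UacAlwaysNotify` step needs elevation. Keeping the consent prompt on the secure desktop (`PromptOnSecureDesktop = 1`) matters as much as the prompt itself, since it is what stops other desktop software from interacting with the dialog.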

16 of 388 comments

  1. "Gerald" by plasmacutter · Score: 5, Funny

    Everyone knows from recent news that Microsoft has removed the innards of Windows 7 and replaced them with "Gerald", a lovable computer-literate field mouse.

    Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  2. The beta worked! by jamesmcm · Score: 5, Funny

    The beta worked perfectly!
    Even the malware will be ready for Windows 7!

  3. Mechanical Analog by pm_rat_poison · Score: 4, Funny

    So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

    1. Re:Mechanical Analog by Anonymous Coward · Score: 5, Funny

      the worst car analogy I've seen on slashdot for a while.

    2. Re:Mechanical Analog by pm_rat_poison · Score: 4, Funny

      It's so bad a car analogy, that it doesn't even have cars.

    3. Re:Mechanical Analog by Anonymous Coward · Score: 2, Funny

      You must be new here, that IS a proper car analogy on slashdot.

    4. Re:Mechanical Analog by mdielmann · Score: 2, Funny

      (from GGP)

      So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

      the worst car analogy I've seen on slashdot for a while.

      It's so bad a car analogy, that it doesn't even have cars.

      I prefer to think of that as a chastity belt analogy. Put in that light, I think it's a great design!

      --
      Sure I'm paranoid, but am I paranoid enough?
  4. whoa, recursive Meta-UAC by rarel · Score: 5, Funny

    From TFA: Microsoft could remedy the problem by prompting the user when the UAC setting is altered.

    ==============

    "It looks like you're trying to alter the UAC settings, Cancel or Allow?"
    *click*
    "It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
    *click*
    "The UAC settings have been altered, Cancel or Allow?"
    *click**click**click**click**click*-----INPUT DEVICE FAILURE

  5. Re:Short: Don't work as Administrator by ta+bu+shi+da+yu · Score: 2, Funny

    Apparently Raymond Chen posted a response at http://blogs.msdn.com/oldnewthing/archive/2009/01/21/9353310.aspx

    It appears that they are getting a "Service unavailable" prompt. Could it really be that they are running their blogs on an IIS server that is running Windows 7? Shock horror, it appears that someone has elevated privileges using vbscript to bypass UAC and has changed the IIS app pool to run under a guest account!

    --
    XML is like violence. If it doesn't solve the problem, use more.
  6. UAC by essence · Score: 4, Funny

    all this talk of UAC makes me feel like playing some doom again.

  7. Watchmen by Thanshin · Score: 2, Funny

    But... Who controls the user access to the user access control?

  8. Re:Security in UAC by Anonymous Coward · Score: 1, Funny

    Dude, you're a hole!

  9. Re:Long Zheng seems like a nice bloke by moriya · Score: 2, Funny

    Actually... I doubt I'd call him nice since... well, I'll quote a small excerpt from the link:

    First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I'm just going to share this for free.

    Let's see what other people think of him now...

  10. Re:Anonymous submitters by Coppit · Score: 3, Funny

    What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

    Yeah, I sure as hell would want to know that!

  11. Re:It's a double-edged sword by ciderVisor · Score: 2, Funny

    Put in some porn and computer security will rise at once!

    Ah, so you call him "Computer Security", do you?

    Kinky!

    --
    Squirrel!
  12. Re:Ooh goody! by Culture20 · Score: 2, Funny

    Evil genius if it also works on the Y and N keys.