Slashdot Mirror

← Back to Stories (view on slashdot.org)

Users' Admin Logins Make Most Windows Malware Worse

Posted by samzenpus on from the protect-yourself-at-all-times dept.

nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."

5 of 420 comments (clear)

  1. What they need to do... by the1337g33k · · Score: 5, Interesting

    What they need to do is limit all users to not be administrators. They should create the admin account so that it can ONLY do admin tasks. It cannot run programs like office or games. It can only run security and diagnostic apps, adding-remove apps. If they restricted admin users from using their account for daily use and only for admin use, that would significantly reduce the attack surface for crackers.

  2. Re:You mean... by Opportunist · · Score: 5, Interesting

    The question is why it hasn't been meaningfully addressed in Windows for such a long time.

    Because it would break compatibility. Actually, and I hate to say it, it ain't MS's fault. Or at least not only theirs.

    A simple example: In the good (bad) old days of 95 and 98 and the lack of sensible rights management, it didn't matter whether you use the HKLM or the HKCU registry branch. Both were equally unprotected, and since your software worked with every user (and you needn't care about such trivialities as watching out for a lack of reg keys), software vendors simply dumped their registry junk into the HKLM tree.

    The same applies to access to sensible system areas, like drivers (copy protection crapware) or code injection. Programmers simply assumed it is possible because hey, the system didn't really care about it!

    In comes Win2k and suddenly, when you are not logged in as admin, your games don't work. Now why the hell does a friggin' game need admin rights, you ask? Because it wants to load a copycripple driver, because it wants to write in the HKLM (or similar sensible) hives or because of other things that didn't matter earlier due to a lack of rights management and due to being the easy way out of a programming problem.

    MS is to blame to allow this for far too long. Users are to blame to put up with it and accept that they're "forced" to use admin privs to run programs. And most of all, programmers are to blame that took the easy way out and ignore rights. No, they needn't be able to forsee it (even though they should have). But since the practice still prevails (run a copy protected game without admin rights, see if you succeed), the blame is squarely on third party software. Not MS this time.

    I hate to say it, and I know it's unpopular on /. to "defend" them. But it's not MS that has dropped this ball.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Cancel or Allow by flowsnake · · Score: 5, Interesting

    "Polite", a virus for Microsoft Word, already did this back in the mid 90's! When you try to save a file the virus macro asks "Shall I infect the file?", and kindly refrains from doing so if you click say no.

  4. Steam won't run without admin privileges by XCondE · · Score: 5, Interesting

    But Valve will go after you for trying.

    My question:

    Customer 06/11/2006 04:15 AM

    I am not willing to play (and let other people play) HL2 using the Admin account on my computer because of the obvious security implications (I don't want my computer infested with malware).

    Is there any way to run it without admin privileges? I installed it using admin privileges and went back to my unprivileged account but turns out it needs to write data to the install folder (bad programmer - no donut for you).

    Which are the files STEAM tries to write to in the install folder?

    If it turns out to be too complicated I'll just download the no-steam version with BitTorrent ;-).

    Their response:

    Response (Josh) 06/13/2006 01:34 PM

    Thiago, It cannot be run without admin privileges. I know you were probably joking, but I would also encourage you to avoid any product that claims to get around Steam. We take cheating and hacking very seriously.

  5. Re:You mean... by ShakaUVM · · Score: 5, Interesting

    >>which is hard to figure out because Windows won't tell you because you don't need to know.

    Yep. In Linux you get the rather common sense "permission denied" message when you try installing something and it tries to write to a directory you don't have rights to. In Windows, it fails silently most of the time. Drove me up the wall when a program I'd installed was working on a computer I set up for my mother, when it turns out even though she could see the program with her "mom" account, something or other needed admin privs, and it was dying silently.