Slashdot Mirror


UAC Whitelist Hole In Windows 7

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"

3 of 496 comments

  1. Re:OSX UAC by e4g4 · Score: 4, Informative

    As best I can tell from what this guy is saying, there are some places (like, for example, deleting a file in the /System or /Library directory) where the Finder would prompt you for a password. As OS X matures, there are still some times where the Finder simply doesn't do it right - and simply refuses permission, when it should prompt you for permission. This happens less frequently in Leopard than it did in Tiger. There is nothing separate from the POSIX permissions in OS X; there is nothing like UAC that can be turned on and off. If you have permissions, you can do something; if you don't, you can't, or you are prompted for a password (the GUI equivalent of 'sudo').

    --
    The secret to creativity is knowing how to hide your sources. - Albert Einstein
  2. Re:No Script Bragging -- please stop by mysticgoat · Score: 5, Informative

    You don't know anything of what you speak.

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer. I set up the whitelist, and I decide whether to make an exception.

    My ruff & reddy rules of usage:

    1. On first visit to any trustworthy site, add all its javascript sources that I also think are trustworthy to my white list. A one-time overhead of maybe 3 seconds.
    2. When following a /. lead to a site that I don't know anything about, assess whether any useful content is being hidden by a NoScript block
      • If so, unblock the bolded item in NoScript's list of javascript sources being used on the page. If the page smells worthy of it, I'll add this source to the whitelist, otherwise I'll do the unblock as a one-time thing. Reassess whether useful content is still being hidden, and if so repeat until good.
      • Else, leave all script sources blocked since I can get what I came for without them, and I'm unlikely to come back.
    3. When mucking about in the web's darker corners, do as above, except never permanently add a javascript source to the whitelist. Do it all as one-time only.

    Web pages that are using scripts from three different sources are not uncommon any more. Web pages that are using scripts from 5 or 6 sources are not rare. There are web pages that are using sources that in turn draw on other sources. When running NoScript, I decide not only whether I trust the developer of this web page, but whether I trust his judgment about the scripts that he is importing from elsewhere. I decide how wide I will let the circle of trust get.

    It's really a no-brainer. If you recognize the possibility that you might do something of value with the computer you are using, then use NoScript or something like that as a low cost method of protecting that potential. Otherwise, I would appreciate it if you would disconnect your virus infected, zombied machine from the internet, because your negligence is diminishing the common good.

  3. Re:No Script Bragging -- please stop by Anonymous Coward · Score: 5, Informative

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer.

    Yeah, an "arbitrary program" that is already sandboxed by the browser anyway. The worst it could do is use up some system resources [...]. Those people need to learn to chill and trust their browser sandbox.

    [ ] You know that most security holes needing little to no user interaction require JavaScript to function properly.
    [ ] You know that NoScript can also block other techniques (Flash, Java) that are posing security risks.

    No?