The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    UAC flaw found...

    Discussion in 'Windows OS and Software' started by booboo12, Jan 30, 2009.

  1. booboo12

    booboo12 Notebook Prophet

  2. davepermen

    davepermen Notebook Nobel Laureate

    i like uac on vista. thanks to the ssd, the switch is instant, so the only issue i ever had with it is solved. i love the safety to know i can't change my system except when i get such a dialog.

    it's one of the things i actually really disliked in win7. i can manipulate tons of things in the system without ever getting a dialog. this is NOT the way it's "solved".

    and no, i don't get much uac at all anymore. never, if i don't try to mess around with my system, actually.
     
  3. booboo12

    booboo12 Notebook Prophet

    Exactly, I liked having the dialog box switch to the secure desktop so that I would know that nothing else could interact with the box. Also, one of the other points of UAC could be to control what other users of the computer can do to the settings and such, lowering the effectiveness to squat does no good in that department.

    One of the first things I did in Windows 7 was to slide the UAC slider back up to the top to reenable the secure desktop. :)
     
  4. Captain Fail

    Captain Fail Notebook Evangelist

    Seems that "fixing" UAC for the whiners actually made it more insecure :rolleyes:

    I never had a problem with UAC in the first place, and always liked the extra security it brought.

    I'd laugh if Windows 7 proved to be far more insecure than Vista :D
     
  5. booboo12

    booboo12 Notebook Prophet

    I know and it would be a shame really, as Windows 7 seems to be the perception changer that Microsoft needs...
     
  6. swarmer

    swarmer beep beep

    Yeah, this is a loophole big enough to drive a truck through.

    I was a little worried when I heard that Win 7's UAC by default wouldn't apply to changing system settings...

    What they should do IMO is block programs from scripting the control panel (i.e. from sending it clicks and keystrokes).

    Alternatively, they could let you elevate the whole control panel -- so you do get a prompt on the first setting change, but then if you change something else right afterward you wouldn't get another prompt. (This is a security compromise too, but not quite as bad as what they've done.)

    Or they could do both of those things. But just exempting the control panel from UAC entirely without changing anything else is a giant loophole.

    I realize they need to get good usability reviews of Win 7 and stuff... but I think they could have found a better compromise.
     
  7. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    I see it already ... Windows 7 SP1 ... September 2010 ... UAC changed back to the way it was in Vista ... Windows 7 SP2 ... July 2011 ... UAC changed to actually remember what it has previously and repeatedly been told.
     
  8. booboo12

    booboo12 Notebook Prophet

    But if it was set to remember what it was told, couldn't something (or someone) simply take advantage of that?
     
  9. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    I suppose. If the module attempting to take advantage was the exact same name, in the same location, had the same size and date/time attributes, the same MD5 hash, and the same security certificate.

    Without UAC checking at least all those, it seems it would be easy enough to defeat anyway.

    As it is now all it does is say "here's a module you have run a bazillion times before, want to run it again?"
     
  10. Bungalo Bill

    Bungalo Bill Notebook Deity

    My firewall does everything UAC pretends to do.
     
  11. THAANSA3

    THAANSA3 Exit Stage Left

    I, like many, have never had a problem with UAC in Vista. They should just leave it alone.
     
  12. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    I did have issues using UAC until I changed some of the software I was running. Since then, I have enabled UAC. I guess using Ubuntu Linux has conditioned me to tolerate these minor annoyances.
     
  13. booboo12

    booboo12 Notebook Prophet

  14. Paul

    Paul Mom! Hot Pockets! NBR Reviewer

    They better change this. This will be a big miss if they leave it alone, and will make 7 worse than Vista. To be honest, there won't be nearly enough reason for me to switch if security is compromised. I'll stick with Vista.

    Big mistake by Microsoft if they don't change this.
     
  15. swarmer

    swarmer beep beep

    IMO it's not really a reason to avoid Win 7, since you can easily close the loophole and make UAC like Vista's by adjusting a slider in the control panel. It's only a problem with Windows 7's default UAC setting... and for all the millions of people who will never change it.
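
The slider discussed in the posts above is backed by registry policy values, so its position can be audited across machines instead of checked by hand. The PowerShell below is an added example, not part of the thread or any Microsoft code; the helper name `Get-UacSliderLevel` and the sample rows are constructed for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): report which UAC slider position a
# machine is at, using the policy values that back the slider.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {   # hypothetical helper name
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    $level = if ($EnableLUA -eq 0) { 'UAC off' }
        elseif ($ConsentPromptBehaviorAdmin -eq 0) { 'Never notify' }
        elseif ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) { 'Always notify (Vista-like)' }
        elseif ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) { 'Default (Windows 7)' }
        elseif ($ConsentPromptBehaviorAdmin -eq 5) { 'Default without secure desktop' }
        else { 'Custom policy' }

    [pscustomobject]@{
        Level                     = $level
        # Prompt is shown on the isolated secure desktop
        SecureDesktop             = ($EnableLUA -ne 0 -and $PromptOnSecureDesktop -eq 1)
        # Values 1-4 prompt for every elevation, including Windows' own
        # settings; value 5 prompts only for non-Windows binaries
        PromptsForWindowsSettings = ($EnableLUA -ne 0 -and (1..4) -contains $ConsentPromptBehaviorAdmin)
    }
}

# Constructed sample rows: default, slider at the top, default without dimming
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

# On a Windows host, classify the live configuration as well.
# A value missing from the key binds as 0.
if ($env:OS -eq 'Windows_NT' -and (Test-Path $UacKey)) {
    $p = Get-ItemProperty -Path $UacKey
    Get-UacSliderLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}
```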
     
  16. Matt is Pro

    Matt is Pro I'm a PC, so?

    I really wish people would stop complaining about UAC. It seems that no matter what MS does, people always have to complain.

    I guess people are having a hard time knowing that Win7 might actually be a good product.
     
  17. gary_hendricks

    gary_hendricks Notebook Evangelist

    yeah, right!

    i agree.


    I really hope MS decides to keep UAC level to highest by default.

    a quote from somewhere:
     
  18. booboo12

    booboo12 Notebook Prophet

    WIN!


    10char
     
  19. booboo12

    booboo12 Notebook Prophet

  20. THAANSA3

    THAANSA3 Exit Stage Left

    I would have to agree with you that they really need to fix the issue. Swarmer says that it's adjustable, though, so maybe we won't have to avoid the OS altogether.

    Man, I hear you. I remember posting similar rants in the millions of 'I Hate Vista' or 'XP vs Vista' threads in the past year. No matter what, there will be unhappy people who find something to complain about. It's just the nature of most people, I guess.
     
  21. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    I read that there have been some significant changes in W7 UAC made in the unreleased to the public versions based upon the circumvention that was widely published.
     
  22. swarmer

    swarmer beep beep

    MS now says they're making some changes to address the issue:
    http://blogs.msdn.com/e7/

    Here's my quick summary of the changes they describe:
    1. UAC settings control panel will now be immune to being scripted (with SendKeys etc.)
    2. Changing the UAC setting will now cause a UAC prompt regardless of the UAC setting.

    I hope they make all the other control panels immune to being scripted too... it's not really clear to me whether they're planning that or not. They really should though.
     
  23. davepermen

    davepermen Notebook Nobel Laureate

    nobody needs a control panel to change a system wide setting if it's not blocked by uac. but we'll see. the changes are at least nice. and it's nice they react to the community.