Sorry Layback Bear, you have to wait until I finally came back from work
Golden, here are just a few links showing that security flaw introduced in Windows 7:
Windows 7 UAC whitelist: Code-injection Issue (and more)
Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code) – istartedsomething
Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design” – istartedsomething
There is a sample program elevating itself (provided the conditions of the default Win7 install) with its full source code and explanations, a lot of discussion and the full explanation of the issue. And some MS employees trying to justify the unjustifiable (that they created a bug and don't admit it).
Long story short, here's how it works:
In the default UAC level, some built-in Windows programs are "white-listed" so they can elevate without a prompt (so it isn't as annoying as in Vista). The trick is that ANY program running with low privileges can leverage that by injecting its own code in one of such allowed programs, then launching it elevated WITHOUT any prompt, basically running as admin any code that the non-admin app wants, without the user knowing.
The very same thing at the highest UAC level (as in Vista) triggers a UAC prompt, as it should (possibly alerting the user with an unexpected elevation request).
Thanks to this, the default Win7 UAC is as effective as no UAC at all, as programs can elevate themselves at will. And yes, there are already viruses out there that take advantage of this. Note that the links date from the betas of Win7.
Therefore, ALWAYS use the highest level for security. Or sacrifice it for convenience and put it at the lowest. The middle settings are complete nonsense.
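An added example, not part of the original posts or of the linked articles: a PowerShell check that maps the UAC policy values to the slider level discussed above and reports whether anything can elevate without a prompt. The function name and the sample hashtables are constructed for illustration; the registry value names are the standard UAC policy values under the Policies\System key.

```powershell
# Added example (not from the thread): classify the UAC slider level from policy values.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {   # hypothetical helper name
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    if ($EnableLUA -eq 0) {
        $level = 'UAC off'
    } elseif ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) {
        $level = 'Highest (always notify)'
    } elseif ($ConsentPromptBehaviorAdmin -eq 5) {
        # 5 = prompt only for non-Windows binaries: the white-list behaviour
        $level = if ($PromptOnSecureDesktop -eq 1) { 'Default (middle)' }
                 else { 'Middle, no secure desktop' }
    } elseif ($ConsentPromptBehaviorAdmin -eq 0) {
        $level = 'Lowest (never notify)'
    } else {
        $level = 'Custom policy'
    }

    [pscustomobject]@{
        Level                   = $level
        # True when some or all elevations happen with no consent prompt
        SilentElevationPossible = ($EnableLUA -eq 0) -or
                                  (0, 5 -contains $ConsentPromptBehaviorAdmin)
        AlwaysNotify            = ($level -eq 'Highest (always notify)')
    }
}

# Constructed sample inputs, one per slider position
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacLevel @s }

# Live check on a Windows machine (assumes the three values are present)
if ($env:OS -eq 'Windows_NT') {
    $p = Get-ItemProperty -Path $key
    Get-UacLevel -EnableLUA $p.EnableLUA `
                 -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
                 -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}
```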
Thanks for your reply. I noticed how old they were as you pointed out. I have no doubt that hackers are trying to work around this small security effort of UAC. Other than a few and you, are there other opinions out there? Oh hell, I will just Google. Thanks again.
Mate, there have been many patches for Windows since that time. However, I agree the safest UAC level is the highest level. But having UAC is better than not. If it doesn't stop all malicious activity, at least it will stop some.
Thanks Alejandro - have you seen this:
Users prevail: Microsoft changes Windows 7 UAC control panel behavior to address security flaw – istartedsomething
I'd suggest AVG since the free version is good enough to use and the premium doesn't cost all that much.
But out of the two, probably Avast.
Yes, many updates and patches have appeared since then, nevertheless, the bug I pointed out is still there, and the default UAC level happily lets any program elevate itself by exploiting the white-listed ones. Up to the last patch of Win7 and in Win8 too.
True, even the default is better than nothing at all, but only against unaware viruses unfortunately.
No, didn't know that link, but knew the "solution". But really, it's no solution at all. All it does is prevent a virus from disabling the UAC altogether, but it can anyway elevate itself at will and wreak havoc in every other place like any admin process. It's a little better, but really doesn't solve anything.
Just try the proof-of-concept program there and see how easy it is to bypass the default UAC. Still works on a fully patched Win7 and Win8.
First off I don't know anybody that even in a small or big way stipulates that UAC is the do-all answer to security on a computer. It's a little added goody that doesn't cost anything and does add a little security. Microsoft was thoughtful enough to make settings that a user could choose. Many don't use it at all. I do because I have a choice. Later I will try it on full bore and see how I like it. There have been many updates since 2009 but I don't know whether any of them covered UAC. Honestly I'm not going to take the time to find out. It's there and I use it.
UAC I assumed was a stepping stone, it makes app vendors get their software to work in limited mode which allows the next logical step of making people use limited user accounts by default. But this doesn't happen in Win8, right? That's still admin accounts with UAC?