Tricking Vista's UAC To Hide Malware 221
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
paraphrase (Score:2, Interesting)
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
Its tricking the user as much as Vista (Score:2, Interesting)
Different colors?? (Score:5, Interesting)
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
Re:Importance? (Score:4, Interesting)
If I had to enter my password to continue I would understand the difference, but just a click to continue? Does this work at all?
Re:Importance? (Score:4, Interesting)
Re:Its tricking the user as much as Vista (Score:3, Interesting)
The problem is that while we may actually read those warnings, most users are going to see it as an extra step they need to do in order to get their free ipod/car/vacation/porn. It wouldn't surprise me if directions to help users "get rid of those annoying uac popups permanently" soon show up on a few malware-providing websites. Just look at the firewall rule set on some people's computers.
My biggest beef with UAC (Score:3, Interesting)
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer literate users (nobody else.
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.