Security Hole In Windows 7 UAC
An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
"Gerald" (Score:5, Funny)
Everyone knows from recent news that Microsoft has removed the innards of Windows 7 and replaced them with "gerald", a lovable computer-literate field mouse.
Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.
The beta worked! (Score:5, Funny)
Even the malware will be ready for Windows 7!
Mechanical Analog (Score:4, Funny)
Re:Mechanical Analog (Score:5, Funny)
The worst car analogy I've seen on Slashdot for a while.
Re:Mechanical Analog (Score:5, Funny)
Re:Mechanical Analog (Score:2, Funny)
You must be new here, that IS a proper car analogy on Slashdot.
whoa, recursive Meta-UAC (Score:5, Funny)
==============
"It looks like you're trying to alter the UAC settings, Cancel or Allow?"
*click*
"It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
*click*
"The UAC settings have been altered, Cancel or Allow?"
*click**click**click**click**click*-----INPUT DEVICE FAILURE
Re:Short: Don't work as Administrator (Score:2, Funny)
Apparently Raymond Chen posted a response at http://blogs.msdn.com/oldnewthing/archive/2009/01/21/9353310.aspx [msdn.com]
It appears that they are getting a "Service unavailable" prompt. Could it really be that they are running their blogs on an IIS server that is running Windows 7? Shock horror, it appears that someone has elevated privileges using VBScript to bypass UAC and has changed the IIS app pool to run under a guest account!
UAC (Score:5, Funny)
All this talk of UAC makes me feel like playing some Doom again.
Watchmen (Score:3, Funny)
But... Who controls the user access to the user access control?
Re:Security in UAC (Score:1, Funny)
Dude, you're a hole!
Re:Long Zheng seems like a nice bloke (Score:2, Funny)
Actually... I doubt I'd call him nice since... well, I'll quote a small excerpt from the link:
First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I'm just going to share this for free.
Let's see what other people think of him now...
Re:Anonymous submitters (Score:4, Funny)
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
Yeah, I sure as hell would want to know that [slashdot.org]!
Re:It's a double-edged sword (Score:3, Funny)
Put in some porn and computer security will rise at once!
Ah, so you call him "Computer Security", do you?
Kinky!
Re:Ooh goody! (Score:3, Funny)
Re:Mechanical Analog (Score:3, Funny)
(from GGP)
So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!
The worst car analogy I've seen on Slashdot for a while.
It's so bad a car analogy, that it doesn't even have cars.
I prefer to think of that as a chastity belt analogy. Put in that light, I think it's a great design!