Tricking Vista's UAC To Hide Malware
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
Importance? (Score:4, Funny)
Re: (Score:2, Insightful)
I did try to cut the number of warnings given, but UAC is still not yet at a level where it is user friendly.
Let me point out:
-It sometimes tells you the publisher is unknown, and sometimes it shows the publisher, but says it is unverified. It is just a conspiracy with VeriSign [microsoft.com] to sell code signing certificates.
-Java VM had fine grained access controls [unix.org.ua] a long time ago, and the NSA built these into Windows NT 4.0 also. But all UAC allows is to give full access(=admin that can install d
Re:Importance? (Score:4, Interesting)
If I had to enter my password to continue I would understand the difference, but just a click to continue? Does this work at all?
Re:Importance? (Score:4, Interesting)
Re: Importance? (Score:3)
The anti-password-keylogging protection which you mention is at least initiated by the user, by pressing Ctrl-Alt-Delete, which the Windows kernel treats specially and only dispatches to the security subsystem -- therefore, it is impossible to write a trojan which would simulate the Windows C-A-D logon procedure, since the trojan couldn't know if the user presses C-A-D.
On the other hand, a UAC prompt, at least as I've understood it, is initiated by
Re: (Score:2, Informative)
I guess if you didn't notice, it's possibly because you knew what you were doing at the time and just clicked allow/continue without second thought. Or maybe you just didn't install/run unsigned software, which would generally be a good idea anyway.
This is essentially allowing a trusted program (RunLegacyCPLElevated.exe) to load and execute untrusted (unsigned, etc) code in its own, trusted, context... I don't see how that can possibly be secure, or how they can say it's not a problem. The obvious choice
Re: (Score:2)
If this software is supposed to come from a major publisher (like Microsoft, or Adobe, or Symantec), it might be worth something. However if you run
Re: (Score:2, Insightful)
Yet another bad car analogy (Score:4, Insightful)
No.
People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.
People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that they'd ever sell any cars with the hood welded shut.
Re: (Score:2)
UAC is not that big of a deal.
Re: (Score:2)
So MS decided that running such apps should be a pain in the ass - at first it will be bad, but once developers rewrite things to work as a standard user (and they will be forced to do it, or users will get mad), UAC warnings will appear when something does really need user attention.
Except that by default, whether it needs permission or not, installers ask for and run with admin permission. That means developers have no motivation to stop writing installers that require administrative permissions and malware writers' trojans that ask for such permission will not stand out even if developers did change their behavior for some other reason.
paraphrase (Score:2, Interesting)
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
Re:paraphrase (Score:5, Funny)
I don't know which is worse.... (Score:2)
meh...who knows?....who cares?
{so, is this joke beaten to death yet
Re: (Score:2)
I mean, I guess so... Why you gotta make such a big deal about it man?
Re:paraphrase (Score:4, Funny)
Screw that, if i'm the 999,999th vistor I deserve a prize and I dont care what no washington computer fatcat wants to do with my internet windows.
Re: (Score:2)
"It would start with a user falling for any one of the current hacker tricks."
Now, call me dense, but... why exactly doesn't the hacker use this trick to DO WHAT HE WANTED?
I mean, think about it. Assume you can convince a user to run any program once, and you want to set up a botnet.
Should you:
A. Send the user a program that sets up an elaborate trust circumvention mechanism so he can be convinced to run the program which installs the botnet?
or:
B. Just send him th
Re: (Score:3, Insightful)
Everybody wants to believe that the people installing botnets are hackers, but they're not. They're criminals. The people running security companies are hackers. They think building these fantastic sce
It's tricking the user as much as Vista (Score:2, Interesting)
Re: (Score:3, Interesting)
The problem is that while we may actually read those warnings, most users are going to see it as an extra step they need to do in order to get their free ipod/car/vacation/porn. It wouldn't surprise me if directions to help users "get rid of those annoying uac popups permanently" soon show up on a few malware-providing websites. Just look at the firewall rule set on some people's comp
No tricking involved (Score:5, Insightful)
I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.
Re:No tricking involved (Score:4, Insightful)
The "OK/Cancel mistake" has been in usability textbooks as an example of what not to do for more than a decade now. It is quite clear to anyone who has had any formal training in human-computer interaction that either MS hires the worst UI people on the planet, or the marketing department overrides all of the UI people's proposed changes. It is also clear that either MS is only vaguely aware that UI design is an important part of security, or they are a lot more interested in providing the perception of security than the reality. My opinion is that Vista security is a lot like searches at the airport. For the most part it is completely ineffective at actually increasing overall security when it is important, but it is very, very visible and "in your face" so people assume "something is being done" and are mollified.
Re: (Score:2)
Re: (Score:2)
So, first they make you accept the EULA which says something like "yeah, you did pay us for this software, but if something goes wrong, it sucks to be you", then they give you the kind of security where everything that goes wrong is your fault because hey, you allowed it...
Does anyone need any more proof that Microsoft is Lawful Evil?
Re: (Score:2)
Wait, I thought Vista stole its UI from OS X, which supposedly has the best UI on the planet. Hmmm...
You're probably trolling, but on the off chance you're not, I'll respond. While a lot of both the feature set and the graphic effects in Vista seem influenced by OS X, the UI itself is still pretty much based upon Windows 95. Just because you are copying elements from a UI, by the way, does not mean the end result will be usable if you don't copy everything exactly and don't understand why certain elements were used in certain ways. For this particular case, you'll note OS X itself does not run afoul of t
Re: (Score:2)
And IIRC, the Vista buttons are labeled "Allow" and "Cancel", which I believe are both verbs. I agree that Windows should have more unique dialog boxes, as to not lull the user into clicking when they see a box that they recognize. And for the record, I think Microsoft and Apple both stole the bases of their respective UIs from Xerox at the Palo Alto Research Center way back in the day...
Re: (Score:2)
And IIRC, the Vista buttons are labeled "Allow" and "Cancel" which I believe are both verbs.
They are verbs, but they are not unique verbs associated with the action being taken, so much as generic terms. By presenting them repetitively, users are subjected to operant conditioning. People aren't machines, or at least not the same kind of machines as computers. After the 20th or 30th time clicking the same button, it starts to become a conditioned response and after a few years, users often don't even remember having clicked it.
And for the record, I think Microsoft and Apple both stole the bases of their respective UIs from Xerox at the Palo Alto Research Center way back in the day...
Well, you could say "Apple" stole the UI, but that is a pretty bias
Re: (Score:2)
You can turn off the Desktop Cleanup Wizard by going into the Display Properties and clicking the Customize Desktop button on the Desktop tab and unchecking the box that says "Run Desktop Cleanup Wizard every 60 days".
You can turn off printing notification by going into Printers and Faxes and from the File menu, select Server Properties. Click the Advanced tab
Not an issue (Score:3, Insightful)
Re: (Score:2)
We need to cut down on the complexity. (Score:4, Insightful)
So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.
Re: (Score:2)
Re:We need to cut down on the complexity. (Score:4, Insightful)
To clean a Windows box means reinstalling the entire damn thing.
It is also a lot harder to use a *nix based box as a botnet zombie. It isn't impossible, but each machine has to be manually cracked, unlike Windows up to XP which it can be fully automated. I will hold off on final Vista judgments until more information can be gathered.
To quote Scotty in Star Trek III: "The more they overthink the plumbing, the easier it is to stop up the drain."
Simple *nix user level security has proven for over 20 years to be more effective than anything MSFT has produced in the same amount of time.
ACLs make life easier for large installs, but it is the small ones that cause the most problems. That is why large *nix installs use both.
Re: (Score:2)
Eh? Says who?
Re: (Score:3, Insightful)
Re: (Score:2)
To the *NIX crowd: Please, please, please stop trivializing the destruction of a user's home folder. For home use, there is rarely more than 1 user, and loosing[sic] all documents/etc is marginally better than reinstalling the whole OS.
There is one important reason why compromising a user account versus compromising a machine makes a difference and that is, just compromising a user account does not necessarily give a worm author sufficient access to add a machine to a useful and profitable botnet. As such, even if a worm author can destroy everything in the user's home directory, they aren't going to because it doesn't make them any money. Being so poor you can't afford shoes won't help you outrun any muggers, but it is likely to decrea
Re: (Score:2)
If you can execute arbitrary code* at the user's permission level, you have access to everything the user can do; set up a user cron job, for example, to get instructions from a botnet, or even just launch your great ad popup campaign every 30 seconds while the user is logged in.
Ahh, but does the user's non admin account have permission to open up the port to connect to the IRC control channel, or whatever is being used in the current botnet control tools? Does the user have permission to root the box, so that it can disable the antivirus, so it is not detected? Does it have permission to send ICMP pings to DoS some server?
In many cases the answer to these questions is "no." Most worms these days are trying to root machines and set up a botnet. Some uses of the botnet can be acco
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
OpenBSD is just as susceptible to someone downloading an evil binary and clicking "Yes" as Windows is.
This is not exactly true. On OpenBSD finding a local elevation vulnerability to allow you to root the machine from an untrusted account is nontrivial. To date, that is not the case with Windows, including Vista which already has unpatched, outstanding elevations. Further, on OpenBSD the user can install software as the local user for the most part, whereas users are prompted for admin access to run installers, by default, in Windows. Finally, you can install TrustedBSD and run said malicious evil binary w
Re: (Score:2)
Different colors?? (Score:5, Interesting)
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
Re: (Score:2)
Colorcoding is an attempt to make the user differentiate, not a piece of extra information.
Consider the situation of the unknowing user, who is confronted with a warning but has insufficient information on its meaning. There will be many of those. In some cases, denying access can give no feedback, in others it can immediately make
Re: (Score:2, Insightful)
I wouldn't be too sure about that. The article mentions that "the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system". Since this dialog will likely pop up frequently with a low chance that the user triggered it unintentionally (i.e. the user knows what he/she is doing) it might actually lower the barrier of clicking "Allow".
Don't forget that even though a user might not consciously notice the color after a lot of us
Let me get it straight. (Score:2)
Re: (Score:2)
You just described the normal everyday experience of 99% of people running any application on Windows. They don't know from "temp folder", and they sure as hell don't know what else that application -- whether it's Office or IE or Ou
Re: (Score:2)
box is already owned.
Re: (Score:2)
C'mon, give MS a break here! (Score:5, Insightful)
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.
I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.
Re: (Score:2)
Computers seem to be heading in the direction of becoming more like appliances; something you just use to do what you want. Why should a normal computer user know exactly what's going on behind the scenes for every action they do?
I consider myself an advanced windows user, but I'm still not sure at all times what every application and service and background process is doing. If you tell me you DO know EVERYTHING that is happening -- well you are very special. Also, why should I
Re:C'mon, give MS a break here! (Score:4, Insightful)
True, and we are in a dangerous "middle-ground" between a complex tool that only knowledgeable people use, and a true appliance that anybody uses.
The problem is that the operating system is too brittle and vulnerable to be considered an appliance. Do you ever think about how you use your toaster? If I put this new organic untrusted bread in the toaster will my toaster be taken over and corrupt the blender and waffle maker and start a kitchen rebellion? If I put in this DVD of "Ishtar" in my DVD player will it require a weekend to reinstall its OS and useful applications?
No, that doesn't happen because appliances are robust and there isn't much a user can do to hurt them when used in their intended ways.
Now the current computers (particularly Windows) are becoming appliances but haven't gotten to the critical point where they really become appliances. That transition will happen when a big chunk of the OS is hidden from the user and the user works in a Sandbox. It will be a lot less useful because it will only do what it was designed to do, but it will be safe and reliable for its intended purpose. Then it will be an appliance.
The problem is that computers are sold as the answer to lots of the average user's non-problems. Like any good for sale in a capitalistic society, it's jammed down the throats of everybody the seller can get their hands on. So lots of people who maybe shouldn't be using computers (in their current unrestrained form) are using them (they are the ones who you get your spam from).
This is a windows problem not only because of shoddy engineering, but also because of Microsoft's position in the market. Let's look at the three major OS's:
Linux (BSD et al): It's a computer hobbyist's paradise, lots of great code, well defined hierarchy. Plus in general hard to get your hands on if you are "Joe User" who just wants to get a computer to e-mail the kids at school. This means that the people who are using this OS WANT to use it for some reason (insert long list here), and they are going out of their way to use it. This means that this segment is typically very computer savvy and not likely to be pwned as a group.
Macintosh: This is also a "Harder to get" computer for two reasons. First, they are very expensive compared to the best-buy special. Second they are only sold in a few places. These two reasons make the Mac a sought-out computer rather than what the sales droid told you to buy. The average user is probably less computer savvy than the average Linux user, but in the case of the Mac, Apple also "has your back" to some degree with frequent patches and a well designed core OS that minimizes your risk to begin with.
Windows: This is the default OS you get if you close your eyes and pick a computer. This means that if you have no clue about computers, chances are you get a Windows box. It's fertile ground for stupid users to take advantage of (can I interest you in a free screensaver?). And in addition to that, MS has huge legacy issues that they can't change or they break business apps. MS has painted itself into this corner by selling to the lowest common denominator.
Change the borders to any color you like, there are still a huge amount of computer users that shouldn't be computer users under the current OS choices.
Re: (Score:2, Insightful)
I think (hope, pray, etc) that Open Source will provide well constructed (custom?) Sandbox OS for all of my relatives who look to me to fix their little problems now - with a ser
Re: (Score:2, Insightful)
I know, right? Daring to think that people would bother to learn how to properly feed and care for a $500+ investment. I can act like quite the insensitive bastard some days...
Also, why should I care? Sometimes I just want to get my work done!
And I just want my car to get me to work. But if I don't know the condition of literally hundreds of seemingly-irrelevant aspects of that vehicle, it either won't continue getting me there every morning for very long, or in the w
Re: (Score:2)
In the 70s and 80s you could buy dedic
Re: (Score:2)
There is a problem with this, ever seen a dialog box pop up saying that such and such is attempting to run, will you allow?
This is especially the case with Norton Internet Firewall, and the such and such can often be something like mspooler.exe, which to a standard user, or total novice is utterly meaningless.
Rather than pop up and say some obscurely named app is trying run, wha
Re: (Score:2)
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel
I believe that the Homeland Security system is mainly employed to incite fear in the voting public. That is why it's disparaged and believed to be useless - those of us who dislike it see it as a propaganda reinforcement apparatus.
UAC can also be seen through a cynical lens: it alerts the user to even the most trivial harmless request so that when anything of any sort goes wrong, Microsoft can plausibly say that the user permitted it.
Nonetheless, UAC using the color green to incorrectly indicate that the
Wrong color for danger! (Score:2)
I know, red isn't the color of danger, heck if they watched Dr Who they'd know that
Mauve is the color of danger.
Sheesh, how unprofessional can you get?
Better listen up, guys... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
I got Norton Utilities for Windows once, as I needed to undelete some files.
After I was done, I noticed it had some Norton Desktop performance tuner stuff, which I installed out of curiosity (I wasn't expecting much, tbh).
It was a goddamn joke - it displayed a shedload of shiny dials and meters, and had all sorts of omnipresent UI crap for me to play with to 'improve' my settings and performance.
The only trouble was, the mere act of installing all this shit made my PC take twice as long to start up, a
Re: (Score:2)
or, get it to look like spam (Score:5, Funny)
Re: (Score:2)
Anti-Virus makers, make Virus.... same old scare (Score:5, Insightful)
This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and let's use it to make us money"
The old anti virus company making viruses, just to fuel sales... has come true. They don't have to release the viruses though, but simply they figured something out, and to tell the world that something.
Profit at all costs.
Re:Anti-Virus makers, make Virus.... same old scar (Score:2, Funny)
Re: (Score:2)
These are the same guys that sell Mac OS antivirus through fear [slashdot.org] and can never have enough access [informationweek.com] to the Vista kernel.
Microsoft has some big problems with security, but Symantec is sickeningly desperate. I used to depend on Norton/Symantec to keep my computer from dying. Now I just want the company to die (as desperate companies sometimes do). They sound like one big Mad Money "sell-sell-sell" button, just wanting to sell something to the public for whatever they use.
Old Unix security issue (Score:2)
I am colourblind (Score:4, Informative)
Isn't this the whole point of UAC? (Score:2)
1) Sneak in a file with a virus payload
2) Execute that file, triggering the UAC
3) User blindly clicks "OK"
Of course, the point of UAC is to prompt the user when something is trying to run that requires admin privileges. Users know that when they see this box randomly pop up that something unusual is happening.
Unless they just said to install some software or tried to change a setting themselves, seeing this pop up when they visit
Re: (Score:2)
The UAC is not a magic bullet, but it is a far better solution than anything we have today. Do you have a better idea? Don't let these programs run at all?
Re: (Score:3, Insightful)
At which point I would expect the user to go "hmm, this isn't right" and then attempt a virus scan or to stop visiting the website that keeps prompting them.
That sort of depends upon how high the false positive rate is in general.
The UAC is not a magic bullet, but it is a far better solution than anything we have today. Do you have a better idea? Don't let these programs run at all?
I'm not saying UAC is worthless, just that it is far from ideal, or even sufficient to provide the security needed by the average user. As for having a better idea, I sure as hell do. I think any reasonable security engineer who looked at Windows with the goal of solving the malware problem would conclude several things. First, Windows is attacked so much more often due to its dominance that the security mechanisms on more secure
Re: (Score:2)
I also think this is the best alternative to just not letting a normal user run a program at all. We have to find a happy medium between security and convenience, and I think this is it.
Wow... (Score:2)
If I can infect your system with a trojan and drop files onto your hard drive and then remotely run code, I can get you to click OK to a box that could infect your system.
Truly groundbreaking work here. Seriously, I mean, if all I have to do to possibly infect your system, is infect your system... well hell, Vista will probably be recalled!
As usual, TFA doesn't live up to the summary hype. But that won't stop the MS haters from jumping on board with a "See! It's broken!"
Really, the story for me here i
My biggest beef with UAC (Score:3, Interesting)
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer literate users (nobody else).
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.
Re: (Score:2)
Yes and no.
Maybe if UAC was less repetitive when first configuring Vista I'd agree, but to turn it off and then turn it back on when configured proves that computer savvyists don't need it, but afterwards it may save our butts when we'll one day accidentally run an executable but get a warning.
Computer illiterates on the other hand, they get bloatware on IE cause they click yes to accept and run any ActiveX and certificate bs so they'll d
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:3, Funny)
From what I understand, the UAC thing comes up all the time
It does not.
I'm rather amazed at the number of posters who criticize Vista without having used it. Many people make good points about the all-or-nothing permission granting of the UAC, but it is better than having people run as Admin. My guess is that the typical user will still run as admin most of the time, since it's convenient. Microsoft should guide people through the simple steps of setting up a user account when the OS first comes u
Re: (Score:2)
Re: (Score:2)
Re:UAC is not there for *user* protection (Score:5, Insightful)
I would be interested in what you consider would protect the user. You have three options here.
1/ No-one decides what goes on your computer. It's an open free-for-all.
2/ Microsoft decides what goes on your computer. Corporate lock-down.
3/ You decide what goes on your computer. You're the boss.
We've already seen what happens with option 1. It's a security nightmare for everyone. I can imagine just how popular the second option there would be, people already have plenty to bitch about the controlling nature of Microsoft without adding to it.
So it's got to be option number 3. The only other thing Microsoft can do then is to warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide.
Which is pretty much what is happening here. And still people complain.
Re: (Score:2)
I agree with the choice. It's the user-friendliness that's in question.
Re: (Score:3, Insightful)
I would be interested in what you consider would protect the user. You have three options here. 1/ No-one decides what goes on your computer. It's an open free-for-all. 2/ Microsoft decides what goes on your computer. Corporate lock-down. 3/ You decide what goes on your computer. You're the boss.
The basic problem is the assumptions behind your classification. You assume that "something on your computer" equates to "your computer is compromised." I agree that the user needs to be the one determining what is installed and further, I agree that the OS should, "warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide." You're still missing a piece of the puzzle here. The OS needs to let
Re: (Score:2)
Not until Microsoft ships systems with all ports closed and no services running, by default. If the user wants Remote Administration, they should be able to turn it on. It should be easy and clear how to do so, but be off at the start. Remember DCOM? That's how not to do it.
Look at OSX - all ports closed, no services running, but trivial if you want to turn them on. As a result, the Aunt Tillys never enable File Sharing accidentally, and the LeetUberUsers can
Re: (Score:2)
4/ Whatever goes on your computer still requires privileges to execute.
5/ Whatever executes on your computer should not require all the privileges you have (e.g. delegate a small set of them to each process instead). Does this tetris game really need low level access to the disk driver? And a network connection? etc. etc.
Re: (Score:2)
Re: (Score:2)
"3/ You decide what goes on your computer. You're the boss."
This is the best option but the word "you" needs to be better defined. "You" can wear many hats and have different roles at different times. The best way to do it would be to understand that "you" can be both a user and a system admin. The OS needs to force the Admin to make any changes to the computer.
Also programs started by a person run ONLY with the privilege of that person. So if you the user is running nothing you do can run as you the ad
Re:UAC is not there for *user* protection (Score:4, Insightful)
It wouldn't be their fault. Nor should it be their fault.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...
Re: (Score:2)
Microsoft should be held responsible, not for you running annakournikova.exe, but for having DCOM, Remote Administration, Messenger, etc. running by default. They are respons
Re: (Score:2)
Re: (Score:2)
Not that moot... Click-through EULAs have been held to be non-binding in a few court cases.
Re: (Score:2)
"Few cases have considered the validity of clickwrap licenses. However, in the cases that have challenged their validity, the terms of the contract have ultimately been upheld [wikipedia.org] [...] Essentially, under a clickwrap arrangement, potential licensees are presented with the proposed license terms and forced to expressly and unambiguously manifest either assent or rejection prior to being given access to the product."
Re: (Score:2)
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
The purpose of a Smith and Wesson is to shoot a person. The purpose of a consumer desktop OS is to run that user's software. If during the normal course of operation I needed to be some sort of an expert in order to safely fire a Smith and Wesson without the bullet hitting my foot, then yes they would be liable. Since most people are not coders and most software is not open source the fact of the matter is almost all users have to run software they don't completely trust in order to perform normal operati
Extent of Microsoft's duty (Score:2)
Let's jail the malware authors no matter what, but let's face it, attacks on Internet-connected machines are as predictable as rain in Seattle. Seattle homebuilders aren't allowed to leave off a roof and then say "what, you expect me to control the weather?".
A computer is a software player, its value comes from being able to install and run software. If it runs a web browser, it runs Javascript so
Re: (Score:2)
Smith and Wesson sell guns to (almost) everyone, but they can't make the guns discriminate based on who's holding it. They don't know if people are going to use their gun to go hunting, shoot up a school or blow their brains out.
It's the same deal with Windows; Microsoft doesn't know whether people are going to be security conscious or if the
Re: (Score:2, Insightful)
Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?
Well, one obvious answer is to provide fake UAC authorization prompt for dozens upon dozens of applications and hide the real UAC prompt in the middle of them. After six or seven the average user will just start hitting "Allow" for everything under the assumption that they need to to get their OS to work again, or they will turn off UAC entirely.
Re:But, What Now? (Score:4, Insightful)
Re:But, What Now? (Score:4, Insightful)
Will it happen all the time? Absolutely. Are a significant number of computer operators basically shaved apes without a clue about security? Absolutely. Does that make it Microsoft's fault? Absolutely not.
How do you suggest Microsoft cures the world of dumb computer users who won't do what they are told, and who go against what common sense would dictate? Say someone bought a car, drove it until it died and then brought it to a repair shop where it was discovered there was no oil or engine coolant in it. ("Well, I saw some lights go on, but there are so many lights on the dashboard I just ignored them and kept driving.") Would it be the fault of Chevrolet because the operator couldn't be bothered to RTFM or understand how to properly operate a car before doing so?
Re: (Score:3, Informative)
If you read the article, you would have seen that they are not mimicking the UAC screen but actually causing Vista to prompt the user with a real UAC dialog that grants Admin privileges.
From the Article: