one reason why the operating system [Vista] is far less popular than its predecessor, Windows XP

  • Thread starter: Clear Windows

Clear Windows

More proof that vista is less popular than XP, basically a big fat
failure.... and well darn right stupid. UAC was stupidly implemented and
as I predicted, it would be turned off, or just
pressed automatically without thinking. MS thought somehow that UAC would
work... well I knew it wouldn't work after 3 seconds of using vista...
Is Microsoft stupid for making UAC like it is? Well they made Vista, and
vista is for dumbbells!

Experts agree that Microsoft's Windows Vista is relatively well-protected,
but its security features - such as User Account Control (UAC) - have been
highlighted by security experts as one reason why the operating system is
far less popular than its predecessor, Windows XP.

According to Scott Charney, vice president of Microsoft's Trustworthy
Computing Group, UAC was designed to give users more control over the
applications they run and help them make better security decisions by
providing them with more information.

However, the main problem with Vista's UAC, according to Charney, is that it
prompts the user far too often.

"Clearly there has to be work done on UAC user prompts, where users get
prompts at times they don't necessarily expect it - and it's not intuitive.
The challenge is - as with many of these things when we try to give users
control - if you give people too many prompts in too many situations, they
view it as an impediment," Charney told yesterday at the
AusCERT security conference on the Gold Coast.

Mikko Hypponen, F-Secure's chief research officer, said although security
features in Windows Vista are impressive, UAC remains a problem.

"There's not much we can criticise in Vista's security. Microsoft did a good
job. UAC is not a bad idea by itself, but I don't see any way you could
implement it in a way so it doesn't buck the user," said Hypponen.

In a recent survey, security vendor PC Tools discovered that out of 1,000
Vista-based PCs, 639 had been infected by malware in the previous six
months. The company's managing director Simon Clausen blamed the high rate
of infection on users that had switched off UAC because it was so annoying:
"The majority of machines we see have UAC turned off if the user knows how
to do it," he said.

The difficulty with UAC, according to F-Secure's Hypponen, is that Microsoft
assumes the user should have administrator rights, an issue that Mac- and
Linux-based systems dealt with a long time ago.

"Most Linux installations will say that you must create a user account. The
big difference between a Mac and Vista is that, by default, on a Mac, you're
not an administrator. On a Mac you only get prompted for root password when
you're installing an application. Under Vista this happens a lot more
because you have admin rights, so the UAC pops up often. Vista installation
should end with [mandatory creation of] a user account with user access
rights, not administrator rights," said Hypponen.

Microsoft's Charney said that UAC was Microsoft's first attempt to break
away from its tradition of users being an administrator by default.

"Part of the reason UAC exists is we've been pushing people to the standard
computing model. When you're an administrator on a machine, you have these
all-powerful rights that also allow malware to do bad things. Increasingly
we want people to be standard users.

"At the same time, there are times you need to be elevated to administrator
to install programs. UAC was an attempt to say let's run a standard but when
you need a higher level of privilege, rather than doing that silently, let's
involve the user in that decision. Clearly we have to do more work in this
area," Charney added.

Microsoft security architect Roger Grimes said that although features such
as UAC in Windows Vista are useful, some malware writers already know how to
defeat them - and the rest will learn once UAC-type protections are

"Least privilege permissions are a part of a good defence-in-depth strategy
but it's not the endgame. If everybody is logged-in not as admin or not as
root, it is really not going to stop the malware in the long run ... malware
is not going to disappear," Grimes told AusCERT delegates.

Grimes added malware could infect a computer using various attack vectors
but if the user is not an administrator, the attacks are generally less

"Can a malware program steal your password if you are not an administrator?
Can [criminals] create a program that waits for you to log into your bank,
authenticate and then take all your money? The short answer is, yes,
absolutely," he added.

According to IBRS security analyst James Turner, Microsoft's decision to
sacrifice security for user friendliness has backfired on the company.

"This is a tough legacy which Microsoft has been dealing with since the days
of MSDOS. DOS was almost like a stripped back version of Unix and Microsoft
left some of the cool stuff - things like file permissions - behind. So
they've been dealing with this fairly fundamental void in their core ever
since. Microsoft has always been the easy, user-friendly operating system
and now this same ease of use has become a liability," said Turner.

"Clear Windows" wrote in message
... well I knew it wouldn't work after 3 seconds of using vista...

Well, we certainly would not want to make any snap judgments, would we??

Joseph Meehan

Dia 's Muire duit