Security blown out of the water
A CHIP COMPANY called Microsoft said its "highly secure" Vista operating system has a whopping great security hole in its User Account Control.
According to the hackette who found it, Joanna Rutkowska, the hole means that the legendary default no-admin setting isn't a security mechanism any more. Got that?
Rutkowska told
ZD Net that the UAC automatically assumes that all setup programs should be run with administrator privileges.
When you run such a program, you get a UAC prompt and you can either to agree to run this application as administrator or to disallow running it. Still awake?
So if "punters" download the Tetris "game", they would have the choice of giving the program total rights to their file system, registry and kernel drivers or not run it. At no point did Vole wonder why a Tetris installer be allowed to load kernel drivers.
In her bog 'Invisible Things', Rutkowska said that she should be offered a choice whether to fully trust the software or add a folder in C:Program Files and some keys under HKLMSoftware and do nothing more. This much better security option was possible under XP but has been dropped from Vista.
A Security Vole has dismissed the hole, claiming that the way Vista allowed access to different bits of the operating system was not that easy. He admitted that it was a weakness, but that was really a "design choice".
Rutkowska told
ZD Net that she wasn't happy with Vole's flippant attitude to the potential risk by declaring that that all *implementation* bugs in UAC are not to be considered as security bugs. More
here and also
here. Is that clear now?
The REGister
Threaded Mode
