
Is UAC as bad as I think it is?


f0dder:
I find UAC somewhat annoying when setting up a system right after a fresh installation - but you can just disable it temporarily while doing that (although that might affect the whole shadow copy junk that Vista introduced - that I'm not a fan of). But in daily operation? Nope.

Even though NortonUAC does file hashing (reassuring to hear!) I still don't think it's a super good idea. I can't help but think that
1) it might be exploitable, leading to backdoors.
2) it's probably hooking the system in somewhat shady ways.

Deozaan:
After tinkering with Ubuntu for the past several months, I don't find UAC any more annoying than having to type in a password all the time to "sudo" this or that.

NoWhereMan:
Having said that, the UAC rules in Vista are deliberately stupid. The fact that you need admin rights to even look at device manager (OK if you want to update drivers etc. you should need admin rights but just to look at the current settings shouldn't need access rights).
-Carol Haynes (June 12, 2009, 03:10 AM)
--- End quote ---

there are indeed some quirks, but, for instance, what you are talking about happens (IIRC) only when you're logged in as an administrator. as a standard user you can for instance look at the device manager without being asked for a password (unless you decide to modify some settings).

here, I've just typed in "device manager" I just get this message, http://i41.tinypic.com/2l9rw48.jpg and the panel pops up as usual.

Something that could be done is to set up a timer in which you are admin without more prompts.
-urlwolf (June 12, 2009, 04:13 AM)
--- End quote ---

you can't. otherwise malicious software might launch a trusted program, requiring elevation. You would then get an "elevated permission" cookie for enough time to let the malicious program perform administrative tasks without asking again for your consent.


Unix is pretty bad in some aspects, but permissions, they got right. And the Ubuntu way of doing things (timed sudo) is pretty good.
--- End quote ---

no it's not. On Ubuntu you might feel secure since there is almost no real threat, but on Windows the time frame might be well exploited as I explained above.

After tinkering with Ubuntu for the past several months, I don't find UAC any more annoying than having to type in a password all the time to "sudo" this or that.
-Deozaan (June 12, 2009, 10:10 AM)
--- End quote ---
exactly my feeling

f0dder:
Something that could be done is to set up a timer in which you are admin without more prompts.
-urlwolf (June 12, 2009, 04:13 AM)
--- End quote ---
you can't. otherwise malicious software might launch a trusted program, requiring elevation. You would then get an "elevated permission" cookie for enough time to let the malicious program perform administrative tasks without asking again for your consent.
-NoWhereMan (June 12, 2009, 01:16 PM)
--- End quote ---
Pretty good point, embarrassing I hadn't thought about that :-[

dhuser:
Long Zheng recently demonstrated a vulnerability with auto-elevation with UAC in Windows 7. Here he also gives a video demo of it.
http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

Microsoft is yet to admit that the vulnerability exists. It looks like it might come down to user pressure to get Microsoft to fix this issue.
