Bink.nu Services

Subscribe to our feed 
Alerts 
 


Order Now!

Windows 7 for XP Professionals
Updating Support Skills from XP to Windows 7
by Bink.nu's Raymond Comvalius

Who is online

There are 99 guest(s) online.

There are 0 member(s) online.

Sponsors



Popular Tags

Microsoft: UAC not a security feature
Posted by Spy February 15, 2007 11:23 AM with 2 comment(s)
Filed under:
For those who thought the User Account Control (UAC) feature introduced in Windows Vista was intended to set security boundaries, Microsoft has made a clarification: it isn't.

The message is attracting criticism from security experts, one of whom said it made features such as UAC seem like nothing more than a "joke".

The most direct communication about UAC to date came on Monday from Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, who joined the company when it bought Russinovich's Winternals Software. Russinovich is a noted developer of Windows utilities and is credited with being the first to discover the rootkit in Sony BMG's copy-protection software.

In a Microsoft TechNet blog post, Russinovich explained that Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges - which Microsoft calls Integrity Levels (ILs) - are designed to allow some IL breaches.

"Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use," he wrote.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point needed reiterating.

Full Story At Source
Send via e-mail | Submit to Digg | Add to Live Favorites
3555 Views
Source: www.techworld.com

Comments

 

LoneWolf15 said:

"Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point needed reiterating."

I respect Mark, but I'm curious --is this going to result in a new Microsoft policy of claiming that a bug/exploit isn't truly an exploit any more because a user had to click okay to allow it to happen?
February 15, 2007 6:59 PM
 

Zac B said:

I hope so LoneWolf... well unless there is no Cancel button.
February 15, 2007 10:29 PM

About Spy

Hello world, as they say. I'm in Melbourne Australia and work as a Systems Administrator. I go to work every day with a smile on my face as I just love my work. Our company works across 30+ sites around the state so I travel a bit. We use mostly MS products, IBM hardware and 100% Cisco networking...it's a sweet mix for sure. I've been around Bink's site since it's inception way back when it was just a group on the MS site...that was a while ago. Bink.nu is the leading source of Microsoft news on the web that's for sure and I love being a part of Steven's team. Anyway, hope you enjoy the site.
Powered By IIS 7 Powered by ASP.NET
Bink.nu 3.0. Copyright © 1999-2010 Steven Bink. All Rights Reserved.
Microsoft and Microsoft logo's are trademarks of Microsoft Corporation.