
Windows 7 may be more secure, but its UAC is less functional than Windows Vista's, according to a recent security study. The study suggests that only antivirus protection can properly protect Windows 7.  (Source: Switched)
Antivirus protection still necessary, says firm

One of the most unpopular features of Windows Vista among casual users was the User Account Control (UAC).  Ironically, while the UAC provoked irate comments from these users, like "why is my computer asking me to approve everything", the feature was one of the most appreciated features by power users as it gave them much more control over their security and ability to prevent inappropriate actions.

With Windows 7, Microsoft pledged to go the OS X route on this topic, tuning down the UAC's warnings to a lesser level.  Many security firms complained about this approach and Microsoft relented slightly, restoring some of the UAC's warnings, in particular a warning about disabling the UAC altogether (experts showed that attackers could disable the UAC without prompting the user in early builds of Windows 7).

While these changes helped make Windows 7's release edition more secure than the test builds, the UAC's default setting is still neutered compared to Vista's robust solution, says Sophos Senior Security Adviser Chester Wisniewski.  He has just completed a study that attacked Windows 7 with malware to see how the new UAC responds.
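The "default setting" the article refers to is one notch on the Windows 7 UAC slider, and the slider is just a front end for three registry values. The following PowerShell is an added example (not code from the article, Sophos or Microsoft) that reads those values and reports which notch a machine is on; the value-to-notch mapping is an assumption about what the Windows 7 slider writes, so verify it on your own build.

```powershell
# Added example, not code from the article, Sophos or Microsoft.
# Reads the registry values behind the Windows 7 UAC slider and maps them to a notch.
# Assumption: the value-to-notch mapping below is what the Windows 7 slider writes.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Read-Dword {
    # Return a DWORD value from an already-read key, or a default if the value is absent.
    param($Props, [string]$Name, [int]$Default)
    if ($null -eq $Props.$Name) { return $Default }
    return [int]$Props.$Name
}

function Get-UacLevel {
    [CmdletBinding()]
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $enableLua = Read-Dword $p 'EnableLUA' 1                   # 0 = UAC switched off entirely
    $consent   = Read-Dword $p 'ConsentPromptBehaviorAdmin' 5  # what an admin sees on elevation
    $secure    = Read-Dword $p 'PromptOnSecureDesktop' 1       # 1 = prompt on the dimmed desktop

    if ($enableLua -eq 0 -or ($consent -eq 0 -and $secure -eq 0)) {
        $notch = 0; $desc = 'Never notify (UAC effectively off)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $notch = 1; $desc = 'Notify only for program changes, without the secure desktop'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $notch = 2; $desc = 'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $notch = 3; $desc = 'Always notify (Vista-equivalent)'
    } else {
        $notch = -1; $desc = 'Non-standard combination (set by policy or edited by hand)'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderNotch                = $notch
        Description                = $desc
        VistaEquivalent            = ($notch -eq 3)
    }
}

# Raise the slider to the top notch (needs an elevated shell); -WhatIf previews the change.
# If EnableLUA was 0, Windows only honours the new value after a reboot.
function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $UacKey)

    if ($PSCmdlet.ShouldProcess($Path, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $Path -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $Path -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $Path -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    }
}

Get-UacLevel | Format-List
```

Group Policy can pin these values on domain machines, which is why the script reports the raw values alongside the interpreted notch.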

Of the ten pieces of malware tested, Windows 7 wouldn't install two of them.  Of the remaining eight, only one generated a UAC warning, allowing the user to disallow its installation.

Microsoft officials, though, downplayed the test, saying the UAC just isn't that important a security feature anymore.  They point to Windows 7's improved memory protections and Microsoft's free Security Essentials antivirus suite as two critical tools that can be used to fight infection, in addition to the UAC.

States a Microsoft spokesperson, "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

"Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released," the spokesperson added. "Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions."

While he acknowledges that with other supplemental protections Windows 7 will likely be safe, Mr. Wisniewski seems mildly disapproving of defaulting the UAC to reduced functionality.  After all, users coming from Windows Vista may be lulled into a false sense of security, expecting prompts to save them from malware.  Ultimately, though, there's little that can be done to convince Microsoft to change this, and he concludes, "Lesson learned? You still need to run antivirus [protection] on Windows 7."


Flawed Methodology
By rs1 on 11/5/2009 2:13:31 PM , Rating: 5
If you go back through the articles to find out how the actual test was conducted, they did it by manually executing the malware programs on the machine. That makes their whole test nonsense. I'm sorry, but if you tell your machine to execute a piece of malware, then you deserve to end up with a piece of malware running on your system.

It's not the job of the operating system to prevent user stupidity. The job of the operating system is to prevent remote exploits that allow code to be executed without any intervention (buffer overflow attacks and the like). If they had shown that a computer could be infected with these programs without the user needing to manually execute the malware code, then I would be concerned. As it is however, all they have shown is that if you do stupid things on your computer, bad stuff can still happen to you.

RE: Flawed Methodology
By Chapbass on 11/5/2009 2:24:53 PM , Rating: 2
Oh come on, rs1...I thought you liked rubber kid gloves on everything? :)

RE: Flawed Methodology
By erikejw on 11/8/2009 9:36:23 PM , Rating: 2
The antivirus manufacturers would most likely find W7 unsafe even if you removed all possibilities of an internet connection and unplugged the network cable and put a bolt through any WLAN devices.

RE: Flawed Methodology
By Iaiken on 11/5/2009 2:33:58 PM , Rating: 5
Let's not forget that for extra stupid users that will run just about anything you send them, you can always raise the UAC alert levels to be just as annoying as Vista. It's this neat little slider under ControlPanel>UAC that even a retarded monkey could use.

RE: Flawed Methodology
By lightfoot on 11/5/2009 2:57:42 PM , Rating: 3
The problem is that the retarded monkeys turn off the UAC because they don't like being prompted when they are trying to run malware. You can put a safety on a gun, but it won't stop you from shooting yourself in the foot if that's where you're aiming.

RE: Flawed Methodology
By StevoLincolnite on 11/5/2009 9:38:53 PM , Rating: 3
I think it's a case of "You're damned if you do, and you're damned if you don't". - One of the biggest issues people had with Vista was UAC, Microsoft tones it down... And now one of the biggest issues is the lack of UAC.

Unfortunately Microsoft can't please everyone it seems.

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 9:57:04 PM , Rating: 4
And now one of the biggest Issues is the lack of UAC.

No it's not.

RE: Flawed Methodology
By StevoLincolnite on 11/5/09, Rating: 0
RE: Flawed Methodology
By DominionSeraph on 11/6/09, Rating: 0
RE: Flawed Methodology
By damianrobertjones on 11/6/2009 6:27:05 AM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop unauthorised installing/launching/access to the system and its sections. Supposedly, when a web app tries to install, UAC should appear and warn you about this action.

Something trying to access the management section, UAC prompt. It's simply another level of protection that people turn off. Damned if they do, Damned if they don't

UAC does serve a purpose. At least try to add more than 'no it's not'.

RE: Flawed Methodology
By wallijonn on 11/9/2009 1:39:18 PM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop unauthorised installing/launching/access to the system and its sections.

And seeing how XP Home defaults to admin rights for all accounts created, the problem still lies with MS. Many people don't know what to do with Restricted or Limited accounts. So they just create another account, which has Admin rights by default, and get back onto the Internet. Installing firewalls doesn't help either since they'll just get the same type of Vista UAC prompts. Eventually they disable all Internet access and end up calling me...

RE: Flawed Methodology
By StevoLincolnite on 11/6/2009 9:33:27 AM , Rating: 2
And that purpose would be...? Please say, "Security." I do so much like laughing at fools.

Well it's obviously not to assist in rendering Direct 3D based games is it now? What else would it be for?

In essence the greatest cause of computer issues was because of the person using it, which has been true for decades; the UAC was supposed to be a "cure" for the ailment, which unfortunately ticked a lot of people off with its annoying prompts.

The idea of UAC was to stop:

* Malicious Programs from executing without a users consent.
* To verify your actions, so you can reverse what may be a potentially catastrophic mistake.
* So you are aware of what is going on in the background of your system.

I think that pretty much falls under "Security" which UAC achieves, like it or not.

RE: Flawed Methodology
By DominionSeraph on 11/6/2009 9:01:33 PM , Rating: 2
Ahhh... typical American consumer egotism, thinking that everything is engineered to directly cater to you.

The purpose of UAC is to socially engineer towards the use of limited user accounts.

Prior to Vista, everyone ran as Admin. They had to, because their programs didn't work under limited user access, and programmers kept programming for system area access because everyone ran as admin.
Cute little self-supporting structure there.

With Microsoft's use of limited access tokens with UAC elevation in Vista's administrator account, programmers could no longer presume admin access. To make a program that would work without constant UAC nags, they had to design programs that would behave under a limited user account, just like Microsoft had been telling them to do for the last decade.
They now do this, which makes actually running as a limited user a valid option.

The security is in the limited user account. UAC just nags it into viability.

So you see, UAC was never meant to secure the inherently unsecure admin account. Microsoft isn't weighing usability against administrator account protection, they're weighing usability against programmer coercion. Windows 7 increases usability while maintaining the same degree of pressure on programmers to program in alignment with the security model of limited access users.

The decrease to security in user-initiated actions in the administrator account is a meaningless aside, as the administrator account is not meant to protect the user from himself.
Limited accounts are there to protect the system from idiots running, "format.bat." The administrator account, however, is the place you're supposed to be able to run it.

RE: Flawed Methodology
By neogrin on 11/6/2009 10:55:36 AM , Rating: 2
No it's not.

Shush, the adults are talking.

RE: Flawed Methodology
By Reclaimer77 on 11/5/09, Rating: 0
RE: Flawed Methodology
By The0ne on 11/5/2009 3:03:21 PM , Rating: 4
Max level for UAC in Win7 is much less annoying than Vista. I usually have it off as I am picky on what I install but have been using it at max and have been pretty satisfied with the prompts. I'm keeping it at max unless it really does become annoying, which I doubt.

RE: Flawed Methodology
By Sulphademus on 11/5/2009 3:36:03 PM , Rating: 5
I upped my UAC to max and upped it to max on the PC I'm building for my bro. Vista UAC has been fantastic in a corporate environment (prevented so much stupid crap!).

I'd like for them to do a full test with whatever crapware they wish and compare the results between XP SP3, Vista SP2 w/ UAC, Vista SP2 w/o UAC, and Win7 at all 4 levels of UAC. THEN tell me numbers!

RE: Flawed Methodology
By Souka on 11/5/2009 6:06:47 PM , Rating: 2
In my last two jobs, UAC is disabled in Vista...and Win7 RCs.

No need really... users are only given "USER" level authority on the system. If they need an app, they request it and it gets pushed to their system.

Standard apps they can simply select from the published apps (via control panel or sharepoint site).. Non standard apps we have a process for that also.

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their
Number of support/IT related calls...very few

I'm now at a company that runs XP, Vista, and now Win7... most users have admin authority on their boxes.

Wouldn't ya know it.. we have over 3x the support personnel, and the IT dept. spends its time putting out fires instead of working on real projects for company growth...

Glad I don't have to deal with it...but hate having my projects put on hold because they're so busy on things that could be avoided...

Ugh...sorry....long day.... anyhow.. UAC? Hmm... no matter how good the programming is, I'm sure there's a way for a person like my parents to say "sure, go ahead and install!"


RE: Flawed Methodology
By Master Kenobi on 11/5/2009 10:26:10 PM , Rating: 5
Yes, I have noticed overwhelmingly that companies that choose to give end users admin level functionality locally end up with a massive increase in problems and support calls related to those problems. It's a never ending stream of brush fires.

RE: Flawed Methodology
By FITCamaro on 11/8/2009 12:30:35 PM , Rating: 2
I agree. It is extremely annoying to have to call IT when you need a tool. Especially since companies are cutting back on local support staff and going to remote administration.

RE: Flawed Methodology
By mark3450 on 11/6/2009 11:45:47 AM , Rating: 4

Number of virus outbreaks at my last two companies... zero
Number of users corrupting their
Number of support/IT related calls...very few

This may be true, but it doesn't necessarily mean you're doing a good job. This is classic IT mentality. The purpose of IT is not to minimize the number of computer issues, it's to maximize the productivity of the employees using those computers. You may very well be doing that as well, but it doesn't follow from these results. You can simply remove all the power cords from the computers and get the same result.

RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:11:22 PM , Rating: 1
Umm hello, you can maximize productivity of the user when the user isn't sitting at their desk twiddling their thumbs because they clicked on that UPS tracking number email and installed the .exe contained in there even while questioning the origin of that email to themselves, and as the IT staff you are now working to remove that virus from their computer before it infects other users or your server.
You are obviously not an IT person. If you can prevent problems, they do not become problems, and as stated it allows you to focus your attention on other products that may in fact, increase productivity.
Think before you speak.

RE: Flawed Methodology
By mark3450 on 11/7/2009 12:07:32 AM , Rating: 3
No I am not an IT person, however I do know computers and the shortcomings of IT mentality. Yes having some bozo infect his computer with a virus isn't good for productivity, but locking out users from admin causes its own problems for productivity you so blissfully ignore.

Simple example, say I have a scientific paper in PDF I need to read, but it requires an updated version of Adobe Reader to view. With admin privileges it takes 5 minutes to get the new reader, without it's a major headache to get IT to install one for you. The difference in productivity is huge.

What I'm calling IT mentality is this thought process that the only goal is minimizing the number of problems. The goal is to maximize productivity and that's not the same. Yes problems like viruses reduce productivity, but so do draconic IT measures like denying users admin privileges.

RE: Flawed Methodology
By DominionSeraph on 11/7/09, Rating: 0
RE: Flawed Methodology
By Alexstarfire on 11/7/2009 5:50:32 AM , Rating: 2
If IT is doing their job properly it shouldn't take much longer than doing it by yourself. That is of course assuming that the end user actually knows how to do it by themselves... of which many times I highly doubt.

RE: Flawed Methodology
By damianrobertjones on 11/8/2009 9:27:24 AM , Rating: 2
The moment you give users the rights to install, your days are numbered. Users are... to put it bluntly, thick. Really, really thick. You can train, state, send them FIFTY DAMN emails and they STILL won't take a blind bit of notice.

P.s. Adobe acrobat? Why? Foxit reader. With apps think quick and easy instead of bloated and slow.

P.P.s Admins can remotely update hundreds upon hundreds of PCs without even leaving their desk. You're not an IT person so please try not to think like a user who 'wants' everything. :)

RE: Flawed Methodology
By mark3450 on 11/9/2009 5:04:12 PM , Rating: 2
Users are... to put it bluntly, thick. Really, really thick.

Yes some users are thick, but many are not. I know folks in IT can give endless examples of how clueless users are, but users can also give examples of how IT policies like locking out admin destroys their productivity. Obviously it's easier on IT to lock down admin, but quite honestly it's IT's job to make life easy for the user not the other way around.

RE: Flawed Methodology
By Cerin218 on 11/6/2009 5:15:25 PM , Rating: 2
That's what my father does. He doesn't read any windows, just clicks until it does what he wants it to do. My favorite is the last time his computer was infected and I asked him what happened. He told me a computer program wanted to install but he didn't know what the program was and it told him that it needed to shut off his antivirus in order to do so. So he said great and installed an unidentified program that subverted the security and didn't know what happened, only that his computer didn't work now.

UAC is only as smart as the person using it. Of course if you are smart enough to use it, you are smart enough not to need it. Kind of an odd little catch.

RE: Flawed Methodology
By Fox5 on 11/5/2009 3:35:19 PM , Rating: 3
What operating system even has to worry about automatically executing viruses and malware anymore? We're not in the Windows 98 days anymore, and most people aren't running servers.

The fact of the matter is, most people who get viruses and malware install them on their own. Much of this will come from pirated content, and the rest probably from random shareware programs people find around the net and download because they think they need it.
We're at a point where the software installation model probably needs to be rethought. Virus scanners can of course blacklist known bad programs. We could also just digitally sign everything, meaning any program not attached to a known vendor can't be run.

Or even go with the Linux/iphone software model. Keep just about everything in an approved repository/store so essentially only white listed programs can be easily installed. Probably the most secure way of doing things, but a bit restrictive.

RE: Flawed Methodology
By Hoser McMoose on 11/5/09, Rating: 0
RE: Flawed Methodology
By Screwballl on 11/5/09, Rating: 0
RE: Flawed Methodology
By rs1 on 11/5/2009 4:33:29 PM , Rating: 5
Even on Linux you can get yourself in trouble if you intentionally run a program that's designed to harm your system. Granted, permissions will keep the program from running amok with the core of the system (as they do on Win 7 as well), but a properly designed malicious program (or shell script, even) could trash a Linux user's account plenty easily, and without the OS raising any warning flags. Linux is no more secure than Windows in this regard. If you tell it to run a malicious program that only trashes your user-level settings/account and does not try to access any privileged areas, then the OS will allow you to without complaint. Just like Windows.

The only real difference is that there aren't many malicious programs out there that target Linux, relative to the number that target Windows. And also that the company selling the anti-virus software doesn't offer a linux version, so there's no incentive for them to come up with a contrived test that shows just how "vulnerable" Linux is to malware.

RE: Flawed Methodology
By Fox5 on 11/5/2009 4:35:55 PM , Rating: 2
Windows has unfortunately become too synonymous with computing. I could see a big player like Dell or HP changing that IF they pushed Linux (probably Ubuntu) as the biggest thing since Apples. Seriously, many of Apple's big selling points are even more true in favor of a Linux system. Flashiness, security, things 'just working' (to a certain level of functionality, Linux handles pretty much all of the common tasks well, it's specific apps it fails in), system responsiveness, I'm surprised some enterprising enterprise hasn't tried to use Linux as the off-brand Mac.

Ultimately though, the security model is broken. Who cares if malware can't get admin rights, there's still a crap ton of damage it can do at just the user level. Identity theft, loss of probably all the data that matters to the user, and it can still freeze programs or crash the computer at a user level.
Google's security model for Android (and probably Chrome OS) sounds like a smarter way to do things, read up on it, it's a good attempt to fix a flawed model instead of just continually patching it and wondering why Windows Vista/7 now has one of the best security implementations around, yet it is still one of the most vulnerable OSes around.

RE: Flawed Methodology
By Screwballl on 11/5/09, Rating: 0
RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 5:02:48 PM , Rating: 5
You are creating a self-fulfilling prophecy. Look, NOTHING built or coded by man is foolproof. If everyone started using Linux, then guess what, Linux would be the number 1 target OS.

You Linux guys... just go away. We are NOT interested, we are NOT going to switch. And until you can pull your elitist collective heads out of your asses and come up with a Distro that runs ALL our programs, ALL our games, and does it all without emulation, compilers, and terrible driver support..well, I think I speak for most Windows users when I say you can just go screw off.

Linux is great for certain things. Prime time on our desktops ? Nope, it's not ready. And please, save your "my mother uses Linux and loves it" stories. Been there, heard that, not interested.

RE: Flawed Methodology
By bupkus on 11/5/2009 5:34:47 PM , Rating: 1
I propose a compromise. How about installing linux in a virtual machine with Windows as host and using that for all your dirty work. Whatever you absolutely need Windows for, use that.
I have Windows 7 for games and... I'm still using W7 for this right now but I'm still testing VirtualBox. When content I intend to use linux for all else where risky exposure is involved.

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 5:43:18 PM , Rating: 5
Why bother ?

If you have Windows 7, with even the default UAC settings, Windows Security Essentials installed, and do a decent job of keeping Windows updated ( which is retardedly easy because it's automatic ), unless you are a flaming IDIOT there is no way you will have a problem.

I propose a compromise, take off your tin foil hat, and stop downloading questionable porn from seedy websites. And for god sakes, think twice when you download a warez with a "patcher.exe" before you open it.

RE: Flawed Methodology
By Alexstarfire on 11/7/2009 6:10:42 AM , Rating: 2
I'd end up using Windows for everything but the internet and IMing people. Not very useful. I can't imagine how hard it would be to find all the converting programs I have for Linux. And I don't just mean command line interfaces either. No sense in taking a giant step backwards for no reason. I have quite a few that I use fairly often. Ohh, and I'd be playing ALL my games on Windows.

Not that Linux isn't fairly easy to use, but the lack of programs keeps me from switching.

RE: Flawed Methodology
By DominionSeraph on 11/5/2009 11:55:56 PM , Rating: 2
Android? Seriously?

Android's security model is crippling. It's fine for a phone due to the nature of their apps, but PCs actually have to do things.

A PC is not a console. Its openness is what makes it great.

RE: Flawed Methodology
By erple2 on 11/5/2009 3:55:21 PM , Rating: 2
I wouldn't call the test nonsense, but ...

The issue at hand is that there are applications that you can run on the local machine that can gain elevated privileges by running them as a non-privileged user. UNLESS they're actually running these things as an Admin User to begin with. In which case, the entire testing methodology is total garbage. Once you are root, there's little to nothing you can't do on a standalone machine, regardless of whether it's a Mac, Linux, or BSD machine, including accepting connections...

Perhaps I'll have to read the methodology again to see what they really did.

RE: Flawed Methodology
By rs1 on 11/5/2009 4:43:59 PM , Rating: 3
The malware apps didn't gain elevated privileges, at least not as far as I understand it. They just managed to install/run for the current user, without performing any operation that required elevated privileges. I assume that the 3 that actually did get flagged were the ones that tried to perform some privileged action.

Malware doesn't always need elevated privileges to do its job. To use linux as an example (because picking on Windows would be a bit cliche), a trojan could execute without elevated privileges if it ran its server on a port >1024, and only allowed access to/modification of files belonging to the user that ran the trojan program. A keylogger could run without privileged access if it worked by editing the current user's .bashrc to spawn the key-recording process whenever they logged in. And so on.

As I understand it, the malware apps that made it past UAC did the same thing. It's not that they were able to exploit some hole to gain privileged access (which would be a legitimate bug), it's that they are able to do their job without needing privileged access in the first place (which is just the reality of computing...unless the user's privileges are so restricted that they can't do anything useful, then somebody's going to be able to come up with a program that can use just the user's privileges to do something malicious).
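The Windows counterpart of the .bashrc trick rs1 describes is the per-user Run keys and Startup folder, which a standard user can write to without ever seeing a UAC prompt. As an added example (not code from the article or from the commenter), this PowerShell enumerates those locations and flags entries whose target runs from a user-writable directory; the list of user-writable roots is an assumed heuristic.

```powershell
# Added example, not code from the article or from the commenter. Enumerates the
# per-user autostart locations a standard user can write to without any UAC prompt
# (HKCU Run/RunOnce keys and the user's Startup folder) and flags entries whose target
# lives in a user-writable directory. Assumption: the user-writable list is a heuristic.

function Get-CommandTarget {
    # Pull the executable path out of a Run-key command line: a quoted path, or the first token.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Get-UserAutostart {
    [CmdletBinding()]
    param()

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $startup = [Environment]::GetFolderPath('Startup')

    # Directories the interactive user can write to without elevation (heuristic list).
    # The Startup folder itself sits under APPDATA, so every shortcut in it is flagged too.
    $userWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    $entries = @(foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Registry value names; skip the PS* properties the provider adds.
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }
            [pscustomobject]@{ Source = $k; Name = $name; Command = [string]$props.$name }
        }
    })
    if (Test-Path -Path $startup) {
        $entries += @(Get-ChildItem -Path $startup -File | ForEach-Object {
            [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $_.FullName }
        })
    }

    foreach ($e in $entries) {
        $target = [Environment]::ExpandEnvironmentVariables((Get-CommandTarget -Command $e.Command))
        $root = $userWritable | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') } |
            Select-Object -First 1
        $note = if ($root) { "runs from user-writable path under $root" } else { '' }
        [pscustomobject]@{
            Source       = $e.Source
            Name         = $e.Name
            Target       = $target
            Exists       = (Test-Path -LiteralPath $target)
            UserWritable = [bool]$root
            Note         = $note
        }
    }
}

Get-UserAutostart | Sort-Object UserWritable -Descending | Format-Table -AutoSize
```

A flagged entry is not proof of malware (many legitimate updaters live in AppData), but it is exactly the class of installation that the Sophos test showed UAC never sees.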

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 4:03:29 PM , Rating: 4
lol I knew before I even clicked on the article Jason Mick wrote it.

Please tell me exactly how the UAC is supposed to stop you from opening malware even AFTER you have told it "yes open it" when it asked you if you were sure ??? Come on Jason, give me a break.

I guess the UAC should just forcibly block you from doing things you want to do based on certain risk factors ? LOL can you imagine the angst and chaos that would cause !?

RE: Flawed Methodology
By Reclaimer77 on 11/5/2009 4:49:56 PM , Rating: 4
Also saying the 7 UAC is "less secure" than Vista's is retarded. It's the same exact UAC, except because of overwhelming customer feedback, it was set one notch lower on 7 by default than it is on Vista. WOW, I mean, talk about a HUGE issue !! Thank god we have Mick here to tell us about these...oh wait, that's right, he didn't actually put that into context.

RE: Flawed Methodology
By Yawgm0th on 11/5/2009 11:27:59 PM , Rating: 1
That makes their whole test nonsense. I'm sorry, but if you tell your machine to execute a piece of malware, then you deserve to end up with a piece of malware running on your system.

While on the one hand I agree with this statement wholeheartedly, let me play Devil's advocate.

Half the point of UAC is that it warns the user if an executed application needs higher privileges. Many programs that people download do not need higher rights to achieve what they desire. UAC is a way of letting the user know that. In some ways, it is a way for the more tech-savvy amongst us to know if a downloaded application is trying to do something it shouldn't.

Furthermore, it definitely can help prevent accidentally running an application that a user did not realize was an application. In the world of digital IP piracy, files downloaded from the USENET (sorry for breaking rule #1), bittorrent, or P2P networks are frequently some sort of malware rather than the described file. An extremely common technique is to include apparent "self-extracting" Zips and Rars, which in fact are neither. Even more common is to give the application the Windows Media Video or Audio icon so as to make it appear like the multimedia the user was searching for.

In any case, why should Microsoft protect pirates and less-savvy users from manually running malware? Because it's in everyone's best interest, especially Microsoft's. It is a smart security feature. The vast majority of intrusion occurs through social engineering, Trojans, and any other willful (but not knowing) execution of malware. Obviously remote exploits and application exploits should still be a big concern, but just because user behavior is the cause of a security breach doesn't mean there aren't technical solutions (UAC) to that user behavior.

RE: Flawed Methodology
By jdietz on 11/6/2009 6:49:20 AM , Rating: 2
Write a batch file that executes the malware?

Start a remote desktop session and launch the malware that way?

How do you execute code on a machine without the user doing it? Isn't such a method a security bug that needs to be fixed?

RE: Flawed Methodology
By foolsgambit11 on 11/6/2009 2:11:55 PM , Rating: 2
It's no surprise, considering the company that did the 'study' markets Antivirus software for Windows.

RE: Flawed Methodology
By Kahnivorous on 11/7/2009 6:40:40 PM , Rating: 2
RS1 basically points out the more important issue that defeats the purpose and validity of the article. Nicely put.

It also didn't take long for a sour-faced-Apple-fan or two to defeat the purpose of the discussion.

Here's the basics for anyone who missed Computers 101: If it uses ones and zeros, it can be infected, broken, and/or manipulated. Only the naive would even believe anything otherwise.
