23rd Feb 2007, 09:34   #1
Tim S
Symantec proves Vista's UAC is flawed

http://www.bit-tech.net/news/2007/02...ta_UAC_flawed/

23rd Feb 2007, 09:37   #2
DougEdey
I never liked Symantec, but they just seem to be no better than hackers.

23rd Feb 2007, 10:21   #3
Iago
I don't like Symantec either, and I'd rather have unnecessary surgery than Norton on my system, but they are a business, they have to keep or improve their market share... I don't have any problem with them pointing out flaws with UAC. Perhaps if MS hadn't hyped it so much and told us that we were due for a new era in computer security, people wouldn't be looking so hard for holes in it.

23rd Feb 2007, 10:59   #4
Djpuk
Perhaps Symantec should go for a new tag line in their advertising,
"Scaring users and helping hackers, Symantec the lack of common sense company!"

23rd Feb 2007, 11:19   #5
antiHero
I don't want to rant about Symantec (it would take too long) but I don't like them. They gave just a bit too much info out on this one.

Quote:
Apparently, there was comment on why it takes only one system process prompt required to run harmful executables, but three and a government security clearance to delete a year-old Word document.
I love this one!

23rd Feb 2007, 14:04   #6
randosome
Frankly I think Symantec is making a good point here

I mean, they're trying to say you're safer with UAC on, but UAC is flawed, because most users don't understand what's going on, so they're probably likely to click yes in any situation
When you start saying, well you can trust x colour, then they're not even going to bother reading what it is

I'm not sure how easy it is to fake a signed file, but if you can do this the security just falls over anyway
UAC is stupid anyway because it comes up with messages so often that people are just going to click yes because they're fed up with reading it (like the T&Cs/EULA that you agree to when you install any software)

Personally, I'm glad Symantec released this information, if they didn't show you how easy this is to do, then you wouldn't see the problem with UAC, or even what to look for
Quote:
Originally Posted by Symantec
I went to Microsoft with this and was pointed to a document titled "Security Best Practice Guidance for Consumers."
so Microsoft basically ignored the fact that there is a pretty serious problem with UAC - really good idea there
I see most people just disabling UAC anyway because it's an irritant

23rd Feb 2007, 14:31   #7
Redbeaver
I have to agree with Brett...

Sure, Symantec found a flaw, they are a security company... sure, M$ doesn't seem to want to do anything about it, I mean, hey, what else is new...

but to clearly explain it in detail for the whole world to see, I have 2 things that made me believe that that is a low blow....
- like Brett said, Symantec, as a security provider, should rather lean towards a white hat hacker; finding out what the problem is, then notifying the developer to take action to fix it. Not rubbing it in their face, "look, u don't give access to us to get into Vista, I'll prove it to u that it's flawed! in ur face, M$!!!"
- great, now instead of a few selected, talented groups of people, anybody with an internet connection can hack into Vista with a few clicks of the mouse.... Thanks, Symantec, I feel more secure now.........

Sorry, randosome, I think Symantec is NOT making ANY good point here.
I mean, come on, to explain how EASY it can be done, u don't need to go as detailed as that. Probably Symantec, or rather, Ollie Whitehouse *intended* to make a good point, but he failed miserably in doing so because of his methods. Period.

Just my 2c of course.

23rd Feb 2007, 15:37   #8
KenL
Bad Journalism

Quote:
White hats will often email the sysadmins, explaining their points of entry and how to best correct it. Black hats will take the understanding and find out how many other things can be exploited with it. Neither is really big on broadcasting the flaws - that "honour" is apparently reserved for corporations like Symantec.
I think that this comment is BS and unresearched. While Symantec was dumb in showing just how this bug works and how you can exploit it, there are plenty of black hats and white hats that are more than willing to detail exploits and bugs.

The Month of Apple Bugs: http://projects.info-pull.com/moab/
The Month of Kernel Bugs: http://projects.info-pull.com/mokb/
The Month of Browser Bugs: http://browserfun.blogspot.com/

There are companies that sell these exploit notifications: http://www.frsirt.com/english/services/

Here's one that gives them away: http://insecure.org/sploits.html

Here is an exploit tool: http://www.metasploit.com/

23rd Feb 2007, 16:05   #9
Djpuk
Quote:
Originally Posted by KenL
I think that this comment is BS and unresearched. While Symantec was dumb in showing just how this bug works and how you can exploit it, there are plenty of black hats and white hats that are more than willing to detail exploits and bugs.

The Month of Apple Bugs: http://projects.info-pull.com/moab/
The Month of Kernel Bugs: http://projects.info-pull.com/mokb/
The Month of Browser Bugs: http://browserfun.blogspot.com/

There are companies that sell these exploit notifications: http://www.frsirt.com/english/services/

Here's one that gives them away: http://insecure.org/sploits.html

Here is an exploit tool: http://www.metasploit.com/
Mmmm Symantec, huge multinational multi million $ supposedly responsible company, can any of the people you list here say the same?

23rd Feb 2007, 16:10   #10
Cthippo
Keep in mind, Symantec is a company, their role is to make money. Period. They do this by selling products that improve security, but they have only a secondary interest in improving security, and no interest at all in creating an impression of improved security except for their customers.

In other words, spreading FUD about MS products is a sound business strategy and if it causes a few more users, who are not their customers, to get screwed, well, so what?

(please note, this is my interpretation of what they are up to, not my view of how it should be)

23rd Feb 2007, 16:31   #11
KenL
I agree that Symantec was stoopid in giving out this info and should be ashamed of their business tactics. My point/reaction was only with the comment made by Mr. Brett Thomas. His assertion that neither black nor white hat hackers care to broadcast flaws is in my opinion wrong.

In no way was I trying to say that Symantec was doing the right thing in publishing the details of the UAC flaw. I too think that they are doing it to cause FUD and to show that Vista is still security flawed.

23rd Feb 2007, 18:40   #12
pendragon
articles like this make me feel better about my friend's pirated copies of NAV

23rd Feb 2007, 19:11   #13
dtek
So.. are these the bad guys now?

I don't support this kind of behavior, especially because it is MS, the big corp, that is doing this "unethical but still not illegal" stuff daily (heard about the use of patent infringement lately?); so going all the way against Symantec only is missing the big picture here; yes, what they did is questionable, but way behind MS's doings.

23rd Feb 2007, 21:05   #14
Kipman725
Look, M$ already told them it wasn't going to be fixed, I don't see the problem here. People need to know if the software they're using is insecure, and using broad terms about it instead of showing exactly how it's done creates confusion. This flaw will hopefully be fixed very quickly now.

*btw I prefer the older definition of hacker which didn't even have to involve computers

23rd Feb 2007, 21:56   #15
DougEdey
Quote:
Originally Posted by Kipman725
*btw I prefer the older definition of hacker which didn't even have to involve computers
That definition has not changed. It's a common misconception.

Hacker = Someone who makes something do what it was not designed to

Cracker = Complete waste of life.

23rd Feb 2007, 22:40   #16
Redbeaver
LMAO at the above post (by DougEdey, in case somebody posted right when I'm typing this) (btw, Doug, I'm in Canada but I have a coworker that used to live in Bath, England - nice town!)

@cthippo,
*In other words, spreading FUD about MS products is a sound business strategy and if it causes a few more users, who are not their customers, to get screwed, well, so what?*

To cause a few more users who are not their customers to get screwed is, in my honest opinion, not a "sound" strategy. But yes, it is a business strategy.

@KenL,
The general conception and description of white and black hat hackers given by Mr. Brett Thomas is, or perhaps was, the original definition and "purpose". Yes, there are many who do not follow this *standard*, and nobody blames them... but u should know that there are many MORE who do follow this definition. Therefore, calling it BS is a bit too harsh, don't u think?

23rd Feb 2007, 22:42   #17
DougEdey
@Redbeaver: Nice town, but VERYVERY expensive if you are a student on a meagre government salary.

I'm hopefully heading to Ajax next summer.

23rd Feb 2007, 22:53   #18
dyzophoria
This is how pissed Symantec was when it was refused access to the kernel with Windows Vista 64? lol, anyway, still, even a company with money as its primary goal shouldn't just release information like this so freely to the public, more so as they are a security firm. Yeah, I know the UAC prompt gets annoying (just the same as the similar prompts in Linux and OS X), but it's still a small step to warning the user; getting used to the UAC is just the same as getting used to the ones in other OSes.

24th Feb 2007, 11:22   #19
Buzzons
Couple of things

If I try to run shite code on my Vista box, it warns me, and asks me if I wish to run it (so I give it my admin details and it happily runs)

On my Linux box, if I want to run shite code, I type sudo ./thing/i/want/to/run -- no warnings etc, and it runs with full root.

Both will have the same damaging effect -- box broken. Both require me to log in as an admin - so how is the UAC BROKEN! It's not like it does it for you, you can never protect a user from their own stupidity, that is why help desks exist

24th Feb 2007, 14:09   #20
GoodBytes
If Symantec says: "Microsoft Windows Vista is the safest OS ever, in fact 95% of virus/trojan/worm out there don't work under Vista." (which could be true, ok maybe not that high of a percent, but a good deal)

No one will buy their **oh so mighty** Symantec software that deeply slows down your computer.