1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Symantec proves Vista's UAC is flawed

Discussion in 'Article Discussion' started by Tim S, 23 Feb 2007.

  1. Tim S

    Tim S OG

    Joined:
    8 Nov 2001
    Posts:
    18,881
    Likes Received:
    78
  2. DougEdey

    DougEdey I pwn all your storage

    Joined:
    5 Jul 2005
    Posts:
    13,933
    Likes Received:
    33
    I never liked Symantec, but they just seem to be no better then hackers.
     
  3. Iago

    Iago What's a Dremel?

    Joined:
    4 Oct 2005
    Posts:
    202
    Likes Received:
    0
    I don't like Symantec either, and I'd rather have unnecesary surgery than Norton on my system, but they are a business, they have to keep or improve their marketshare...I don't have any problem with them pointing out flaws with UAC. Perhaps if MS hadn't hyped it so much and tolds us that we were due for a new era in computer security, people wouldn't be looking so hard for holes on it.
     
  4. Djpuk

    Djpuk What's a Dremel?

    Joined:
    1 Sep 2006
    Posts:
    93
    Likes Received:
    0
    Perhaps Symantec should go for a new tag line in their advertising,
    "Scaring users and helping hackers, Symantec the lack of common sense company!"
     
  5. antiHero

    antiHero ReliXmas time!

    Joined:
    19 Jan 2005
    Posts:
    2,037
    Likes Received:
    13
    I dont want to rant about Symantec (it would take to long) but i dont like them. They gave just a bit to much info out on this one.

    I love this one!
     
  6. randosome

    randosome Banned

    Joined:
    17 Sep 2006
    Posts:
    226
    Likes Received:
    0
    frankly i think symantec is making a good point here

    I mean, their trying to say your safer with UAC on, but UAC is flawed, because most users don't understand whats going on, so they probably likely to click yes, in any situation
    When you start saying, well you can trust x colour, then their not even going to bother reading what it is

    I'm not sure how easy it is to fake a signed file, but if you can do this the security just falls over anyway
    UAC is stupid anyway because it comes up with messages so often that people are just going to click yes because their fed up with reading it (like the T&C's/EULA that you agree to when you install any software)

    Personally, i'm glad Symantec released this information, if they didn't show you how easy this is to do, then you wouldn't see the problem with UAC, or even what to look for
    so Microsoft basically ignored the fact that there is a pretty serious problem with UAC - really good idea there
    I see most people just disabling UAC anyway because its an irritant
     
  7. Redbeaver

    Redbeaver The Other Red Meat

    Joined:
    15 Feb 2006
    Posts:
    2,061
    Likes Received:
    35
    i have to agree with brett...

    sure, symantec found a flaw, they are a security company... sure, M$ doesnt seems to want to do anything about it, i mean, hey, what else is new...

    but to clearly explain it in details for the whole world to see, i have 2 things that made me believe that that is a low blow....
    - like brett said, symantec, as a security provider, should rather lean towards a white hat hacker; finding out what the problem is, then notify the developer to take actions to fix it. Not rubbing it on their face, "look, u dont give access to us to get into Vista, i'll prove it to u that its flawed! in ur face, M$!!!"
    - great, now instead of a few selected talented group of people, anybody with an internet can hack into Vista with a few click of mouse.... Thanks, Symantec, i feel more secure now.........



    sorry, randosome, i think symantec is NOT making ANY good point here.
    i mean, come on, to explain how EASY it can be done, u dont need to go as detailed as that. probably symantec, or rather, olie whitehouse *intended* to make a good point, but he failed miserably in doing so because of his methods. period.

    just my 2c of course.
     
  8. KenL

    KenL What's a Dremel?

    Joined:
    23 Feb 2007
    Posts:
    2
    Likes Received:
    0
    Bad Journalism

    I think that this comment is BS and unresearched. While Symantec was dumb in showing just how this bug works and how you can exploit it, there are plenty of black hats and white hats that are more than willing to detail exploits and bugs.

    The Month of Apple Bugs: http://projects.info-pull.com/moab/
    The Month of Kernel Bugs: http://projects.info-pull.com/mokb/
    The Month of Browser Bugs: http://browserfun.blogspot.com/

    There are companies that sell this exploit notifications: info:http://www.frsirt.com/english/services/

    Heres one that gives them away: http://insecure.org/sploits.html

    Here is an expolit tool: http://www.metasploit.com/
     
  9. Djpuk

    Djpuk What's a Dremel?

    Joined:
    1 Sep 2006
    Posts:
    93
    Likes Received:
    0
    Mmmm Symantec, huge multinational multi million $ supposedly responsible company, can any of the people you list here say the same?
     
  10. Cthippo

    Cthippo Can't mod my way out of a paper bag

    Joined:
    7 Aug 2005
    Posts:
    6,783
    Likes Received:
    102
    Keep in mind, Symantec is a company, they're role is to make money. Period. They do this by selling products that improve security, but they have only a secondary interest in improving security, and no interest at all in creating an impression of improved security except for their customers.

    In otherwords, spreading FUD about MS products is a sound business strategy and if it causes a few more users, who are not their customers, to get screwed, well, so what?

    (please note, this is my interpretation of what they are up to, not my view of how it should be)
     
  11. KenL

    KenL What's a Dremel?

    Joined:
    23 Feb 2007
    Posts:
    2
    Likes Received:
    0
    I agree that Symantec was stoopid in giving out this info and should be ashamed of their business tactics. My point/reaction was only with the comment made by Mr. Brett Thomas. His assertion that neither black or white hat hackers don't care to broadcast flaws is in my opinion wrong.

    In no way was trying to say that Symantec was doing the right thing is publishing the details of the UAC flaw. I too think that they are doing it to cause FUD and to show that Vista is still security flawed.
     
  12. pendragon

    pendragon I pickle they

    Joined:
    14 May 2004
    Posts:
    717
    Likes Received:
    0
    articles like this make me feel better about my friend's pirated copies of NAV
     
  13. dtek

    dtek What's a Dremel?

    Joined:
    11 Dec 2006
    Posts:
    3
    Likes Received:
    0
    So.. are these the bad guys now?

    I don't support this kind of beahvior, specially, because is MS the big Corp that is doing these "unethical but still not Illegal" stuff daily (Heard about use of patent infringmnent lately?); so by going all way against Symantec only, is missing the big picture here; yes what they did is questionable, but, way behind MS doings.
     
  14. Kipman725

    Kipman725 When did I get a custom title!?!

    Joined:
    1 Nov 2004
    Posts:
    1,753
    Likes Received:
    0
    Look m$ already told them it wasn't going to be fixed, I don't see the problem here. People need to know if the software there using is insecure and using broad terms about it instead of showing exactly how its done creates confusion. This flaw will hopefully be fixed very quikly now.

    *btw I prefer the older defenition of hacker which didn't even have to involve computers :eyebrow:
     
  15. DougEdey

    DougEdey I pwn all your storage

    Joined:
    5 Jul 2005
    Posts:
    13,933
    Likes Received:
    33
    That definition has not changed. It's a common misconception.

    Hacker = Someone who makes something do what it was not designed to

    Cracker = Complete waste of life.
     
  16. Redbeaver

    Redbeaver The Other Red Meat

    Joined:
    15 Feb 2006
    Posts:
    2,061
    Likes Received:
    35
    LMAO at the above post (by DougEdey, incase somebody posted right when im typing this)(btw, Doug, im in canada but i have a coworker that used to live in Bath, England - nice town!)

    @cthippo,
    *In otherwords, spreading FUD about MS products is a sound business strategy and if it causes a few more users, who are not their customers, to get screwed, well, so what?*

    to cause a few more users who are not their customers to get screwed is, in my honest oppinion, is not a "sound" strategy. but yes, it is a business strategy.

    @Kenl,
    the general conception and description of white and black hat hackers given by mr. brett thomas is, or perhaps, was, the original definition and "purpose". yes, there are many who does not follow this *standard*, and nobody blames them... but u should know that there many MORE who do follow this definition. Therefore, calling it BS is abit too harsh, dont u think?
     
  17. DougEdey

    DougEdey I pwn all your storage

    Joined:
    5 Jul 2005
    Posts:
    13,933
    Likes Received:
    33
    @Redbeaver: Nice town, but VERYVERY expensive if you are a student on a meagre government salary.

    I'm hopefully heading to Ajax next summer.
     
  18. dyzophoria

    dyzophoria Minimodder

    Joined:
    3 May 2004
    Posts:
    393
    Likes Received:
    1
    This is how pissed was when symantec was refused access to the kernel with windows vista 64?lol, anyway, still even with a company primary goal in money shouldn't just release information like this so freely to the public,more that they are a security firm, yeah i know the uac prompt gets annoying (just the same as the similar prompts in linux and osx), but its still a small step to warning the user, getting used to the uac is just the same as getting used to ones in other os.
     
  19. Buzzons

    Buzzons Minimodder

    Joined:
    21 Jul 2005
    Posts:
    3,020
    Likes Received:
    31
    Couple of things

    if i try to run shite code on my vista box, it warns me, and asks me if i wish to run it (so i give it my admin details and it happily runs)

    on my linux box, if i want to run shite code, i type sudo ./thing/i/want/to/run -- no warnings etc, and it runs with full root.

    both will have the same daming effect -- box broken. Both require me to log in as an admin - so how is the UAC BROKEN! its not like it does it for you, you can never protect a user from their own stupidity, that is why help desks exist :)
     
  20. GoodBytes

    GoodBytes How many wifi's does it have?

    Joined:
    20 Jan 2007
    Posts:
    12,300
    Likes Received:
    710
    If Symantec says: "Microsoft Windows Vista is the safest OS ever, in fact 95% of virus/trojan/worm out there don't work under Vista." (which could be true, ok maybe not that high of a percent, but a good deal)

    No one will buy there **oh so mighty** Symantec software that deeply slow down your computer.
     
Tags: Add Tags

Share This Page