____/ Peter Köhlmann on Friday 26 October 2007 01:46 : \____
> skydweller wrote:
>
>> On Thu, 25 Oct 2007 10:01:38 -0500, Erik Funkenbusch wrote:
>>
>>> On Thu, 25 Oct 2007 15:13:41 +0100, Roy Schestowitz wrote:
>>
>> Snip ...
>>
>>>> http://www.theregister.co.uk/2007/10/24/activex_vulns/
>>>>
>>>> 'Innovating' ways of excluding competition from the Web (ActiveX).
>>>
>>> This is such a red herring. None of these problems are related to
>>> ActiveX itself. It's flaws in the plug-ins. Mozilla has binary,
>>> non-sandboxed native code plug-ins as well, and nothing in Mozilla would
>>> prevent a flaw in one of those plug-ins from being used to gain control
>>> of a machine.
>>>
>>> The difference is that Mozilla is not the browser used, and supported, by
>>> the majority of plug-in makers, and as such has far fewer potential
>>> targets for attackers to probe.
>>
>> I'm no expert, but AFAIK it's easier to gain control of a machine if the
>> vulnerable app is running with root (or admin, in that netherworld)
>> privileges than if the app is being run as a non-privileged user. I think
>> a poll is in order here:
>>
>> How many linux users browse the web as root?
>>
> Practically none
>
>> How many Windows users browse the web as admin?
>>
>
> Practically all of them
Vista has arguably made things worse. Consider:
Windows Vista Tip: Run as administrator
,----[ Quote ]
| This will make every admin operation prompt you for credentials
| while it is great if you do a lot of remote operations it can
| become tedious if you are performing a lot of local admin operations.
`----
http://windowsconnected.com/blogs/joshs_blog/archive/2006/12/01/windows-vista-tip-run-as-administrator.aspx
http://tinyurl.com/y64c6r
The Truth About User Privileges
,----[ Quote ]
| Has the time finally come for the least-privilege user -- you know,
| setting your Windows client machines to run without system
| administrator rights?
|
| [...]
|
| Today, some Windows applications just won't run properly on a
| desktop without administrative rights. "It's a dirty little
| secret people sweep under the rug because they're not able to
| do much about the problem. A lot of applications and pieces
| of environments won't work if users aren't given admin rights,"
| says Steve Kleynhans, vice president for Gartner's client
| platforms group. "If you can get applications to function
| with lower rights, in a lot of cases it hampers the user
| experience."
`----
http://www.darkreading.com/document.asp?doc_id=110225&WT.svl=news1_1
Vista User Account Control and the Linux Superuser
,----[ Quote ]
| So, when I was researching the way to determine the shadow storage
| size on Windows Vista for my February 23rd entry, I wasn't too surprised
| when I got an error message about needing to elevate my privilege after
| I tried to run vssadmin from a standard command shell. What a Linux
| system would have done right there would be to ask me for the
| administrator password.
`----
http://weblog.infoworld.com/stratdev/archives/2007/03/vista_user_acco.html
Vista's UAC needs an overhaul. Ideas?
,----[ Quote ]
| It seems like everyone, other than possibly Microsoft's Vista team
| itself, seems to believe that the User Account Control (UAC) in
| Vista already needs an overhaul.
`----
http://blogs.zdnet.com/microsoft/?p=277
Windows Vista: Secure Or Just Frustrating?
,----[ Quote ]
| The problem with Vista’s security implementation is that lots of warning
| dialog boxes don't provide security. Users get frustrated and eventually stop
| reading them altogether. They think of them as annoyances, an extra click
| required to get a feature to work. Is Windows Vista really more secure than
| the operating systems that preceded it, or simply more frustrating? Since
| Microsoft left us with no choice but to buy a PC with Vista pre-installed,
| we’re inevitably stuck with it. Let the frustration begin.
`----
http://www.theitarticles.com/windows-vista-secure-or-just-frustrating/264/
,----[ Quote ]
| "Oh, excuse me, is this supposed be a joke? We all remember all those
| Microsoft's statements about how serious Microsoft is about security in
| Vista and how all those new cool security features like UAC or Protected
| Mode IE will improve the world's security. And now we hear what?
`----
http://theinvisiblethings.blogspot.com/2007/02/vista-security-model-big-joke.html
Vista's Faux Security
,----[ Quote ]
| At the end of the new Apple ad, the security guard finally asks the
| hapless PC: "You are coming to a sad realization. Cancel or allow?"
|
| Unfortunately, after conditioning the world to click "allow," all
| Microsoft will have accomplished is to pass the buck to the hapless
| PC user, trying to make the user responsible for anything bad that
| happens because they ultimately chose to allow it.
|
| While that may allow Microsoft's security engineers to sleep at night,
| the rest of us won't rest as easy until Vista's holes are plugged
| with something more substantial than a dialog box.
`----
http://www.esecurityplanet.com/article.php/11162_3660976_2
Vista's UAC security is hopeless, says Symantec
,----[ Quote ]
| A key security feature of Windows Vista, User Account Control (UAC) is
| still nearly unusable, Symantec has said.
|
| At a press presentation last week, Symantec vice president of
| engineering Rowan Trollope said Symantec's customers had found the
| feature so "chatty", that it was a burden on users, potentially
| creating new help-desk calls.
`----
http://www.techworld.com/news/index.cfm?RSS&NewsID=7769
Windows Vista set to overwhelm helpdesks
,----[ Quote ]
| The Windows Vista features that will most benefit end users are
| likely to cause a flood of calls to enterprise IT help desks, it
| was claimed today.
|
| SupportSoft predicted that one of the main areas in which
| end-users are likely to experience problems will be dealing
| with Vista's security features.
`----
http://www.itnews.com.au/newsstory.aspx?CIaNID=44424
Windows Forces you to use UAC to Add a Printer
,----[ Quote ]
| Another bug that got past the extensive RTM testing process? Nope.
| It's a bug that came into existence during the finalization process.
| This bug wasn't there in RC2, but it's most definitely there now. All
| we can say is, hopefully this gets patched before SP6.
`----
http://neosmart.net/blog/archives/326
Vista: Slow and Dangerous
,----[ Quote ]
| Most of the time I spent testing Vista was with sluggish pre-release
| versions. I expected things to improve when I ran the finished software
| on PCs configured for the new Windows version. I now realize that
| Vista really is slow unless you throw a lot of hardware at it.
| Microsoft claims it will run with 512 megabytes of memory. I had
| recommended a minimum of a gigabyte, but 2 GB is more like it if
| you want snappy performance.
|
| [...]
|
| The most exasperating thing about Vista, though, is the security
| feature called User Account Control. UAC, satirized in an Apple
| ad as a security guy who constantly interrupts a conversation,
| appears as a pop-up asking permission before Windows...
`----
http://www.keepmedia.com/pubs/BusinessWeek/2007/03/26/3124001
Microsoft: Turn off Vista's UAC to fix problems
,----[ Quote ]
| I've been fairly critical of the new User Access Control (UAC) in
| Windows Vista, as I feel it is too secure to be usable, which will
| probably result in many users and corporations turning off and
| losing out on what could have been Vista's best feature.
|
| [...]
|
| He recommends turning UAC back on after fixing the problem, but
| when users need to do this more than a couple of times to get a
| usable system, they will just leave it turned off.
`----
http://beta.amanzi.co.nz/2006/11/13/microsoft-turn-off-vistas-uac-to-fix-problems/
'Vista's Account Protection: One Click and It's Gone'
,----[ Quote ]
| One of Vista's big security features is 'User Account Protection'
| (or 'User Account Control') which pops up and asks for user
| authentication before software can make any administrative changes to
| the system. But the TweakVista utility can turn off UAP in one click...
`----
http://securitydot.net/news/exploits/vulnerabilities/articles/2661/news.html
Did you know that Microsoft has just patented sudo?
>> Be truthful.
>>
>
> Erik? You've got to be kidding
--
~~ Best of wishes
.oʍʇ sɐ buıɥʇ ɥɔns ou s,ǝɹǝɥʇ 'ɹǝpuǝq 'ʎɹɹoʍ ʇ,uop :ʎɹɟ
.oʍʇ ɐ ʍɐs ı ʇɥbnoɥʇ ı puɐ ...ǝɹǝɥʍʎɹǝʌǝ soɹǝz puɐ sǝuo .ɯɐǝɹp 1nɟʍɐ uɐ
ʇɐɥʍ 'ɥɥɥɐ :ɹǝpuǝq
http://Schestowitz.com | Open Prospects | PGP-Key: 0x74572E8E
Tasks: 116 total, 1 running, 113 sleeping, 0 stopped, 2 zombie
http://iuron.com - knowledge engine, not a search engine