Windows 7 fake security

That's being unnecessarily pedantic. It is a kick ass security boundary. Far better than any AV product. And it will protect you from malware providing you don't blindly click Continue all the time. I've used UAC to lock down friends'/family PCs with great success. Many years can go by without a single malware infection.

As I said, and Fire Wizard has also pointed out, it is a beneficial side-effect for UAC to block some malware. I am sure it has blocked many malware attempts over the years, but malware doesn't need to have administrative rights to wreak havoc. Plus when you click OK on something, you have absolutely no idea what happens next. The seemingly safe/trusted exe you have just given admin rights to can go ahead and use them to run something more sinister.

Though I do agree with you, it can be very successful. My parents have not had a single piece of malware since I gave them my laptop a year ago. My point was that groan was wrong in thinking UAC was there specifically to stop malware.
 
I disagree. Malware does tend to need administrator-level access to "wreak havoc". Without it, they are fairly tame and disinfection is far, far easier. Sometimes simply logging off and on (or rebooting the PC) is enough to disinfect, because without administrator access they find it much harder to inject themselves into "Auto Start" regions of the Registry and/or filesystem.

In order to get past this the malware would need to exploit a local privilege escalation vulnerability. Yes, these do exist now and then, but it's a moving target and usually only one that the very most specialist malware authors can be bothered to implement.
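The claim above about auto-start locations can be checked directly on a machine. The following PowerShell script is an added example, not something posted in this thread: it reports whether the current token is an elevated administrator, tests whether that token can open the common Run/RunOnce keys for writing (without changing anything), and lists what is already registered in them so unexpected entries stand out during triage. The set of keys is my own selection of the well-known locations.

```powershell
# Added example, not from the thread: audit which common auto-start Run keys the
# current token can open for writing, and whether the token is elevated.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($identity.Name); elevated administrator token: $isAdmin"

# Hive object paired with the sub-key path under it (my selection of well-known keys).
$autostartKeys = @(
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

function Test-AutostartKeyWritable {
    param($Hive, [string]$Path)
    try {
        # Opening with writable=$true fails when the token lacks write rights on the key;
        # nothing is written, the handle is closed immediately.
        $key = $Hive.OpenSubKey($Path, $true)
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'writable'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'read-only'
    }
}

foreach ($entry in $autostartKeys) {
    $state = Test-AutostartKeyWritable -Hive $entry.Hive -Path $entry.Path
    Write-Host ("{0}\{1}: {2}" -f $entry.Hive.Name, $entry.Path, $state)

    # List the values already registered there; read-only open works for a standard user.
    $ro = $entry.Hive.OpenSubKey($entry.Path, $false)
    if ($ro) {
        foreach ($name in $ro.GetValueNames()) {
            Write-Host ("    {0} = {1}" -f $name, $ro.GetValue($name))
        }
        $ro.Close()
    }
}
```

Run it once from a normal (non-elevated) prompt and once from an elevated one: the HKEY_CURRENT_USER keys come back writable in both cases, while the HKEY_LOCAL_MACHINE keys only become writable with the elevated token, which is the difference the post is describing.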
 
In order to get past this the malware would need to exploit a local privilege escalation vulnerability. Yes, these do exist now and then, but it's a moving target and usually only one that the very most specialist malware authors can be bothered to implement.

Those security vulnerabilities which you seem to be referring to need and do get patched. This is as opposed to malware being able to compromise an elevated process to gain administrator rights due to the opportunities which elevation presents, which was a design choice due to compatibility and usability reasons.

Mark Russinovich said:
*Snip*

However, let’s be clear that no matter how difficult to pull off, the mere possibility of such a breach of a sandbox wall implies that ILs, in and of themselves, do not define security boundaries. What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy. User accounts running in separate sessions are separated by a Windows security boundary, for example. One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user. If for some reason it was possible to bypass security policy, it would mean that there was a security bug in Windows (or third-party code that allows it).

It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Microsoft has been communicating this but I want to make sure that the point is clearly heard. Further, as Jim Allchin pointed out in his blog post Security Features vs Convenience, Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use.

*Snip*

For instance, having your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account’s code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code.

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

*Snip*

PsExec, User Account Control and Security Boundaries

The last sentence sums up what UAC is truly about while addressing those ridiculous, sensationalist, "Oh my god, UAC is bypassable, thus making it completely useless" type articles perfectly. :p