The oldest trick in the book, literally, defeats UAC in Windows 7

By Scott M. Fulton, III | Published January 30, 2009, 11:03 AM

Though the fellows sounding the warning today are the best in the business, it didn't take a lot of know-how to develop a proof-of-concept showing that the new User Account Control panel can be disabled by VBScript.

Windows 7 is still in the public beta process, and will be for some months to come. The purpose of true beta testing is to isolate and identify serious problems (we should know). So it's to any researcher's credit that a potentially threatening problem be brought into the open prior to Microsoft finalizing the code for everyday use.

That said, it's a little embarrassing to discover that a dumbfoundingly simple method for forcing Windows to accept keypresses from a script as though they'd been pressed by a human being is the focus of a proof-of-concept macro capable of disengaging User Account Control in Windows 7. The macro was published this morning by developer Rafael Rivera, and then kicked into the public spotlight by expert blogger Long Zheng.

There is almost no way to talk about this bypass methodology without divulging how to use it. I know this personally more than perhaps anyone alive: in researching a book I wrote 18 years ago, I ended up discovering its potential use in malware perhaps before anyone else. It has to do with a method introduced in Visual Basic and carried forth in VBScript called SendKeys; and already, half of my readers know what I'm talking about. A script using this method needs no authentication to send keystrokes to Windows, because Windows treats any keystroke a program receives as though a human user had typed it.

UAC Slider

In Windows 7, the new User Account Control slider dialog, which appears in the system's new Action Center, lets users turn off the "nags" that bothered them so much in Windows Vista. In so doing, however, they disengage one of the system's key security features. The slider does give users the freedom to do just that, and we've been promised that on business systems, administrators will be given some form of group policy control that can shut off access to this slider for designated users.

Indeed, the SendKeys method is capable of sending up and down keypresses to this panel, and can even send the keypresses necessary to make the panel appear. Rivera warns that real malware could conceivably be used to not only force UAC to turn off, but then to reboot Windows and run a malicious package with full privileges. (His PoC, however, does not do that.)

Long Zheng has been one of the many developers and experts and others -- myself included -- who have warned Microsoft about the potential of leaving open any kind of hole in the Secure Desktop, which is what Vista relies upon to make UAC work. Secure Desktop shuts off all system access from the outside world -- including from SendKeys -- temporarily, and then dims the screen before UAC asks the user whether a process can be allowed to continue. This sometimes annoying and bothersome methodology has been key to Vista's reduced incidents of cracks and vulnerabilities.

As Zheng writes this morning, "There is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click 'yes') but a simple one I would encourage Microsoft to implement seeing how they're on a tight deadline to ship this. Having UAC on at the policy as it is currently implemented in Windows 7 is as good as not having it on at all."
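The distinction the article and Zheng draw is between the UAC slider position and whether a Secure Desktop prompt stands between a keystroke-sending script and the UAC settings page. The following PowerShell audit is an added example, not code from this article or from Rivera's proof-of-concept: it reads the registry values that back the UAC policy settings (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop under HKLM\...\Policies\System) and reports whether a change to the UAC level on this machine would be prompted, and whether prompts use the Secure Desktop. The mapping of value pairs to slider positions, and the fallback defaults for missing values, are assumptions stated in the comments.

```powershell
# Added example (not from the article or Rivera's PoC): audit the Windows 7
# UAC policy values and report whether the UAC settings page is protected by
# a prompt. Read-only; works in PowerShell 2.0 on Windows 7.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderName {
    param([int]$EnableLua, [int]$AdminBehavior, [int]$SecureDesktop)
    # Assumption: the Windows 7 slider stops map to these value pairs.
    if ($EnableLua -eq 0) { return 'Never notify (UAC off; takes effect after reboot)' }
    switch ("$AdminBehavior/$SecureDesktop") {
        '2/1'   { 'Always notify (Vista-style, Secure Desktop)' }
        '5/1'   { 'Default: notify only when programs make changes, dimmed desktop' }
        '5/0'   { 'Notify only when programs make changes, no dimming' }
        '1/1'   { 'Prompt for credentials on the Secure Desktop (policy-set)' }
        default { "Custom ($AdminBehavior/$SecureDesktop)" }
    }
}

function Get-UacPosture {
    param([string]$Path = $UacPolicyKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Missing values fall back to the Windows 7 defaults (assumption).
    $enableLua     = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminBehavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # A UAC-level change is only challenged when administrators are prompted
    # for every elevation (behavior 1 = credentials, 2 = consent). At the
    # default stop, changes to Windows settings are not prompted at all.
    $settingsChangeIsPrompted = ($enableLua -eq 1) -and ($adminBehavior -eq 1 -or $adminBehavior -eq 2)
    # Prompts shown on the Secure Desktop cannot receive keystrokes sent by
    # an ordinary process, which is what makes SendKeys ineffective there.
    $promptsUseSecureDesktop  = ($enableLua -eq 1) -and ($secureDesktop -eq 1)

    New-Object PSObject -Property @{
        EnableLUA                   = $enableLua
        ConsentPromptBehaviorAdmin  = $adminBehavior
        PromptOnSecureDesktop       = $secureDesktop
        SliderPosition              = Get-UacSliderName $enableLua $adminBehavior $secureDesktop
        UacLevelChangeIsPrompted    = $settingsChangeIsPrompted
        PromptsUseSecureDesktop     = $promptsUseSecureDesktop
        ExposedToScriptedSlider     = -not $settingsChangeIsPrompted
    }
}

Get-UacPosture | Format-List
```

On a machine at the default slider position the report shows PromptsUseSecureDesktop true but UacLevelChangeIsPrompted false: the Secure Desktop is in place for program-initiated elevations, yet the settings page that moves the slider is not behind it, which is the gap the article describes. Only the top position (or the credential-prompt policy) turns UacLevelChangeIsPrompted true.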

A true story: In 1993, a film documentary team with the German TV network ZDF spent several weeks filming a team of self-proclaimed hackers from the cultural underground. Without turning any of them in to authorities and while keeping their identities secret, the crew filmed these guys as they demonstrated code for capturing key sequences from unsuspecting users who had been given special online programs for logging into their bank accounts (this was before the advent of the Web).

When asked how long it took to discover the methods for capturing and repeating key sequences, one of the group's leaders responded -- as I recall, through the English translation -- something to the effect of, "We didn't have to discover it." Then he held up a copy of my book and said, "It's idiots like these guys who'll tell us how to do it for free."

Comments


It's BETA, folks; expect these types of things. Once it goes RTM (Release to Manufacturing, for those not in the business), if these are found, then hell yea, let's raise the roof.

Until that time, it's what a beta program is used for, to find things and fix them before everyone gets it installed.

Score: 0

|

Well..it's official..Everyone seems to like the new layout by a large margin. so Betanews hit the motherload.

As far as UAC, if you rely only on this for security then you are setting yourself up. without it but with a good AV, FW, and antispyware and common sense you're pretty safe.

It is easy to just turn off UAC and, to me, this idea of a slider doesn't make sense. Either UAC is on or off. Others seemed to see it differently and I respect those opinions. I have found with Admin on login and UAC turned on, some programs are buggy on other logins (i.e. Spybot) but if people like it then use it.

Everyone have a nice day:)

Score: 0

|

The same is true with Vista UAC cause a good 70% of Vista users are power users and don't want that stupid thing popping up all the time bugging them when they want to do something. The only thing a UAC protect is the n00blette dip that is so stupid to believe MS that an Antivirus program is not needed in their system cause Vista is that good... Yea right... WHATEVER!

Personally I like the idea of the user being able to make adjustments as THEY see fit. I have tried Windows 7 both in a production machine and in a Virtual PC. I was VERY VERY pleased with both installations. It's what Vista should have been from the beginning. It's much more stable and MUCH MUCH faster. The graphics are not resource heavy at all even on lower end machines. AeroGlass features even worked in Virtual PC. And the overall feel of the OS was very good... The downside... The lack of CLASSIC environment options for the users not accustomed to the kind of crappy Vista controls. Common stuff like the Network properties or the Computer properties screens. They are there, but you really gotta kinda dig around for them now. It's a minor issue really, considering how they have improved the overall performance of the OS itself. I have to admit, I owned Vista and never really allowed it in production machines. Windows 7 is everything Vista SHOULD have been from the beginning. I'll be using it. Throw in WinFS or something better and it will be a hands down win for MS this time. No question...

Score: 0

|

"AeroGlass features even worked in Virtual PC."

How on earth did you do that?

Score: 0

|

This thing has received a lot of bad press in every blog you can think of (more than it should for a beta program). The sad thing bout it is that if and when MS fixes this on the RTM, no one is going to mention it (at least not as much as this), and people are going to stay with the belief that there is something wrong with W7. Talk about bad press...

Score: 2

|

MS needs to nip it in the bud.

This is not a flaw. It's "Stupid User Syndrome". They need to stop letting the press define these things and get some PR going.

Score: 0

|

well if they do something about it, write up something... submit somewhere :P

Score: 1

|

...along with another stupid and laughable post from you.

how "special"....

Score: 0

|

internetworld7, please answer these questions seriously. I'm not insulting you or anything, so please reply with answers, and not silly questions.

What *exactly* is it with your immature attitude on this site towards everything but Apple? Why do you constantly try to push your _opinions_ (not facts) on people?

>MS improve their rep with Windows 7. You complain and poke holes in everything you see.

>They find a bug in a BETA, you *try* to gloat and make everyone feel bad.

>Steve Jobs gets sick, you go into denial.

This cycle of foolishness goes on, and on, and on. It's boring for many on this site to have to read your silly rants or your often uninformed phrases every time we open an MS or Apple related article.

How old are you? Your posts remind me of the "my dad is bigger than your dad" arguments made by 5-year-olds.

OS X isn't as surely amazing as you say it is; once the novelty you get from aesthetics wears off (which it does, having used it for a year) it's nothing special. I've disabled Dashboard, replaced Spotlight, hidden Safari, and more, which already tells me that it's not AWESOME. I used it a lot, but I definitely won't switch to it, as it doesn't have as many advantages over Windows as you like to pretend.

Please, just behave or grow up...It's not funny...

Score: 0

|

@ignorantbi*ch7: http://www.mac-sucks.com/ http://themacsucks.com/

There you go moron

Score: 0

|

@idiotworld7:

Nah, the truth is great. Just look at my post. 100% truth.

Yours sucked, however.

Score: 0

|

@ dale1v_

Best of luck to ya.

Score: 0

|

Because if it's not a Mac it's whack. Is that articulate enough for you?

Score: -4

|

hey many asked for this and now they have received (though nothing was wrong with UAC in vista) its either more security with minor annoyances or less security with none whatsoever

do what Microsoft says, set your slider according to stupidity

Score: 3

|

"set your slider according to stupidity"

Best comment ever.

Score: 0

|

Update: This is not a flaw. More info: http://www.neowin.net/ne...erability-is-not-a-flaw

A Microsoft spokesperson has provided Neowin with a response to the issue:

* This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
* Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
* UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
* The only way this could be changed without the user's knowledge is by malicious code already running on the box.
* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).

It can be prevented by setting the slider to always notify

*updated

Score: 0

|

It's totally a flaw, that MS response is terrible.

You need the UAC setting prompt so you are alerted to the fact that your system has been compromised somehow.

Yes the user may have done something stupid to allow infection, but the UAC setting prompt would then protect them from further damage even before the malicious code check package was updated to find whatever was out there infecting systems.

Score: 2

|

You are correct. It is a flaw that MSFT allows UAC to be turned off.

Score: 0

|

"It is a flaw that MSFT allows UAC to be turned off."

No... THAT was the best comment ever.

Score: 0

|

This complaint has already been reported to Microsoft via Connect and was closed because it's by design.

**Rude comment for CrApple removed** :)

Score: -2

|

Have you got the virus too Shelly? Your bitterness makes me think my rig is redolent of the stench. been watching your posts on CNet and others, you are one sick puppy!

Score: -1

|

LOL man you've been monitoring me on cnet and others too LOL. I removed that rude comment. Gotta be aware from next time cause someone's spying on me :)

Score: -1

|

utterly terrible decision and I hope they're flooded with new reports for it.

Score: 1

|

simple solution for MS is to require entering an admin password to even enter UAC and its settings

Score: 3

|

...

If the UAC setting is already at "secure desktop disabled", what's the point? The script already has free reign.

Score: 0

|

Uh.Scott.. what's the big deal..um..you know like can't you just turn off..um..u know...that thingie in the ..um..what's the word..um..oh yeah...version.

And I now I bravely go, with UAC turned off in search of hot chicks faling it: ..um you know...oh, baby I like it when i get screwed in NY..um Yes Spitzer...

Have a nice day:) Oh look I think that's Scott in one background still? could it be?

Score: -1

|

Might wanna put down the hash pipe before you post. Whew.

Score: 2

|

And you obviously have no sense of humor especially when it comes to the Kennedys or a governor who had a penchant for high paid call girls. Get a life and don't take things so seriously especially on this site.

Have a nice day:) heck I even voted for you since you did reference a hash pipe

Score: 1

|

Hey, everyone. Let's put together $2 for Tool the Corporate w.h.o.r.e. and watch him switch sides. [smiles] No takers? How about a quarter instead?

Score: -4

|

first thing i disabled on windows 7. LOL.

Score: 0

|

...which makes you all the more vulnerable.

Definitely something to be proud of.

...

LOL.

Score: 0

|

Well, I don't visit porno sites all day and I don't pirate, so I really have nothing to worry about.

I have a few info sites I visit from time to time, like this one..

I don't even run anti-virus, and guess what, I've never had a virus, malware, or spyware...

Score: -2

|

"Ive never had a virus, malware, or spyware..."

"I don't even run anti-virus"

One has to wonder how you would even know. ;)

Score: 3

|

Not that hard to boot up a USB stick with scanners. I just don't run them because even on a quad core setup they bog things down, and it's annoying.

BTW, just scanned, nothing at all..

Score: 1

|

@sjc00(-4)

*laughing*

You are so retarded. Do you even know what UAC is?

Sure...if they are changing settings, they'll ignore it and click yes without reading it.

Browsing a website? Not so much.

..and you trot out the corporate wh*** BS again. Utterly incapable of coming up with more than one insult a month? I am sure there are website out there that could help ya. Lord knows you can't do it alone.

Score: 0

|

"even on a quad core...bog things down"

Wow. Did you install all 33 of them at once??

Score: 0

|

I don't run an AV and I know that I am clean. You have to be a fool to get infested. I will open up my PC to you via VNC and let you look if you don't believe me. Offer only good for PC_Tool.

Score: 1

|

Hey, don't mind pc_"tool" he is running around insulting everyone on here... best to ignore him, run your system how you like it :)

I like to have it smooth as butter because AV software is a drag; if you ever do use one, try NOD32, it's the best and lightweight. I install it on all my client and work computers.

Score: -1

|

Once a month I will install Avast Pro and do a scan just to be safe, then I remove it. I have yet to find anything. I also keep an eye on my running processes as well as my commit charge to my RAM. I am sure that if anything should happen I would know. It takes less than 33 seconds for my PC to boot so I would also notice if it slowed down. (5 of those 33 are for my Express Gate)

Score: 0

|

@ CademiaX

*laughing*

Poor baby... I'm sowwy...

Bah, screw that. I'm not. If you knew me in the slightest, you'd know I am chuckling while I write damn near every comment I post here. If you want to go and take any of my comments as personal insults as opposed to sarcastic jibes, go for it. It's your ego, not mine.

Deal...or start trolling like sjc00(-4). I notice you've already taken up one of his lines. How original.

"Run your system how you like it"

Good advice for some, horrible advice for most... I find it best to always assume, in forums, that you're dealing with the type who would *not* do well "running it how they like it". Sadly, I am usually correct in that assumption.

Score: 0

|

@gawd21

A rare breed indeed. While one would think a bunch of "BetaNews" geeks could get by without them, I hope you can forgive my assumption that most users here aren't actually that capable.

As for AV...I vacillate between Avast! and Avira. Currently have none installed on Win7. (Even downloaded a few things via P2P...waiting to see how long it takes me to get "pwned"...as they say). Should be fun. (UAC is on its highest setting)

Score: 0

|

lol cute

Score: 0

|

;) I try.

Score: 0

|

Go play chicken with a Texan Fuel Truck Driver.

Score: 0

|

There's that stereotypical, humble, holier than thou Mac modesty we all know and love. God bless you.

Score: 0

|

@JackKnife

Yeah, I honestly don't think I've ever seen a -8 mod before. Amusing that he'd be the first with that honor, isn't it?

Score: 0

|

do you run your "multiple anti-virus scanners" as apple asks you to do on your mac

Score: 0

|

@SlapShot: LOL.

Score: 0

|

-1 now...and you @ -18.

We love you, man!

*laughing*

Score: 0

|

amusing..

Score: 0

|

Must resist compelling temptation to buy book ... must resist ... must resist.

Eeeks ... how embarrassing ... its $1.99 via your link at barnsandnoble.

Score: 0

|

This is not that unique or scary. I should also point out that one can do this in Linux & UNIX, with the proper tools, like Expect (expect.nist.gov) & TCL. You might even be able to do this with MAC.

---------------
REM
REM http://www.microsoft.com..._wsh_hilv.mspx?mfr=true
REM Time Machine test automation template
REM Start Notepad, wait for its window to take focus, then send F5 (inserts the date/time)
REM
Dim objShell, Success
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "notepad.exe"
Do Until Success = True
    ' AppActivate returns True once the Notepad window has been brought to the foreground
    Success = objShell.AppActivate("notepad")
    WScript.Sleep 1000
Loop
objShell.SendKeys "{F5}"

Score: 4

|

Except Linux (at least, the distros I've used) require you to enter your password to sudo, no matter if you're a user or administrator. UAC does not if your account is already Administrator.

Score: 1

|

This is not new - nor as drastic as you make it sound. The operating system is able to detect whether the keyboard input via SendKeys is injected (i.e. from an application) or not (i.e. from a user). A little bit of effort on Microsoft's part, and any dialog or control can be made to only accept input from an actual user.

Mouse and keyboard automation have numerous legitimate uses - protecting certain features from injected input is a relatively easy solution to this problem.

http://msdn.microsoft.co...ry/ms644967(VS.85).aspx
(Check out the LLKHF_INJECTED flag)

Score: 1

|

Thank you for plugging your own book. I wouldn't expect anything less from betanews. :)

Score: -1

|

Uhg. I have some apps that legitimately use SendInput to move the focus from one text field to another in my own app (don't use it to control other apps). I hope they don't mess with this API when they fix this...it'll mean big headaches for me and my users.

Score: 0

|

Sadly, this is likely to be one of those things where the fix either breaks compatibility with existing scripts, or reverts the OS to a much trolled state (UAC being "difficult" to "manage", and shipping with strict defaults).

So, they'll either get whining (warranted) about broken scripts and lost time, or trolling (unwarranted) about UAC being annoying.

From where I sit, they need to stick with Vista-style UAC and save compatibility. Lord knows the trolls will troll no matter what they do.

Score: -1

|

Why? As someone here said: Why not just make changing the UAC setting no matter what the current setting is always bring up a UAC dialogue when altering it.

Score: 1

|

Because that's not the problem.

As it stands, to get that dialog, in the default state, you will get a UAC prompt. It is only once you set it to the second from the bottom (I believe) that it disables the secure desktop. In other words, the first time, it must be done *intentionally*, and at that point, the damage is already done.

This is by design.

The problem is that once the user has done this, they open themselves up to being exploited in this fashion.

The only way MSFT can "solve" the problem is by disallowing any "simple, UI-based" change to UAC...or breaking scripts. Neither of which will please everyone, obviously.

Score: -1

|

Ah, you're not quite grasping it fully.
This exploit tries to lower the UAC settings itself (including if it's already at the lowest setting). As a warning that something is amiss to the person who has already lowered it themselves, a UAC warning of a program trying to access the UAC command page should prevent further harm to the system. It would only be necessary on this page. All other viruses/trojans are the users' own fault if they have lowered UAC. Obviously, someone who already has it on would be unaffected as long as they read the warning and deny it access.

I hope that's a little clearer.

Score: 0

|

I understand completely. Let me explain...No, that would take too long. Let me sum-up:

The only way the script can lower UAC *now* is if it's already been lowered to the point Secure Desktop has been disabled. (The headline is misleading...as usual, this does not compromise UAC, this compromises systems where Secure Desktop has already been disabled)

As I understand it, the script cannot gain access to the secure desktop, thus it cannot, in any way shape or form, lower UAC unless such has already been done by the user.

What you are suggesting is that even at that point, why not still have it activate when the UAC dialog is activated. My answer is why would the script need to activate it at all at that point? It can already do whatever it wants. A simple registry check on UAC status will tell the script all it needs to know.

Score: 1

|

Meh. I take your point. Either way I don't particularly care that much.

Score: 0

|

They added the Secure Desktop to Vista BECAUSE of the use of SendInput. I don't think they're going to change THAT this late in the game.

Score: 0

|

Changed, You can now have UAC without Secure Desktop, a wholly useless and pointless setting.

Score: 0

|

absolutely, and all they'd have to do to make that happen is change the security certificate for the UAC settings application.

Score: 0

|

It truly is a very old trick ... long before 1993. Back in the pre-PC days (1980?), we would write self-modifying programs in interpreted BASIC on a Commodore PET. These programs would position a series of text lines on the screen that would alter the code of the program. Then we would use ANSI commands to position the cursor above these lines, stuff the keyboard buffer with a bunch of "ENTER" commands and exit the program. The OS would take control back from the exited program and execute the "keystrokes" we pushed into the buffer. These keystrokes would result in modifying the code of the program, with the last line being to resume running the program at a certain line number in the BASIC code. As middle school kids, we thought it was a neat trick. What a surprise that Microsoft hasn't figured this out in 30 years of security programming!

Score: 0

|

Wouldn't requiring an admin's username/password before making changes to UAC or any Control Panel/Admin setting (a la several *nix incarnations) basically nullify this issue? Honestly, if this sort of methodology works for pretty much every other OS out there why doesn't MS just go this route? It's not that complicated, nor is it all that intrusive or annoying. I know several casual computer users who don't find this method anything to complain about in OS X.

Score: 2

|

VB has been around for 18 years? Dear God, I'm old..but not as old as this hack, it seems. I agree that an admin login makes perfect sense and, like abstinence, works every time it's tried. Microsoft needs to get with the late 20th century on security, but so do the developers. Seriously, why does every freaking program need admin privileges to install? Work together, guys, it's not that hard.

Score: 0

|

UAC can be configured via group policy to require an administrative password to be entered always. By default it only requires it if you're a Limited User, but not if you're an Administrator.

But it would not nullify this issue because the script simply turns UAC off if it is in the default configuration, without needing a confirmation UAC dialog.

The only current workaround to keep this script from working is to set UAC to prompt on any changes... which is the Vista default that caused all the outcry against UAC.

Score: 0
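The comment above describes the policy-based workaround: have UAC demand an administrator's credentials for every elevation rather than auto-approving Windows settings changes for administrators. The following PowerShell is an added example, not code from the article or from any commenter, showing how that configuration is applied to the registry values that back the "User Account Control" security options (the same values Group Policy writes). It assumes an elevated prompt on Windows 7 and the documented value meanings noted in the comments; the ConsentPromptBehaviorUser entry is an assumption about the matching standard-user setting.

```powershell
# Added example (not from the article or the comments): set UAC to prompt for
# credentials on the Secure Desktop for every elevation, so a script driving
# the UI with SendKeys cannot reach the UAC settings page unchallenged.
# Run from an elevated PowerShell prompt; preview with -WhatIf first.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-UacAlwaysPromptForCredentials {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $UacPolicyKey)

    # Target state: Admin Approval Mode on, administrators prompted for
    # credentials (1) rather than auto-elevated for Windows settings (5),
    # and every prompt shown on the Secure Desktop.
    $desired = @{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 1   # prompt for credentials on the Secure Desktop
        ConsentPromptBehaviorUser  = 1   # standard users: credentials on the Secure Desktop (assumption)
        PromptOnSecureDesktop      = 1
    }

    $before = Get-ItemProperty -Path $Path
    foreach ($name in $desired.Keys) {
        $current = $before.$name
        if ($null -ne $current -and [int]$current -eq $desired[$name]) { continue }
        if ($PSCmdlet.ShouldProcess("$Path\$name", "set $current -> $($desired[$name])")) {
            Set-ItemProperty -Path $Path -Name $name -Value $desired[$name] -Type DWord
        }
    }

    # EnableLUA only takes effect after a reboot; the prompt settings apply at once.
    if ($null -eq $before.EnableLUA -or [int]$before.EnableLUA -ne 1) {
        Write-Warning 'EnableLUA was changed; reboot for Admin Approval Mode to take effect.'
    }

    Get-ItemProperty -Path $Path |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop
}

Set-UacAlwaysPromptForCredentials -WhatIf   # show what would change
Set-UacAlwaysPromptForCredentials           # apply it
```

Setting these values locally is only as durable as the slider: the UAC control panel rewrites them when a user moves it. To keep the configuration fixed for designated users, the same settings should be delivered through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options), which reapplies them and is what the article's mention of administrator control over the slider refers to.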

|

*laughing*

As I understand it the default UAC setting is "Secure Desktop" mode (the screen dims, any input is locked except via the keyboard/mouse).

So...not huge.

Still; I have said in the past and I will say it again: Allowing UAC to be "dumbed down" through the use of a simple interface tool is a Bad Idea™, and a pretty stupid one at that, being as how they had it *right* in Vista.

Score: 2

|

Actually with the default UAC settings, UAC can be turned off without needing to go through the UAC dialog. That's the "huge" deal. :)

Score: 0

|

i agree

Score: 0

|

Really? I've got it installed on 4 systems... build 7000. Seemed to me the default was at the "second" option from the top, which should still force a "Secure Desktop" prompt.

Score: 0

|

Here's a question. Every time they market a new OS, they call it the Most Secure Windows Ever. This was true obviously with Vista. But if they do not Change Win7, doesn't this mean that Vista is more secure than 7, and thus, Win7 couldn't be marketed as the most secure Windows ever, since Vista is more secure (as of now)

Score: -1

|

At Vista's time of release it's possible and even probable that it was more insecure than Win7 will be at release.

Think of all the security flaws fixed that were present in Vista to start with.

It's arbitrary to say "most secure ever" anyway. There's no real way to prove it.

Score: 0

|

indeed scary, I hope that they'll fix this before win 7 hits RTM.

Score: 0

|

It's called Windows, built to grant access.
It is the essential reason why problems like this will continue.
The PC, Windows concept is increasingly impossible to secure.
Soon no one will be using Windows PCs, for the simple reason of security.

Embedded, that fruit company's version or Open Source solutions are much tighter code.
Even then, hackers will find a way in.

Score: 0

|
