Headline needs to be changed. It's not a Vista flaw, it's an animated cursor flaw which affects multiple versions of Windows, not just Vista.

You are coming to a sad realization....

Cancel or Allow?

....................Allow (sigh)

I love that commercial. Most of the Mac ads are butt stupid but that one makes me smile.

Well if users were smart enough to keep UAC enabled, this flaw doesn't even affect them.

http://brandonlive.com/2...04/01/uac-to-the-rescue/

It's amazing how many people after disabling the OSes security features, think that the problems that arise are Microsoft's fault.

And if they didn't want crappy UAC, they still weren't affected because those who know how to turn UAC off also know not to install dodgy animated cursors.

It really is amazing isn't it?

MS: Here is a secure OS
Users: it's too secure, it's getting annoying, make it possible to disable this security feature
MS: You can turn off this security feature now
Users: I turned it off but now there is a possible vulnerability...your OS isn't as secure as it should be!

It's genious.

It's like how people constantly ignore anti-virus popups and dismiss them as annoying. Until they disable the anti-virus and then blame everyone else but themselves for getting a virus.

I'm a jaded ex-support agent!!!

Good point.

Metasploit has a write-up on exploiting Vista even through IE7 with Protected Mode, completely defeating even ASLR.

http://blog.metasploit.c...erability-on-vista.html

Edit: And actually, UAC-bypassing exploit code was posted late on Sunday.

If people knew what they were doing OS security wouldn't be the issue it is today. We're well aware of this, move on. Perhaps MS needs another way to secure the OS without interfering so much with the user experience? I don't think the 'Wow' was supposed to be: "Wow, how many freakin UAC popups am I going to get in 10 minutes?"

Perhaps MS needs another way to secure the OS without interfering so much with the user experience?

Ah yes, the man wants it all.

Sorry, you can't be able to download run viruses *and* be protected from them. Doesn't work that way.

You break the functionality of the OS, you get a broken OS.

Don't want UAC pop-ups? Install your apps the first day and be done with it. No more pop-ups. This will be the experience of most Vista users. The techs will likely disable it, but hey...we're techs, we can get away with it.

And that folks, is the definition of a fanboy: for him, Microsoft does no wrong, only users do. Ouch.

When I first used Linux, the box it was running on was directly connected to the net. My Linux installation was exploited, and I got a rootkit. Why? Lack of knowledge; not knowing I was running an out-of-date kernel, not setting up iptables properly, etc.

Lack of knowledge generally IS a high cause of problems, and other OSes aren't without their security problems from time to time. It is just less highlighted.

I'm making no defense case for Microsoft, but regardless of what 'problems' exist in an OS, and the security features to counter such, in the end what the user does is always the biggest problem.

I can ignore a warning from any security feature, but it might just turn out I'm trying to use a legitimate program which needs to make those changes, so they can never enforce things strictly

Exactly. The truth is really somewhere in between... it's not as secure as Microsoft is bragging, but it's not as insecure as the zealots are saying either.

I have to disagree here. UAC is a massive pain in the a** even if you get all your apps installed off the bat. No matter what you do on the computer, if you have to change a setting...UAC pop up. Linux and Macs both managed to have a user security model that is effective AND non-irritating. Vista got the effective part but F-ed up the the irritation. Hell they can't even get their own software to run right on Vistas security model. Visual Studio 2005 had serious problems until a hotfix was released nearly a month and a half after Vista, and even with the patch you need to run it in admin mode to get full functionality...which means, you guessed it...a UAC popup every time you launch the app.

Go away troll.

You've proven time and time again you cannot post anything relevant or informative unless you find it on someone else's blog.

On the flip-side, you've proven quite capable of trolling, flaming, and generally acting like a 3 year old.

Um...

Didn't Visual Studio 2005 come out *way* before Vista?

Thought so...

Most programs out today we're created for XP. XP did a lot of things wrong regarding security and what it would allow programs to do. Programs that will be released for Vista will not have a *lot* of these issues. They won't require admin privs, they won't attempt to write to windows or program files folders, and they won't force a UAC pop-up to run.

You need to realize that we just don't have those apps yet and that most XP apps aren't going to play well with Vista.

Yeah, it sucks. Until software catches up it's going to.

Of course, for most computer users who just use their computers for email, internet, and documents, this won't be an issue.

"less prompts" in linux doesn't mean is better... Linux is unsafer and obsolete than Vista.
On linux a malware is able to modify the users settings and some system wide settings and this is not good! On Windows Vista this is not possible because the user settings and critical system settings are all protected with UAC
On linux an elevated process is able to spawn infinite ELEVATED processes and this is bad for the security, because a flaw in linux or in linux's elevated program can spawn another process with elevated privileges! On linux a process is able to modify its privilege during the execution and this is bad for the security, because a flaw in that program can be easely used to change a process privilege with a simple modify in a flag.
On linux an user have to explicit call sudo command every time he/she have to execute an administrative task otherwise he/she gets an annoying Access Denied Error, instead in Windows Vista you have a very useful automatic UAC prompt when you execute an administrative task.
Windows Vista UAC has also the Secure Desktop which protects from UI spoofing. On linux a malicious program can easely spoof the UI in order to capture the password.
Windows Vista UAC is the best implementation because it's safer and user friendly than all other OS's.
I'm running "Visual Studio 2005 SP1 + Update for Vista" and it works fine in Standard user with UAC on (no UAC prompts when I run Visual Studio 2005).

"Um...

Didn't Visual Studio 2005 come out *way* before Vista?

Thought so...
"

Um...if anything that makes it worse. The visual studio team knew what was coming and didn't resolve the problem before Vista was released. That IMO is unacceptable, especially given that the company compels it's employees to run even the beta versions of it new OS's.

Additionally, the UAC pop ups are not relegated to other software, 3rd party or otherwise. They will annoy the crap out of you when you attempt to change your machines configuration or do anything "administratively" even when logged in as an administrator. THAT is not going to change by making Vista more Vista compliant.

I'm not going to bother getting into a "which implementation is less irritating" debate because it's pointless and subjective. However, as to your comment:

"I'm running "Visual Studio 2005 SP1 + Update for Vista" and it works fine in Standard user with UAC on (no UAC prompts when I run Visual Studio 2005)."

a) you just said you aren't running in administrator mode, therefore of course you don't get the prompts.
b) as i said, "full functionality" will not work without admin mode. Try using your profiling, or code analysis and watch them have problems. You may not run into these problems if you are only running standard or pro and thus don't have access to these tools but those of us running team suite have them.

"Um...if anything that makes it worse."

Huh...yea I guess, by your twisted logic, yea...it does, somehow make it worse.

"The visual studio team knew what was coming and didn't resolve the problem before Vista was released."

You apparently think MS is a small company where all the devs sit in one room and tell each other exactly what's going on.

It might shock you to know that, The Windows and the VS teams are actually completely seperate. Weird huh?

Not to mention that VS came out WAY before Vista...and MANY things have changed about Vista after the release of VS....although, that DOES make it worse somehow in your mind, so nevermind I guess...some people will reach at anything to say that MS sucks and they can run it better themselves.

You know what kills me...in linux I can't just type tcpdump, it gives me an error! I actually have to type sudo tcpdump, and then it asks me for my password AGAIN! How irritating!! So many extra keystrokes I have to enter! Oh wait Windows is doing a similar thing now...oh well.

PEOPLE DISABLE MS'S SECURITY FEATURES BECAUSE THEY ARE STAND OUT FOR BEING TERRIBLY ANNOYING. UAC IS A BIG DESIGN FLAW BY ITSELF AND YOU & I KNOW IT, AND EVERYONE ELSE FOR THAT MATTER.

Try not to be sooo good to MS and recognize their faults too.

DO MS'S SECURITY HAVE TO PROTECT US FROM A CURSOR? ISN'T THAT RIDICULOUS, TO BEGIN???

What...hey ****tard don't know what hair got up your a** but the rest of us are having a reasonable conversation so sit down, shut up and let the big people talk.

The visual studio team is a part of Microsoft, at Microsoft employees are required ... REQUIRED to eat their own dog food. That means that the devs on VS had been using Vista since beta genius. Got it? Yet in using Vista and knowing the problems it posed to VS they chose to do nothing to fix it until well after Vista's release. Hell they even had VS SP1 right around the time of Vista launch and didn't fix it then.

Next time, learn and know wtf your talking about before running your mouth off like an imbecile. Or better yet, sit down, shut up and learn.

and yet, if you login as root or open a root terminal you DONT get prompted for a password since you are already authenticated as root...go figure. **** off gnat.

Um...if anything that makes it worse. The visual studio team knew what was coming and didn't resolve the problem before Vista was released.

Okay... So you wanted them to add more bloat to make sure all of their programs were compatible?

How about they provide 100% backwards compatible solution as a means to run the programs as they were meant to be run? They do. It's called XP. :)


Additionally, the UAC pop ups are not relegated to other software, 3rd party or otherwise. They will annoy the crap out of you when you attempt to change your machines configuration or do anything "administratively" even when logged in as an administrator.

How then, would you propose to stop other programs from changing system settings without you being warned?

Yes, I agree it's a pain in the ass. For us. The tech guys and enthusiasts who change our settings and configurations and install software pretty much all the time.

I hate to break it to ya, but we're the minority. We may drive advancements in hardware, but we're the *last* people they're thinking about when they code "for dummies".

It's all about ease of use and protection for idiots. They know we can disable it if we don't like it, and they believe we can take responsibility if such actions compromise our systems.

...apparently they were wrong about that last part.

So your main complaint is that there is no real *root* in windows, right?

*shrug*

From a security standpoint, that's a good thing. I;m guessing that's how MS sees it as well.

Sure, it makes some things more difficult for us tech and enthusiast types. But then again, we don't make up the majority of that market.

*shakes head*

When will you people learn that what affects us as techs and admins does *not* affect, or affects differently, the *vast* majority of users?

When will you realize that the majority of users out there may see one or two pop-ups a *month* once Vista Certified apps start gaining ground?

When will you realize THAT TYPING IN ALL CAPS IS REALLY FRIGGING ANNOYING AND MAKES YOU LOOK LIKE A FREAKING LUNATIC???

What? No my main complaint is that idiots like Niro get the ability to post on threads, but I suppose thats a different story. Niro was contending that linux is exactly the same when he tries to run a root command, he's wrong. My post has nothing to do with what I want in Vista...not quite sure where you got that idea from.

"Okay... So you wanted them to add more bloat to make sure all of their programs were compatible?"

No I didn't say that at all, where do you get this stuff from? I want them to fix their applications so that they run properly on the software they are selling us. Considering the company's main focus is the OS one would think they would make sure their top products worked properly with their latest and greatest and if not...fix it before tossing the latest and greatest out there. Visual Studio is quite certainly one of their most important products. If I had to guess, I'd say it's right after Office yet they didn't make sure the product worked properly with their latest OS release and fix it when they had the chance, that's just shameful.

"How about they provide 100% backwards compatible solution as a means to run the programs as they were meant to be run? They do. It's called XP. :)"

What does that have to do with the price of tea in china? How about they fix the latest version of their major applications so that they work properly with their latest OS? Do you see a more recent version of VS anywhere? If so, do tell because the rest of the development community must have missed it.
EDIT: I might add that without visual studio, what do you suggest developers write their windows software in? Notepad? There are other environments out there to be sure but lets face it, most windows software is written in VS and to move from VS to another solution type is a major investment of time and money that should not be required. Not when MS's stated goal is to drive developers to it's platform. Thankfully the patch to VS fixed the most egregious problems but the fact that I need to run my dev environment in admin mode to get full functionality is something that should have been fixed long before.

"How then, would you propose to stop other programs from changing system settings without you being warned?"

By requiring administration privileges to make those changes in the first place and not bugging an authenticated admin every 10 seconds. If they don't feel they can trust that the admin is really the admin then they should be fixing their user authentication not making my job more irritating. If I do something stupid thats my problem. I'm logged in as an admin and screwing with my system, if I **** it up I have no one to blame but myself.

"It's all about ease of use and protection for idiots. They know we can disable it if we don't like it, and they believe we can take responsibility if such actions compromise our systems.

...apparently they were wrong about that last part."

And I agree that people need to take responsibility if they screw up their system themselves. But I should not need to disable UAC in the first place, UAC is a global setting not user specific, if I shut it off I shut it off for everyone. I WANT my non-admin users to be restricted, but an admin is an admin..not a "sorta-admin".

Caps lock is cruise control for cool.

"at Microsoft employees are required ... REQUIRED to eat their own dog food"

I know someone who works there...he's never eaten dog food in his life though.

"That means that the devs on VS had been using Vista since beta genius. Got it?"

So...nothing has changed in Vista in over 2 years...yea I get it now! That was the release date...nevermind actual development which was even longer ago! It's not like the VS team is working on a 2007 project or anything...adding compatibility to 2005 so you don't have to hit a few extra keystrokes in Vista MUST be higher priority.

Hey...I'm not saying they shouldn't fix this "problem"...but focusing on this one tiny little thing about hitting an extra keystroke or two when starting VS 2005 in Vista and saying MS is incompetent because of it is a bit ridiculous...but I guess it's to be expected of most Betanews posters.

"Next time, learn and know wtf your talking about before running your mouth off like an imbecile. Or better yet, sit down, shut up and learn."

I love when people get this pissed off by reading some posts...life must be pretty tough for you eh? :)

"I know someone who works there...he's never eaten dog food in his life though."

Your a freakin idiot.

"So...nothing has changed in Vista in over 2 years..."

Tons changed, and you don't think the VS team was aware of it? You contended they couldn't possibly know in a company that size, your wrong. MS employees are required to use the latest OS from beta onwards. Go ahead, ask your "friend" or any nearby MS consultant. Unless there is a compelling reason not to (such as a client requirement) nearly all MS employees use the beta OS to help iron out problems.

"It's not like the VS team is working on a 2007 project or anything...adding compatibility to 2005 so you don't have to hit a few extra keystrokes in Vista MUST be higher priority."

How about getting it working period. Did I say it was only the UAC problem? No I didn't genius but freaks like you only read what you want to see and skip everything else. No instead we had to wait for a patch nearly 2 months after Vistas release just to iron out the major bugs and we now are finally only left with the UAC issue.

"but focusing on this one tiny little thing about hitting an extra keystroke or two when starting VS 2005 in Vista and saying MS is incompetent because of it is a bit ridiculous...but I guess it's to be expected of most Betanews posters."

You mean a poster like you, throwing his nose into a discussion without bothering to actually read what is being said and being completely wrong in your assumptions...yea I guess it is to be expected from morons like you.

"I love when people get this pissed off by reading some posts...life must be pretty tough for you eh? :)"

Yes..just like you got all pissed off and began insulting me for no freakin reason when you didn't have a clue what you were talking about, way to go genius.

Old OS old product.

New OS, new product.

Simple as that. The fix for VS 2005 is the *next* version of VS.

By requiring administration privileges to make those changes in the first place and not bugging an authenticated admin every 10 seconds

Lmao...then everyone runs as admin and we have the *same* problem we had with XP. Not quite a rosy solution there.

I'm logged in as an admin and screwing with my system, if I **** it up I have no one to blame but myself.

I'm glad you can take responsibility for your actions. It seems you are not the majority based on this flaw alone. They disabled UAC. They were comprised because of it, and they are blaming, not themselves, but Microsoft.

I WANT my non-admin users to be restricted, but an admin is an admin..not a "sorta-admin".

You disagree with their decision to get rid of the "root" user. That's fine. Again, they didn't do it for you, they did it because they knew that if they left an account on there that was unrestricted, *everyone* would use it and all their security would be for nothing.

...
because you keep saying you want unrestricted access? Like "root" in linux"...and ebcause that access doesn't exist in Vista?

That's where I got that idea.

You do read your own posts, right?

lmao...

old product...um yea. You do realize VS isn't even 2 years old right? I doubt people would be so condescending and understanding with MS if it were Office 2003 that didn't work with Vista...but hey too bad for them, there's Office 2007 right?

So what do you propose developers do in the meantime while we wait for VS200x? Do nothing? Not support Vista? Where would all your Vista happy apps be then that fix all these irritations? You know, the ones you mention above that make all these problems go away. They wouldn't exist because the developers couldn't write and test them. No, waiting for the next VS is not the solution, the solution was and is to fix VS to work with Vista. My contention is that they should have done so long before Vista was ever released. Instead they had to patch it well after the fact and it still doesn't work 100% correctly.

As for the rest, we will have to agree to disagree. There are ways to mitigate people creating admin accounts unnecessarily but MS refuses to do so. For example, during setup XP asks you for an admin password and an initial account, making 2 Administrator accounts on the system. Simply NOT creating the very first user account as an administrator would do wonders. These simple Joe users you keep referring to are also not the type to know or bother finding out how to add new administrators to their system. So they would have their default limited account for normal use and in need an administrator password that they could give to Captain FixIt down the street. IF they start poking and prodding to figure out how to add an admin account, too bad for them if they **** up their computer.

Do YOU read what I've been writing? You seem to be having some trouble following individual threads. I'm trying to have a reasonable conversation with you but your sarcasm and condescending attitude are beginning to make that very difficult.

Beta genius? Is this a new stage of beta testing? :D

I'm not being condescending at all.

..and yes, I tend to combine threads. It is a bit easier than posting replies to one person in 6 different threads, besides, we're all discussing the same general topic here, are we not?

As for the sarcasm, well... Guilty as charged. ;)

It simply seems to be that you're biggest concerns are the annoyance factor of UAC and Microsoft's alleged mis-handling of backwards compatibility (mostly caused by such things as UAC).

My point is simply that while UAC may annoy the hell out of those who constantly fiddle with their computers, it will *rarely* affect the majority of users. Even less once apps written specifically for Vista gain some market.

Secondly, as to Microsoft fixing VS, I'm sure they will. I'm sorry you feel they should have done it prior to Vista's release. It just makes more sense to me (and apparently MS) to go ahead and work on a new version of it than fixing one that's likely to be replaced soon...with said newer version.

If they went back and re-wrote every MS app they made for XP to be compatible with Vista/UAC before releasing Vista, we'd have neither the new apps, nor Vista. While that may be acceptable to you, those that don't use VS, or who can deal with some aggravation during the transition, disagree.

So what do you propose developers do in the meantime while we wait for VS200x? Do nothing? Not support Vista? Where would all your Vista happy apps be then that fix all these irritations?

Are you trying to tell me that programs written with VS 2005 in XP won't run in Vista? Can't be coded to be 100% compatible with Vista?

You're kidding, right? Sure, it's a PITA. But it's possible.

Secondly, it's not *impossible* to use VS 2005 in Vista. It works, just not as well, or with as much ease as it does in XP.

These simple Joe users you keep referring to are also not the type to know or bother finding out how to add new administrators to their system. So they would have their default limited account for normal use and in need an administrator password that they could give to Captain FixIt down the street. IF they start poking and prodding to figure out how to add an admin account, too bad for them if they **** up their computer.

They made a trade-off. You're right, it's not perfect...yet. Too many of these 'Joe's' are used to being able to do certain things, and stripping them 100% of that ability (without having to call Cap'n FixIT) would likely be too much to handle for them.

I think this is MS's way of easing them into it. I would not be the least bit surprised to see SP1 or the next version of Windows do away with the default admin login entirely.

"You're kidding, right? Sure, it's a PITA. But it's possible."

I'll grant you it is possible, but PITA doesn't begin to describe the process of figuring out what went wrong when your debugger is on a different machine.

"Secondly, it's not *impossible* to use VS 2005 in Vista. It works, just not as well, or with as much ease as it does in XP."

No it isn't impossible...now. When it (Vista) came out much was broken. Even now, post VS patch, some of the best tools that help developers write good code as opposed to crap don't work right/well. So you end up with flawed results and more bugs then normal...that translates into b****y customers telling you your software sucks because its broken all the time. I'm sorry I just don't see it as unreasonable that the latest version of MS's development environment should work properly with their latest OS right when the OS gets released. There isn't a newer version of VS, there isn't even a published time table that anyone can bank on. Yet the developer community is at the heart and soul of MS's dominance. MS developers, develop apps to run on windows. The more apps that run on windows the less people want to switch platforms. MS figured that out a long time ago and thus MSDN was born and MS has been catering to developers ever since, but IMO they dropped the ball with Vistas release.

...and my final word on the subject. I also do not find in unreasonable that the software I paid MS $10,000 for should work with their latest OS without issue when no newer release exists or is even close to being done. Sorry but thats just good customer service, released products always take priority over development end of story. If VS was 10 years old and no longer "supported" then the argument that MS shouldn't need to ensure it works would hold validity, but it isn't 10 years old and it is still supported.

/soapbox

/dusts hands

Why can't they do this with all their critical flaws? I understand that they test the hell out of these hotfixes before they are released, but if they can do it with one, why can't they do it with all of them?

..they are under tremendous pressure because of Vista's bad press and numerous bugs. They do not want anymore bad press than it has already got.

They used to do that but all the IT guys with 1000's of machines companied too much. Now they keep them all together to make it easier on those guys.

Microsoft,

Just as eEye if you can use their fix. :)

Hahahahahahahhaha!

It doesn't correct the underlying problem. I'm assuming Microsoft's fix will.