The media might be heralding Windows 7 as the Windows release that will erase all the bad Vista memories, but there’s still this nagging security flaw in Windows 7’s User Account Control which Microsoft refuses to fix, stating that it is not a security flaw at all. Well, Microsoft, if this is not a security flaw, then why does your own security software block the tool that demonstrates it?
I’m not going to detail the flaw yet again, but the gist is that it is quite easy to bypass Windows 7’s default UAC setting by piggybacking on processes that are on a magic auto-elevate list. At that default setting (notify me only when programs try to make changes to my computer), Windows’ own signed binaries are elevated without a prompt, so code that can piggyback on one of those processes inherits administrator rights without the user ever seeing a UAC dialog. The list lets Microsoft avoid fixing its own code to work with UAC while still demanding that other developers fix theirs.
Microsoft has tried to weasel its way out of this by consistently claiming that the flaw is not actually a flaw but “by design”, and that several other security barriers are in place to mitigate it.
This raises the question: why does the Microsoft Security Essentials beta specifically block the proof-of-concept code from running? That code exists solely to demonstrate the flaw, and Microsoft went to the trouble of properly detecting and naming it in the Security Essentials beta. The code is open source, and a simple recompile with the Visual C++ 10.0 toolkit in VS 2010 Beta let it run undetected once again, which suggests the detection matches that particular build of the tool rather than the technique it uses.
If the security hole is not a hole, why does Microsoft specifically block the tool designed to exploit it? Not only is it a cheap way to make it look as if the hole is plugged, it is also an admission by Microsoft that we were right all along: yes, this is a security hole, whether Microsoft wants to admit it or not.
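The practical question a reader is left with is whether their own machine is at the UAC level the bypass depends on, and which Windows binaries ask to be elevated silently. The script below is an added example, not code from the article or from the proof-of-concept it discusses. It reads the two UAC policy values that control prompting (EnableLUA and ConsentPromptBehaviorAdmin, whose value 5 is the Windows 7 default that lets Windows binaries elevate without a prompt) and then scans System32 for executables whose embedded manifest carries the autoElevate flag, reporting their Authenticode signer. The manifest flag plus a Microsoft Windows signature in a trusted location is only an approximation of the conditions; it is assumed here that the manifest is stored as plain UTF-8 text, and the script does not reproduce whatever internal list Windows itself consults.

```powershell
# Added example (not from the original article): report the UAC prompting level and
# list System32 executables that request auto-elevation in their manifest.
# Assumptions: Windows 7 or later, run as an ordinary user; the RT_MANIFEST resource is
# plain UTF-8, so a text search for the autoElevate element is enough. This approximates
# the auto-elevation conditions and does not reproduce any internal Windows list.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policy

# EnableLUA=0 means UAC is switched off entirely. ConsentPromptBehaviorAdmin values:
# 0 = elevate without prompting, 1/2 = prompt on the secure desktop, 3/4 = prompt,
# 5 = prompt only for non-Windows binaries (the Windows 7 default the bypass relies on).
$level = switch ($p.ConsentPromptBehaviorAdmin) {
    0 { 'Never notify (no prompts at all)' }
    1 { 'Prompt for credentials on the secure desktop' }
    2 { 'Always notify (no silent auto-elevation)' }
    3 { 'Prompt for credentials' }
    4 { 'Prompt for consent' }
    5 { 'Default: Windows binaries auto-elevate silently' }
    default { "Unknown or unset value: $($p.ConsentPromptBehaviorAdmin)" }
}
"EnableLUA=$($p.EnableLUA)  ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin) -> $level"
if ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 5) {
    'Auto-elevation is in effect: code piggybacking on an auto-elevating Windows process gets admin rights with no prompt.'
}

# Scan System32 for executables whose manifest asks for auto-elevation, and record who
# signed them. Unsigned or third-party-signed hits are not candidates; Microsoft Windows
# signed ones are the processes the article's "magic list" refers to.
$pattern = '<autoElevate>\s*true\s*</autoElevate>'
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.exe -ErrorAction SilentlyContinue |
  ForEach-Object {
    try {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch { return }   # unreadable file (locked, access denied); skip it
    if ($text -match $pattern) {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{
            Name      = $_.Name
            Signature = $sig.Status
            Signer    = $signer
        }
    }
  } | Sort-Object Name | Format-Table Name, Signature, Signer -AutoSize
```

Setting ConsentPromptBehaviorAdmin to 2 ("Always notify") is the configuration change that closes this class of bypass on a machine you control, at the cost of a prompt for every elevation, including Windows' own; the script prints that level so the trade-off is visible before you change it.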
Conclusive proof that like the giant fleshy beast blob in Akira, Microsoft have grown far too large to even have arses or elbows to discern from each other. If they keep parroting “It’s not a bug, it’s a feature!”, like they have for as long as I can remember, people will eventually get fed up. Unless they’re idiots who can’t imagine life without Windows, as the past several years would indicate. There are legitimate reasons to keep using Windows, but most of those are circular reasons like “Game developers make most games for Windows so everyone uses Windows, so game developers make more games for Windows”.
“…Unless they’re idiots who can’t imagine life without Windows..”
All too common, I’m afraid.
Meanwhile the security vendors will lap this up as pure gravy.
Except if they use their computers primarily to play games (you know, the geeks that have a couple of $100+ vid cards running in SLI or Crossfire), I don’t think it is very smart to call these users idiots for sticking to the platform where all of the games are.
When articles were posted touting the benefits of Safari/Chrome over Firefox, a lot of people said they wouldn’t switch because of extensions in Firefox that they had grown to love/rely on that other browsers just didn’t offer. This seems like a very simple thing that people can understand, yet people can’t seem to grasp this concept when you start talking about operating systems.
Edited 2009-08-03 23:44 UTC
Like I said, games are a legitimate reason to use Windows, but they’re a circular one. Games are the only reason anyone should use Windows, but in an ideal world we wouldn’t have to.
Idealism is a wonderful concept.
In an ideal world, we wouldn’t have people calling people idiots for using a particular tool.
I felt the same way yesterday, as I was getting strange looks while airing up my tire with a hack saw.
Edited 2009-08-04 17:30 UTC
Ooo, good one, I was going to say something like changing a wheel with a blow torch and a welder.
I got sick of all the BS associated with gaming on Windows a couple of years ago (update your drivers, update your OS, zero-day massive patches for the games, too many damn games that just don’t work, retarded copy-protection schemes). Since then, I haven’t bought a single game for Windows.
I’ve bought a few for my Mac, and I’ve bought a pile for the consoles and hand-helds I own. Shitty product quality and customer abuse on Windows drove me away.
Sure I’m just one guy, but I wonder how long the rest of you can be slapped around before you move on?
– chrish
I don’t think it is circular. It’s pretty straightforward: no decent Linux games (no chicken/egg). The games come first. It seems OSS can’t move past the Quake III-looking games.
I have to tell you: you can live without those firefox extensions. Specifically: there’s an adblock extension for Safari as well for ages now.
Firefox is too bad of an example. It’s getting slower and slower with each new release, and when you start dumping heaps of extensions on it it just gets worse. Every other browser, including Safari 3/4, Opera 9, even Google Chrome, is way faster than those IE6-7-8/Firefox bastards.
I prefer speed to features anyway (I guess at least some of you also do)
I’d love for you to back that statement up, Firefox has been getting faster with every release and uses less memory (and retains less) than any other main browser.
If you really believe that, why hasn’t Firefox made any inroads in the mobile phone market? Why has Mozilla had to specifically try and make a mobile version of Firefox because of memory usage? Why do the other browsers operate really fast on ‘slow’ mobile phones?
wut? Seriously, what? The other browsers have had cut down “mobile” versions of themselves created. They do not offer all the functionality of their desktop counterparts. Not even Safari on the iPhone has ALL the features of the desktop version.
What is with the FF hate? I’ll admit, for a bit it had memory leak issues out the wazoo, but I’ve not had any issues with that lately with FF3.5. And with the 3.5 update, it has gotten MUCH more responsive on my work computer which is just a Pentium III coppermine @ 1ghz with 1gb of pc133. We don’t have the budget to update staff computers (we get grants for public machines), so I’ll be stuck on this for awhile, and I’ll be using FF on this machine for the rest of its lifespan. I don’t much care for Opera and Chrome runs like absolute garbage on this tower.
Firefox 1.5 and Firefox 2 were slower and slower again, and used more memory than Firefox 1, due mainly to memory leaks and increasing functionality.
Firefox 3 and then Firefox 3.5 however are faster and faster again than Firefox 2, due to fixing memory leaks and attention to optimisation.
Firefox 3.5 (which for the first time includes a JIT compiler) is not as fast as Google Chrome, but it isn’t that far behind and it is way, way faster than any version of IE.
Whatever small advantage Google Chrome gains over Firefox 3.5 in terms of its slightly better speed it more than loses in terms of its considerable lack of extendibility.
Edited 2009-08-04 09:32 UTC
My Windows boot install now exists on hardware only for gaming. I’d move my games to a different platform in a heartbeat and still have no issue paying for those titles if the game developers could get over the addiction to DirectX crack. As it stands now, I have Windows tuned for one or two games (it inevitably locks up after too much gaming, cause it’s such a high quality OS). For everything else and security, I have other platforms that my machine spends 90% of its time booted into.
But.. did you not see the circular argument at the end of the post you replied to:
“Game developers make most games for Windows so everyone uses Windows, so game developers make more games for Windows”
Your reply would be that very example previously given. Start asking your game developer of choice where the non-Windows install is.
I’m also against this security by obscurity, but even then it is better than nothing.
This is clearly a flaw in my book. But one of the strong points of Windows, and its biggest flaw, rely on backward compatibility (Windows 7 and Vista removed some of the compatibility layers).
This has been a very bad point for Microsoft, to bend to the user on this issue; UAC was annoying, but by explicitly disabling it the user was aware of the trouble she/he was exposed to, and it was a good compromise for working with broken software that relied on extra rights to work.
Maybe it’s time for Microsoft to provide a (new) more secure/modern userspace (.NET is still not enough).
My idea for security is overhauling the permissions system to strictly enforce user and admin account distinctions. For backwards compatibility with programs that don’t like being in limited accounts, you could just set a program to compatibility mode, and Windows could give it a temporary virtual set of system files to trash. Kind of like sand boxing but with less isolation. For programs that need registry keys or whatever, Windows could store them in plain text files exclusive to that program, and import them into a virtual registry.
If done correctly, any viruses or malware would only trash the system files of the program that was exploited. Depending on the malware it might vanish when the virtual system files do, or it may live on in permanent settings, but only for that program. This, of course, only applies to security in the semi-sandbox, but outside of that, proper security and permissions should prevent other major flaws too.
Windows sec is a billion$ industry.
That is a symptom of the problem not a reason to support the status quo. More harm and insecurity has been imposed on the end user by Windows than any other platform yet. The IT support industry needs to become less parasitic and start providing real value for the customer. This job security through poor product quality is not acceptable.
The majority of the leaks and “security” issues with Windows are internal. Reminds me of the messenger app that came with XP, but you still had to download MSN. It’s just a portal for spam/malware.
I’m sure a few lines of code and that app won’t get picked up by an AV.
Why I do not run Windows on any machines I own. Microsoft are not to be trusted, pure and simple, and they have no interest in making their OS secure despite their lip service to the contrary.
I think the company you’re describing here is Apple. Microsoft have made great strides in making their products more secure, but not always ‘enough’ for the more security-concerned public. But you have to understand their position and the balance they have to keep between hardcore users like us, OSNews readers, and Joe User.
I despise Microsoft as much as anyone for various reasons. Words fail me on how impressive the Linux kernel is (quote from some guy at Phoronix I think), but I don’t see any of the distros replacing Windows as a desktop until they start leading instead of playing catch-up. I firmly hope and believe Google will fill that position with ChromeOS. (I wanted BeOS to succeed so badly I bought several copies of it and all the software I could get for it, even though I didn’t use it.)
…but I don’t see any of the distros replacing Windows as a desktop until they start leading instead of playing catch-up.
Ahem! Most distros aren’t playing catch-up. They are already several years in the lead. Even with an aging GNOME or a slowly maturing KDE4.
Windows is a barebones OS. You need to flesh it out before it even is remotely usable. When just installed, it has a browser, a file manager, a media player, a few toy utilities like Notepad and Paint, some small games, some system tools and a handful of basic drivers.
After the base install, you have to get better drivers. You have to install an office suite. A serious graphics program. A real burning program. Anti-malware and anti-virus. A download manager. Etc. Etc. If you play by the Windows rules and don’t “cheat” with FOSS, all those extra components cost money on top of the already bought Windows license.
It’s not only that Windows is a D.I.Y. Lego platform, where you have to add every block yourself. The way in which you have to do that is clunky. The installation of Windows has matured, but it is still poor in comparison to the Linux LiveCD install method. Software still isn’t centrally managed. The “find the software, double-click setup and click next, next, finish” routine is just annoying. Reboots have become less frequent, but still not enough.
When I look at Linux, I really enjoy being able to install from LiveCDs or USB thumb drives with ease. I love it that a base Linux install is fleshed out enough to have a working desktop environment with the basic stuff in place. Stuff like an office suite, a graphics program, a usable burning program, a lot of small games, all available drivers installed and ready.
Then there is a central application management program where just searching and clicking is enough to remove or install an application. You don’t have to draw your wallet, you don’t have to read through 5 or 8 screens, you don’t have to worry about where to put the software. Just click apply and the application will be ready in a jiffy and you can just launch it from the menu.
The only thing that is keeping Linux back is inertia. Too many people lodged in their comfort zones. If you don’t know any better, the pain of maintaining a Windows installation seems normal. If you do know better, maintaining a Windows installation can be enough to make you cry blood.
There are lots of reasons why these things happen but you only see forwards and don’t stop to think..
Just by including their browser Microsoft has problems with the EU; imagine if they included browser, messenger, image editing software and office… everybody would complain.
Also lots of people complained that Windows just came with bloat; now that Windows comes empty for you to install only the things you want, you complain? They can’t please everybody.
I think Windows installation is getting even easier in each release; someday even a monkey will be able to install the OS.
About drivers in Linux: you don’t have to install drivers? Does sound work correctly in Linux?
About the installation way, tell me, for example in Debian, either you compile the software or you always do apt-get install myapp; you do it always the same way, what’s the problem with that? Do you think people need to understand how to install software in each new Windows release?
Linux as a desktop computer is not better than Windows IN MY OPINION. We could be chatting about the reasons why all day. In fact I work with people who use Linux, but for image editing and software development they restart and boot into Windows to use Visual Studio and Photoshop; why don’t they use vi and GIMP? And they keep throwing at me all day that Linux is better… see the situation?
I’m no Linux hater; in fact I think Linux is good in lots of things, but your arguments have flaws; you almost sound like a Linux fanboy.
No hard feelings, just my 2 cents.
About the flaw, I agree Microsoft shouldn’t do things this way; this sounds like “cheating”. Also, the UAC in Vista wasn’t annoying for me. People are getting too picky when it comes to Windows…
If you know nothing at all about modern linux distributions, then why do you even try to comment on it?
Nothing you have posted is even remotely true of Linux.
Yes, audio works. Linux includes vastly more drivers than Windows does, and is considerably easier to install, both the OS itself and any applications. There is no need to boot to Windows even for the reasons you mention.
Hahaha. That made me laugh–not the part about Apple, which is all too true of late, but of Microsoft making their products secure. They have done the minimum and nothing more to give the impression of security. If they were really security conscious, they’d fix this auto-elevate bug for one, fix the permission system to strictly enforce limited/admin restrictions, and would not install as an administrator by default… and those are just three logical things they could and should do if they really want to be secure. But as another commenter pointed out, it’ll never happen given that Windows security software is a billion dollar industry already, and Microsoft wouldn’t cut off one of the biggest industries that keeps their crappy software afloat.
What I’m wondering about is: wasn’t Microsoft supposedly banned from using “internal” APIs to uneven the field and position their own software in an advantageous position as compared to software from 3rd parties?
I fail to see how this “magical autoelevate” list can’t be thought of as an exclusive, undocumented API that violates antitrust regulations. Thom says it himself: this list allows them not to fix their software and still make everyone else fix theirs.
Edited 2009-08-04 02:30 UTC
This only applies to components which ship in the box in Windows. By their very nature, most of them are allowed to use non-public APIs. You won’t see any Microsoft software that ships outside the box (e.g. Live, MSN, Office, or others) which behaves the same way.
Ah. So I take it you’ve gone through all of those yourself, every single line of code of all Microsoft’s external software, to back up your facts? I thought not. Evidence for your facts then, please? And no, working at Microsoft isn’t evidence in and of itself.
Regardless, even if it is just one internal component (doubtful) it’s still an open hole and Microsoft is indirectly admitting it. So why do they not fix their buggy software? Why does a calculator (a calculator of all things!) have the ability to auto-elevate and be a prime target for exploitation? You can gloss over this if you wish, just don’t expect the rest of us to be blinded.
Edited 2009-08-04 04:09 UTC
(Or, at least, suggesting it.) The burden of proof is on you.
Not at all. The OP stated a fact, and I asked the OP to prove it. That’s not a hard concept to grasp. If the OP will say with certainty that no Microsoft software outside of Windows uses this list, and says it so factually, it is up to that person and not me to prove it. I’m the one asking for proof of the fact as it was said. Simple, yes?
Think about this logically. There’s a list of binaries which can be elevated. And those binaries will only be elevated if they are signed with the Windows OS signing key (no binaries outside of Windows are allowed to be signed with such a key). Once the product ships, the list is not likely to change significantly. How could other Microsoft products worm their way into this, unless they are signed as being part of Windows?
The whole ‘internal APIs’ hullabaloo doesn’t make a whole lot of sense since it’s easy to find out exactly which APIs a particular piece of software relies on by just walking its modules’ import dependencies. If this were occurring, then people could easily determine it by just doing an import dump of all exes and dlls in an app. Microsoft internally uses automated tools that scan the built binaries of products to ensure that they use only public APIs, so it’s something people are serious about.
Can you verify this, aside from what Microsoft themselves say? I wish I didn’t have to ask, but given Microsoft’s behavior towards this flaw already as covered in this article it is obviously not a good idea to trust what comes out of their PR department concerning it. This list is hard-coded into Windows, as is the key signing restriction… are you 100% certain you know what this list is?
I took a look at the code in question. I can confirm first-hand that the files are verified to be signed with the Windows OS signing key and from a certain set of OS paths with a certain small set of EXE and DLL names. Calc.exe is NOT on this list, neither is Notepad, or some of these other outlandishly common apps that people raise a hue and cry about.
People are not more afraid to do banking and other financial tasks on their Windows install. I never ever do it; if I have to do it on a strange machine I boot with a live USB.
Then again, on holiday my girlfriend uses machines in internet cafes for this without concern, laughing away my objections; maybe I’m the paranoid one.
I see a great many complaints on OSNews regarding how Microsoft and Apple handle their respective businesses. Be it security, or DRM, or monopolistic behavior, or whatever. There are also a great many solutions proposed, all of the ilk “Vendor X should change/fix problem Y and here’s how/why.”
I would simply like to say that absolute best thing we can do as consumers is to stop purchasing the offending products. I know that many of you would respond to this by stating that it’s not up to you and that you have no choice. You have to purchase a particular OS for a specific purpose (games, productivity apps, desktop publishing, etc…). This is BS. You have to motivate a manufacturer to make a change, usually by doing more than whining.
Corporations are motivated by *revenue*. It’s a very simple fact. As long as people are buying the products they’re selling, they can assume their products are “good enough”. If the revenue of their product(s) decline, they’re *forced* to ask themselves why. If the revenue of their product(s) hold(s) steady, or increases, then they’re inclined to believe they’re doing a lot right.
I understand it’s not as easy to affect a company’s revenue as it is to post complaints about their products, but it doesn’t change the simple facts of how they operate. As long as the products they release meet the needs of the *majority* of customers to whom they sell, they will continue to do well in the marketplace. If people stop buying their products, maybe they’ll step back and ask why. Unfortunately, a vocal *minority* holds no such influence. It all seems very political, doesn’t it?
I guess my point here is that all your efforts would be better directed toward starting movements to diminish the sales of the products you dislike, if you feel as strongly about it as you seem to. Now, more than ever, people have choices regarding which operating system they use. It’s incumbent upon you to convince people that they need to make that “other” choice. Getting your whine off on OSNews forums is not going to accomplish anything.
Philip
I agree, and I have done exactly that. I haven’t bought, nor pirated, Windows in years. I don’t need it, and I don’t want it. The problem is getting the average consumers, the ones who don’t know and don’t much care about choice, to start making choices in numbers enough to matter. For the life of me, I’m not certain exactly how that could be done, especially in the case of Windows, which comes with 99.999% of all PCs sold whether it’s wanted or not, and with most tied down to specific software packages rather than the functions they provide. To many of them, if it doesn’t run Microsoft Office it’s out of the question regardless of whether another word processor or spreadsheet would meet their needs or not. They don’t think in terms of function, they think in terms of a brand name and equate that brand name product as the only one able to perform the functions they’re used to. How do we break that mentality?
I’m not sure if your question was rhetorical, but in case it wasn’t I offer the following: Only time will have any measurable effect. The average age of the technologically savvy computer user decreases continually. I attribute a great deal of the (small) migration which has occurred from Windows to other OSs to this fact. One would expect this trend to occur over time. A time will come, whether it’s 5, 10, or 15 years down the road, when OS vendors are going to be held more accountable by their users for perceived flaws in their products. The incumbents will find it difficult to offer the status quo in this brave new world, because it simply won’t be accepted. For the time being though, the masses are largely computer illiterate and only know that they need to have Microsoft Windows on the computers they buy.
It is also the responsibility of other operating system manufacturers/coders/designers to play some catch-up. I hope that no one disagrees that Microsoft Windows and Apple OS X provide a more complete, consistent, and satisfying user experience with their products, at least for the “average” user. Honestly, I think, at least philosophically, the various BSD variants are farther along than Linux in this regard. The key distinguishing factor being a *lack* of variety with these OSs. Linux, while a great example of how a community can come together to produce a serviceable open source operating system, is too fractured among various distributors whose goals, while individually may be noble, are counter to the fostering of Linux as a true operating system alternative. Don’t get me wrong. I understand that Linux has gained on Windows in “market share” year after year, at least in the server market. But for it to be adopted as a true desktop operating system for the masses it is going to have to be unified in some way. Someone converting their 60 year old grandmother on a one-off basis is not going to cut it. Having 100+ Linux distributions to choose from does not lower its barrier to entry, it raises it. Choice is a good thing. Too much choice can be a very bad thing. The average person does not have to think too much about which Windows version they’re going to buy, or which Apple OS X version they’re going to buy. With them it’s generally just a question of “getting the latest version” (I understand there are at least 6 “editions” of Windows Vista, but they’re all from MS).
I also believe that Linux *must* land on a particular desktop environment. Again, this is a choice an average user should not have to make. Most distributions have a default choice for this, and I appreciate that. But the experience between a distribution which uses Gnome and one which uses KDE (or twm or Xfce or Enlightenment or Fluxbox or etc…) is too inconsistent. A Windows user can use almost any Windows OS computer without too much difficulty. Can the same be said for a “Linux” user? If they’re a RedHat/Fedora user and they’re looking at another RedHat/Fedora system, the answer is obviously yes. But if that same user were to try to use a xUbuntu system, what would their experience be? Or Suse? Or Slackware or…
My point is that we can blame Microsoft and Apple for only so much of our dissatisfaction. There have to be *reasonable* alternatives, for the common user. Right now, frankly, none exists.
Philip
Well, my question I guess was half rhetorical but also genuine. In either case, I think we need to get away from thinking of Linux as an operating system. It’s not. Ubuntu, Fedora, SuSE… these are the operating systems–compatible at the source level but otherwise significantly different from one another, as Mac OS X is to FreeBSD for example. Nevertheless, I agree on the whole standardization issue, something I’ve been saying for years. But we can say it until we’re blue in the face, it isn’t going to happen. The greatest strength of open source is also its greatest barrier to adoption by the masses.
I do disagree though that Windows provides a more complete user experience, but perhaps that’s just a result of what I want my user experience to be. Windows is not an ideal experience for me, not one little bit. OS X, now… that’s a consistent and complete user experience, and GNOME is getting much closer… finally. OS X just feels like a complete system, whereas Windows and to a lesser extent GNOME feel like a bunch of components slapped together.
Wow, this thread has gone way out of topic. My fault.
Not only could a user of one Linux distribution easily use another, but so too can Windows users fairly easily use a Linux distribution.
Where is the problem?
Linux distributions have panels, task bars, system trays, “start” menus, desktop applications, office suites, media players, folders, files, disks, USB devices, WIMP GUIs, LANs, browsers, dialog boxes, clicks, double-clicks, drag and drop, etc, etc, etc.
Just about the only things missing on Linux are: viruses, virus checkers, malware, spyware, subscriptions of any kind, EULAs, the registry, warez, shareware, trialware, registry cleaners, registration keys, CD keys, closed format lock-ins, dozens of different updaters, BSOD, WGA and DRM.
…
Users generally don’t miss these much, at all.
If those “features” were the only things missing in GNU/Linux, it would enjoy a greater market share and it would be the OS on my main personal desktop computer.
Even with all its flaws, Windows is good enough for most people, as the OS doesn’t matter as much as the applications/games.