Why do idiots disable UAC & claim it's not a security function?

Discussion in 'other anti-malware software' started by STV0726, Feb 5, 2012.

  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Which is completely different. Sure, malware bypasses security software all the time. But security vendors will do everything they can do to fix it. Microsoft has been made aware of the insecure default setting during the beta tests of Windows 7. They decided not to fix it, because according to them it is "by design". Microsoft themselves designed UAC to be insecure on any level but the maximum level. So if you want to use UAC, better put it to maximum.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think it's by design because UAC isn't really meant to stop a malicious program from gaining administrative rights, it's meant to stop exploits in good programs from gaining administrative rights.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    That is like saying sudo provides "necessary, security technologies that relate to both integrity control and the least user access principle", which couldn't be further from the truth. Both are an integrated part of the Windows kernel and have nothing to do with UAC. All those features will remain available even with UAC disabled.

    I never once made that argument. I didn't even mention any security software. Actually you are the first person who does.

    You won't deny that the majority of systems get owned using vulnerabilities in the same products. In fact those products have been used to infect machines for years now. If you stay away from those products or at least keep them up to date, you will be fine even without Protected Mode. On the other hand I would dare you to visit certain drive-by drop site with Windows 7 as an Administrator with UAC at default with outdated Acrobat, Flash and Java. Let's see how "Protected Mode" will keep your system clean (hint: it won't). That by the way is exactly why I mentioned before that those third party plugins are way juicier targets than a browser.

    Even a sandboxed keylogger is able to log keys within other sandboxed applications which could already be all that is necessary to steal your Facebook or email password.

    While it may prevent a system from being infected, it won't prevent malware running inside the sandbox from stealing information.

    Yes, and it will be as insecure as the current one. As soon as you allow any component the user uses regularly to be on any kind of white list, you will end up in the same spot that Microsoft is right now. The user wants to interact with those white listed applications like he would with any other application. So MIC isn't an option, since it would break Drag and Drop and all other kinds of UI goodness. In the end, you will always be capable of abusing a white listed application to do your dirty work. Microsoft did it right in Vista. They screwed up in 7 because they decided to do a more user friendly approach like you suggested.

    The majority of people don't use UAC in OTS mode. So while UAC does help when using actual standard users, it is far from the default use case.

    Again, I never said anything about buying anything. I said it is getting out of hand because I didn't want to talk about sandboxes to begin with. All I wanted to do is give cause for serious concern in regards to combining any kind of automatic white listing with something like UAC. And since we both share those concerns I am asking myself why you are wasting your time even arguing with me :).

    Actually, at least in my opinion, I did the opposite by saying that people who want to use UAC (which clearly is the case if they run it in its default settings now) should put it to maximum to get the full effect.

    I would post with a private account if Wilders would allow one person to have multiple accounts. Unfortunately that isn't the case. It should be obvious that I don't represent Emsisoft at all given the fact that this thread has nothing to do with anything we do. Of course there are always those people who try to defend their arguments by playing the "employee" card. Do you really want to be one of those people?

    Don't be. You have strong opinions. So do I. It happens :).
     
    Last edited: Feb 16, 2012
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Kees1958, if you read carefully what Fabian Wosar wrote, you'll see that he advised to disable UAC if you have it at default settings, because it's as good as not having it.

    That statement only has one meaning: FUD.

    Kees1958, what you're talking about is true, but the same doesn't mean that UAC is 100% useless at default settings. Saying that is spreading lies and FUD.

    So, let me openly ask you for an honest answer. Do you share the same opinion as Fabian Wosar? That if XYZ user has UAC configured with default settings, you'll be better off with it totally disabled, because it's the same thing? o_O

    I can't possibly believe you're saying that. I hope I'm misunderstanding you. ;)

    As I already said, I AGREE that if you're running as a stripped down administrator - I'm talking about users in general - with default UAC settings, UAC won't be able to intercept (not secure!) against certain modifications.

    But, that's by design. It's not a security flaw. It's not a vulnerability! It doesn't make UAC any less strong, because UAC doesn't have to be strong!

    UAC was the way Microsoft found to annoy users and force software developers to develop software that works the way the O.S now works, since Windows Vista, and stop being lazy software developers.

    Quite a few x86 applications make use of UAC virtualization. Do you know why? Lazy software developers. Microsoft should do the same they do for x64 processes - demand software developers to properly code their software.

    Regardless of UAC not being a security mechanism, it is directly related to Internet Explorer Protected Mode. I'm sure you're aware that Protected Mode is Internet Explorer's sandbox, or part of it? Yes, you're aware. ;)

    So, do you agree with Fabian Wosar's statement?

    For starters, as I've already mentioned and no one refuted it, UAC is not a security mechanism. It's both a way to force software developers to code properly and a compatibility mechanism for x86 applications not properly coded to work in Vista/7. This compatibility mechanism is called UAC Virtualization.

    UAC Virtualization doesn't work for x64 processes because Microsoft does mandate that software developers properly code them. Therefore, considering UAC Virtualization is for compatibility, it's not needed for x64.

    But, if you're running x86 applications that weren't coded to comply with the way Windows 7 works, and disable UAC, then they'll stop working properly.

    Also, if every home user - the majority runs at default settings! - were to disable UAC, because it's configured with default settings o_O, then they could no longer use a standard user account, because at the image of Windows XP, it would be a living hell.

    What would be the solution? A full-blown administrator account? LOL Running web browsers with plugins, constantly targeted, with full permissions to the system?

    This little piece of advice by Fabian Wosar, a security software developer, is nothing but shameful, IMHO. I'd understand a comment like that from someone not fully understanding all the complications that come with doing it.

    I don't understand that comment, coming from someone with knowledge. I seriously don't.


    @ Fabian Wosar

    You still insist to call something that isn't meant to be a security mechanism as being insecure. It's not insecure.

    Let's try to put this into perspective. You have Mamutu, which is a behavior blocker, and Online Armor HIPS component. They are security tools. If they're like the others, they will allow users to increase or decrease the level of protection. If users decrease it, then they will increase their insecurity. Your tools won't be as effective.

    You also allow that kind of control... by design. But, in your case it's all about security - yours are security tools. Their very own nature defines them as being security tools.

    UAC is not meant to do that. It never was. I've explained in my answer to Kees1958 what it's about. That's how Microsoft designed it.

    They only added a few alerts to help the user decide whether or not they should elevate something. Just a little help. Maybe this was their mistake, because it made a lot of people believe that UAC is a security tool.

    Heck, I think I've seen when Vista came out someone testing UAC against rootkits. It stopped all at the time, but that was beside the point, because even if it failed that's not its task. It's not a security tool.

    One of the reasons why UAC default settings are not that intrusive, is that people started to complain about Vista's UAC model.

    So, Microsoft just gave the candy to those who asked for it. Now that you got the cavities, you complain? I wasn't the one complaining how UAC worked in Vista, which is why I have it up in maximum.

    Do note, I agree that default isn't as intrusive as maximum settings, but I do not agree with your advice to disable UAC entirely.

    It's all about intrusive vs non-intrusive. UAC was intrusive in Vista, it's not in 7. Microsoft gave people what they wanted.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You keep treating UAC as a security tool. Stop seeing it as such. Where did you get that idea about the exploits? Could you explain a bit more? :)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Long posts >_> maybe I'll come back later.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Maybe if it's some file-access sandbox. You're an emsisoft dev - behavioral blocking = sandboxing. API call restrictions.

    I agree with Wosar that UAC is as good as useless unless at max. I'd probably go further and say it's as good as useless regardless. I had not realized that UAC was not directly tied to integrity levels.

    EDIT: I haven't seen him say "disable it" once. I've seen him say "put it on max" a few times though. IDK if you guys are just misreading or if I am but you keep saying "He's advising people turn it off" when he's not.

    You can say "Oh, but protected mode" but Chrome does just fine without UAC. I don't know why MS relies on UAC for it to work but they shouldn't have to.

    As for the virtualization, it's nice, but it's a compatibility feature.

    So, with the knowledge that UAC has no ties to the integrity system, and being a Chrome user, I see no reason to leave it on default as opposed to off. I will leave it at maximum as Wosar has suggested.

    What does it matter?

    At UAC off they elevate silently.
    At UAC on default it's a simple matter to avoid UAC altogether.
    At UAC on max they elevate but only after the user allows it.

    UAC encourages developers to not take admin rights when they don't need them.
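
The three states listed in the post above correspond to policy values in the registry. As an added example that is not part of the original thread, this PowerShell function reports which state a machine is in; the function name `Get-UacLevel`, its labels and the sample values are assumptions made here, and the value meanings are the documented Windows ones rather than anything stated in the thread.

```powershell
# Added example: classify the UAC configuration from the three policy values under
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Get-UacLevel and its labels are illustrative names, not taken from the thread.
function Get-UacLevel {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value is reported instead of being guessed at.
    if ($null -eq $EnableLUA -or
        $null -eq $ConsentPromptBehaviorAdmin -or
        $null -eq $PromptOnSecureDesktop) {
        return 'Unknown: policy value missing'
    }

    $admin  = [int]$ConsentPromptBehaviorAdmin
    $secure = ([int]$PromptOnSecureDesktop -eq 1)

    # EnableLUA = 0 turns UAC off altogether (and with it IE Protected Mode
    # and file/registry virtualization, as discussed in the thread).
    if ([int]$EnableLUA -eq 0) { return 'Off: UAC disabled (EnableLUA = 0)' }

    # 0 = administrators elevate without any prompt.
    if ($admin -eq 0) { return 'Off: administrators elevate silently' }

    # 5 = consent prompt only for non-Windows binaries; Windows binaries
    # on the auto-elevation list elevate without a prompt.
    if ($admin -eq 5) {
        if ($secure) { return 'Default: Windows binaries auto-elevate' }
        return 'Default without secure desktop: Windows binaries auto-elevate'
    }

    # 1/2 = credentials/consent on the secure desktop for every elevation;
    # 3/4 = the same prompts, secure desktop decided by PromptOnSecureDesktop.
    if ($admin -ge 1 -and $admin -le 4) {
        if ($admin -le 2 -or $secure) {
            return 'Maximum: every elevation prompts on the secure desktop'
        }
        return 'Always prompts, but not on the secure desktop'
    }

    return "Unknown: unexpected ConsentPromptBehaviorAdmin = $admin"
}

# Constructed sample values (not read from any real machine).
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacLevel @s }

# Live check on the local machine (reading this key needs no elevation).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p) {
    Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
}
```

This covers only the prompt behaviour for administrators in Admin Approval Mode; prompts for standard user accounts are governed by the separate `ConsentPromptBehaviorUser` value.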
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Please follow your own advice. At no point did I advise anyone to turn off UAC. In fact I advised the opposite. So please stop putting words in my mouth. I don't appreciate it and neither would you.

    I call it what Microsoft calls it:

    Feel free to Google around. You will find tons of quotes like the ones I just gave you where Microsoft employees clearly state their intentions for UAC. I am sure you will find plenty of quotes from Microsoft employees saying that it is not a security mechanism as well. In fact I am certain that you will find the same person stating both things in different situations at different times. The truth is, Microsoft tells you UAC is what ever is most convenient for them at that point of time.
     
    Last edited: Feb 16, 2012
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Wow, it's Fabian slapping day? Let's all join in!
    Or perhaps it's better to take a step back, read his 'offending' post once more and see how aggravating and inflammatory it really is;

    Who can't read here that he advises to jack up the Win7 basic UAC level up to the former Vista level?
    I know some get the gist but a few have gone hell bent; Lame! Commercially driven FUD! He's a witch, light up the fire!
    Jeez, come on guys, you can read in to it whatever you want but is it really that hard to understand that the Win7 non-security feature UAC (OK, m00nbl00d?) is only really useful (as a security measure) at the old-school Vista level?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    With all due respect, Fabian Wosar said the following...

    So, answer me: Is he saying to disable it or not? Yes or No?

    I have Windows 7. I run under a standard user account. I have UAC set to default. Oh, should I disable it? And, use a full-blown administrator account instead, so that I can make a proper use of applications, that otherwise won't be able to update, etc and switching between accounts every single time they need to upgrade will be impossible from within a standard user account with UAC disabled?

    Also, let me repeat it once again: I agree that at default settings UAC isn't as useful as with maximum settings. I never said the contrary. I just refute saying that "In fact, if you use Windows 7 with UAC set to default, you may as well just disable it."

    That is what Mr Fabian Wosar said. Can you seriously deny that he said that?

    Can you also, Fabian Wosar, deny that you said that? Now, if you're telling me that's not what you meant, then you should have edited that post of yours. Something you never did.

    So let me ask: Did you or did not say that if a user is using UAC at default settings, then he/she may as well disable it?

    With UAC disabled people lose Internet Explorer's Protected Mode, making Internet Explorer running with the same set of privileges the user has, either the full privileges of standard user account or administrator account.

    What good will come from that, if I'm an Internet Explorer user? Not to mention it will be as painful to work with Windows and apps, as it were with Windows XP, reason why many ran as administrators.

    So, Baserk, can you answer it? Didn't he say it? Allow me to quote him again:

    In fact, if you use Windows 7 with UAC set to default, you may as well just disable it.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    o_O UAC off? When have I ever talked about UAC off? o_O You have me lost.

    With UAC on... hmmm... avoid it? Avoid how? You can't make it black or white; there's a gray area. That gray area is called Protected Mode and UAC virtualization.

    If you seriously understood those two concepts, you wouldn't be saying what you're saying. Sorry, but until Fabian Wosar explained you, you had no idea that UAC and MIC are not tied.

    Are you saying that if I download something that it can avoid UAC when I execute it? Is that what you're trying to say? Or, if I use another browser other than IE or Google Chrome, an exploit may happen to that browser or one of its plugins? There are a lot of scenarios... and to us, educated users, it won't matter, because we can fill those gaps, can't we?

    But, for the majority of users, who include many of my relatives and friends, UAC at maximum is as useless as default, from an alert point of view and simply because if they want to elevate something they will; if they're tricked to elevate something, they will. How about that? I just proved that at maximum settings UAC can be as useless as default. So what? What does this prove? :doubt:

    The same way they would allow with Mamutu behavior blocker or Online Armor HIPS or another solution like any of these.

    What would this prove? Nothing, at all. Stop making of UAC the bug it isn't. lol
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just suppose I'll have to quote you again? It's sounding like a broken record... but, sometimes people don't listen to the music at the first time. :rolleyes:

    This is what you previously replied to user STV0726:

    While more intuitive it will be completely useless for security the same way the current Windows 7 default settings UAC is useless for security now. In fact, if you use Windows 7 with UAC set to default, you may as well just disable it. While you are answering those nice little requests for legit applications, malware will just elevate itself by abusing the white list.

    Now, if you say you didn't...

    No need to Google. There's an interesting Microsoft article, by Mark Russinovich: -http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx

    I think you're also confusing Microsoft or its employees stating this or that. What they probably say, and as I agree, is that by reducing an administrator account privileges, you are effectively making users safer. You can also achieve to a great degree using a standard user account, yet it's not a security functionality.

    And, allow me to reiterate: I agree with you that UAC maximum settings are better than default settings, for people like us. People like my relatives? It makes really no difference. But, default settings are still better than disabled, and simply because there's a gray area in all this, as I've explained to Hungry Man: Protected Mode, UAC virtualization. There's another one, actually: convenience.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I still don't see this as him advising anyone to do anything. He's just pointing out how easily bypassable it is ie: it's as if it's not there at all.

    edit: And yes, I know, protected mode and virtualization.
     
  14. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Interesting thread!!:thumb:

    First of all:
    I find it very nice if people with real knowledge participate in discussions, that's something that even here on Wilders is seldom these days.

    And if those people work for security companies - so what? As long as there is no hidden advertising and claiming for their own products to be the best all is ok. So for me it's unfair to bring in the company somebody works for if it has nothing to do with that topic. Fabian has made some real good points.

    When I concentrate on arguments I see a little misunderstanding...



    So why put this sentence totally out of context? Just look at the parts written before...

    From that point for me (!) it is clear that this statement is not against UAC at all, only against UAC (at default settings) as security feature. And you wrote yourself that UAC is not a security tool.

    Beside that - I don't read it as advice it is just a comparison.
     
  15. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Correct, you are sounding like a broken record. Language is a beautiful thing. You can say something while meaning the exact opposite. It is called irony or sarcasm, depending who you ask. It's an interesting concept. To give you an example:

    Quiet market traders? Istanbul may as well just install vending machines
    http://www.guardian.co.uk/commentisfree/2012/feb/15/quiet-market-traders-istanbul?newsfeed=true

    Does the Guardian advise Istanbul to replace their street market traders with vendor machines? Hell no. They point out that their proposed legislation is a crazy idea trying to persuade Istanbul to do the exact opposite.

    I said that. The problem is not that I said that. The problem is that although multiple persons including myself spelled it out for you, you still insist that your interpretation is the only correct one. Clearly, since I wrote that sentence I have no idea what my intentions were. Apparently you must be a mind reader diving deep into my subconscious so you are able to see my subliminal motives that my conscious mind isn't aware of. (Attention: Italic text may contain sarcasm or irony!)

    Go have a read at Microsoft's UAC blog. Mind you, that unlike Mark, those are the people who actually build it. If they don't know what their intentions were, who does?

    Right about now you are sounding like the people who argue that MS SQL (or any other relational database for that matter) is not a relational database because it doesn't fulfill Codd's 12 criteria.

    So you honestly think that it doesn't matter if any silent remote execution exploit turns into a silent remote admin code execution exploit? Because that is the exact implication of Windows 7 UAC's default behavior.
     
    Last edited: Feb 17, 2012
  16. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Yes, he did write that. Within the context of the entire discussion here and within the context of previous posts.
    But if you start to quote selectively, you can go wild over almost everything. Example;
    Now I can go berserk; Really m00nbl00d? Really?? UAC at maximum is as useless as default? What a weird statement!
    See? It's easy to go wild over partial quotes if you willingly neglect the entire message.
    Let's just move on, no use flogging a dead horse to pieces.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Let's try and clarify it for once and for all, then.

    Within the context of your reply:

    What do you mean with "In fact, if you use Windows 7 with UAC set to default, you may as well just disable it."?

    By reading everything you have said, my understanding is that you're trying to give the idea that having UAC at default settings is useless, and it would be the same as not having it.

    And, if I were trying to look for more information and came across your statement, within that reply, that would exactly be my understanding - that you were trying to imply that by running UAC at default settings, it would be the same as not having it - it would make no difference.

    All I did was refute the idea that having UAC at default settings is useless, because it's not! UAC implies a lot more. It isn't black or white.

    I already explained why it isn't black or white, and I mentioned what's the gray area.

    Let's stop right there. ;) I never said that UAC default settings were better than maximum settings. I actually said that I AGREE with you, when you say that maximum settings are better than default.

    What I refuted is the idea that default settings are useless. They are not. And, precisely because of the gray area (Protected Mode, UAC Virtualization and convenience (=working in a limited user account)).

    But, coming from someone who says sandboxing shouldn't exist, because it makes software developers not patch their applications... When, in fact, sandboxing exists to help protect against bugs that will never be found by the good guys... OK, dude... have it your way.

    By the way, where's the evidence (=real facts) that show that Internet Explorer's Protected Mode has been broken multiple times already?

    Or, are you going to say you didn't say it either? lol You can PM me the data about it. I said I'd like to get a look at it, so that I can understand how Protected Mode was broken multiple times. I'd really like to understand if millions of users were in danger... :rolleyes:

    You brought it up; you should reveal the data that shows that information, that Protected Mode has been broken multiple times already.

    I suppose you're going to find an Istanbul-like analogy, to excuse you? lol

    By the way, it's post #108.

    Actually, the best protection is patching and sandboxing. You can't find every possible bug. As a software developer you're aware of that, aren't you? Yes, you are. ;)

    Better would be no bugs, at all. That won't happen. Not anytime soon. So yes, sandboxing is very much needed.

    @ Baserk

    Sorry for once again quoting selectively. lol
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You could always just not write your programs in C++ lol but that's too much to ask for most developers... and most security-conscious languages either die or are a joke (looking at Java/Ada here.)

    @Moon,

    The grey area you're referring to is protected mode (something Chrome apparently does without UAC) and the virtualization (something meant for compatibility, not security.)

    Basically, if you have UAC at default the result is that malware will elevate without triggering it, it's a simple matter to avoid. This is the same behavior as having it off. Therefore you should turn it on max.

    All you lose is protected mode (MS's own fault it's tied to UAC) and virtualization.

    But, again, no one's suggesting you turn it off. Everyone's suggesting you turn it up.

    edit: He posted a paper about IE's protected mode being broken and it broke in pwn2own the other year.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, Microsoft tied IE's Protected Mode to UAC. And? And, virtualization? You're forgetting that many x86 applications weren't built exactly for Windows 7, or the software developers are just lazy. The point is that by turning off UAC - if one were to believe it would be useless to have it at default settings -, then you'll lose compatibility with such applications.

    I mentioned that I use a standard user account and UAC set to default. What Fabian Wosar mentions does not apply to me or anyone else working this way.

    So, what he says about UAC is only true for those running as protected administrators. But, to be honest Hungry Man, do you truly believe that the Joes and Janes out there would really be protected with maximum settings? They wouldn't, even if they are with maximum settings. lol If they want to run something, they will; they also will be tricked into elevating something. The same deal about behavior blockers and HIPS.

    I didn't say he suggested it. I said he said that by having default, you may as well disable it.

    I just refuted that. It seems a few got angry at it. lol

    What? That? Those are the multiple times? So, that's the data that backs this "The best protection from exploits is not to build a sandbox around them"? lol

    I thought it was something truly serious. :oops:

    -edit-

    Yes, I'd like to see Microsoft treat UAC differently for the sake of users. But, wouldn't make any difference? Do you honestly believe it? Those who want to increase UAC level of alerts can do so. Microsoft didn't take it away; it's still there. But, Microsoft can't exactly please everyone. So, I'd applaud if Fabian Wosar writes an article about it at Emsisoft blog. Who knows more people will see it when searching for more info about UAC? ;)
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, even if I were running as a protected administrator, with UAC at default settings, I'd still have AppLocker and other stuff. As I said, we educated users can fill the gaps.

    For most other people, won't really matter. If it isn't an exploit, it will be social engineering, which either according to Google/Microsoft (don't recall which one), is what is prevailing most.

    If it isn't social engineering, it will be pirated software... There are many variants. You need to have them under consideration.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Of course this is how I feel.

    In terms of compatibility yes there may be some differences due to lacking virtualization when turning it off.

    In terms of security default is basically as useless as having it turned off. You know that I'd go further to say that it's just as useless on max, but that's really a separate issue.

    MS is the one who says that social engineering makes up the vast majority of infections. Google says it's the exact opposite. Chances are it's a combination ie: you get tricked into clicking a link that takes you to an exploit page or some such thing - that's just my opinion though so before anyone goes nuts asking for proof, just that little disclaimer.

    But, yeah, I've already said I disagree that sandboxes aren't useful. I've said multiple times that access control is at the heart of security.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    But isn't MS more right here? Doesn't social engineering con victims into bringing the Trojan Horse in?
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I haven't read the Google paper but I read MS's. They don't really cover what a situation like the one I'm talking about falls under. So I really don't know.

    I've seen so many exploits and so many socially engineered malware samples it's hard to say.

    Obviously MS was trying to say smartscreen is important and Google was trying to say sandboxing is important.
     
  24. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The gist is: If you want to use UAC (which I assume you want to if you have it on default now) put it to maximum to get the full effect.

    You are correct. That is your misunderstanding. Everyone else who participated seems to get it right.

    Sure, if you don't understand sarcasm/irony when you see it and completely ignore everything else I said, that could be the case. That's the danger of sarcasm/irony.

    Oh, so you say you don't like it if people selectively quote what you say, completely putting what you said out of context the same way that you did in my case for the last replies? What a shocker! How does a spoonful of your own medicine taste? You don't like it, right? So don't do it to anyone else.

    You make it sound like it was the insane delusions of a febrile nut job. The reality is that Adobe already delays fixing vulnerabilities for up to 3 months for products that use their sandbox and their sole reason for that is the fact that the product allows using a sandbox.

    Microsoft was in a very similar spot as Adobe is now. Remember the early Windows XP days? New remote code execution exploits popped up literally every few months. Blaster, Code Red, Sasser went rampant. It got to the point where an unpatched Windows XP wouldn't survive the first minute being directly connected to the internet. What did Microsoft do? They didn't build sandboxes around every single component of their system. They improved their development processes by introducing the Security Development Lifecycle and the results are undeniable. I would take approaches like those that will address the problem at the root over a sandbox any day, especially when the sandbox is then used as an excuse not to fix bugs in a timely manner like Adobe does.

    That being said, after you switched your own development process to use security aware development patterns, after you changed your quality assurance processes to not only test whether or not your software works but to test whether or not your software breaks as well, after you built a strong security response team that is not only capable of verifying new vulnerabilities but also of fixing them without introducing new bugs in a timely manner and after you made sure you are using the mitigation systems offered by the platform your software runs on (ASLR, DEP), adding additional mitigation techniques like sandboxing can be beneficial. As soon as sandboxing is used as an excuse not to implement anything of the above, it will be detrimental to the overall security of your product.

    I already did.
     
    Last edited: Feb 18, 2012
  25. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    @Fabian: Thank you for your reply in which you addressed my concerns; I appreciate it. While I do not agree with everything you say, I admit I may have assumed a bit about your posting at first (I guess that is why they say the "ass-u-me" thing about assuming). :oops:

    Now, let me clarify my view on sandboxing and other whitelist-based prevention measures, which I consider by far my favorite approaches/methods to security:

    The drawback to whitelisting and sandboxing (whether that be at the application level or true virtualization) is that it offers no protection from social engineering of any type. However, in general, users who utilize whitelist-based prevention measures tend to be at least of intermediate (hopefully) proficiency with computers to counterbalance that shortcoming.

    As for Fabian's comments on incorporating sandboxes (or Windows Integrity Levels) into certain applications; while that is a great idea and something more (all, I wish) software developers should do, it is NOT an excuse for slow patching. Software should always be rapidly kept up-to-date and vulnerabilities should be addressed as soon as they are discovered. I can agree with his comments in that respect, but I maintain my position that sandboxing/other means of true whitelisting are the absolute BEST protection from malware, sans social engineering.

    Therefore, the best way to be protected from malware (you could even say 99.99%) is rigorous user education combined with whitelisting. Unfortunately, this is not always a realistic goal/approach, which is why blacklist-based prevention measures are so widely used. The problem with blacklisting is that it is vulnerable to the same thing other software is--the need for constant updating to "keep up" with the bad guys.

    Any security setup that involves running full-time as an administrator without Admin Approval Mode, and relying solely on a blacklist-based prevention measure (including Emsisoft Anti-Malware, as good as it is), would be a security setup I deem inappropriate for anyone. I'm not saying that this is what Fabian was suggesting as he has reiterated again and again that that was not his intent; I am just setting the record straight on that which hopefully we all can agree. :thumb:

    As for turning off UAC, I will always argue people should never do that. The most they should do in terms of alteration is configure it to be silent. I am not going to make the arguments again of what you lose when you turn it fully off as we know that by now, but an additional benefit of leaving it on even if on silent is that nothing runs by default as an admin. Things can elevate automatically, but they don't unnecessarily, stupidly get admin privileges automatically. That just makes sense to me. Why would you fully turn something off when you could get rid of the annoying part but leave some of the back-end benefits on? That's common sense and a no-brainer! :thumb:

    Lastly, I am going to try really hard not to sound like a hypocrite here, because I am guilty of the same crime all the time; I get strangely, extremely passionate about abstract things like computer security...

    I am going to ask that we try not to make this a personal argument about what he said or she said. I am not taking either side but as the thread creator I really would be disappointed if a moderator had to come in here and close the thread because of that, especially since this thread has gone so much deeper than I thought it would. You guys are brilliant! :thumb:

    Thanks!
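
The UAC states argued over in the posts above (maximum, default, silent, fully off) can be told apart from three Windows policy registry values. The following is an added example, not part of any poster's message: the function name `Get-UacPosture` and the sample inputs are constructed for illustration, and mapping the thread's "silent" to `ConsentPromptBehaviorAdmin = 0` with `EnableLUA = 1` is an assumption about what the poster means.

```powershell
# Added example: classify UAC posture from the policy values under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # A missing value is reported rather than guessed at.
    if ($null -eq $EnableLUA -or $null -eq $ConsentPromptBehaviorAdmin) {
        return 'Unknown: EnableLUA or ConsentPromptBehaviorAdmin is not set'
    }
    # EnableLUA = 0 disables Admin Approval Mode: administrators run with a full token.
    if ([int]$EnableLUA -eq 0) {
        return 'Off: Admin Approval Mode disabled'
    }
    switch ([int]$ConsentPromptBehaviorAdmin) {
        0 { return 'Silent: Admin Approval Mode on, elevation granted without a prompt' }
        1 { return 'Always prompt: credentials, on the secure desktop' }
        2 { return 'Maximum (always notify): consent, on the secure desktop' }
        3 { return 'Always prompt: credentials' }
        4 { return 'Always prompt: consent' }
        5 {
            # Value 5 prompts only for non-Windows binaries.
            if ([int]$PromptOnSecureDesktop -eq 1) {
                return 'Default: prompt for non-Windows binaries, on the secure desktop'
            }
            return 'Default without secure desktop: prompt for non-Windows binaries'
        }
        default { return "Unrecognised ConsentPromptBehaviorAdmin value: $ConsentPromptBehaviorAdmin" }
    }
}

# Constructed sample inputs, one per state discussed in the thread.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacPosture @s }

# On a live machine, read the real values from the policy key.
$p = Get-ItemProperty -Path $PolicyKey
Get-UacPosture -EnableLUA $p.EnableLUA `
    -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $p.PromptOnSecureDesktop
```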
     