January 30, 2009 3:41 PM PST

Windows 7 less annoying, but also less secure?

by Ina Fried

Microsoft's efforts to make Windows 7 less annoying than Vista may also be making it less secure than its predecessor.

With Windows Vista, the operating system popped up a warning any time a major change was being made to the system, whether by the OS or by a third-party application. With Windows 7, users can choose how often to be notified, with the current default set to notify only when a third-party application is making a change.

Blogger Long Zheng, however, is drawing attention to an apparent shortcoming in that approach. Because changes to the user account control setting itself are being made within the OS--and not by a third party--malicious code could turn off such alerts entirely with the user getting little notice that such a change had been made. Zheng said he and fellow blogger Rafael Rivera have come up with a simple proof-of-concept code to show the vulnerability.

Microsoft is trying to thread a difficult needle here. The prompts issued by the User Account Control program, though annoying, help alert users to changes to their system. But if the prompts are so annoying that people turn off the setting--or stick with older operating systems--then things aren't secure either.

Zheng proposes, at a minimum, that Microsoft's default setting also warn users if a change is being made to UAC itself. That seems reasonable to me.

A Microsoft representative was not immediately available for comment.
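
The notification levels described above are stored as registry values under the UAC policy key, so a lowered setting can be detected after the fact. The following is an added example, not code from the article or from Zheng and Rivera's proof of concept: it classifies a snapshot of those values and flags a downgrade against a baseline. The level names, the function names, the constructed snapshots and the slider-to-value mapping (the commonly documented Windows 7 one) are assumptions.

```powershell
# Added example: classify the UAC notification level and flag a downgrade.
# The value names are the standard UAC policy values; the mapping of slider
# positions to values is the commonly documented Windows 7 mapping and is an
# assumption here (the article does not list it).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Higher rank = more prompting. Level names are hypothetical labels.
$UacRank = @{
    Off          = 0   # EnableLUA = 0
    NeverNotify  = 0   # elevate without prompting
    NotifyNoDim  = 1   # prompt for programs only, no secure desktop
    Default      = 2   # prompt for programs only, on the secure desktop
    AlwaysNotify = 3   # prompt for programs and for Windows settings
}

# Read the three relevant values from the live registry into a hashtable.
function Read-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    return @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# Map a snapshot of the three values to a level name.
function Get-UacLevel {
    param([hashtable] $Policy)

    $lua     = $Policy['EnableLUA']
    $consent = $Policy['ConsentPromptBehaviorAdmin']
    $secure  = $Policy['PromptOnSecureDesktop']

    # A missing value means the snapshot is incomplete; do not guess.
    if ($null -eq $lua -or $null -eq $consent -or $null -eq $secure) {
        return 'Unknown'
    }
    if ($lua -eq 0)                        { return 'Off' }
    if ($consent -eq 0)                    { return 'NeverNotify' }
    if ($consent -eq 5 -and $secure -eq 0) { return 'NotifyNoDim' }
    if ($consent -eq 5 -and $secure -eq 1) { return 'Default' }
    if ($consent -eq 2 -and $secure -eq 1) { return 'AlwaysNotify' }

    # Other combinations (for example values set by Group Policy) are not
    # slider positions and need a human to look at them.
    return 'Custom'
}

# Compare a known-good baseline with the current snapshot.
function Test-UacDowngrade {
    param([hashtable] $Baseline, [hashtable] $Current)

    $before = Get-UacLevel $Baseline
    $after  = Get-UacLevel $Current

    if (-not $UacRank.ContainsKey($before) -or -not $UacRank.ContainsKey($after)) {
        return "REVIEW: $before -> $after (unrecognised combination)"
    }
    if ($UacRank[$after] -lt $UacRank[$before]) {
        return "ALERT: UAC lowered from $before to $after"
    }
    return "OK: $before -> $after"
}

# Constructed snapshots (not taken from a real machine).
$baseline = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
$lowered  = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
$partial  = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5 }

Test-UacDowngrade -Baseline $baseline -Current $baseline
Test-UacDowngrade -Baseline $baseline -Current $lowered
Test-UacDowngrade -Baseline $baseline -Current $partial

# On a live system, compare a stored baseline with the current values:
# Test-UacDowngrade -Baseline $baseline -Current (Read-UacPolicy)
```

Run on a schedule or at logon, the comparison reports a change to the setting that the default level described in the article would not announce with a prompt.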

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Showing 1 of 2 pages (94 Comments)
by TheSmellyMoa January 30, 2009 4:16 PM PST
No Windows installation can be secure. XP is the least annoying of all the current crop. But what really matters is the boot loader exclusivity that forces the world to have to buy raw iron or a Windows box. Fix that and you'll end up with more secure desktops overall inside of 10 years as people choose other OSes based on features like user-friendly security. Would Paul Allen shout at you if you wrote about the boot loader issue?
by eadeguzman January 30, 2009 4:50 PM PST
Huh?
by Lerianis January 30, 2009 6:33 PM PST
I think he is saying that there is a problem with the 'lock-in' that some OS's have that they will only work on certain hardware.
by tm_anon January 30, 2009 10:57 PM PST
It's called Linux and yes, it works on the same hardware as Windows. It also works on Apple machines and it works on many other devices. It's also very easy to work with once installed and set up.
by gabeheim January 31, 2009 4:19 AM PST
Umm, the only dirty thing MS does is not respect your MBR when you reinstall windows. (I don't know if vista and later fixes this or not, but..) Nothing else stops you from loading Linux or FreeBSD. In fact, if you don't plan to repartition your HD, you can install ubuntu from CD using wubi, which will install an ubuntu filesystem image on top of your ntfs filesystem. It even uses the windows ntloader to boot the linux kernel. It is surprisingly fast, windows XP lags on my wife's laptop (dated sempron 3200 with 2 gb ram and ati x200), while ubuntu on top of ntfs flies, even with compiz-fusion 3d effects (which are more advanced than anything vista or win 7 have).

Of course, the windows legacy has, by MS's design, made it hard to buy raw iron (hardware without OS) from a major hardware vendor. So, are you talking about the server market, where it has been easier to get raw iron? Also, a few more vendors are willing to sell machines with linux or without an os now.

Boot loader insecurity? Grub (used by most Linux distro's) does have a password and is a good bootloader, but if a user has physical access to a machine, whether linux, mac, or windows, they own it. If they don't, well, the machine will be well past the bootloader stage before it is available to the network.
by eadeguzman January 31, 2009 8:25 AM PST
Here's my point... Boot loader has nothing to do with securing desktops (that is preventing online intrusion). It's off-topic. He even mentions Paul Allen who left Microsoft in the early 80s, was never part of the development of Windows (NT) code as we know now.

And his statement "No Windows installation can be secure" ... you can say that with any other OS's -- yes with OSX or Linux too (secure enough, yes, but totally secure, no).

The security of your OS is ultimately the user's responsibility. If you keep on launching those scripts from emails, etc... despite warnings, you're on your own.
by Ben2talk February 2, 2009 8:10 AM PST
raw iron?
I bought a Vista HP computer, refused the EULA and got a refund, then installed XP and Ubuntu - XP for games, and Ubuntu for everything else. No security issues here m8. Just put your own boot loader in - no problem. Windows never played fair with anyone, so why play fair with Microsoft? Kick it out!
by iBuzz February 3, 2009 8:04 PM PST
Perhaps he is referring to the archaic MBR disc partition format that Microsoft is still using in Windows. MBR allows for executable code right in the drive's partition map, a problem that can infect both Windows (including FAT and NTFS file systems) and Linux if you install Linux to a Microsoft formatted drive.

Because you can infect the hard drive's partition with a virus, it's harder to get rid of because you need to re-partition your drive and make sure you do it with a program that has not been compromised by that virus.

Mac and Linux formatted partitions do not allow executable code in the disc partition.
by timber2005 January 30, 2009 4:24 PM PST
A UAC prompt should be required to change the UAC setting at ANY setting, even off. That would fix the issue, and if anyone were to ever suspect it, Microsoft couldn't elevate it with an update as people suggested with Automatic Updates.
by tm_anon January 30, 2009 10:59 PM PST
better idea. require a password to change the UAC setting. don't worry about the prompt, that's just annoyance.
by Penguinisto January 31, 2009 9:43 AM PST
Not a bad idea - they already have the concept of change accounting - e.g. try to delete the contents of an event log sometime... every time you do, there's one new entry in it showing that you deleted the thing at x date and y time.

The underlying problem is still there - Microsoft tried to wedge in a UNIX-like warning system into an architecture that wasn't really built for it.

You see, Unix and Linux require sudo permissions for the user to put in anything that affects core system components, or writes to directories that have elevated permissions. Whenever you try to install something that could affect the whole system, it demands that you have the right to do so. This is why OSX and Linux will pop up a prompt demanding either the root password, or your password in order to execute sudo.

But here's the trick - most *nix binaries (programs) do not need elevated permissions to run. I can count on two hands the number of apps I installed in my old dual G5 that required me to type in my password - over the past five years. This is in spite of the fact that I have installed and uninstalled hundreds upon hundreds of applications on it.

OTOH, Windows wasn't built this way. Until Vista, there was no real separation of permissions in Windows. Microsoft is still feeling its way around - both in how it tweaks the defining line between user and system, and between the means to warn users about that difference.

The problem is, this 'feeling around' comes at a bad time for them. If this were 1989, okay... it would be understandable and harmless (though still a big annoyance nonetheless) - not to mention safer. They can't afford any screw-ups in 2009... it's become a rather dangerous place out there.

BTW - as for requiring passwords for anything? Err, If I drop something on your machine, I can have the thing run silently in the background until it builds a new account and puts it in the Administrators group... then use that new password to get what I want. It might help, but not by much.
by tm_anon January 31, 2009 10:27 PM PST
@Penguinisto

In order for your program to work, I'd have to install it. Otherwise, it doesn't work. If somehow you did get another account on my machine without having physical access to it, since I'd have to give your account those administrator privileges (which I wouldn't), your account couldn't do much more than run my IM programs or my browser. In order to get past all of that, you'd need to be able to get root privileges in order to give root privileges. See where I'm going with this?

I'm not saying it's impossible to do, I'm saying that, without physical access to my machine, it's a lot more difficult. Guess who's not getting physical access to my machine.
by Seaspray0 February 2, 2009 3:22 PM PST
@penguin. You have no clue on the inner workings of windows. You, who claims "any 13-year-old in Eastern Europe can write a script or rig a webpage to pop a Windows box..." but didn't even produce one. And now this new lie... "Until Vista, there was no real separation of permissions in Windows.".

WRONG. Since 2000, not only has the file structure had security permissions assigned, but the registry (which makes up the core configuration) also had permissions assigned. Every key can have its own unique security. Dude, you don't know jack about windows.
by OFC_Rocco January 30, 2009 4:49 PM PST
I have hacked into windows 7 using an underpowered laptop and old tools ,and a borrowed connection, your mileage may vary along with experience...
by Seaspray0 February 2, 2009 3:25 PM PST
That's nothing. McGyver, can do anything with a pocket knife, paperclip and a rubber band.
by i8246i February 3, 2009 5:28 AM PST
And his mullet doubles as a flotation device!
by Good_Reverend_Gibbs February 3, 2009 6:20 AM PST
Screenshots or it didn't happen. I've hacked the desktop background many times in Windows 7. I've even made it tiled. Don't ask me how to do it.
by QASIMARA February 3, 2009 11:20 AM PST
Whaddya won' a medal er sumthin'? Jesus Christ! I'll take McGyver any day if ya feel the need to brag! Oh, yeah, I forgot... It's all ya have left after she left ya.
by cjb8465 January 30, 2009 4:50 PM PST
A simple way to fix spyware and not be annoying: just ask for permission if a program wants to run anything at startup, or load a browser helper object.
by Lerianis January 30, 2009 6:37 PM PST
That won't work. If it does a 'delayed start' type thing.... it doesn't fall under 'startup' and can still run.

UAC, as it was in Vista, is the best solution... without UAC having a whitelist of applications that can run on your machine without prompting. The fact is that is the best solution: a 'whitelist' of applications, that people whine about because their favorite 'small maker' program wouldn't be on the whitelist.
by tm_anon January 31, 2009 10:30 PM PST
@Lerianis

UAC, as it was in Vista, is still broken. It's a click through, not a password. The click through is an easy automation, just ask anyone who programs bots on chat programs. The password is at least slightly more difficult.
by Dalkorian February 3, 2009 2:57 PM PST
by Lerianis January 30, 2009 6:37 PM PST
UAC, as it was in Vista, is the best solution... without UAC having a whitelist of applications that can run on your machine without prompting.

---------------------------------------------------------------

Why can't winblows apologists hear themselves? "It's the best, except ...", "It's the most _, but ..."; there is always that exception in their declarations. Winblows is the bomb, except when it BSOD's on you and ... uh, well, bombs.

Sigh.

Consider there might be a world outside Redmond. Consider this might have been looked into before. Maybe decades before. The "best solution" to this problem is already out there, it's just not going to be found in winblows. Ever. I'm thoroughly convinced M$ will never be able to understand security. Never. Look at the jokes they've used to try to lock up the x-box, look at winblows security history. They are incapable of getting it after 2 decades.

UAC is a joke of a hack, designed to annoy the users and once again shift all security issues onto their laps. If anything bad happens to your fista box, it's because you allowed it to happen when you clicked Continue on the 43rd popup. That one should have been "Cancel", despite the fact that you were trying to install a new program. You should have realized that most programs only prompt you 42 times. You know, it's the ultimate answer to the ultimate question of life, the universe and everything!

Q: "How many UAC prompts am I supposed to get when installing a program?"
A: 42!
:-)

Seriously though, tm_anon has a very valid point you apologists should consider. How long do you think it will take for someone to write a malicious program (delivered via trojan, virus or other vector) that scans the screen multiple times a second and clicks the "Continue" button on every UAC prompt that shows up?

Feeling more secure yet? How about this cute little tidbit:
https://forums.symantec.com/t5/Emerging/An-Example-of-Why-UAC-Prompts-in-Vista-Can-t-Always-Be-Trusted/ba-p/305919;jsessionid=EC766C58A129B38B2AE65A6AAE92445E#A43

The password isn't a perfect solution (a key logger can get around that), but it's better than a simple "click the OK button" mentality.

Question: have they improved the text in the UAC prompts in either version of winblows yet? From what I've heard most of the text was unreadable to anyone who wasn't a core developer in the OS (try asking your grandmother what "Run a legacy CPL elevated" means, I dare you!)
by xcal78 February 4, 2009 5:37 AM PST
I smell Dalkorian in this thread. Muahahhahaha!
by Hardcode January 30, 2009 5:00 PM PST
CNET Commentary, still annoying but also ... still annoying.
by QASIMARA February 3, 2009 11:21 AM PST
I know! Annoying in'it?
by walk2k January 30, 2009 5:08 PM PST
Turn off UAC problem solved!

I know it's the first thing I did.
by dwkmi January 30, 2009 7:43 PM PST
So you leave your car unlocked with the keys in it? Since it is SO annoying to have to unlock it and put the key in. You deserve every virus/spyware/malware you get.
by BigGuns149 January 31, 2009 11:06 AM PST
RTFA! The issue is that being able to reduce the UAC level in theory can be done by a third party program instead of the user. That would allow malicious programs to have admin rights without user permission, which is really bad.

BTW, the 1990s have called and they want all of you Windows 9X fanboys back. Those of us who actually understand admin rights are quite happy that the old single user versions of Windows are gone (Windows 9X) and those of you who don't get it need to get with the times.
by Dalkorian February 3, 2009 3:05 PM PST
UAC is an answer to the security problems winblows has notoriously suffered. I'll never argue it's a good answer (I think it's a laughable hack), but it's an answer none-the-less.

Turning it off denies the answer. UAC is like a thin cotton bed sheet you have in a winter snow storm. You've tossed it aside and decided to go naked.

These other two are right, when your machine is pwned (likely already is, ever heard of a botnet?) you'll have no one but yourself to blame for it. That bullet in your foot is the result of pointing the gun at your foot and pulling the trigger. Those around you are not laughing with you, they're laughing at you.
by ZetaZeta_ January 30, 2009 5:16 PM PST
In order for a piece of malware to change the setting, malware would already have to be on your PC and have the ability to run. If it's gone that far, you have worse problems than it disabling UAC (which a nonzero number of people already do themselves).
by 3rdalbum January 31, 2009 5:43 AM PST
If malware is on your PC and is running, but it does not have administrator privileges, then you do not have "worse problems than it disabling UAC". If you reboot, the malware will not be able to load itself back in without your help. If it disables UAC, then it can put itself into a system-wide location and set things up so that Windows will automatically run the malware on startup.

This whole attitude of "If it gets on your PC, it's game over" is a convenient excuse to skimp on security.
by Dylan_Wisor January 30, 2009 5:20 PM PST
First we whine about UAC being too much of a problem, now we whine that it's being toned down?
Tech geeks are a fickle bunch, huh?
by FanBoy200 January 30, 2009 7:03 PM PST
I think it's just the Tech Reporters that are a Fickle Bunch.... They just keep on insisting on Complaining about something.....
by kj_dinesh January 30, 2009 7:27 PM PST
That's true, the very reason I came to read this article is the story heading, few months back the same bunch of people were whining about UAC. How lame of these websites to contradict themselves to create stories.

Firstly turning off UAC is not a big thing in VISTA, it is as simple as changing your wallpaper (Only you have to know where to look for).
by tm_anon January 30, 2009 11:04 PM PST
I'm thinking the "Tech geeks" as you called them just want a UAC that isn't like an overbearing mother who wants you to prove you're wearing clean underwear through your mid-20's while still maintaining security.

Linux has a very good UAC model. From what I've read, OS X also has a very good UAC model. Is it too much to ask for Windows to follow suit?
by BigGuns149 January 31, 2009 11:10 AM PST
@ tm_anon : You make an excellent point. Linux and OS X have very good user authentication systems. The only caveat is that most people designing applications for these other operating systems don't automatically presume that they have admin rights like most Windows designers do. As time is passing you are seeing less and less applications requiring admin rights on Windows unless there is a real compelling need for it (eg. low level system utilities). For example, there is no reason that an HTML editor (eg. older copies of Dreamweaver) need admin rights, but until recently there were all sorts of absurd examples of applications that needed admin rights.
by massfat January 31, 2009 2:18 PM PST
@tm_anon

Yes it is too much to ask. It's not the model, it's the people that make software for the Windows Platform. Too many of them create apps that don't work without various privileges, and because of this, it becomes difficult to isolate programs. Microsoft's issue is that it needs to start telling developers to make isolated programs, and then just ignore any developers that still want admin rights for their programs. The reason they're struggling now, is that if they suddenly change UAC drastically, a lot of software might stop working, and people will be angry.

Microsoft's own monopoly has led to them being the only OS maker that there that has this issue. The other OSes don't have many programs to begin with, so they can easily do whatever they want.
by tm_anon January 31, 2009 10:42 PM PST
@massfat

Linux has hundreds of programs listed in the Ubuntu repositories alone. With the exception of the firewall I have installed, none of them need admin rights. Going out into the broader world of Linux in general, there are thousands if not hundreds of thousands of programs available with only a very small amount of them needing admin rights and almost always having good reasons for those rights, which must be granted by the user every single time for that specific program.

When I asked if it was too much to ask, I thought it was fairly clear that was a rhetorical question. It's not too much to ask that Windows UAC be modeled after two very good examples of how it's done right. When implemented properly, UAC is more secure than a simple click through process while still keeping out of the way. Linux does this, OS X does this.

As for the developers, if they can't figure out how to design a program that works in such a way as to run without needing admin rights then those developers should be out of a job. With so many programs designed for both Linux and Mac OS, they have no excuse. It's a great way to weed out problem developers.
by xBeanie February 2, 2009 6:43 PM PST
"until recently there were all sorts of absurd examples of applications that needed admin rights."

Yeah, the funniest one I found was Age of Empires. Pretty bad when you can't even play a game written by MS without admin rights. They never did release a patch for that as far as I know.
by Dalkorian February 3, 2009 3:11 PM PST
by massfat January 31, 2009 2:18 PM PST
@tm_anon
Yes it is too much to ask. ... Microsoft's own monopoly has led to them being the only OS maker that there that has this issue. The other OSes don't have many programs to begin with, so they can easily do whatever they want.

----------------------------------------------------------------

Thanks Massfat. That was simply the most laughably idiotic thing I've read all year. I actually LOL'd (that's "Laughed Out Loud" for the slower folks).
by BenODen January 30, 2009 5:45 PM PST
I would like to suggest that UAC is flawed not only for its frequency but also its lack of information. There is very little information given to the user when the UAC comes up. At the very least, either the complete path to the executable or registered application name which triggered the request should be displayed to the user in the UAC popup. That would allow the user to catch unknown programs trying to execute a privileged action. There also should be information about what action the process is trying to perform. That may be more difficult to do securely and clearly, depending on how privileged actions are requested, but as it is, everyone is left out in the cold about what will happen when allowing a privileged action. There should also be a log of privileged actions performed which could be audited periodically.

Resolving these issues would go a long way to actually making UAC useful. As it is, no user has enough information to intelligently decide, so we just click YES when told to, assuming that it's OK.

Can someone tell me a story of where UAC kept their system safe?
by Lerianis January 30, 2009 6:40 PM PST
I can.... all of a sudden, when I was web surfing, I got a UAC prompt for apparently no reason. I was thinking "What the hell?!", looking at the 'more information' in the UAC told me that a program was running from Windows\Temp needing system access.... I look... I'd gotten hit with malware. I immediately ran a virus-scan, it found the malware, and got rid of it.
by BenODen January 30, 2009 8:50 PM PST
More information!? Is that new with SP1? I'm a bit behind, I guess..
by BenODen January 30, 2009 8:51 PM PST
But, that's just how it's envisioned, I just wonder how many people are clicking yes too quickly...
by Dalkorian February 3, 2009 3:24 PM PST
Sorry, I know you apologists are starting to hate me at this point, but it sounds like UAC informed you that you were already infected Lerianis. It didn't keep you safe, it just informed you that you had been violated. Same thing the virus scan did, only less directly. In fact it sounds like UAC failed you, unless you intentionally installed that malware to test UAC's responses to it. Otherwise how did the malware get there, isn't THAT what UAC is supposed to be preventing?

I run virus scans on my game console (my ex-pee partition) regularly, literally each time I let it connect to the internet. UAC hasn't made you any safer than I am, I get malware occasionally as well (despite how ridiculously paranoid I am with winblows). The virus scan that got rid of the malware, that has made you safer. The UAC that allowed the malware to be installed to begin with is an utter failure in the grossest sense.

Yet you'll continue apologizing for it. Simply amazing.
by bayaryaan January 30, 2009 5:48 PM PST
Does Ina even use Vista? Her statement that Vista "popped up a warning any time a major change was being made to the system" completely ignores the fact that a warning also pops up when you are doing menial things..such as deleting a single photo. It's not just a pop up...my screen goes black while the warning loads. There's no way of turning this feature off. It's poorly designed security features like this that make me hate Vista. Microsoft, like all information security people I've met, assume that all end users are idiots. While I agree that many Americans are fat, lazy, retards (case in point: 2nd term for George W), all of us are not. I've had SO many problems with Vista, I don't need geeks at CNET proclaiming that nothing is wrong. Vista = Windows ME, just a lot worse.
by Lerianis January 30, 2009 6:41 PM PST
Excuse me, but your system should not be doing that. I delete photos on my system all the time, and UAC is NEVER triggered even by ACDSeePro 2.5.... you are lying, to be blunt. There is NO reason for your Windows Vista system to be doing that, if it is..... it is doing it for ANOTHER reason than just because you are deleting a picture.
by kj_dinesh January 30, 2009 7:33 PM PST
You should be able to turn off UAC very easily, Go to control panel --> Security Center --> select/deselect check box which says "use User Access Control" (Right now I'm not logged into VISTA based PC, so the prompt may not be exact)
by BenODen January 30, 2009 7:55 PM PST
I don't believe he is lying. I suspect he's run into one of the very annoying bugs in vista. The one where vista turns all your files read only. So yes, that would totally pop up UAC for every deletion. Might even keep updates to these files from happening...

here's the URL full of people who have run into this bug. There are workarounds, but they don't always work for all people. I've run into this bug, and thankfully, the workaround worked for me.

http://www.followsteph.com/2007/06/17/windows-vista-read-only/
by Kissmyne January 30, 2009 11:42 PM PST
UAC is a great tool only with several mild annoyances.. particularly the black screen that occurs as UAC is triggered.. to disable...go to regedit (if you don't know what it is, find someone who does cause you can screw things up big time) then navigate with the little arrows on the side of the screen to this location.. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] once again if you don't get a navigation address don't try it. there is an entry called PromptOnSecureDesktop make sure its Value is 0. This will get rid of the lag effect with UAC.

Pertaining to a photo deletion triggering UAC. There would be two main reasons for this.. one being the photo was saved to a protected folder. If this is the case save your photos to the pictures folder provided by windows and your deletion woes should go away. The other possibility is you somehow made the default pictures folder a protected area.. this being unlikely I am going to omit that result at this time.. oops.. one more possibility.. if you haven't upgraded to Vista SP1 then it is likely this is occurring as well.

Have a nice day all.

Running Vista without UAC as put previously is like not using the door locks on your car cause of the inconvenience having to unlock it causes. Go back to XP in that instance.. though its vulnerabilities are far greater than Vista with or without UAC. Windows XP- http://secunia.com/advisories/product/22/ Windows Vista- http://secunia.com/advisories/product/13223/
by BenODen January 30, 2009 5:55 PM PST
The only redeeming thing about Windows Me is that it bought MS time to release the delayed Windows XP instead of rushing it to the market. It's not clear that Vista will lead to anything nearly as acceptable as Windows XP. Windows 7 sounds to me more like Windows Vista SP2, not a whole new OS. It seems like Microsoft thinks they can fool us into accepting vista SP2 by calling it Windows 7. I'm fairly sure that if they don't address the major concerns, it won't fare any better.
by Seaspray0 February 2, 2009 3:43 PM PST
Obviously you haven't tried it, so stop with the childish whining. Windows 7 is what vista should have been.
by i8246i February 3, 2009 6:04 AM PST
Not really, what vista SHOULD have been is XP 2.0

instead they made "HAY GUIS, LOOK AT US, WERE LIKE APPLE LOL!" and rushed it out the door without any concern for the everyday user

Windows 7 is a step up: it feels more stable and has generic device drivers from the get-go that allowed me to download driver updates wirelessly...but it also has serious issues with my computer habits: internet videos don't run in full screen properly, sound comes out of the main speakers even when I have headphones plugged in, Skype doesn't run properly

And then there's the horrid UI, the typical Microsoft "upgrades" of existing utilities and features (now renamed and relocated to somewhere that makes no sense whatsoever), and UAC is a horrid cop-out to real security

What happened to Group Policies, Event Logs, Spyware/Adware/Virus scanners and good old common sense (translation: never using IE)? Slapping a slider bar on the UAC isn't giving any "control" over this horrid service: it just lets you set the level of stupid interruptions you will encounter while attempting to use your pc.

Windows 7 is pretty, it runs ok, but it needs to break free of Vista altogether
by Dalkorian February 3, 2009 3:37 PM PST
by BenODen January 30, 2009 5:55 PM PST
Windows 7 sounds to me more like Windows Vista SP2, not a whole new OS.

----------------------------------------------------------------------

by Seaspray0 February 2, 2009 3:43 PM PST
Obviously you haven't tried it, so stop with the childish whining. Windows 7 is what vista should have been.

----------------------------------------------------------------------

Wow. Just wow. Color me floored. First argue, then agree. Must be the new way to blame the user when M$ software craps out.

Oh Ben, they're coming out with a SP2 for fista prior to w7. That means w7 will be fista SP3.
:-D
by toosday January 30, 2009 6:35 PM PST
In order to appease some, Microsoft has taken a major security feature (that happens to be annoying) and watered it down too much. They must fix this before Windows 7 ships.

Granted, they are holding off on giving a release date for W7 and that's a good thing. We all expect it to come out before the holiday season since it's really good in beta, but I think they are wise to keep mum. They have to fix bugs like this!
by Lerianis January 30, 2009 6:51 PM PST
They haven't really 'watered it down too much'. They just haven't done the sane thing, and made a whitelist of programs and their usual locations on the drive, in order to make UAC better.
by Seaspray0 February 2, 2009 3:47 PM PST
Whitelist won't work, Lerianis. That'd be like granting the OK to a porn site because it wasn't malicious today. What about tomorrow?
by Dalkorian February 3, 2009 3:43 PM PST
I don't know Seaspray0, it sounds like the ultimate M$ answer to me. An answer that is proprietary (designed to be usable by no one else in any way, shape or form) and is guaranteed not to work without massive regular updates - and possibly not even with said updates. Something extremely complex, but ultimately easy to hack.

Cut it out apologists, it hurts to laugh this much.

Anyone who works this hard to apologize for a disaster like UAC must be a child rapist. Oh, sorry Lerianis.
;-/
by DustoMan January 30, 2009 7:32 PM PST
You know. Changing UAC is a bad idea. People exaggerate how much UAC "nags" them. Just leave it on. It's a good thing.
by hunkyboi69 February 3, 2009 8:39 AM PST
I agree. Unless you are constantly messing with your system or are an incompetent tw@t, the minimal number of prompts you get does not justify disabling it.

Vista bashing has become the fashionable thing to do. The majority of people in this thread (and most other Vista or Win 7 threads) are just trying to be controversial because they don't have a clue about any version of Windows except crappy XP and they hate Vista and Win 7 because MS had the 'cheek' to make them BETTER, MORE SECURE, and CHANGE THINGS THAT NEED TO BE CHANGED.

Get over yourselves, open your eyes, learn the changes and get into the sodding 21st century.

And that goes for the reporting on here too.
by Dalkorian February 3, 2009 3:45 PM PST
It's funny how winblows apologists think the poorly designed and easily fooled UAC in fista is the end-all-be-all of solutions. It's like they have no idea that other OS's exist and have more elegant, more functional and more secure solutions already.

Without walls and ceilings, you have no need for windows or gates.
by OFC_Rocco January 30, 2009 7:49 PM PST
I turned off UAC within fifteen minutes of loading vista, and have never had a virus on here, spy ware yes, but that is caught and eaten by anti-spy ware as soon as it lands....
by BigGuns149 January 31, 2009 11:13 AM PST
That of course presumes that your anti-spyware applications have a signature for said spyware. If there is no signature for said piece of spyware there is a good chance that it will walk on by your anti-spyware application. I think you are being just a bit smug to think that your anti-spyware application(s) are infallible. Like with most things prevention is worth a pound of cure and by extension it is far better to avoid spyware than to wait for your anti-spyware app to discover that it exists.
by navy_coolguy January 30, 2009 7:59 PM PST
For me, Windows Vista was a lot better. Whenever I had a problem with a program, I would go to processes in Task Manager and end the process tree. But in Windows 7, even if I did that it would still not end. I don't think anything is more annoying than this. I would sometimes get stuck at the login screen or just after login. 99% of some 20 or 30 shutdowns, I directly shut my laptop off.
by eltoro2827 January 30, 2009 8:50 PM PST
Oh god, here we go again... Ina, maybe you should try writing code... maybe we can all talk crap about you.
by er3s January 30, 2009 9:00 PM PST
I think what would be better is to use UAC only when an application wants to change the system, and provide no choice to the user. It's rather irritating that you need to consent to things like turning off your network connection, changing the time, etc. The user should be allowed to do those things without being "god" on the system. I don't think UAC is a bad thing, I think the way Windows is designed lends itself to UAC popping up because it has no choice.
by ballmerisanape January 30, 2009 9:31 PM PST
How about you make an OS that doesn't act like a condom with holes in it... Microsoft? There's an idea!
by Seaspray0 February 2, 2009 3:50 PM PST
How about you read this before you make an @$$ out of yourself again...

"The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years"

Source: http://news.cnet.com/8301-1009_3-10154662-83.html
by seven7dust January 30, 2009 11:13 PM PST
Why can't MS copy UAC from OSX and Linux?
They've managed to copy just about everything else.
Why not where it counts the most???
by Dalkorian February 3, 2009 3:48 PM PST
What else can M$ do to prove that they have no idea what the word "security" even means?
by MSSlayer January 30, 2009 11:39 PM PST
The Unix permission system is less intrusive and more secure.

Why MS doesn't use that is a mystery.

All the annoyances of Vista exist for one reason: an excuse for MS to place the security blame on its customers.
by BigGuns149 January 31, 2009 11:16 AM PST
I've repeatedly said the same thing. I think that there would have still been criticism even had they copied the unix model verbatim because there are far too many applications that require admin rights and a *lot* of people in the Windows world who don't understand why you shouldn't always be logged in as root/admin, but I think it would have been a good case where copying how someone else did it would have been wise.
by Wei_Zhu January 31, 2009 1:38 PM PST
I have heard this statement that Linux or OSX have a better permission model many times, but I have never read anyone making a real explanation to back it up. As far as I know, that is not the case at all. In fact, I'd argue that Linux's permission model is less secure. On Linux, if you are running as root, you can run anything you want with any problem, no questions asked. If you are not running as root, then you get basically the same experience as Windows 7. I am less familiar with OSX, but in my limited experience OSX seems to behave about the same way as Windows 7 in permission model. If you think I am wrong, please supply me with specific examples.
by random truth January 31, 2009 4:28 PM PST
Wei_Zhu,
Alright, hold on, this is complicated, but I'll explain the Unix model of security...
So let's say there are two users... we'll call them user_1 and user_2. So on a proper Unix system this is what happens...
User_1 opens an application. All parts needed for the application are in the application itself or a respective library folder, depending on the OS. The application has access to User_1's home folder, the public folder, and other folders/files it has permission to see (this is for plugins, etc.). However, the rest of the files are either read-only or hidden from User_1 and anything that carries that permission level. A program running under User_1 cannot access the files of User_2, system files, other application files, hardware, other processes, or the start-up folder, or change permissions of files he does not have permissions to. If a program or user tries to access something without the proper permission, it gives an error stating you do not have the proper permissions. To access these items, the user or application has to get its permissions elevated to User_1 root. In this case the user has to enter his/her username and password. When an app running from User_1 is in root operation it cannot access the home folder of User_2, as it gets an access denied because those files require User_2 verification. To add to the mix, on a Unix OS there are far more users than the two main ones. On a Mac OSX system, here would be the different users by default...

User_1
User_2
Root
Nobody (core system communication with the efi not managed through the os (runs usb communication to the processor in mac osx))
_securityagent
_spotlight
_windowmanager
_Mdnresponder
Daemon
Root
System
by tm_anon January 31, 2009 10:53 PM PST
@Wei_Zhu

random truth gave a very good explanation of the permission model. Notice that he mentioned username and password? That's one of those things I haven't heard mentioned at all with Windows 7 or Windows Vista.
by Wei_Zhu January 31, 2009 11:58 PM PST
@random truth and tm_anon,

The behaviors you described on Unix work the same way on Windows. Windows has had the level of permission control that "random truth" described since Windows NT 3.5, before Linux existed. As for "prompting of username and password", I'd say that Windows 7 works more securely than Linux. On Windows 7, if a non-admin user runs a program that requires admin access, then the user will be prompted to enter the user name/password of an admin-level user. That is the same behavior as Linux. If an admin user runs a program that requires admin, the user will still at least be prompted, but won't need to enter a password. On Linux, there won't be any prompt for an admin user, I believe. One could argue that Windows has a stronger security policy on this aspect.
Showing 1 of 2 pages (94 Comments)