User Account Control (UAC) Adjustments for Windows 7
In "Windows 7 is everything Vista should have been, with one noteworthy exception," Eric Voskuil, CTO of BeyondTrust, warns that the Windows 7 default configuration for User Account Control (UAC) unnecessarily reduces the security of the operating system and that one should change those default settings to secure a system running Windows 7.
The default setting results in a reduction of prompts -- the prompts
continue, yet security is eviscerated. Though protecting administrative
credentials is clearly a secure measure, Microsoft is trying to have it
both ways – arguing that UAC is not a security boundary. The purpose
of UAC is to protect against malware. Even if it's not a “security
boundary” the message is about defending your PC against “hackers
and malicious software.” If it doesn't do that, what's the point of the
remaining prompts?
In my opinion the decision to configure users this way by default
violates Microsoft's “Secure by Default” principle, which says
that, “software should run with the least necessary privilege.”
Clearly, the operating system should support a standard user or administrator
with UAC fully enabled. The proof-of-concept code to exploit this shortcoming
has already been published.
Windows 7 is great stuff, just don't forget to go to the control panel
and turn security on.
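The post's advice is to move UAC off the Windows 7 default and back to the fully enabled ("Always notify") level. The following PowerShell script is an added example for auditing that state; it is not from the SC Magazine article or from BeyondTrust. It reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and compares them against the values that "Always notify" uses (the target values in $expected are an assumption of this example). The remediation function must be run from an elevated shell, and the change takes effect at the next logon.

```powershell
# Added example (not from the article or BeyondTrust): audit UAC policy values
# on Windows 7 or later and report whether the machine is at "Always notify".
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Target values for the "Always notify" level (assumption of this example).
$expected = [ordered]@{
    EnableLUA                  = 1  # UAC enabled at all; 0 disables it entirely
    ConsentPromptBehaviorAdmin = 2  # prompt admins for consent on the secure desktop for every elevation
    ConsentPromptBehaviorUser  = 3  # prompt standard users for credentials on the secure desktop
    PromptOnSecureDesktop      = 1  # switch to the secure desktop so the prompt cannot be spoofed
}

# Windows 7 ships with ConsentPromptBehaviorAdmin = 5 ("notify me only when
# programs try to make changes"), the level the post argues against.
$windows7Default = 5

function Get-UacSetting {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy falls back to its built-in default
    return $item.$Name
}

function Test-UacAlwaysNotify {
    # Returns one row per setting with Expected/Actual/Ok columns.
    foreach ($name in $expected.Keys) {
        $actual = Get-UacSetting -Name $name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

function Set-UacAlwaysNotify {
    # Writes the target values. Requires an elevated shell; applies at next logon.
    foreach ($name in $expected.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $expected[$name] -Type DWord
    }
}

$findings = Test-UacAlwaysNotify
$findings | Format-Table -AutoSize

if ((Get-UacSetting -Name ConsentPromptBehaviorAdmin) -eq $windows7Default) {
    Write-Warning 'UAC is at the Windows 7 default level; run Set-UacAlwaysNotify from an elevated shell to restore full prompting.'
}
elseif ($findings.Ok -contains $false) {
    Write-Warning 'One or more UAC settings differ from the "Always notify" level; see the table above.'
}
else {
    Write-Output 'UAC is fully enabled ("Always notify").'
}
```

Running the script as a standard user is enough for the audit, since the policy key is world-readable; only Set-UacAlwaysNotify needs elevation. A value reported as "(not set)" means the machine is relying on the built-in default for that setting, which for a fresh Windows 7 install is exactly the relaxed configuration the post describes.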
References:
- "Windows 7 is everything Vista should have been, with one noteworthy exception," by Eric Voskuil, CTO, BeyondTrust. SC Magazine for IT Security Professionals, November 4, 2009.
Microsoft Patches Released 2009-11-10
On Tuesday, November 10, 2009, Microsoft released six patches to address
fifteen vulnerabilities.
MS09-065 fixes three vulnerabilities in Windows kernel-mode drivers,
one of which is deemed "critical" by Microsoft. It does not impact
Vista or Server 2008 systems. But, on Windows 2000, XP, and Server 2003
systems, the bug can be exploited to allow remote code to be executed.
The bug can be exploited by someone creating a webpage that uses a maliciously
crafted Embedded OpenType font. A victim need only view the webpage with
the embedded font. Proof-of-concept code has already been released to exploit
the bug through a "drive-by attack."
Another of the patches issued by Microsoft on Tuesday,
MS09-067 addresses eight flaws in Microsoft Office that can lead
to remote code execution should a user open an Excel file that has been
crafted to exploit one of the flaws.
References:
- "Microsoft fixes 15 flaws with six patches," by Dan Kaplan. SC Magazine for IT Security Professionals, November 10, 2009.
Microsoft Releasing Seven Patches This Month
Microsoft is releasing 7 patches for Windows this month. Some of the patches
plug remote code execution vulnerabilities. One is a critical patch for
Internet Explorer (IE) that addresses a vulnerability in versions of IE from
5.01 through 7. This patch applies to Windows 2000 SP4, XP SP2 and SP3, Windows
Server 2003 SP1 and SP2, Vista SP1, and all versions of Windows Server 2008.
Further information on the patches is available in
"Microsoft To Issue 7 Patches This Month."
References:
- "Microsoft To Issue 7 Patches This Month," by Jabulani Leffall. Redmond | The Independent Voice of the Microsoft IT Community, June 5, 2008.