Comments on: Windows 7 Beta UAC “improvements” http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/ Infos about Windows development and dotNET Framework Mon, 21 May 2012 08:11:32 +0000 http://wordpress.org/?v=2.3.3 By: Günter Prossliner http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-163 Günter Prossliner Mon, 02 Feb 2009 15:39:12 +0000 http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-163 I've also read (and contributed) the newsnet thread. It's really funny. Not only that it's very hard for tool vendors to tell their customers why the product XYZ still needs an UAC prompt. It's also about how this "only allow MS Stuff" is implemented behind the scenes. If there is only a filename / path checking this would basically disable all the protection that UAC provides. And I do not think that such an change would make it into the product. So there MUST be a kind of Authenticode Signature Checking anyway. So MS could provide a kind of Logo Program (as for x64 Drivers) which apps have to pass, until they recieve a Certificate from the MS CA. Apps which are signed by such a Certificate will be handled like MS internal binaries. LG, Günter Prossliner I’ve also read (and contributed) the newsnet thread.

It’s really funny. Not only that it’s very hard for tool vendors to tell their customers why the product XYZ still needs an UAC prompt.

It’s also about how this “only allow MS Stuff” is implemented behind the scenes. If there is only a filename / path checking this would basically disable all the protection that UAC provides. And I do not think that such an change would make it into the product. So there MUST be a kind of Authenticode Signature Checking anyway.

So MS could provide a kind of Logo Program (as for x64 Drivers) which apps have to pass, until they recieve a Certificate from the MS CA. Apps which are signed by such a Certificate will be handled like MS internal binaries.

LG, Günter Prossliner

]]> By: jkalmbach http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-159 jkalmbach Wed, 21 Jan 2009 18:49:50 +0000 http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-159 IMHO, it makes no sense... One solution would be to restrict the apps to "signed" apps, like the x64-drivers must be signed. Then MS can always identify the apps. Maybe the current implememntation is already on this base (but I don't know;have not looked at it too deeply). IMHO, it makes no sense…
One solution would be to restrict the apps to “signed” apps, like the x64-drivers must be signed. Then MS can always identify the apps. Maybe the current implememntation is already on this base (but I don’t know;have not looked at it too deeply).

]]> By: Koro http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-158 Koro Wed, 21 Jan 2009 18:46:07 +0000 http://blog.kalmbach-software.de/2009/01/21/windows-7-uac-improvements/#comment-158 Actually, it makes sense. No other binaries than those shipped with Windows can really be trusted, because "Windows knows Windows" and it knows those binaries are really what they say they are. Adding a mechanism for other apps to be added to this list is just asking malware and every "I'm more important than the user's preferences" application to add themselves there, therefore completly defeating the point of UAC. Actually, it makes sense.

No other binaries than those shipped with Windows can really be trusted, because “Windows knows Windows” and it knows those binaries are really what they say they are.

Adding a mechanism for other apps to be added to this list is just asking malware and every “I’m more important than the user’s preferences” application to add themselves there, therefore completly defeating the point of UAC.

]]>