
Quick Vista "User Account Control" Question

Page 2
Originally posted by: stash
That (appears) to be how software firewalls like ZoneAlarm and the like do it. Whenever a program gets updated, you get re-prompted to allow it access to the internet. (I assume it's a hash and not just a timestamp or something.)
Don't get me started on how much worthless security theater that is. In that case, the malware's job is even easier. Even if ZA is using a hash (I have no idea), it's useless, since the malware can bet the farm that a browser of some kind will be whitelisted.

Now I think in Vista, if a malicious process piggybacked on iexplore to get through the Sooper Sekure outbound filtering firewall, it wouldn't be able to do much to the machine, because that process is still running at the lowest integrity level. But it should still be able to send whatever it wants out through your firewall.

Sorry, I wasn't really trying to comment on firewalls, other than the fact that the hash checking they might do doesn't really add any great inconvenience.

It is a good point, though, that certain whitelisted applications might contain vulnerabilities that would allow an unprivileged app to escalate privileges. I assume that would be the exception rather than the rule, though. I could see how IE could be used to transmit arbitrary information over the internet, but could spyware use random whitelisted apps to gain admin rights with any degree of certainty?
 
I could see how IE could be used to transmit arbitrary information over the internet, but could spyware use random whitelisted apps to gain admin rights with any degree of certainty?
Just so we're clear, transmitting arbitrary data to the internet wouldn't be restricted to IE. It would work with any browser that is whitelisted by a firewall.

I'm not sure what you mean by your last comment. The "UAC whitelist" is a list of apps that require admin rights, but won't prompt the user for creds/consent. So yes, a malicious app could potentially use or spoof one of those. If you're saying that the malicious process wouldn't know which apps were on the list, you can bet that it wouldn't take long to figure out which apps are most commonly put on whitelists.
 
Originally posted by: stash
I could see how IE could be used to transmit arbitrary information over the internet, but could spyware use random whitelisted apps to gain admin rights with any degree of certainty?
Just so we're clear, transmitting arbitrary data to the internet wouldn't be restricted to IE. It would work with any browser that is whitelisted by a firewall.

Calm down, I'm not IE bashing. You mentioned iexplore and I ran with it, I'm sure many other common apps are just as vulnerable.

The "UAC whitelist" is a list of apps that require admin rights, but won't prompt the user for creds/consent. So yes, a malicious app could potentially use or spoof one of those.

My point is that if you hashed the executable and used the full pathname, I don't see how a nefarious app could spoof it. And if the path is admin-protected, it wouldn't be able to overwrite the executable without a UAC prompt.

If you're saying that, on a reliable basis, an unprivileged piece of spyware could "piggyback" on a commonly whitelisted app to gain admin rights, then I'll have to take your word for it.


 
I could see how IE could be used to transmit arbitrary information over the internet, but could spyware use random whitelisted apps to gain admin rights with any degree of certainty?
I'm calm 🙂

My point is that if you hashed the executable and used the full pathname, I don't see how a nefarious app could spoof it. And if the path is admin-protected, it wouldn't be able to overwrite the executable without a UAC prompt.

If you're saying that, on a reliable basis, an unprivileged piece of spyware could "piggyback" on a commonly whitelisted app to gain admin rights, then I'll have to take your word for it.
I see what you're saying now. I honestly don't know if hashing is a viable solution or not. Windows has had software restriction policies since at least XP, and that's the same idea. So who knows, maybe something like that will happen down the road. But I think the focus is going to be on making running as a standard user easy and normal on Windows. UAC in Vista has made running as a standard user much easier than it was on XP.
 
Fair enough. Don't get me wrong, I'm quite glad that's the path they're taking. I was only trying to comment on the viability of a whitelist, didn't mean to start a whole thing 😉
 
Originally posted by: stash
I see what you're saying now. I honestly don't know if hashing is a viable solution or not. Windows has had software restriction policies since at least XP, and that's the same idea. So who knows, maybe something like that will happen down the road. But I think the focus is going to be on making running as a standard user easy and normal on Windows. UAC in Vista has made running as a standard user much easier than it was on XP.
It's plenty viable, Apple uses a similar system for its Keychain application where a program can be approved for access on a permanent basis, but Keychain will ask for reapproval if it detects the application has changed.
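Added example, not code from any of the posters above: a small Python model of the scheme the thread keeps circling, an approval list keyed by the full path of the executable and pinned to a hash of its bytes, plus the "ask again if the program changed" behaviour described for ZoneAlarm earlier in the thread and for Keychain here. The class and helper names, the fake "iexplore.exe" contents and the temporary directory are assumptions for illustration; the admin-protected-path check only reports whether the account running the script can write to the directory.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Content digest of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def path_is_admin_protected(path):
    """True if the caller cannot write to the directory holding `path`.

    This is the thread's 'admin-protected path' condition: if the unprivileged
    account can write here, the approved bytes can simply be replaced in place.
    Hypothetical helper; os.access reflects the rights of the current account only.
    """
    directory = os.path.dirname(os.path.realpath(path))
    return not os.access(directory, os.W_OK)


class HashWhitelist:
    """Approvals keyed by canonical full path, each pinned to the file's SHA-256.

    Hypothetical structure for illustration: the approval is tied to file
    contents (a timestamp could be forged), and the path is part of the key,
    so the same bytes at a different location do not inherit the approval.
    """

    def __init__(self):
        self._approved = {}  # realpath -> hex digest recorded at approval time

    def approve(self, path):
        real = os.path.realpath(path)
        self._approved[real] = sha256_of_file(real)
        return real

    def check(self, path):
        """Return 'allowed', 'unknown' (never approved), 'missing' or 'changed'."""
        real = os.path.realpath(path)
        expected = self._approved.get(real)
        if expected is None:
            return "unknown"      # not on the list: the user would be prompted
        if not os.path.isfile(real):
            return "missing"
        if sha256_of_file(real) != expected:
            return "changed"      # same path, different bytes: re-prompt, as ZoneAlarm/Keychain do
        return "allowed"


def demo():
    """Constructed scenario: approve a fake browser, then copy it elsewhere and tamper with it."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "iexplore.exe")
        with open(original, "wb") as f:
            f.write(b"MZ fake browser image v1")  # constructed stand-in for a real PE file
        whitelist = HashWhitelist()
        whitelist.approve(original)
        results = {"approved": whitelist.check(original)}

        # Identical bytes under another full path: the path is part of the key, so no match.
        copy = os.path.join(workdir, "notabrowser.exe")
        shutil.copyfile(original, copy)
        results["copied_elsewhere"] = whitelist.check(copy)

        # Overwrite the approved file in place, which is what malware would need write access for.
        with open(original, "wb") as f:
            f.write(b"MZ fake browser image v1 + injected payload")
        results["overwritten"] = whitelist.check(original)

        # A temp directory is writable by its creator, so this reports False here.
        results["dir_admin_protected"] = path_is_admin_protected(original)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes the thread argues about: a copy of the approved binary elsewhere is simply unknown to the list, and the approved path with altered bytes comes back as changed rather than allowed. The scheme holds only as long as the directory really is off-limits to the unprivileged account, which is why the last result is reported alongside the others.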
 