64% of MS Vulnerabilities Caused by Running with Admin Rights

[Rofl-Mic-Lofl]

Most of us here on [H] should know this already, but we need to spread the gospel of this and UAC to all of our friends and families so we don’t keep getting woken up early in the morning with tech support calls!

"Breaking it down per product, the figures become even more interesting. Microsoft reported 55 Office vulnerabilities in 2009, and all of them are mitigated by removing admin rights. Of the 33 Internet Explorer issues reported, 94% were thwarted by removing admin rights. For Internet Explorer 8, 100% would be. If we restrict the vulnerabilities to just Windows, we see that 53% can be mitigated by not running as admin."

 

[Sly]

Tell your father to stop surfing pron. That'll fix 99% of his infections.

 

[Reimu]

BeyondTrust does access control though. Their whitepaper seems to rather 'coincide' with their corporate interests, not that there's anything wrong with it...

 

[Astronomica]

Most of my tech support calls are people complaining that their pirated copy of windows doesn't work anymore.

 

[ir0nw0lf]

Tell your father to stop surfing pron. That'll fix 99% of his infections.

The virtual ones or the physical ones?

 

[niconx]

Just think of all those people who were complaining about UAC. Now I guess they know why it exists. Only took 4 years.

 

[Servian]

thing is there is a lot of problems caused by not having admin rights also. It's a no win situation.

 

[WBurchnall]

Tell your father to stop surfing pron. That'll fix 99% of his infections.

Your just going to wind up helping him burn dvds in that case or if he's really behind the times in Technology your just going to end up helping him unravell stuck tapes in his vcr.

 

[Rockjay420]

Tell your father to stop surfing pron. That'll fix 99% of his infections.

that never an easy conversation, because they will always deny it

 

[Project_Nightmare]

I can eliminate 90% of a system's vulnerabilities, it's called unhooking the internet. 100% if you never supply any power to the system.
The UAC does the same thing so thats why I disable it. And you cant do anything without admin rights.

 

[P4rD0nM3]

thing is there is a lot of problems caused by not having admin rights also. It's a no win situation.

What kind of problem?

 

[oROEchimaru]

yeah and if microsoft didn't have the vulnerabilities in the first place they wouldn't have these issues.

sorry with UAC on... you still get spyware/viruses and rootkits... the silent ones the average user will never know about.

 

[celeron300]

In other words, for us laymen, if I set up an administrators log in separately from my own it will make the OS safer. Is this the same for Windows 7?

 

[InorganicMatter]

What kind of problem?

Yes, I'm curious to know which word processor or internet browser your using that requires admin rights.

 

[Rofl-Mic-Lofl]

yeah and if microsoft didn't have the vulnerabilities in the first place they wouldn't have these issues.

sorry with UAC on... you still get spyware/viruses and rootkits... the silent ones the average user will never know about.

http://hardforum.com/showthread.php?t=1309404

I also remember reading another article around when 7 released in which there was a test and not a single rootkit was able to be installed on a UAC enabled system. Just remember that if you are trigger-happy and click every darn thing that pops up, UAC won't do jack for you.

 

[dochmbi]

UAC has caused way too many problems for me to keep it enabled, it has messed up savegames and configs and caused a lot of frustration.

 

[NukeULater]

UAC has caused way too many problems for me to keep it enabled, it has messed up savegames and configs and caused a lot of frustration.

Interesting, because I have it running on two windows 7 machines and one vista rig, and have never had a problem with any one your issues. It has saved my ass a couple times to.

 

[oROEchimaru]

For us in IT its more of an annoyance... i just turn it off to get more work done quicker without the prompts.

would i do that on my moms pc? fark no...

 

[hellokeith]

I cringe everytime I hear a gamer say "first thing I did was disable UAC, so I know that's not the problem". Ok genius, now that you know UAC is not the problem, are you going to re-enable it?

 

[bacon]

Interesting, because I have it running on two windows 7 machines and one vista rig, and have never had a problem with any one your issues. It has saved my ass a couple times to.

Mine too, never had an issue all the way back through vista to now. There isn't any reason to turn it off.

 

[niconx]

Interesting, because I have it running on two windows 7 machines and one vista rig, and have never had a problem with any one your issues. It has saved my ass a couple times to.

No probs here and I have run some old games both on Vista and 7 even the betas, no issues with UAC at all. I'm just glad Microsoft decided to turn it on by default.

 

[jandar]

Funny,

I have all users save for a few locked down as users on Windows XP. Even the few Domain Admins have a separate login for Admin level permissions.

200+ computers on my domain, other than a few driveby malwares that take 2 minutes to fix (worse case, rename old profile and create new one) I have yet to have a major issue.
The first thing I did when taking over this network was lock everything down.
Even apps that need higher perm levels (sloppy ass developers IMHO) I can easily fix with a registry or folder permission.

Admin rights needed? Nope, and that goes for 90% of all programs that I have seen.

 

[Devistater]

Wait, so you are saying that clueless average joe's are knowledgable enough and will know when to say NO when UAC pops up with a valid alert of something bad, when it pops up all the time even when you move an icon that they aren't conditioned to click yes to get it to stop bothering them?

yeah... sure...

 

[srangara]

Wait, so you are saying that clueless average joe's are knowledgable enough and will know when to say NO when UAC pops up with a valid alert of something bad, when it pops up all the time even when you move an icon that they aren't conditioned to click yes to get it to stop bothering them?

yeah... sure...

What are "Average Joes" doing that would trigger UAC? Moving icons? Don't think so.

They're either messing about with stuff that they shouldn't (and that makes them vulnerable) or they are using applications that don't work properly with Vista/Win7 (and that make them vulnerable).

 

[Azhar]

UAC has caused way too many problems for me to keep it enabled, it has messed up savegames and configs and caused a lot of frustration.

For those rare programs that doesn't play nice with UAC, right-click the program icon and select "run as administrator".

You shouldn't sacrifice your entire computer because of the ineptitude of one or two developers.

 

[Kelby]

I think of the UAC as my little slave. I tell the computer to do something, and it asks me for permission to do it.

 

[Kelby]

I think of the UAC as my little slave. I tell the computer to do something, and it asks me for permission to do it.

Or as my deaf grandma. I ask it to do something and it looks at me glassy eyed and says, "What?"

 

[TheResidentEvil]

i turn it off. i dont care for it. it asks me too much crap. Im smart enough to not have any problems and if i do, i just format. I dont keep personal items on my desktop pc.

 

[phide]

I'm a big fan of UAC and any similar system that allows for usable limited user accounts. In the past, Windows user accounts were almost entirely useless.

 

[Cerulean]

I live on admin rights and yet I get zero infections, zero spyware, zero malware, zero zero zero. Please enlighten me.

 

[bigdogchris]

Thankfully most software now days runs under a limited user account. Still, some has to be installed as the user, or it won't run with Limited user rights. Kinda annoying that you can't install as an Administrator.

 

[Azhar]

I live on admin rights and yet I get zero infections, zero spyware, zero malware, zero zero zero. Please enlighten me.

Luck != Smart

 

[phide]

I live on admin rights and yet I get zero infections, zero spyware, zero malware, zero zero zero. Please enlighten me.

You're careful. That's why.

 

[niconx]

I live on admin rights and yet I get zero infections, zero spyware, zero malware, zero zero zero. Please enlighten me.

Well you are also not browsing questionable websites with old browsers and old versions of Flash and reader with WinXP SP2 lol That's what many people do. You can't trust those types of users to protect themselves, hence the need for UAC in newer OS's. UAC is a great way to mitigate threats. IMHO they should make the warning more scary though. Like when you install an extension or theme in Chrome it tells you that it has access to all your private data. Eventually the UAC prompt will become common knowledge, even for laymen. Those people will have to get a virus and loose important data for the concept to sink in their brains, but it will still reach them. The problem is it will take years before that happens, but it's still better than no UAC and still great for intelligent users who hate antivirus software like me.

 

[Dan_D]

This is true. Once you remove administrator rights from the users most things tend to operate pretty smoothly. However in an office environment there is a HUGE problem with removal of admin rights. While Microsoft applications generally work fine this way, most third party software does not adhere to Microsoft's guide lines on the matter. As a result you'll find numerous applications that won't run properly without the user having administrative rights. You can get around most of these issues by adjusting registry and file permissions, but it takes extensive testing and several steps to pull it off. Again with some of the work arounds, you are still compromising security, just not to the same degree.

 

[niconx]

Some of those administrator requirements can be removed if you simply use symbolic links. I think people forget Vista/7 support them now. It's a nice way to keep your Appdata folder mobile. So you can go from computer to computer without any type of network activity required.

 

[SonicTron]

64% of MS vulnerabilities are caused by running with admin rights?

I was thinking it should be more like, 64% of vulnerabilities are exploitable when admin rights are active.

 

[oROEchimaru]

the reason i find uac ineffective:
every copy/paste from the network resolves in uac prompt. deleting/opening legit files=uac prompt.

so mom comes on... oh virus! allow/accept because they allow/accept all the annoying popups.

hence uac is a gamble. is the o/s secure without uac? it better damn be or why are we paying for it... other than a slicker interface. if its not more secure with uac off than winxp then windows 7 is a failure from a security standpoint since they could of easily with a patch enabled a uac-type interface for windowsxp as many 3rd party tools already offer (spybot).

 

[maademperor]

Tell your father to stop surfing pron. That'll fix 99% of his infections.

I tried that...didnt seem to sink in. only option I can see remaining is to tell my mom

(incidentally, I did tell my brothers wife that was why thier computer was so jacked up)

 

[Azhar]

the reason i find uac ineffective:
every copy/paste from the network resolves in uac prompt. deleting/opening legit files=uac prompt.

so mom comes on... oh virus! allow/accept because they allow/accept all the annoying popups.

hence uac is a gamble. is the o/s secure without uac? it better damn be or why are we paying for it... other than a slicker interface. if its not more secure with uac off than winxp then windows 7 is a failure from a security standpoint since they could of easily with a patch enabled a uac-type interface for windowsxp as many 3rd party tools already offer (spybot).

Put your network computer's IP address in your trusted zone and you won't get prompted.