Products that aren't designed for Windows XP or Windows 2000

Anti-Windows Catalog

We practice what we preach at Pan-Am Internet Services



The Simplest Vista Virus 3.0

Written by Gordon Fecyk, 6/30/2006

If Microsoft made cars, drivers would complain about the seat belts.

IN THE USER ACCOUNT CONTROL BLOG, Microsoft developers and concerned users argue/discuss the UAC security prompts that come up every time a broken application tries something that requires administrator access.

I'm reminded of the early days of Sun Microsystems' Java, where Java 1.0 imposed tight security restrictions on "unsigned" applications and browser applets. Java 1.1 omitted some of this security after some user and developer furor.

One of the UAC Blog readers invented "The Simplest Vista Virus." Its design goes like this:

-blacken the screen
-ask user for Admin credentials
now your virus has Admin privileges...what else could you want?

Basically, defeating Vista's improved security involves defeating User Account Control. Once you have admin, you have the computer. After Aaron Margosis responded that this wasn't possible, I took "version 2.0" and "version 2.1" a couple steps further:

-blacken the screen
-entice the user: "Here, dumb user. Here's some free smileys for you! Go on, type your admin password here. You know you want to."
now your virus has Admin privileges...what else could you want?

This last design of The Simplest Vista Virus comes from Yahoo! Messenger on MacOS X, which asks the MacOS user for the root password using its own dialog box instead of whatever program interface Apple provides for requiring root access. I guess Yahoo! wants the root password so it can install updates? I'm not sure, and neither is the MacOS X community:

I have seen Mac OS X installation programs - even for Internet programs like Yahoo Messenger - that don't even put up a standard dialog box when requesting the admin password. I know that these dialog boxes belong to some third party installer, and I have to trust that it will play nice with my admin password. Some programs even require that the computer be connected to the Internet during the install. You don't even get to see what you are installing before giving permission to install.

If Yahoo! can do this on MacOS X, what stops them from doing it on Vista?

All of what you'll read here is already happening. Could this be a computer security industry smear campaign?


AARON SAYS THAT'S NOT POSSIBLE on Vista because apps can't "impersonate another security context." Basically, an application can't launch another application or process using another user's username and password. And furthermore it isn't possible to "inject" input into a Vista security dialog box, because it either runs on the Winlogon desktop, or it runs on a different "integrity level" than other applications.

How, then, do we get our virus working?

With the objective of defeating User Account Control still clear, I present to the public, The Simplest Vista Virus 3.0.

  1. People are still the weakest link in any security system. I will exploit them first.

  2. I will demonstrate how the most popular applications for Windows don't work without multiple annoying security prompts. I will make sure these include games like Warcraft III and Final Fantasy Online, and applications like AutoCAD 2006 and Quickbooks 2005.

  3. I will accuse Microsoft of starting yet another monopolistic conspiracy by demonstrating only Microsoft applications work without annoying security prompts.

  4. I will then send alerts to the mainstream IT press, who will write knee-jerk articles denouncing Vista's User Account Control.

  5. I will then make sure the story reaches Slashdot for further "processing" by additional knee-jerk writers.

  6. Then I'll make sure the story reaches the mainstream press and watch as the common reader expresses outrage.

  7. Then as a killing blow, I will point out other recent failed attempts by Microsoft to "control its customers."

  8. Then Microsoft will have no choice but to remove User Account Control from Vista.

  9. At last, I will then create a variant of Melissa and watch the world scream some more at Microsoft, even as anti-virus vendors fail to catch my Simplest Vista Virus.


PEOPLE ARE STILL THE WEAKEST LINK but I insist that is only the case because people still don't have a choice.

"Choose another system, then." No, thank you. Security prompts are the norm on MacOS X, yet there's already a piece of malware that specifically targets that feature on MacOS. All because developers, and users, don't like security.

On one hand, Microsoft customers clamor for a more secure version of Microsoft products. On the other hand, customers complain that more security gets in the way. If Microsoft made cars, drivers would complain about the seat belts.
