Tags: security

iReboot's developer(s) show their ignorance about UAC

I saw a post on Slashdot titled "Coding Around UAC's Security Limitations", which pointed towards this.

The whole angle of the post on Slashdot is trying to make it seem that UAC doesn't do anything and is worthless. The iReboot developers certainly have that angle too, in what I'm sure some would call a childish tirade.

iReboot is an application that sits in the tray, and allows you to select an OS you want to reboot into. It does this by changing the boot loader so the OS you selected is the default and then rebooting the machine.

To modify the boot loader, you obviously need administrative privileges: this is a system-wide change and, if altered wrongly, it can render the system unbootable.

On Windows XP the iReboot application required you to be logged in as an administrator, for obvious reasons (standard users not having the rights to change the boot loader).

On Windows Vista, iReboot would also require administrative privileges to work. With UAC, even users logged in as administrators have their applications run as standard users, which is why applications need to elevate to run as administrators.

The developer goes on to write:

But there was one flaw in iReboot that made all the hard work we put into making it as unobtrusive and minimalistic as possible almost meaningless: if you had UAC enabled, iReboot will not run automatically at startup, no matter what you do.

iReboot could run automatically at startup with UAC enabled; the developer doesn't seem to be aware that you can write an application to ask for elevation. His application didn't - and so it just fails. Like it should. Obviously automatically starting an application and asking for elevation isn't a very good experience, which is why it shouldn't be done this way either.

I'm sure you all know that the Windows NT line (and other modern operating systems) has had the concept of "services". It seems the developer had to do some "digging around" for solutions. Come on, any Windows geek knows how services work, and this guy actually had to do research?

Services are usually started automatically by the system, for example the time service which goes out to the internet and corrects the time on your system. Changing the time requires administrative privileges, and as such the time service runs with administrative privileges. The same can be said about the 50 or so other services that run on the system.

He goes on to say:

only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

This is also how it should be done on Windows XP, 2000 etc. so that your application would work on standard user accounts, but it seems he doesn't care about standard users on Windows XP, where he says "everyone runs as an Administrator", which isn't quite true. Others and I have long tried to get people running as standard users on Windows XP; it is developers like this who kept people from running as standard users and greatly reduced the security of the world's computer base.

The developer then goes on to complain about how long all this took:

[G]etting this far wasn't easy. With Windows Vista, what should have been 100 lines of code maximum ended up being a dozen times longer, split across two different processes, and requiring way too much man-hours to write the most minimalist and to-the-point piece of software we've released to date.

Of course if the guy had bothered to look at the development guidelines and documentation that is almost a decade old now he would have seen this is how his application should have been written in the first place. He assumed he would have administrative rights forever, yet Microsoft have been hammering on about testing your applications as standard users for years and years before Windows Vista shipped; it isn't like they just pulled this out of the bag.

The developer then makes one final stab at UAC:

Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security [his emphasis]. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.

He is essentially claiming that UAC is worthless and can be coded around (by using services), which is false: in order to install that service in the first place you must elevate the installer, or else it cannot create or modify the service.

Just today a new exploit was discovered in QuickTime (yes, another one). With UAC enabled the exploit doesn't work, because QuickTime isn't running as an administrator, but only as a standard user. Just another example of how UAC just gives the "impression" of security.
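The client/service split quoted above makes the service the privilege boundary: the standard-user tray client can only get done what the service's request handling permits. A sketch of that handling follows, as an added example that is not iReboot's code. The JSON message format, the function name, the constructed boot entry GUIDs, and the use of bcdedit and shutdown command lines are all assumptions for illustration.

```python
import json
import re

# Constructed boot entries. A real service would enumerate these itself,
# with its own privileges, and never accept the list from the client.
BOOT_ENTRIES = {
    "{11111111-1111-1111-1111-111111111111}": "Windows Vista",
    "{22222222-2222-2222-2222-222222222222}": "Windows XP",
}
GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
MAX_REQUEST = 256  # bytes; the only valid message is far smaller


def plan_reboot(raw, entries=BOOT_ENTRIES):
    """Validate one request from the unprivileged client.

    Returns (True, [argv, argv]) for the single supported operation,
    or (False, reason). Nothing is executed here; the argv lists are
    what the privileged side would run (hypothetical command choice).
    """
    if len(raw) > MAX_REQUEST:
        return False, "request too large"
    try:
        req = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers bad UTF-8 and bad JSON
        return False, "malformed request"
    if not isinstance(req, dict) or set(req) != {"action", "entry"}:
        return False, "unexpected fields"
    if req["action"] != "reboot_into":
        return False, "unsupported action"
    entry = req["entry"]
    if not isinstance(entry, str) or not GUID.fullmatch(entry.lower()):
        return False, "entry is not a GUID"
    entry = entry.lower()
    if entry not in entries:
        return False, "unknown boot entry"
    # Argument vectors, never a shell string built from client input.
    return True, [["bcdedit", "/default", entry],
                  ["shutdown", "/r", "/t", "0"]]
```

The client never supplies a command, a path or a flag, only the identifier of an entry the service already knows about, so the elevated installation grants exactly one operation to standard users.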

The Apple reality distortion field

I came across a perfect example of the reality distortion field yesterday. I was so impressed I saved the comment for later use, but I didn't think at the time to save the website it was posted on. If anybody knows, let me know and I'll add the URL (it doesn't seem to be in Google's index yet). Anyway, this was what was said:

John W - You might want to review your links before you post erroneous information. The Hack Contest had no winners on Day 1, it was only after the rules were fully relaxed did someone “break into a browser” on Vista and OSX. Gosh, when a hacker has full physical and password access to a Mac, they break in… wow, film at 11, how amazing!

This is in relation to the recent PWN to OWN contest, which I briefly wrote about here.

He seems to be under the illusion that Windows Vista was also cracked on day two, along with OS X (which was cracked in 2 minutes). This is false.

Day one's rules were that you could only carry out an attack remotely. No machines were compromised. On day two you could use user interaction on the machine, for example opening a specific website, or opening an e-mail attachment. At no point were the crackers given "full physical" access to the machine or passwords; the user on the machine could only open e-mails or web pages. Safari was compromised within 2 minutes. Windows Vista and Ubuntu both survived the day, and in the end were only compromised on day three with the help of 3rd party code, namely Adobe's Flash player.

Fact is, no Mac has ever been broken into from the outside, no viruses, no malware, etc. OSX is the most secure mainstream OS there is

False. I'd say it is the least secure mainstream operating system out there; all of Apple's software is plagued by security issues. Just last year a group of security researchers exposed dozens of security issues in Mac OS, so many they were doing one a day for the whole month of the project.

and that’s just another reason why it’s so popular.

I wouldn't define "popular" as 2% market share. Alone it would be funny, but when there are thousands of these trolls running around it's just sad.

Mac OS X cracked inside of 2 minutes - Vista & Ubuntu stand firm

I can't say I'm honestly surprised, judging by how crappy Apple's record is at patching vulnerabilities over the last few years. Windows Vista has consistently outperformed all other major operating systems in this regard and Microsoft have spent a considerable sum on improving their development process in regard to security.

So anyway, at the PWN to OWN contest held over the last three days crackers have been competing for a $10,000 and a $5,000 prize. Their task was to crack a computer; there were three computers, all running different operating systems. One running Mac OS X.5 (Leopard), one running Ubuntu 7.10 and one running Windows Vista SP1.

The first day was limited only to attacks over the network. All three machines survived.

The second day, the participants were allowed to open web pages, or e-mails. Mac OS X was compromised inside of two minutes.

Both Ubuntu and Windows Vista survived the day, and now the crackers can request that the judges allow "popular" 3rd party software onto the machines. As of this moment I believe both machines are still standing.

Both Linux and Windows have their fair share of crappy 3rd party software, but I think Linux generally has more privilege escalation exploits, so we'll have to see how it goes.

So anyway, the next time some smug Apple fanboy comes up to you and goes on about security, politely remind them that they are full of it. And also consider reporting Apple to advertising regulators over their utterly misleading and downright false adverts.

Home wireless networks a security nightmare

The number of wireless networks around here is slowly growing; there was just one insecure network a couple of years ago. I just checked now, and I can find 6 other wireless networks. There are probably more at different times of the day.

Wireless networks

The lower six networks shown here are all insecure. Three have no security whatsoever, and the other three use WEP, which was part of the original 802.11 standard from back in the 90s and deprecated about 5 years ago as it can be broken in just a few minutes.

This isn't just about keeping people off your own network; this is about stopping people from receiving information you send back over the internet. When a machine is physically wired in, an eavesdropper would have to be on a machine between you and the server. On a wireless network, however, information you send out goes to everybody around you as well. A lot of non-financial information is still sent over the internet as plain text. Use a lot of social networking sites? Your password gets broadcast as plain text, and if your network isn't secure anybody can get your password and username. The same goes for web forums, a lot of e-mail servers etc.

Make sure your wireless networks are set to use WPA or higher, pretty much all devices nowadays support WPA (the Nintendo DS is the only exception I can think of - I have no idea why Nintendo don't do something about this).

If there are legitimate reasons for why a network needs to be open, make sure you use HTTPS when available, even if the server doesn't have a certificate to prove its identity.

Manufacturers should also do their part and ensure WPA or WPA2 are the default options. All WEP does is provide a false sense of security; the fact it is deprecated and insecure should be made clear when the user is configuring the device.
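To check the networks you manage against the WPA-or-higher advice above, the scan list can be classified automatically. This is an added example, not part of the original post: the sample text is constructed and laid out like the output of `netsh wlan show networks`, and the function names are made up for illustration.

```python
import re

# Constructed sample, laid out like the output of `netsh wlan show networks`.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : Cafe: Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP

SSID 4 : OldLaptopNet
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
"""

SSID_LINE = re.compile(r"^SSID \d+ : (.*)$")


def parse_networks(text):
    """Return one dict per network: its SSID plus lower-cased detail fields."""
    networks, current = [], None
    for line in text.splitlines():
        match = SSID_LINE.match(line)
        if match:  # an unindented "SSID n : name" line starts a new network
            current = {"ssid": match.group(1).strip()}
            networks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return networks


def classify(net):
    """Map a parsed network onto the three cases the post distinguishes."""
    auth = net.get("authentication", "").upper()
    enc = net.get("encryption", "").upper()
    if enc == "WEP":  # listed with "Open" authentication, so test it first
        return "wep"
    if auth.startswith("WPA"):
        return "wpa-or-higher"
    if auth == "OPEN" and enc == "NONE":
        return "open"
    return "unknown"


def weak_networks(text):
    """List (ssid, verdict) for every network that is not WPA or higher."""
    verdicts = [(n["ssid"], classify(n)) for n in parse_networks(text)]
    return [v for v in verdicts if v[1] != "wpa-or-higher"]
```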

Windows Vista looking good on the security front

So Microsoft held their biannual BlueHat security gathering last week, as they've been doing for a couple of years now, inviting outside security researchers to have a chit chat with Microsoft developers on security. The press aren't invited to these (officially it's an internal Microsoft event), and so what details emerge are usually from the blogs of researchers who were involved.

Halvar Flake, from Sabre Security, was invited to write up his thoughts on the BlueHat blog. He makes a few good points, which I feel are generally the consensus now that Windows Vista has been out there for nearly a year.

Microsoft did do a good job at addressing the issues of previous Windows versions. Progress on all fronts has been achieved, and MS is probably better than any other closed-source software vendor when it comes to the security of their products.

I've been saying this for a while now, this is Microsoft's security investment at work.

As a result, I think that most of the security researchers will move on to greener pastures for a while. Why try to chase a difficult overflow out of Vista when you have Acrobat Reader installed, some Antivirus software with shoddy file parsing, and the latest ITunes?

No surprise there, judging by Adobe's and Apple's non-rapid release of patches for QuickTime, iTunes, Reader and the like. They're popular, and in the case of Reader rarely updated. You won't find any of that software on my machines, not only due to their poor record in addressing security, but for how bloated and buggy they are.

This is one of the key reasons I tell people NOT to disable UAC, nor to elevate programs which don't work as standard user. Better to replace those programs with ones that work properly. Microsoft issued these guidelines in 2000: things shouldn't assume they have full rights to the box, nor should they be saving data all over the place. It's about time Microsoft forced the 3rd parties to clean up their act.

UAC ensures these programs are running as standard user, so if there is a vulnerability it seriously limits the damage that they can do. Leave it on, people.

Secretly, all attackers are hoping that Vista will be a failure, security spending will be scaled back and nobody will attempt to build a secure mainstream OS again.

No doubt at all they're going to be in for a harsh time for the next few years. With Windows Vista taking a majority share on the client, and Windows Server 2008 rolling out, they're going to have to save their pennies.

Windows Vista six month security report

Jeff Jones has thrown up a report (available in PDF on his web page) on Windows Vista's 6 months security record and compared it to some competitors.

Like the 90 day results I posted up a while back, Windows Vista is still leading the field at this milestone too.

Windows Vista security vulnerabilities compared with other operating systems

Looks similar to the 90 day report, with Windows Vista having just half the number of vulnerabilities as the supposedly "secure" Mac OS. Somebody should really do them for false advertising.

First 90 days of Windows Vista, security comparison

This is a sort of follow-up to my previous post about Windows Vista being the most secure operating system.

Jeff Jones has totalled up the number of vulnerabilities that have been discovered in the first 90 days of the Windows Vista launch (end of November), and compared it to Windows XP, Mac OS X.4, Ubuntu 6.06 LTS, Red Hat Linux Enterprise 4 Workstation and Novell SuSE Linux Enterprise Desktop 10.

Here are the figures:

Windows Vista: 5.
Windows XP: 18.
Mac OS X.4: 27.
Ubuntu Linux: 100.
SuSE Linux: 111.
Red Hat Linux: 201.

That's one fifth as many security related problems as Mac OS X.4. Take note Apple, you don't want to find yourselves in hot water over trying to mislead people, again, do you?

I got some feedback left on my other post on this topic.

Not taking into consideration that the vulnerabilities for the windows are a lot more common

Come on, are you serious?

That's because Windows is a lot more common (90+% of the market). Now let's follow this through: if you replace Windows and its 5 security issues with Red Hat and its 201 issues, do you get more or fewer potential security issues? You get more, much more.

Let's assume that 90% is 400 million machines. That means with Windows in the first 90 days of launch there are 2 billion potential holes in the world's computers. With Red Hat's 90 days that figure goes up to 80.4 billion potential holes in the world's computers. With Mac OS it's 10.8 billion! Come on, get real. We're talking about how secure the operating system is, not how much software there is for it, which obviously will follow the OS with the largest market share.

Microsoft have made huge improvements over the last few years on security and that is undeniable, and they'll continue to make even more improvements in the future. By the time the next version of Windows ships people saying Windows is massively insecure will sound as dumb as all the people who are saying Windows is hugely unstable today, after 5 years of Windows being solely based on NT.

Windows is the most secure operating system

According to Symantec it is. In their 11th internet security report, part of which tracked vulnerabilities and fix times for operating systems in the last half of 2006, they found the following:

Microsoft's Windows came in first place with 39 vulnerabilities discovered and Microsoft took on average 22 days to fix them.

Red Hat Linux came in second place with 208 vulnerabilities and an average fix time of 58 days.

Apple's Mac OS X ranked 3rd place with 43 vulnerabilities and an average fix time of 66 days.

Hewlett Packard's HP-UX had 98 vulnerabilities and took them 101 days to release a fix.

Sun's Solaris came in last place with 63 vulnerabilities with a fix time of 122 days.

Looks pretty much the same as the first half of the year. Microsoft's security investment is paying off. 2006 was a solid year for Microsoft on the security front. With how 2007 has started, it's going to get even better.

Apple lacks Microsoft's security investment

Bill Gates has been taking some flak lately in the Apple circles for some comments he made on the state of security in Mac OS. He was being interviewed for Newsweek:

In many of the Vista reviews, even the positive ones, people note that some Vista features are already in the Mac operating system.

Bill Gates: You can go through and look at who showed any of these things first, if you care about the facts. If you just want to say, "Steve Jobs invented the world, and then the rest of us came along," that's fine. If you're interested, [Vista development chief] Jim Allchin will be glad to educate you feature by feature what the truth is. I mean, it's fascinating, maybe we shouldn't have showed so publicly the stuff we were doing, because we knew how long the new security base was going to take us to get done. Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine. So, yes, it took us longer, and they had what we were doing, user interface-wise. Let's be realistic, who came up with [the] file, edit, view, help [menu bar]? Do you want to go back to the original Mac and think about where those interface concepts came from?

OK, so Bill Gates is basically saying that because Microsoft invested so much in security for Windows Vista, Apple was able to copy interface features that Microsoft already developed and release them first, and as a result of that more vulnerabilities are being discovered on Mac OS than Windows.

At first I didn't buy the every single day thing and assumed he was exaggerating by quite a large degree. But after doing a bit of research I stumbled onto this. They list a new vulnerability discovered on Mac OS every day, in many cases with code ready to exploit it. So Bill Gates wasn't far off the mark at all in his comments. Let's just quote a few examples:

1st of January:

A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.

3rd of January:

A vulnerability in the handling of the HREFTrack field allows to perform cross-zone scripting, leading to potential remote arbitrary code execution.

5th of January:

A vulnerability in the handling of BOM files by DiskManagement/diskutil allows to set rogue permissions on the filesystem. This can be used to execute arbitrary code and escalate privileges.

The list just goes on and on, a new one for every day of the month. Microsoft has made the investment in security, and it shows with fewer and fewer exploits being discovered. The media, which you can imagine would love to throw out something about security on the Vista launch, had to resort to using speech recognition: apparently the fact it responds to voice commands is a "hole" because it can be used to delete documents by issuing a delete command. Right, that's the best you've got?

I'm confident in saying that Windows Vista in its first year will have fewer security vulnerabilities than any other client release of Windows of the past, and doing even better than their best server release, Windows Server 2003, wouldn't surprise me at all.