1

Windows Vista, OS X and Linux (e.g. Ubuntu/Gnome) each ask for permission when certain operations are performed. I know when I've initiated such an action most of the time. Occasionally, I'm not expecting the dialog to pop up because I don't consider what I've requested to be needing permission. This makes me nervous.

How easy is it for some mal-ware to spoof such a dialog? I would say it's probably trivial.

What can be done to prevent getting caught by this?

EEAA
  • 109,363
  • 18
  • 175
  • 245
Dennis Williamson
  • 62,149
  • 16
  • 116
  • 151

2 Answers2

1

The dialog can be spoofed (in the sense that an application can draw something on screen that looks the same as a UAC dialog), but what does it get you other than to desensitise the user to clicking on "OK" all the time? That's a concern, but as long as OSes think that "ask the user" is the correct answer to the question "should I allow this?", there's not a lot that you as a user can do to stop it.

womble
  • 96,255
  • 29
  • 175
  • 230
  • If it's displayed by mal-ware, it could gather passwords. – Dennis Williamson May 02 '09 at 05:01
  • @Dennis That's not so much an issue with Vista, as UAC does not ask for a password (unless the user is really unprivileged), but Ubuntu asks me for a password whenever it decides that I haven't been annoyed enough recently. – Grant May 02 '09 at 05:23
  • UAC doesn't ask for a password, it just says "Should X be allowed to do Y?". Yeah, Linux systems pop up password dialogs here and there, but if something can write to your X session it's already got access to your account, and can ptrace everything in sight until you type a password or whatever anyway. – womble May 02 '09 at 05:28
1

Maybe something similar to yahoo's sign-in seal could be created.

Basically set up a secret that an unprivileged program can't have access to/knowledge about, and let the system serve that up when it's asking for permission to give a program privileges.

xkcd150
  • 928
  • 1
  • 7
  • 11
  • I don't know why someone downvoted you. This is actually the kind of thing that I had in mind that should be done. My bank uses it, for example. – Dennis Williamson May 02 '09 at 05:03
  • who knows :) which bank is that? i've been looking for more places doing similar things, and have found fairly little written about it. which makes me sad, because when it comes to security i tend to think that more eyes and minds on the problem can only be good – xkcd150 May 02 '09 at 05:08