[cap-talk] Windows Vista: security by admonition

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Sun Jun 4 23:33:31 EDT 2006

Toby Murray wrote:
> Hi cap-talk,
> Don't know if anyone's still following this one, but a new post on 
> Vista's User Account Control is a little illuminating, if only for the 
> insight it gives into the mindset of the guys who are working on this 
> thing. It appears to me that they've decided that the internal structure 
> of Windows makes some problems difficult to solve (such as being able to 
> infer the amount of authority to attach to UI events) and that 
> therefore, these problems have to be shifted back to the user to solve. 
> Hence, these UAC dialogs.
> http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx

My response, just picking up on one specific issue from that post:

# Stop using accessibility as an excuse for insecure design
# Sunday, June 04, 2006 11:19 PM by David Hopwood
# It's pretty silly to keep using accessibility as an excuse for not fixing
# the vulnerabilities due to malware sending keystrokes, reading the screen
# contents, etc.
# The vast majority of apps are not accessibility tools. So allowing all
# apps to send keystrokes, and continually bothering the user just in case
# a piece of malware did this, is a clear failure to observe least
# privilege/authority.
# Instead, the apps that actually need to be able to send keystrokes, read
# the screen, etc. (accessibility tools, macro players, automated GUI testing
# tools, and screen grabbers) should be marked, so that only they can do
# those things.

[Providing these programs with a capability would be better than marking, but
I don't expect Windows to become a capability system.]

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
