[thelist] Safari on Windows

Ken Schaefer Ken at adOpenStatic.com
Tue Jun 12 10:33:31 CDT 2007


Programs do not run as a low access level in Vista - by default.

If you are an administrator then you get a "split" security token when you
logon. You need to "elevate" your privileges (which gives you access to the
full set of rights that your token should have). To elevate your privileges
you need to click on the "allow" button.

If you are a non-Administrator then instead of a allow/cancel option, you are
instead prompted to enter administrative credentials (similar to su, or runas
in previous versions of Windows).

Now there is something call Mandatory Integrity Control (apologies for the
ridiculously long link):
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/18/Why-Vista_3F00_-M
andatory-Integrity-Control-_2800_MIC_2900_-_2800_Security_2C00_-Stability_2C0
0_-System-Integrity_2900_.aspx

or tinyurl:
http://tinyurl.com/3bkvhw

Internet Explorer runs in a lower that normal integrity level (assuming you
have UAC on). That provides an additional level of protection, since lower
integrity level processes can not change files that have a higher level
integrity specified in their SACL. This is why you get more than usual
prompts when using IE to perform privileged operations (e.g. save a file into
a restriction folder like %systemdrive%\windows)

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jon Hughes
Sent: Wednesday, 13 June 2007 1:15 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Safari on Windows

Not on Vista(from what I understand, all programs run in a very low
access level in Vista - unless you disable the "cancel or allow" thing)

But in WinXP, yes.  Every program has the potential to run as the level
you are logged in as.

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Joel D Canfield
Sent: Tuesday, June 12, 2007 8:11 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Safari on Windows

> Seriously, though.  It could allow remote execution on your PC
> (essentially install any software it wants)

right; got it.

to continue my eddicashun, and hoping it's not too off-topic, if the
browser allows remote execution, is it acting as something other than
the anonymous web user? as in, I'm an administrator on my own WinXP box,
so it has godlike powers?

faaaaaaar too long away from networking to have a grip on this stuff
anymore

thanks again

joel
 



More information about the thelist mailing list