June 10, 2004 12:00 AM

New Adware Scheme Takes Advantage of IE Vulnerabilities

Windows IT Pro
InstantDoc ID #42953

A malicious adware creator is taking advantage of two vulnerabilities in Microsoft Internet Explorer (IE) to surreptitiously install adware products and pop-up ad generators on users' computers as they browse the Web. The flaws, which let attackers run code on victims' machines and let malicious code bypass IE's security zones, were only recently discovered. 
  
"We consider that any use of an exploit to run a program is a criminal use," Microsoft Security Program Manager Stephen Toulouse said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so." Toulouse said that the company is now working with the Federal Bureau of Investigation (FBI) to track down the culprits and that Microsoft will likely issue an IE patch to fix the problem soon instead of waiting for next month's regularly scheduled batch of security fixes.
  
Although reports vary, the malicious code apparently installs an ILookup search toolbar that changes IE's home page and connects to adware-related sites, generating pop-up windows and, occasionally, even desktop shortcuts. The effects are similar but not identical to the behavior I saw during a recent Trojan attack, which I've documented in three parts in Windows & .NET Magazine UPDATE (see the links below). In my case, my machine was infected after I inadvertently turned off Windows Firewall in Windows XP Service Pack 2 (SP2) and used Google to search for video game hints. One of the pages that came up in the Google search results loaded the offending code.

Still Waiting for a Truly Secure System

Details About the Trojan Attack 

My Trojan War Becomes a Quagmire

Comments
  • C. F. Bernard
    8 years ago
    Jun 15, 2004

    I hope Wendy read Paul's comments today: "Also, based on feedback from several readers, I'm going to reinstall XP on my main desktop PC, take it off the domain, and try to live with a non-Administrator account on a nonmanaged box. I've been told by a number of people that this process is a lot less painful than it used to be, and I've frankly not tried it in a while, so I'll give it a shot."


    When installing software that was unwisely designed to require elevated permissions to run:

    1. Sign on with a local administrator account to change the account you use regularly from a User to an Administrator via Control Panel - Users and Passwords.
    2. Log on to your regular account that now has Administrator privileges.
    3. Run a (free) program such as InstallWatch or InstallRite (http://www.epsilonsquared.com/) to record the changes made to the registry during the installation.
    4. Install the desired software.
    5. Use regedt32's Security menu - Permissions to give your regular account Full Control to the desired program's registry branches.
    6. You may need to use Windows Explorer to likewise give Full Control to the program's folders.
    7. Set the account back to User via Control Panel - Users and Passwords.

    For surfing, you may want to install the latest version of Mozilla Firefox http://mozilla.org/ and set it as the default browser. Only use IE for the sites that were unwisely designed to work only in IE.

    Also, give a much needed security zone fix to IE with the free Qwik-Fix utility from PivX Solutions http://www.pivx.com/qwikfix/index.html
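
Steps 5 and 6 of the procedure above (granting the regular account Full Control on the program's registry branch and folder so the account can go back to being a plain User) can be scripted instead of clicked through in regedt32 and Explorer. This is an added example, not the commenter's own instructions; the account name, registry path and folder are hypothetical placeholders, and it must be run from an administrator session.

```powershell
# Added example (not from the original comment): grant one limited account
# Full Control on an application's registry branch and install folder so the
# application runs without the account itself being an Administrator.
# All three values below are hypothetical placeholders; adjust to your system.
param(
    [string]$Account     = "$env:COMPUTERNAME\RegularUser",
    [string]$RegistryKey = "HKLM:\SOFTWARE\ExampleVendor\ExampleApp",
    [string]$Folder      = "C:\Program Files\ExampleApp"
)

# Inheritance flags so every subkey / subfolder and value / file is covered.
$inherit = "ContainerInherit,ObjectInherit"

# 1. Registry branch: add an Allow/FullControl rule for the limited account only.
#    Existing rules are kept; nothing is granted to Users or Everyone.
$regAcl  = Get-Acl -Path $RegistryKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, "FullControl", $inherit, "None", "Allow")
$regAcl.SetAccessRule($regRule)
Set-Acl -Path $RegistryKey -AclObject $regAcl

# 2. Program folder: same idea with a file-system rule.
$dirAcl  = Get-Acl -Path $Folder
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, "FullControl", $inherit, "None", "Allow")
$dirAcl.SetAccessRule($dirRule)
Set-Acl -Path $Folder -AclObject $dirAcl

# 3. Verify: list only the entries that name the limited account, so you can
#    confirm the grant landed where intended and nowhere else.
foreach ($path in @($RegistryKey, $Folder)) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like "*RegularUser*" } |
        Select-Object @{n="Path";e={$path}}, IdentityReference,
                      @{n="Rights";e={$_.RegistryRights ?? $_.FileSystemRights}},
                      AccessControlType
}
```

The `??` null-coalescing operator in the verification step needs PowerShell 7; on Windows PowerShell 5.1 replace that expression with separate `RegistryRights` and `FileSystemRights` columns.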

  • jonathan
    8 years ago
    Jun 14, 2004

    Without calling anyone dead right or dead wrong, Wendy, it ultimately comes down to what things you need to do when you are logged into Windows. The average user does not need to do administrative stuff very often on their system; thus, they should be using a restricted account. Even as a developer, I use a limited account for all my day to day work. I always keep a command prompt window open, which I started with RunAs, using my administrative account. To install setup files or do other things as an admin, I just enter it from this command prompt. Rarely do I actually ever log into Windows using the admin account.

    I will say that Paul has a valid point: It is true that many applications are ignorant of rights. This is an unfortunate consequence of the long, widespread use of Windows 9x, in which everyone is always an administrator. The concept of different user types and privileges has been around since NT 3.1; it is now up to ISVs to create applications that work properly in these secure environments.

    Rather than always run as Admin to appease these applications, run as a limited user and then run only these specific apps as Admin. I mean, if you have an app that needs to connect to the internet, do you disable your entire firewall or do you just open the specific ports to the specific application?

    Regarding XP Home Edition's "crippled" limited user account: It is what I use to do all my web surfing, email, and even all of my programming. It doesn't provide the granularity in user permissions that XP Pro does, because the average home user doesn't need this.

    Microsoft has done a lot to encourage developers to focus on "least privilege" when writing their apps, so that they work in limited accounts. Unfortunately though, Microsoft has not been educating home users to use limited accounts for their non-admin activities.

    Windows also needs to be like OS X by allowing a limited user to seamlessly switch to the admin account (via password) on demand when accessing an admin feature. Currently, Windows does prompt when you run a program named "Setup.exe", "Install.exe", etc., but it needs to go further.

    The NT security model provides a lot of protection when you use a limited account. You don't see Unix/Linux users doing all their work (including web browsing) as root. Yes, it may take some getting used to, but limited accounts really do protect you.

  • stephen
    8 years ago
    Jun 12, 2004

    I've been surfing with the 'Internet zone' set to High+ for years. When I feel that I must view a site at a lower setting I put it in my Trusted sites. However, my Trusted zone is not the default level, rather it's set at Medium+. I just got tired of all the c**p that scripting and ActiveX enables .. so I surf without it. Scripting is a great thing but only in the hands of responsible people.

  • Graeme Evans
    8 years ago
    Jun 12, 2004

    WWW.OPERA.COM no exploits no activex junk no popups why bother with ie????????

  • Vadim
    8 years ago
    Jun 12, 2004

    There will be no truly secure system ever, and efforts in that direction are mostly a waste of time, a Sisyphean effort. If you rely for the protection of your home only on perfect locks and doors, while there's no police in your town, you will be robbed anyway. Microsoft is on the right track taking it to law enforcement. The same should be done about all that incredible flow of fraud that comes as spam.
