Subject: Re: Legacy setup program behavior
From: "Rich"
This is entirely an app compat issue for legacy installers not anything that should be relevant as ISVs release new products. There is a mechanism defined for any application to declare its elevation behavior and one specifically for installers that use Windows Installer. See http://msdn2.microsoft.com/en-us/library/aa372468.aspx for Using Windows Installer with UAC. See http://msdn2.microsoft.com/en-us/library/aa480150.aspx for info on developing applications. The Certified for Windows Vista logo requires that all EXEs declare their execution level. See http://download.microsoft.com/download/8/e/4/8e4c929d-679a-4238-8c21-2dcc8ed1f35c/Windows%20Vista%20Software%20Logo%20Spec%201.1.doc.
Rich
"Rich Gauszka" wrote in message news:45da0ce1$3{at}w3.nls.net...
I don't read that in Russinovich's response as he does admit there is a problem and admit that Vista's administration escalation on the installer is intentional. Only time will tell if Vista's 'usability' makes for a happy hacker and Microsoft's design choice was poor.
It does seem though that Microsoft's security concern these days is more with tightening the screws to wga rather than worry about mundane user related security issues
http://crunchgear.com/2007/02/19/microsofts-ballmer-blames-poor-vista-sales-on-piracy/
"Gary Britt" wrote in message news:45da06e5$1{at}w3.nls.net...
> It's sad to see Russinovich lend his credibility to the spin machine at Microsoft. Am I the only one who thinks this? I'm sure he's getting paid really well and any of us would have sold out just like him, but it's still sad nonetheless.
>
> Gary
>
> Rich Gauszka wrote:
>> "I would like to be offered a choice whether to fully trust a given installer executable [and run it as full administrator] or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more."
>>
>> "I could do that under Windows XP, but apparently I can't under Vista, which is a bit disturbing."
>>
>> http://www.itnews.com.au/newsstory.aspx?CIaNID=46057&src=site-marq
>>
>> Rutkowska discovered that when Vista detects that the user is running an installation file it kicks into full admin mode.
>>
>> If a user wishes to install a new program they are presented with the option either to allow the installer complete system privileges or not to run the program at all.
>>
>> Rutkowska wrote on her Invisible Things blog: "That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it full access to all your file system and registry, and allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?
>>
>> "I would like to be offered a choice whether to fully trust a given installer executable [and run it as full administrator] or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more.
>>
>> "I could do that under Windows XP, but apparently I can't under Vista, which is a bit disturbing."
>>
>> A few days after her posting there was a lengthy and detailed response from Mark Russinovich, a Technical Fellow at Microsoft.
>>
>> Russinovich essentially admitted that, while the problem exists, it was a design choice that stemmed from the balance between security and usability.
>>
>> "Because elevations and integrity levels do not define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs," he said.
>>
>> In light of the huge security campaign surrounding Windows Vista in 2006, Rutkowska said in a follow up posting that this explanation simply is not good enough and that Microsoft should attempt to solve the problem rather than try and dismiss the issue.
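The execution-level declaration mentioned at the top of this message is the `requestedExecutionLevel` element of an application manifest. The following Python script is an added example, not part of the original thread or of any Microsoft code: it audits manifest XML that is assumed to have already been extracted from each EXE and reports which files declare a level and which leave the decision to Vista. The file names and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Levels defined for the manifest's requestedExecutionLevel element.
VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed sample: a manifest that declares its execution level.
DECLARED = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.Setup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed sample: a pre-Vista style manifest with no trustInfo section.
LEGACY = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.OldSetup" type="win32"/>
</assembly>"""


def declared_level(manifest_xml):
    """Return the declared level string, or None if nothing is declared."""
    if not manifest_xml:
        return None                      # EXE carries no manifest at all
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Compare local names: trustInfo appears under asm.v2 or asm.v3.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None


def audit(name, manifest_xml):
    """Classify one executable by what its manifest says about elevation."""
    level = declared_level(manifest_xml)
    if level is None:
        return f"{name}: UNDECLARED (Vista decides; legacy heuristics may apply)"
    if level not in VALID_LEVELS:
        return f"{name}: INVALID level {level!r}"
    return f"{name}: declares {level}"


if __name__ == "__main__":
    for exe, xml in [("setup_new.exe", DECLARED), ("setup_old.exe", LEGACY),
                     ("tetris_install.exe", None)]:
        print(audit(exe, xml))
```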
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)