A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.
I'm still amazed anyone can even use Windows with unprivileged users. Their permission system is so convoluted and never explained to the average user. And Windows is so complicated that there are probably still a thousand holes in it.
But it's also sort of a problem with the general timeshare computer model where it's the users who are distrusted instead of the software programs. They have to use user accounts to control permissions instead of specific permissions being given to a specific program as needed. I mean the installer has to run as admin, but should require a password, but doesn't because it's already running as admin. But the GUI shouldn't run as admin, but basically has to because it needs to do admin stuff. I dunno.
It's basically a single binary choice between "don't allow this program to do anything and it won't function" and "give this program root privileges to do literally anything to the computer including installing rootkits and viewing the memory of every process". Oh, and you have to grant those permissions for every single installer that wants to put a program on your computer. And you have to pay Microsoft a ton of money if you are a developer and want to let the user know they're installing your program specifically.
On their info page for UAC:
"Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications."
HEURISTICALLY!! COMPUTERS SHOULDN'T USE HEURISTICS!!!
Well, it would be expensive and probably require an entirely new operating system with new software. But they could at least make user accounts make more sense or tell people how that stuff works. Also, Windows 10 Home doesn't let you run a bunch of admin programs for viewing users and groups, so there's that (just tried to run Local Users and Groups, but nope, apparently viewing groups on your own computer is for "professionals" lmao).
Windows not being descended from a timesharing OS is part of the problem I think. Unix systems (on paper) have an edge there, but it's clear classic Unix permissions are insufficient too. Android and more so iOS are probably the best permissions model we currently have.
Yeah, Android and iOS have capability-based permissions, but they're obviously not as granular as they could be, and mobile OSs are obviously a lot more limited than others for regular software programs.
That's the kind of thing that Microshart will never fix
what a disaster