virus affecting WMF files

this thread on cgtalk has quite some people worried

especially for windows en explorer users out there

just thought I’ll let you guys know


The most important consideration for Windows users is … don’t run as Administrator. Also, don’t run without a password.

Which is precisely, believe it or not, what Windows does do by default, for millions of users.

When a program … whatever the source … wants to do such a thing as the WMF-exploit is said to be doing, the system’s response should be “no, you do not have the authority to do this.” “You do not have the authority to install or to modify that registry-key.” “You do not have write-permission to that folder.” And, “there is no means by which you can get it.”

On Windows, Linux, and OS/X you can block a great many problems like these by following a “principle of least privilege” throughout the system. Even if you, personally, have the right to do “whatever you like” with what is, after all, your system … you should not routinely be using the system from an account which can do such a thing. Your standard login account should be, strictly, “an ordinary Joe.”

Except that under XP this system has been screwed up to the point that there are only two pre-defined settings: Admin or “Peon” (don’t know what its called, but you can’t do anything with that setting.) Under Win2K, at least you had a somewhat logical heirarchy of user levels, each with its own customizable set of priviledges. If a user was unable to perform a task at their present level, you could at least “promote” them to a pre-defined level that would allow what they needed, or tweak the one they were on. Now, its like all or nothing.

I tried to set up “common user” accounts for my kids, so they wouldn’t screw things up on the family PC, but they couldn’t even run a kindergarten game from the CD drive! I had no idea how to allow them to access the CD, and didn’t have the time to figure it out - so, you guessed it, they use one of their parent’s login accounts. Totally worthless system. And I consider myself a pretty experienced Windblows user… I can’t imagine how M$ expected the average Joe to handle this situation.

BTW, I know these same settings are in there somewhere in XP, but now they’re cryptified to the extent of being inaccessible to all but three-time MCSE grads.

Yes, unfortunately windows is all but unusable without your user being admin.

It’s not as bad on XP Pro and 2K, but many programs aren’t written to handle it properly.

Whereas, the vast majority of Nix and OSX (mac side) are. Some aren’t. It pisses me off to no end when an OSX installer fails becasue of access denied or somesuch without prompting me to escalate priveleges.

Yeah, I don’t like that either because if the installer comes from an untrustworthy source, it could easily do some damage.

So, what I do is open the installer using show package contents and copy the pax.gz file out to my drive. You just double click to decompress it and see what needs to go where and you can do it manually. A lot of the time, you need to input your password because you are installing files to a protected location. If you don’t want to have to input the password, just unprotect the location.

One of the main examples are device drivers. In any system, these operate at the lowest level so they go in the system folder (though there is an extensions folder in /Library but developers don’t use it for some reason) so inputting the password is necesary. I often find developers build installers wrongly - a lot of them make you restart your machine when it really isn’t necessary. I’m glad more and more people are making the drag and drop apps though.

You can also use a program called pacifist to help you install packages more safely.