Potential security issue

[hexaae]

Since the tool runs elevated with admin rights, clicking on the Validation tab links may lead to security issues because the opening browser will inherit and go on the net with the same privileges (disabling also Protected mode for example with IE...). The same happens when new versions are found and you're asked to update through a web link...

Please make sure the links are launched with current user privileges, not with the same inherited by GPU-z.

 

[Aquinus]

Since the tool runs elevated with admin rights, clicking on the Validation tab links may lead to security issues because the opening browser will inherit and go on the net with the same privileges (disabling also Protected mode for example with IE...). The same happens when new versions are found and you're asked to update through a web link...

Please make sure the links are launched with current user privileges, not with the same inherited by GPU-z.

I don't think you can do that. An application runs as only one users and when the application launches another one it will always be as the current user. I don't see many easy ways to get around this. It is only a security hole if you use that browser after it opens for other things, but I don't think what you asking is easily achievable.

I'm sure W1zz will comment on the matter.

 

[hexaae]

No.
You can test this yourself:
0. enable UAC if you don't have it enabled, and enable Protected mode in IE 9/10.
1. close all IE9/10 windows.
3. run GPU-z and go to the tab Validation
4. click on the link in blue 'here'. It will open a new IE instance and go to that URL.
5. on an empty page area right-click and choose "Properties":
Area: Protected mode disabled

It's a potential issue as no-one will notice you're running the web "unprotected" after visiting that link (and the web page may be hacked or something else...). I'm sure there's a way to force current user privileges for a launched application, not inherited by parent task, at least I hope so...

http://stackoverflow.com/questions/...-current-user-privilege-from-an-admin-process

 

[Aquinus]

No.
You can test this yourself:
0. enable UAC if you don't have it enabled, and enable Protected mode in IE 9/10.
1. close all IE9/10 windows.
3. run GPU-z and go to the tab Validation
4. click on the link in blue 'here'. It will open a new IE instance and go to that URL.
5. on an empty page area right-click and choose "Properties":
Area: Protected mode disabled

It's a potential issue as no-one will notice you're running the web "unprotected" after visiting that link (and the web page may be hacked or something else...). I'm sure there's a way to force current user privileges for a launched application, not inherited by parent task.

You clearly didn't read my post.

First of all, what you're asking very well might not be possible.

What's you're describe also (protected mode disabled under UAC admin,) is the default behavior for IE under the admin account. You can't change the settings because this is hard coded into IE. If IE starts was elevated privileges protected mode will be disabled and there is no way to enable it with elevated permissions since nothing is restricting it.

So if you can't start IE as another user and this is default behavior for MSIE, this isn't correctable so you can complain about how bad it is as much as you want, but you're complaining to the wrong people because this is all Microsoft and Windows that is doing that and GPU-Z only shows it because it is required to be run with elevated permissions.

My advice would be: If this really bothers you, then don't use IE, but no one here will be able to fix that for you since it's expected behavior of Windows (not even GPU-Z.)

Your link looks neat, but W1zz still has to implement it which may or may not work. It's a work around for the shortcomings of IE though and I'm not sure if it's worth the time versus just informing people. He'll make that call though, not me.

 

[hexaae]

You clearly didn't read my post.

First of all, what you're asking very well might not be possible.

What's you're describe also (protected mode disabled under UAC admin,) is the default behavior for IE under the admin account. You can't change the settings because this is hard coded into IE. If IE starts was elevated privileges protected mode will be disabled and there is no way to enable it with elevated permissions since nothing is restricting it.

So if you can't start IE as another user and this is default behavior for MSIE, this isn't correctable so you can complain about how bad it is as much as you want, but you're complaining to the wrong people because this is all Microsoft and Windows that is doing that and GPU-Z only shows it because it is required to be run with elevated permissions.

My advice would be: If this really bothers you, then don't use IE, but no one here will be able to fix that for you since it's expected behavior of Windows (not even GPU-Z.)

Your link looks neat, but W1zz still has to implement it which may or may not work. It's a work around for the shortcomings of IE though and I'm not sure if it's worth the time versus just informing people. He'll make that call though, not me.

What about a launcher task that runs with current-user privileges to start the GPU-z elevated child process, AND handle external links?

 

[RCoon]

People use IE other than for downloading a new browser?
Dont use IE?

 

[hexaae]

People use IE other than for downloading a new browser?
Dont use IE?

Please let's not start another boring flame VS IE... FFox for example does not even have a sandbox like IE and Chrome and has many cirtical vulnerabilities (as for all browsers): http://www.mozilla.org/security/known-vulnerabilities/firefox.html

I don't think it's a IE-only issue: all tasks and browsers launched within GPU-z will inherit its privileges resulting in a security potential risk on the web...
Other interesting links:
http://www.codeproject.com/Articles/90713/Run-an-application-under-current-logon-user-s-priv
http://support.microsoft.com/kb/2278183
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/bb625960.aspx

 

[W1zzard]

I'm sure there's a way to force current user privileges for a launched application, not inherited by parent task

couldn't find one.

the most promising solution seems to add a task to task scheduler that runs a program as currently logged in user, now. clearly not a solution

 

[Easy Rhino]

What about a launcher task that runs with current-user privileges to start the GPU-z elevated child process, AND handle external links?

good lord. this is a browser/OS security problem. w1z can't be asked to fix something that is Microsoft's problem. i would argue the best course of action is to use an alternative browser and make people aware of the inherent flaws in IE/Windows security design.

 

[Mindweaver]

If you are worried about your browsing habits after you have updated, then why not close the browser and re-open? Why click the link to open your browser to obtain the new update if you are worried? I would just become a active member at TPU and grab the new GPU-Z when btarunr posts it in the news section... Err wait I already do that.. Honestly you're worried about your browsing habits after GPU-Z launches your browser for the new update.. I don't see that as being a GPU-Z flaw.

 

[hexaae]

couldn't find one.

the most promising solution seems to add a task to task scheduler that runs a program as currently logged in user, now. clearly not a solution

Yes, it's something MS should add to the OS. The "potential problem" is obviously not limited to GPU-z only but to all programs with admin rights able to open a link. There should be an easy way to launch a task with a lower privilege level with Windows, and MS should provide a documented solution.

i would argue the best course of action is to use an alternative browser and make people aware of the inherent flaws in IE/Windows security design.

Happens the same with FFox and other browsers since they'll run with Admin privileges. It's not a IE specific flaw.

If you are worried about your browsing habits after you have updated, then why not close the browser and re-open? Why click the link to open your browser to obtain the new update if you are worried? I would just become a active member at TPU and grab the new GPU-Z when btarunr posts it in the news section... Err wait I already do that.. Honestly you're worried about your browsing habits after GPU-Z launches your browser for the new update.. I don't see that as being a GPU-Z flaw.

Of course I know how to avoid that with a workaround solution but many users won't notice this and will be exposed to more potential security risks once their browser will have the highest privileges.

Thank you for your replies...