Local Administrator/Power User
Non support of Patching/UAC
Hall of Shame
What is this web site all about?
It's about the bad security practices that we put up with from our vendors.
ThreatCode.com should not exist. If application coders (programmers) could learn to write secure, stable, reliable, **sensible** code, then we could happily remove this site. Unfortunately, because of the number of poorly coded applications that are still available and in use today, ThreatCode.com has a reason to exist.
ThreatCode.com is a Hall of Shame for poor coders and their applications. It does not mean that these applications themselves pose a direct threat to your network and its data, but by using these applications you are opening your network and its data up to vulnerabilities that should never exist.
Applications that are suitable for the ThreatCode Hall of Shame include those that:
- require the user to run with elevated privileges (Power User, Local Administrator, etc.)
- use 16-bit code - it has been 9 years since Windows 95 and 32-bit code were introduced
- need to have multiple inbound ports open
- have multiple security bugs that have been reported, but remain unpatched (and security patches must be free)
- require "macro security" to be configured to run unsigned macros
- cannot support NAT (in particular NAT-T) on the firewall without a "helper" or gateway application installed
- call home without informing the user very, very clearly of this early during the installation process, allowing the user to either stop installing the application or preferably opt out of this feature
- cause major conflicts with other applications installed on the system
- install "decryption code" that then stops other software from working as it did before
- transmit sensitive data to external locations (such as websites) without securely encrypting the traffic
- use DES (not 3DES, but single DES) encryption
- don't support XP SP2
- don't support Data Execution Prevention features in XP SP2 or Windows 2003 SP1
- will not support the customer on all current security patches and instead rely on certifying only through certain service packs, patches, etc.
- do not properly implement or support User Account Control in Vista
Hear and watch more on "Is that Application Really Safe" given by Dr. Jesper Johansson
Viewing area for Hall of Shame Honorees:
HALL OF SHAME HONOREES for ADMIN RIGHTS
HALL OF SHAME FOR MISUSE OF User Account Control
HALL OF SHAME HONOREES for NON SUPPORTING OF PATCHES
HALL OF SHAME HONOREES FOR PERMISSIONS AND ACL ISSUES
Download the LUABuglight tool to determine how to 'reghack' your applications to a better security position for your network
Nominations to the "Hall of Shame" can be entered here
Why even "Power User" isn't acceptable
Resources to help you run your software as a Restricted User
Need help getting QuickBooks to run as nonadmin?
NEWS -- QUICKBOOKS 2007 now supports non-administrator mode when used on Vista and in a network setting. Read more about it here!
Nominations on this site without official vendor links have not been independently verified and are based on representations of affected users.
Email Susan
That really annoying tag line that she used to stick in her email all the time.....