Vista - Data leakage among users

I installed Quicken on Vista, and ran it as one user, and then when I ran it
as another user at the same time, quicken complained that it was already
being run by another user. So Vista is leaking data among users,
specifically, that other users are running particular programs. This is a
security problem. A program running in one user account should have no way
to know whether that same program is being simultaneously run in another
user account.

More like Intuit folks don't know how to code securely.

The reality is that most Intuit software hasn't been rewritten since Win9x.

Roof Fiddler wrote:
> I installed Quicken on Vista, and ran it as one user, and then when I
> ran it as another user at the same time, quicken complained that it was
> already being run by another user. So Vista is leaking data among users,
> specifically, that other users are running particular programs. This is
> a security problem. A program running in one user account should have no
> way to know whether that same program is being simultaneously run in
> another user account.
>

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:%23nz9Fxe2GHA.4116@TK2MSFTNGP02.phx.gbl...
> More like Intuit folks don't know how to code securely.
Perhaps, but that's beside the point. The point is that if Quicken or any
other user program can (accidentally, intentionally, or even maliciously)
discover that another user is running that program, then it's a security
problem, which the operating system, not that user program, has the
exclusive responsibility for solving.

In a multiuser environment programs need to know if another user is already
using the program. This can be done securely through system messages. One
user can't access another user's memory but the system can pass messages
back and forth. There is some security risk in this but without doing this
data corruption would be rampant. This security risk in Vista is managed
much better than in XP.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca


Roof Fiddler wrote:
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> <sbradcpa@pacbell.net> wrote in message
> news:%23nz9Fxe2GHA.4116@TK2MSFTNGP02.phx.gbl...
>> More like Intuit folks don't know how to code securely.
> Perhaps, but that's beside the point. The point is that if Quicken or
> any other user program can (accidentally, intentionally, or even
> maliciously) discover that another user is running that program, then
> it's a security problem, which the operating system, not that user
> program, has the exclusive responsibility for solving.

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:uK35hTf2GHA.4648@TK2MSFTNGP04.phx.gbl...
> In a multiuser environment programs need to know if another user is
> already using the program. This can be done securely through system
> messages. One user can't access another user's memory but the system can
> pass messages back and forth. There is some security risk in this but
> without doing this data corruption would be rampant.
Corruption of what data? If I run Quicken and another user runs Quicken,
we're only modifying data stored in our own home directories. Coordination
of the two Quicken processes in order to avoid data corruption would only be
necessary if the processes were sharing writeable data, which they're not.

No it's not besides the point.

Intuit does not code securely. Every piece of software should be
reviewed for secure coding.

I am not about to hold Microsoft responsible for Intuit's continued
stupidity.



Roof Fiddler wrote:
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> wrote in message news:%23nz9Fxe2GHA.4116@TK2MSFTNGP02.phx.gbl...
>> More like Intuit folks don't know how to code securely.
> Perhaps, but that's beside the point. The point is that if Quicken or
> any other user program can (accidentally, intentionally, or even
> maliciously) discover that another user is running that program, then
> it's a security problem, which the operating system, not that user
> program, has the exclusive responsibility for solving.
>

In a multi user environment, each user should have his own separate files
under "Users" in Vista with his/her UserName. If the intention woz to have
some files common accessible to all users then the Users\All Users\ is the
folder to use either with \Application Data or \MyDocuments.

As a previous commenter mentioned, these are post WIN9X features and,
presumably Intuit has not updated its software to accomodate this way of
securing data in a multi user environment.

Complain to Intuit.

Vista is pointing the way to the future for more secure computers in multi
user environments.

Get with it.

Garry



"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:uK35hTf2GHA.4648@TK2MSFTNGP04.phx.gbl...
> In a multiuser environment programs need to know if another user is
> already using the program. This can be done securely through system
> messages. One user can't access another user's memory but the system can
> pass messages back and forth. There is some security risk in this but
> without doing this data corruption would be rampant. This security risk in
> Vista is managed much better than in XP.
>
> --
> Kerry
> MS-MVP Windows - Shell/User
> http://www.vistahelp.ca
>
>
> Roof Fiddler wrote:
>> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
>> <sbradcpa@pacbell.net> wrote in message
>> news:%23nz9Fxe2GHA.4116@TK2MSFTNGP02.phx.gbl...
>>> More like Intuit folks don't know how to code securely.
>> Perhaps, but that's beside the point. The point is that if Quicken or
>> any other user program can (accidentally, intentionally, or even
>> maliciously) discover that another user is running that program, then
>> it's a security problem, which the operating system, not that user
>> program, has the exclusive responsibility for solving.
>
>