Security concerns regarding Start Menu 8 2.1.0.0

[Flute]

Hi I recently installed the latest version of Start Menu 8, 2.1.0.0. There are several updater features and there doesn't seem to be a way to disable any of them. There are two LiveUpdate.exe files, AUpdate.exe, a downloader exe, and one more exe I can't remember right now. I disabled all those exes by replacing them with "do nothing" exes and so far the program has been functioning ok. Why don't you offer a way to disable updating? Once my computer is in a good state (which is very hard to do) I want to keep it that way, so I hate auto-updates on most software.

 

Anyway that aside part of the reason I felt uncomfortable with the updates is it looks like you are just checking via http for a new version of the software. Do you have any protection from a man-in-the-middle (MITM) attack?

 

Second issue, also security related:

 

In the program settings there is now an option to bypass UAC. I do not want that option or for anyone to be able to turn it on. For all I know some virus could just edit the preferences to your software, turn on the UAC bypass and all of the sudden UAC is defeated. I assume you have figured out a way to bypass UAC by having the program that's installed in services do something to start without it. That's a really bad idea, if someone can hack that it's going to be a problem.

 

Thanks as always for releasing your software for free and listening to my feedback. Besides the potential security issues it's a great program.

 

[Cicely]

Hi Flute,

 

Thanks for speaking out your concern.

For your first concern about "updater features", the update files only detect the updates when there is a new version available, and it will not download or install any software without users' permission.

For your second concern about "MITM attack", we have already taken measures to maximum prevent such attacks, and we plan to encrypt all communication deeply in next versions.

For your third concern about "UAC defeat", only the programs started from our program have the option to skip UAC. It will not disable the UAC of Windows system.

So please be assured to use Start Menu 8.

 

Have a great time.

 

[Flute]

So please be assured to use Start Menu 8.

 

Thank you for your reply. Say some malicious program can access the start menu, then they could bypass the UAC isn't that right? I just see that as a big problem even with your UAC setting disabled. Couldn't some malicious program could just modify the setting so that it's true then access the start menu and start a program bypassing UAC?

[fuzzler]

For your second concern about "MITM attack", we have already taken measures to maximum prevent such attacks, and we plan to encrypt all communication deeply in next versions.

 

Thanks for confirming that. Will be waiting for it then.

[Flute]

Say some malicious program can access the start menu, then they could bypass the UAC isn't that right? I just see that as a big problem even with your UAC setting disabled. Couldn't some malicious program could just modify the setting so that it's true then access the start menu and start a program bypassing UAC?

 

Well I still would like an answer to this question. I can't check this thread every day though and unfortunately there is something wrong with your notification system, see my thread linked to below. Anyway, if you have an answer to my question feel free to e-mail me using the e-mail associated with my account. Thanks

Notifications not coming daily - IObit.Com Forums

[Flute]

Is it possible to answer my question:

 

Say some malicious program can access the start menu, then they could bypass the UAC isn't that right? I just see that as a big problem even with your UAC setting disabled. Couldn't some malicious program could just modify the setting so that it's true then access the start menu and start a program bypassing UAC?