"Very Severe Hole" In Vista UAC Design 813
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
Re:So what's new? (Score:3, Informative)
If you install an RPM of unknown provenance, you deserve what you get.
Otherwise, the packages are presumed to have been tested by the maintainers and to not destroy your system.
There is no such structure in Windows-land. You clearly do not understand how the system works if you think the two are comparable.
Re:So what's new? (Score:5, Informative)
Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
It's not the software. (Score:5, Informative)
That's the thing. Most of the prompts I was getting was not from software trying to do stuff, it was from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
Re:Another approach. (Score:3, Informative)
Just to be a pedant, I would like to mention that you can in fact do this on Windows. However, applications developers seem to be in love with the registry, despite the fact that it really offers them no benefits whatsoever. I mean, it's slower than just putting all that data in flat files...
I have lots of programs that work fine when I just copy them from one windows installation to another. Most of them are in my games folder, though.
Re:An even bigger hole... (Score:4, Informative)
UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.
MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).
Re:Another approach. (Score:3, Informative)
A user has had the ability to install stuff in her home directory on POSIX machines for oh... probably since POSIX machines have been around. This isn't a "Mac concept". At most Apple has polished the idea to make it easy for non-geeks. And don't forget that OS X a.k.a Darwin is a POSIX-like implementation.
Re:It's not the software. (Score:5, Informative)
For repeated, but separate operations (like installing a lot of applications when you're setting up your machine), you can disable UAC. This is basically the same thing as su root if your account is an admin account. Once you're done, re-enable it. It's really not that hard.
The cause of your problems and the solution (Score:5, Informative)
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does, but it is not recognized by Vista. #2: Administrators permissions are only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
Re:An even bigger hole... (Score:5, Informative)
UAC prompt opens in separate logical desktop. Applications from main desktop can not send windows messages to it which means malware will be unable to click ok itself.
Re:An even bigger hole... (Score:4, Informative)
Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so. Vista's all-or-nothing UAC is nothing more than an attempt to shift blame to the users, so that MS can claim to provide better security than ever before.
Re:It's not the software. (Score:2, Informative)
The underlying problem here is exactly how much explorer.exe is tasked to do. It's the start button, the file explorer, and can be a launcher application. If explorer.exe is ever trusted, it is never unloaded from memory and is always running. You would have to spawn a new process for each instance, and have to trust each instance for that to begin to work, but we've just failed by having to reauthorize each instance.
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
That's just idiotic.
I couldn't believe it when I read it. And it is so incredibly easy to defeat, I just don't see the point. Any malicious code simply drops itself into the root of the drive before shoving itself into program files. Not that there is any particular gain to be had, except maybe replacing executables. Again, this is easily bypassed.
Re:An even bigger hole... (Score:4, Informative)
In theory UAC should behave like this as well. UAC is mostly a way of elevating privileges, just like sudo, minus the password. Administrators on Windows actually run under lower privilege accounts, and then elevate for specific tasks that require administrator privileges.
See, the real problem is so many things in Windows require Administrator by default. Even stuff that shouldn't. That's the real problem here.
You can do this in Windows too. It has a "Run As" option, and ACLs that let you grant any arbitrary number of users or groups access to the file.
Um, what does that have to do with anything? (Score:4, Informative)
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
Re:What? (Score:3, Informative)
Actually it is different....
In a Unix shell when you run rm on a file you don't have permissions to delete it fails. It doesn't offer to help you screw up.
Re:It's not the software. (Score:1, Informative)
Run MSCONFIG
Click TOOLS
Click DISABLE UAC
Execute
Reboot
Re:An even bigger hole... (Score:2, Informative)
it sucked in the pre-beta days, but the released bits behave just as you describe. Anyone who says otherwise is mongering the FUD.
Re:An even bigger hole... (Score:3, Informative)
Me too. Yet on unix (csh/tcsh) I always do:
alias rm 'ls \!* && echo -n "Remove (y/n)? " && if(y == $<)
which, unlike "rm -i" prompts just once no matter how many files are being deleted.
I've run that way for over 15 years now (damn, I'm getting old) and never once deleted something by mistake.
Re:Apple got it right (Score:3, Informative)
Incorrect. The MSI installer service impersonates the privileges of the user that launched the msiexec.exe program that initiated the installation of the MSI package for the duration of the install.
Further, it is entirely possible to write an MSI package that can be run by a non-admin. Mostly, however, installers need to write to areas that make what's being installed available to some or all of the users of the system (e.g. \Program Files), and this quite properly requires admin rights.
Re:It's not the software. (Score:5, Informative)
Apple copied sudo's idea of "least required privileges" as the basis of its GUI security model, but I don't know if sudo was the first example of LRP. Maybe it was. But the GUI security model is definitely more complex than sudo, and apparently, it's a hell of a lot better than what Microsoft came up with for Vista. Using heuristics to identify which executables should get admin rights just seems like a horrendously stupid idea. Microsoft should've put its foot down on this one and forced developers of installer applications to properly request credentials. But they chose backwards-compatibility, as always, and now they're basically guessing who needs admin rights and who doesn't.
Re:It's not the software. (Score:4, Informative)
Apple didn't copy the sudo mechanism. They copied sudo itself, shipped it with the operating system, and used it from the GUI.
So changing /etc/sudoers can affect the GUI. This can be important, because the default behavior is to cache credentials for 5 minutes, which can leave your system exposed to the next thing that wants Administrator privs. Changing the cache timeout to 0 fixes that, nicely.
Can it be overridden using manifests? (Score:4, Informative)
From the NSIS (Nullsoft Scriptable Install System) documentation:
RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privilege level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.
It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.
More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".
So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.
Re:It's not the software. (Score:5, Informative)
Whatever. For starters, Apple didn't just steal from Unix, they built their OS on top of Unix. And you can't read any article on OSX around here without a dozen posts pointing that out, so the "no one will mention" part is just crap. Of course Apple never hid the fact that they were "stealing" Unix by building their OS on top of BSD. The whole point being to start with a solid OS with all these great Unixy concepts built in and add their Apple interface on top. Whereas when Microsoft steals these features after another five years, they'll act like they were struck by inspiration out of the blue and done something that nobody's done before, like they have with every other idea they've stolen. So the "did the same thing" part is crap too.
It may be fun and easy to take a poke at the "/. doublestandard", but it only reveals that you don't understand that it isn't a double standard at all. Microsoft has a bad rep for a reason among those who have been paying attention, and hey, maybe you don't know or understand why but don't think Apple would get a pass if they truly did the same things Microsoft does.
Next up: Why viewing Halliburton in a harsher light than Bob's General Contracting is also not an unfair double standard.
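Returning to the manifest question raised in the NSIS post above ("Can it be overridden using manifests?"): the answer turns on two paths UAC takes when an executable is launched. If the binary carries a manifest with a requestedExecutionLevel, UAC honours that level and installer detection is skipped; if it carries none, installer detection inspects unmanifested 32-bit interactive executables for keywords such as "install", "setup" and "update" in the file name and version-resource strings, and elevates anything that matches. The following Python model is an added example, not code from the thread or from Microsoft. The keyword list, the manifest samples and the version strings are constructed approximations of the documented behaviour, not Vista's actual implementation.

```python
"""Simplified model of Vista UAC launch decisions: explicit manifest level
first, installer-detection keyword heuristic only when no level is declared.
Added example with constructed inputs; not Microsoft's code."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# trustInfo appears under asm.v2 in older manifests and asm.v3 in newer ones.
TRUSTINFO_NAMESPACES = ("urn:schemas-microsoft-com:asm.v2",
                        "urn:schemas-microsoft-com:asm.v3")
VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
# Constructed keyword list approximating the documented heuristic.
INSTALLER_KEYWORDS = ("install", "setup", "update")

# Constructed manifest: what the NSIS "RequestExecutionLevel user" option emits.
MANIFEST_ASINVOKER = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def requested_execution_level(manifest_xml: Optional[str]) -> Optional[str]:
    """Return the declared level, or None when there is no manifest or the
    manifest does not contain a requestedExecutionLevel element."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for ns in TRUSTINFO_NAMESPACES:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            level = node.get("level")
            if level not in VALID_LEVELS:
                raise ValueError(f"unknown requestedExecutionLevel: {level!r}")
            return level
    return None


def looks_like_installer(filename: str, version_strings: Dict[str, str]) -> bool:
    """Keyword heuristic over the file name and the version-resource strings
    (CompanyName, ProductName, FileDescription, OriginalFilename, ...)."""
    texts = [filename.lower()] + [v.lower() for v in version_strings.values()]
    return any(kw in text for text in texts for kw in INSTALLER_KEYWORDS)


def uac_decision(filename: str, version_strings: Dict[str, str],
                 manifest_xml: Optional[str] = None, is_32bit: bool = True,
                 user_is_admin: bool = False) -> Tuple[str, str]:
    """Return ("prompt", reason) when UAC would show a consent/credential
    prompt and launch elevated, or ("run", reason) when it launches as the
    invoking user without a prompt."""
    level = requested_execution_level(manifest_xml)
    if level == "requireAdministrator":
        return "prompt", "manifest requireAdministrator"
    if level == "highestAvailable":
        # Admin users are prompted to use their full token; standard users
        # simply run unelevated with the highest token they already have.
        if user_is_admin:
            return "prompt", "manifest highestAvailable for admin user"
        return "run", "manifest highestAvailable for standard user"
    if level == "asInvoker":
        return "run", "manifest asInvoker"
    # No declared level: installer detection applies to 32-bit interactive
    # executables only; 64-bit binaries are expected to carry a manifest.
    if is_32bit and looks_like_installer(filename, version_strings):
        return "prompt", "installer detection heuristic"
    return "run", "no manifest, not detected as installer"


def demo():
    """The thread's freeware Tetris installer, with and without a manifest."""
    return [
        uac_decision("tetris_setup.exe", {}),
        uac_decision("tetris_setup.exe", {}, MANIFEST_ASINVOKER),
        uac_decision("tetris.exe", {"FileDescription": "Tetris Installer"}),
        uac_decision("tetris.exe", {"FileDescription": "Tetris"}),
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:6}  {reason}")
```

The first two demo cases are the point of the NSIS post: the same unmanifested setup.exe is elevated purely on its name, while the identical binary with an asInvoker manifest runs as a standard user and never sees a prompt. The third case shows why renaming the file is not enough; the version resource is searched too.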
Re:An even bigger hole... (Score:5, Informative)
You mean like modifying files that you don't have ownership of?
UAC does not, and has never, prompted users when they move files that they have permissions to. It does, however, prompt when you move files that are in the common desktop or in the common start menu folders.
Clearly, you don't understand anything about how Windows works. Windows has had access control lists practically everywhere in the OS since Windows NT.
Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.
Re:It's not the software. (Score:3, Informative)
Actually, wireless settings are systemwide settings, and would probably require a prompt even in Linux.
Re:It's not the software. (Score:4, Informative)
However, I suspect the GP is talking out of his arse. The file was from another PC, in another workgroup, drag-and-dropped straight into the Program Files directory. I even tried it in the Windows folder, and it was fine.
Re:An even bigger hole... (Score:3, Informative)
alias rm 'ls \!* && echo -n "Remove (y/n)? " && if(y == $<)
Re:It's not the software. (Score:3, Informative)
there's a link for people who prefer not to download an 18.8mb codec.
Re:It's not the software. (Score:2, Informative)
Forget your computer, worry about those logs your ISP is keeping.
Re:An even bigger hole... (Score:4, Informative)
Uh, Linux has supported POSIX Access Control Lists and Extended Attributes for quite a while now.
Heck, it dates from the days when ext2 was the king of filesystems, and that's a long way back. (Granted, at least on ext3, you have to specifically turn them on in mount options or with tune2fs, but on XFS, JFS and (to my knowledge) Reiser3 and 4, they're supported out of box.)
And when people say POSIX, they mean "real *nixes have had these features for, like, centuries". =)
What are you saying next? "Active Directory is so much better an authentication system than /etc/passwd, which is also a security risk that exposes encrypted passwords to users"? =)
Re:An even bigger hole... (Score:2, Informative)
1. Use RunAs to fire off a new explorer.exe process running in admin mode. Then do as much work as you want; as long as the process is started from that window, it's all in admin mode. It's basically almost like firing up a term-serv window into your own machine. MakeMeAdmin is the same thing, but adds the elevated priv tokens to your regular profile for that one process (rather than starting a process in a different user profile).
2. Use RunAs to fire off a new cmd.exe shell running in admin mode. Then do as much work as you want as admin.
Now granted, UAC is sort of a weird hybrid thing, where you run as admin but cant do admin stuff without answering the prompt. But just turn UAC off, work as a non-admin (like a sane person), and use RunAs when you need it.