"Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a 'very severe hole' in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
  • by KingSkippus ( 799657 ) * on Tuesday February 13, 2007 @05:08PM (#18003076) Homepage Journal

    There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

    Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

    The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.

    After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

    Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

    Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

    If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

    As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

  • So what's new? (Score:3, Insightful)

    by jmac880n ( 659699 ) on Tuesday February 13, 2007 @05:10PM (#18003108)

    I believe that even RPM on Linux runs the install scripts with admin access...

  • by gvc ( 167165 ) on Tuesday February 13, 2007 @05:12PM (#18003142)
    Ease of use and compatibility with DOS/Windows is a major reason that Microsoft got us into this security mess. The default user in XP was an administrator with no login password. Non-privileged accounts were practically useless, mainly because you couldn't install any software using them. Now Vista is touted as allowing non-privileged accounts, but the price you pay is that any old installer is privileged. What an advance!


    While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the lifeblood of the OS?

  • Re:So what's new? (Score:2, Insightful)

    by Anonymous Coward on Tuesday February 13, 2007 @05:12PM (#18003156)

    I believe that even RPM on Linux runs the install scripts with admin access...
    Yes, but you generally have to be logged in as root in order to install the RPM...
  • Further proof (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 13, 2007 @05:15PM (#18003214)
    ...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.

    When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.

    The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
  • by CheeseburgerBrown ( 553703 ) on Tuesday February 13, 2007 @05:16PM (#18003226) Homepage Journal
    I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.

    "What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."

    This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.

    Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)

  • by mmell ( 832646 ) on Tuesday February 13, 2007 @05:16PM (#18003230)
    Let's say rather that you need root authority to install rpm packages for use by all users.

    rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.

    By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).

    RTFM.

  • In a nutshell: (Score:2, Insightful)

    by Recovering Hater ( 833107 ) on Tuesday February 13, 2007 @05:17PM (#18003254)
    Microsoft programmers *still* don't understand the basic principles behind user access controls or how to implement security. Nothing to see here, move along.
  • by gstoddart ( 321705 ) on Tuesday February 13, 2007 @05:29PM (#18003458) Homepage

    Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use.

    Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.

    Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.

    I mean, for well over a decade I could download any old UNIX software, untar it, set an environment variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.

    This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.

    This just makes me laugh.

    Cheers
  • by EXMSFT ( 935404 ) on Tuesday February 13, 2007 @05:39PM (#18003612)
    UAC is so amazingly, fundamentally flawed. Has been from the beginning. As you noted, it's susceptible to user numbness. It's also susceptible to the dancing pigs phenomenon, something mentioned by Microsoft's own Steve Riley (see http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx [microsoft.com], and search for the words "dancing pigs").

    Mac has issued a salutation. Allow or deny? Comedy gold, and yet Apple hit the nail on the head.

    My expectation is that at least 50% of Windows Vista consumers will turn UAC off entirely, and the remaining 50% will ignore it (psychologically disable it) to the point that it may as well be disabled - especially applies in the enterprise computing world where Joe won't be allowed to turn it off, but still wants to do whatever he wants. Meaning that in the default configuration of users as hobbled admins, every Vista user is then an admin. Just like they are in XP. Really validates 5 years of hard work on security.
  • by Khuffie ( 818093 ) on Tuesday February 13, 2007 @05:40PM (#18003622) Homepage
    You forget, this is a Microsoft product. What's acceptable in OS X and Linux is simply evil, crap, bad, ridiculous, horrendous (continue with adjectives) in Windows.
  • Re:Hole? (Score:3, Insightful)

    by Henry V .009 ( 518000 ) on Tuesday February 13, 2007 @05:44PM (#18003714) Journal
    I knew that reply was coming. Yes, the expert user can force synaptic into running without root privileges. However the new Ubuntu user who tries to start it up is simply going to hit an "enter your password" prompt at the get-go.

    The expert Vista user can get around running installation programs as the Administrative user as well. It's the same issue.
  • Apple got it right (Score:5, Insightful)

    by ruiner13 ( 527499 ) on Tuesday February 13, 2007 @05:49PM (#18003784) Homepage
    There are 2 ways to install software.

    1. Drag application folder wherever you want it
    2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password

    How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
  • by Roadstar ( 909257 ) on Tuesday February 13, 2007 @05:53PM (#18003836)
    I couldn't agree more. My work computer is an XP/Vista dualboot, and the amount of confirmation prompts I'm facing when doing testing in Vista is beyond ridiculous. It's definitely not a good sign when you're about to do something trivial such as copying a file, and right before committing the operation you think "oh shit, here we go again" and prepare for a flood of confirmation prompts (one would think that a single prompt was sufficient, but that's not the case much too often). The idea behind UAC is great (although definitely not an MS idea originally), but the current implementation leaves me to wonder who on earth approved it for production and what is he/she getting paid for?
  • UAC vs SU ROOT (Score:2, Insightful)

    by ThinkFr33ly ( 902481 ) on Tuesday February 13, 2007 @05:54PM (#18003864)
    UAC only kicks in when I try to do something to a file or system resource that I don't have permission to access. Period. End of story.

    In the unix world, if I want to modify a file that I don't own I must elevate my permissions using something like su root. And that's somehow *less* annoying than Vista's UAC prompt?

    The only time I can see this being more annoying is when I'm doing lots of actions that require admin privs. Microsoft did their best to group operations in such a way that you only get one prompt. If I try and delete 20 files, all of which I don't have access to, I'll get 1 UAC prompt.

    But sometimes they can't group these operations together, such as when I'm installing several applications when I'm first setting up my machine. In these scenarios, su root is superior in the sense that I su root once and that's it. With UAC, I'll get a prompt for each install.

    But if you know you're going to be installing lots of applications and you don't want to be bothered with multiple UAC prompts, then just turn off UAC while you're doing those installations. Simple as that. And not harder than su root.

    So what's the big deal? The vast majority of users don't install new applications every day. In fact, the vast majority of users don't do anything that requires admin privs on a daily basis. This is a non-issue.

    I've been using Vista since late November. During the first few days of use I got a lot of UAC prompts, but I really didn't find them all that annoying. One extra click just wasn't a big deal. After getting my machine set up the way I wanted it, I rarely got any UAC prompts. Just doesn't happen all that often.

    Since almost everybody who will run Vista will get it on a new machine with most of the software they will use pre-installed, this is even more of a non-issue.

    But the biggest point is that the way that unix does it, with a session-based elevation, is no less time consuming (in fact, it's usually more time consuming), and it's FAR more dangerous for a "dumb" user because they will tend to just leave their session elevated.
  • Re:Troubling ... (Score:3, Insightful)

    by mandelbr0t ( 1015855 ) on Tuesday February 13, 2007 @05:58PM (#18003912) Journal

    I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
    Yes, it is a matter of responsibility. You (the person surfing the internet, loading the truck, drinking from the tubes, whatever) are responsible for your own privacy while online. Period. There's not a law in the world that will magically turn off all viruses, trojans and malware overnight. However, what will happen is that end-user products will improve to the point where it's a turnkey solution, and a simple verification of some basic settings will protect you from all but the highly organized and criminal bad guys.

    The problem, as I see it, is that the large companies are not interested in your privacy. In fact, they're interested in invading it. They'll say that they just want to serve you better as a customer, but it's really long-term surveillance. If big business was interested in using the Internet as a vehicle for expansion rather than exploiting consumers, we'd see reliable and cheap wifi-enabled routers in every home with broadband. Windows viruses would be nothing more than an annoyance, maybe even a joke like in the good old days. And everyone would know how to protect themselves from them. They certainly wouldn't threaten to cause billions of dollars of unaccountable transactions.

    The funny thing is that before big business discovered the Internet, there was a considerable community movement toward ensuring that everyone was able to implement basic security. After all, your machine is a potential security threat to me if you fail to secure it, much like a ski that doesn't have those little brakes on them could become a hazard to the entire hill when you wipe out.
  • by ucblockhead ( 63650 ) on Tuesday February 13, 2007 @05:59PM (#18003918) Homepage Journal
    I'm a Windows developer. Last time I got a new machine, I counted the number of applications that I needed to install to completely set up my development environment. That number was over forty. You're telling me that I need to track changes to every one of those applications? Not easy on an OS that doesn't have anything like apt...one reason that while I write Windows code by day I run Linux at home.

    There have also been a number of times in my career where I have had to use development software written by companies that either went out of business, or stopped supporting that software. What then?

    What Apple understands and Microsoft does not is that it is not my job to make the OS work better. It is the OS's job to make my life easier.
  • by Paolo DF ( 849424 ) on Tuesday February 13, 2007 @06:09PM (#18004064)
    So, this is *exactly* like the latest "get a Mac" ad. Maybe even funnier!
  • by Rycross ( 836649 ) on Tuesday February 13, 2007 @06:15PM (#18004158)
    It's mostly because Windows has been so piss-poor with their default settings in the past, so trying to get a more secure-by-default setup is like pulling teeth. I remember once reading in a security book that integrating security into your application after the fact is several times harder than designing it that way by default. Windows is in the unenviable position of having to integrate security after the fact.

    Regardless, I think that a Windows version of sudo is a very good step. They just should have spent more time working on permissions so that it didn't trigger so much (assuming that what the posters have said is accurate). The setup thing in TFA is kinda stupid, but installers almost always write to Program Files in Windows, and rarely have a per-user installation method like in Linux. A better solution would have been to try and encourage installers to have a per-user installation method.

    Anyways, it may be that I'm just lucky that I haven't had a lot of problems with UAC. But I haven't had to go registry diving or modify any system directories in Vista yet, so there's that too.
  • by PitaBred ( 632671 ) <slashdot&pitabred,dyndns,org> on Tuesday February 13, 2007 @06:17PM (#18004204) Homepage
    Is it sad or scary when hyperbolic advertising isn't?
  • by andreyw ( 798182 ) on Tuesday February 13, 2007 @06:24PM (#18004322) Homepage
    No, more like.. yes... I trust to install this software, because if I don't... I won't get my paycheck since I can't do my job. What's with the paranoia?
  • by SteveXE ( 641833 ) on Tuesday February 13, 2007 @06:28PM (#18004368)
    I'm with you. I get annoyed pretty quick when it comes to crap popping up on my screen but I've been running Vista since launch and it really doesn't bother me. I'm kinda glad it's asking if it's OK to do some of these things. It's already prevented one program that was piggybacking on another app I downloaded from installing. I downloaded the program which I trusted from a source I trusted. Well guess what was hidden in the install that Vista blocked from auto running? Spyware!

    Everyone seems to be making a huge deal out of nothing and they always get +5 moderation for doing so. If you don't like UAC then shut it off and move on, it's not that hard...oh wait I forgot. Microsoft sucks no matter what they do!
  • by RzUpAnmsCwrds ( 262647 ) on Tuesday February 13, 2007 @06:32PM (#18004416)
    Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!

    VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?

    Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.

    As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.

    Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
  • by be-fan ( 61476 ) on Tuesday February 13, 2007 @06:36PM (#18004460)
    The better solution is what OS X does: extend "sudo" to the GUI. The first time the app needs escalated privileges, prompt for the user's password. Then, cache those privileges for a reasonable amount of time and don't prompt. Unless the app in question is compromised in that interval, it doesn't matter.

    The problem with UAC is that it fails to separate the two orthogonal issues of sanity-checking the user's behavior, and maintaining system security. Consider how "Program Files" is handled. Browsing into "Program Files" throws up a UAC alert. It shouldn't do that --- "Program Files" is readable to everyone. Writing to "Program Files" should throw up a UAC alert, but only the first time in the caching period. The question at that point isn't "Do you really want to modify this directory" (of course I do!), but rather "Do you want to give Explorer.exe permission to modify this directory". When you follow the first train of thought, you end up with prompting the user each time, because obviously each copy requires a separate sanity-check. If you follow the second train of thought, you see that the caching mechanism is just fine, since if Explorer.exe was authorized 30 seconds ago, it's unlikely it was compromised since then, and should retain that authorization.
  • Re:Dammit (Score:4, Insightful)

    by mandelbr0t ( 1015855 ) on Tuesday February 13, 2007 @06:44PM (#18004580) Journal

    UAC has no concept of the source of the execution command. What really needed to be added to Vista is a concept of the "source" of code execution. In the case of UAC there should be the notion of not only the code execution but of the source, such as a keyboard, mouse or other input device. These sources identify execution requests as coming from a HUMAN, and not some nasty zombie PC making virus.
    I'm sure that's the way things would be if it were possible. I don't think you understand computers at a low enough level to know why things don't work this way. All of this source checking gets done long before machine-code instructions ever hit the core (CPU), so all you need to do is somehow intercept the call to find out if the "code" was launched by a human, change "zombie" to "human" and now your killer swarm of zombies just turned into a mob of violent humans.

    In reality, the hardware is optimized for speed. That is, the core will execute the instructions it receives without any sort of bounds checking. If an instruction fails, then an error code is stored and the next instruction is fetched and executed. It's only during boot time that a kernel has the opportunity to install code at particular vectors to prevent other code from sitting there. That's the PC architecture -- it was designed years ago and for good or bad, we're stuck with it (Ironically, many people make the same argument about Microsoft). That's why the kernel is so important: if it fails to protect a particular interrupt vector or other system integration point, then a userland program can elevate itself to kernel-level privileges and walk all over both the running OS and the data on your hard drives.

    The only way to implement your idea (and many others like it) would be to have the hardware recognize this "code source" (or whatever magic bullet you have defined) and act accordingly.

    Long story short, people are looking for a technological solution to a lack of education. Like it or not, there's a lot of people on the Internet now that need education. Vista's UAC seems to be along those lines, though extremely insulting and inflexible to an advanced user. It's like it was designed to "raise awareness" of "potentially unsafe operations" so that someone who was previously a clueless idiot can now see that many operations are potentially unsafe. Of course, the prompts don't explain WHY to this person, which eliminates UAC even as an education tool.
  • by ThinkFr33ly ( 902481 ) on Tuesday February 13, 2007 @06:47PM (#18004604)

    The better solution is what OS X does: extend "sudo" to the GUI. The first time the app needs escalated privileges, prompt for the user's password. Then, cache those privileges for a reasonable amount of time and don't prompt. Unless the app in question is compromised in that interval, it doesn't matter.
    It's not a matter of the "app in question" being compromised. Vista doesn't elevate the entire user, it only elevates the application. For the entire length of execution of that application, the application will run elevated. For instance, Visual Studio.NET is an application that pretty much always needs to be run as admin. When I run the application as admin, it stays as admin. I get 1 UAC prompt, and for the entire lifetime of the process it is running as admin. No caching. No timeouts. No additional prompts.

    If you cached the elevated credentials authorization for "X" minutes, or whatever, you would be giving a free pass to any malware that happened to be trying to do something bad. That's an incredibly bad solution. But I have to assume that's not what you're suggesting.

    Browsing into "Program Files" throws up a UAC alert.
    No, it doesn't. By default, all users on the system can read files in c:\Program Files.

    Writing to "Program Files" should throw up a UAC alert, but only the first time in the caching period.
    It does throw up a UAC, but I've already explained why the "caching period" is a bad idea. Now, what might be a good idea is running explorer.exe elevated when you need to perform lots of different file operations that require admin privs. And you can easily do that.

    If you follow the second train of thought, you see that the caching mechanism is just fine, since if Explorer.exe was authorized 30 seconds ago, it's unlikely it was compromised since then, and should retain that authorization.
    Ok, I think I see where the confusion is. Explorer is unique in the sense that when you authorize a file operation via UAC it doesn't elevate the entire explorer process. There are a bunch of reasons for this. You *can* elevate the entire explorer process if you want, which will achieve what you're looking to do.

    That make sense?
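The two elevation models argued over in this exchange, as an added example that is not part of the thread or of any poster's text: a sudo-style session cache beside per-process elevation of the kind ThinkFr33ly describes, both run over a constructed timeline in which a process the user never launched makes a privileged request inside the cache window. The process ids, the timeline, the 300-second lifetime and the approval rule are assumptions made up for the example; real sudo keys its timestamp on user and tty rather than on a whole session, and the per-process model trusts a process for its lifetime once elevated, which is exactly the assumption be-fan's "unless the app in question is compromised" caveat is about.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    t: int       # seconds since the session started (constructed timeline)
    pid: int     # process making the request
    action: str  # privileged operation it wants to perform


Approver = Callable[[Request], bool]


@dataclass
class SessionCache:
    """sudo-style policy: one approval authorises every later request in the
    session, from any process, until ttl seconds have passed."""
    ttl: int
    last_auth: Optional[int] = None
    prompts: int = 0

    def authorize(self, req: Request, approve: Approver) -> str:
        if self.last_auth is not None and req.t - self.last_auth < self.ttl:
            return "granted-silently"          # no prompt, whoever is asking
        self.prompts += 1
        if approve(req):
            self.last_auth = req.t
            return "granted-after-prompt"
        return "denied"


@dataclass
class PerProcess:
    """Per-process policy as the thread describes UAC: a process is prompted
    once and stays elevated for its lifetime; every other process is prompted
    separately, and nothing expires on a clock."""
    elevated: set = field(default_factory=set)
    prompts: int = 0

    def authorize(self, req: Request, approve: Approver) -> str:
        if req.pid in self.elevated:
            return "granted-silently"          # same process, already elevated
        self.prompts += 1
        if approve(req):
            self.elevated.add(req.pid)
            return "granted-after-prompt"
        return "denied"


# Constructed timeline: pid 100 is the installer the user launched, pid 200 a
# second installer started a minute later, pid 666 a process nobody asked for.
TIMELINE = [
    Request(0, 100, "create C:\\Program Files\\Tetris"),
    Request(5, 100, "write registry uninstall entry"),
    Request(30, 666, "load kernel driver"),
    Request(60, 200, "create C:\\Program Files\\Editor"),
]


def user_approves(req: Request) -> bool:
    """Assumed user: approves the installers they started, refuses the stranger."""
    return req.pid in (100, 200)


def run(policy) -> dict:
    """Feed the timeline through one policy; return each outcome plus prompt count."""
    outcomes = {f"{r.t}s pid{r.pid} {r.action}": policy.authorize(r, user_approves)
                for r in TIMELINE}
    outcomes["prompts"] = policy.prompts
    return outcomes


def compare(ttl: int = 300) -> dict:
    """Same timeline under both policies, keyed by policy name."""
    return {"session-cache": run(SessionCache(ttl=ttl)),
            "per-process": run(PerProcess())}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for key, value in result.items():
            print("   ", key, "->", value)
```

The session cache costs one prompt and silently grants pid 666's driver load at 30 s; the per-process policy costs three prompts (one per installer plus one the user refuses) and never grants anything to a process the user has not approved. That trade is the whole disagreement above: fewer prompts versus a window in which approval is not tied to the process that earned it.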
  • by EMB Numbers ( 934125 ) on Tuesday February 13, 2007 @06:56PM (#18004704)
    1) So, all Vista installers run with admin. priv.
    2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.

    Why does a game need an installer at all? Why not just unzip the game into your user account/home directory or better yet drag the game icon to the place you want it? Why do Windows applications all seem to need an installer?

    On OS X and NeXTstep before it, application icons are actually covers for directories containing all of the support files including executables needed by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.

    The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.

    No installers (except in crap-ware and unusual circumstances, and even then they require an admin password for upgraded privileges!)
    Remarkably little user irritation.

    Why can't Microsoft copy this behavior? It has been for sale since 1988.

    OS X isn't perfect, but sometimes it is better.
  • by Gulthek ( 12570 ) on Tuesday February 13, 2007 @06:59PM (#18004744) Homepage Journal
    It's not a bad idea, just a bad implementation. Which is weird, considering Windows is the last major operating system to add this feature.

    It's a good start, but not for 2007. This stuff should have been in Windows 95.
  • by SuperKendall ( 25149 ) on Tuesday February 13, 2007 @07:07PM (#18004872)
    As for the article - installers pretty much have to elevate.

    I would argue this notion is fundamentally wrong.

    An installer should only have to elevate if it has to modify the system, or possibly existing applications in some way.

    I don't have to elevate for all Linux installations for example if I am not going to install something in /bin, but instead install into a local bin directory.

    In OS X you can install an application just fine without elevation, unless again it requires system access - but most software is self-contained and has no need to add system files. Thus when an installer asks you for a password you have a better feel if whatever app you're installing should really have that level of access.

    In Vista you cannot have any installer do any setup things (like prepping directories or checking to upgrade a program) without running as admin. This is madness, because you are going to always be telling Vista it's OK for even the most trivial installer to go ahead and elevate.
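A plan-time check of the kind SuperKendall is describing (elevate only for writes that actually touch the system), as an added example that is not from the thread or any poster: it classifies an installer's planned write targets as per-user, system or unknown, and asks for elevation only if something lands outside the user's own locations. The root directories, registry hive prefixes, the user name and both manifests are constructed for the example; on a real machine the authoritative answer comes from the ACLs on the actual targets, so anything this table cannot place is treated as needing elevation rather than assumed safe.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Constructed root tables for the example; a real installer would check the
# ACLs of the actual targets instead of trusting a fixed list.
SYSTEM_ROOTS = {
    "windows": [PureWindowsPath(p) for p in
                (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")],
    "posix": [PurePosixPath(p) for p in ("/usr", "/bin", "/lib", "/etc", "/opt")],
}
USER_ROOTS = {
    "windows": [PureWindowsPath(p) for p in
                (r"C:\Users\alice\AppData\Local", r"C:\Users\alice\AppData\Roaming")],
    "posix": [PurePosixPath(p) for p in ("/home/alice/.local", "/home/alice/.config")],
}
SYSTEM_HIVES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")   # machine-wide registry
USER_HIVES = ("HKCU\\", "HKEY_CURRENT_USER\\")      # the user's own hive


def _under(path, roots) -> bool:
    """True if path is one of roots or lies below one of them."""
    return any(path == root or root in path.parents for root in roots)


def classify(target: str, platform: str) -> str:
    """Classify one planned write as 'user', 'system' or 'unknown'."""
    if platform == "windows":
        upper = target.upper()
        if upper.startswith(SYSTEM_HIVES):
            return "system"
        if upper.startswith(USER_HIVES):
            return "user"
        path = PureWindowsPath(target)
    else:
        path = PurePosixPath(target)
    if _under(path, SYSTEM_ROOTS[platform]):
        return "system"
    if _under(path, USER_ROOTS[platform]):
        return "user"
    return "unknown"


def plan_install(manifest, platform: str) -> dict:
    """Split a manifest into writes the user can do unelevated and writes that
    need elevation; unplaced targets count as needing elevation."""
    plan = {"user": [], "system": [], "unknown": []}
    for target in manifest:
        plan[classify(target, platform)].append(target)
    plan["needs_elevation"] = bool(plan["system"] or plan["unknown"])
    return plan


# Constructed manifests: a game that only needs per-user locations, and a
# package that ships a kernel driver and a machine-wide service entry.
TETRIS_MANIFEST = [
    r"C:\Users\alice\AppData\Local\Tetris\tetris.exe",
    r"HKCU\Software\Tetris",
]
DRIVER_MANIFEST = [
    r"C:\Users\alice\AppData\Local\Foo\foo.exe",
    r"C:\Windows\System32\drivers\foo.sys",
    r"HKLM\SYSTEM\CurrentControlSet\Services\foo",
]

if __name__ == "__main__":
    for name, manifest in (("tetris", TETRIS_MANIFEST), ("driver", DRIVER_MANIFEST)):
        plan = plan_install(manifest, "windows")
        print(name, "needs elevation:", plan["needs_elevation"])
        for kind in ("user", "system", "unknown"):
            for target in plan[kind]:
                print("   ", kind, target)
```

The point of splitting the manifest rather than returning a single yes/no is that the per-user part can still run without a prompt even when the rest of the package needs one, so the prompt the user does see names only the system writes (the driver and the service key here), which is the information the thread's OS X comparison says a prompt should carry.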
  • by pherthyl ( 445706 ) on Tuesday February 13, 2007 @07:19PM (#18005030)
    People bitch when it's so easy to get this stuff on a windows machine, Microsoft finally does something about it and people decide to bitch about that.

    No, people aren't bitching about them doing something, they're bitching about them doing something WRONG. Linux and Macs have a similar approach to this problem, but their solution (sudo) is not annoying, so it actually works. All Microsoft had to do was copy that solution to improve security, instead they came up with their own and made it obtrusive in the process.

    I have yet to experience these supposed headaches with Vista yet, the only time that shield pops up is when I run a program that is potentially harmful to my computer

    Although I also have not seen these prompts when copying text, I have seen them in plenty of places aside from installing programs. Places that make absolutely no sense, such as storing wireless settings. There is no reason that action should require admin privileges and thus a prompt.

    How many stories were posted about programs looking like they came from an official place only to release a trojan? Sure you get a program from download.com and figure it's safe but after installing a program it suddenly fucks up your PC, with Vista it will actually ask if you trust it, let you know where it came from, the works.

    And how would that help? You download a program from somewhere, and double click to install it. Whether it is a trojan or not, Windows is going to ask you for permission. Since you downloaded it, you obviously think it is not a trojan, so you would press Ok on the permissions dialog. Turns out it is a trojan, and your system is compromised. A permission dialog does nothing to protect you here.
  • by Stamen ( 745223 ) on Tuesday February 13, 2007 @07:34PM (#18005212)
    What you aren't understanding is: it isn't the concept of asking for permission when you need to do something that requires administrator rights, that Microsoft got right, it's the way they implemented this feature that is so bad. Microsoft often gets the general ideas right, but the details are so wrong.

    Higher up in the thread someone mentions what happens when you copy a file to a folder in Program Files. Because Program Files folders are protected you need elevated permissions to do that. The right thing to do is say that it requires elevated permissions, ask if you want to do it, then do it. But in some cases it asks you 3 times for one file (do you want to copy, do you want to elevate, do you want to overwrite, do you want to be admin, do you need help with writing your letter). Why can't they give you one box that says, "The file already exists and this copy requires administrator rights, do you want to allow this?", then when you say OK, you are done. Why, why, why can't they do this, are they short of money?

    And Mac and Linux do exactly the same thing, they ask your permission to do admin tasks, except they got the details right so they don't irritate the user to death. I guarantee people are just going to shut off UAC because it's annoying, defeating the whole purpose.

  • by AeroIllini ( 726211 ) <aeroillini@NOSpam.gmail.com> on Tuesday February 13, 2007 @08:01PM (#18005540)

    I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

    You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

    Why should it be any different for third-party applications requiring Administrator privileges to run on Windows?

    Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model. After all, a virus in *nix could conceivably blow away a user directory, but unless it's exploiting a buffer overflow or other coding error hole, it can't take down the system. The same is possible in Windows, but not available by default to your average Dell user.
  • by Rycross ( 836649 ) on Tuesday February 13, 2007 @08:13PM (#18005682)
    How is sudo in Unix a good security feature while UAC in Windows is a diaper? It's basically the same thing: a way to elevate privileges for certain tasks.
  • by Max Littlemore ( 1001285 ) on Tuesday February 13, 2007 @08:14PM (#18005690)

    Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not;

    Ouch! I think this is MS making the same stupid design decisions again, and in this case it's the one where a 'special*' filename is treated in a 'special*' way.

    I'm not talking 'special*' as in /boot is special - if I write an executable at /boot/banana/kill_all_humans, my system will ignore it, just as it will ignore C:\Kill~1.exe. I'm talking 'special*' as in a file with a particular name will be treated in a particular way, regardless of the contents. Think of all those old exploits where someone put an executable in an email with a jpg or other extension. This is the same brand of stupid all over again.

    I'm not saying that correct naming isn't important, I'm just saying that the file contents are more important than its name. If someone offers me "chocolate" and hands me dried cat shit, I'm not going to eat it. I'll dispose of it and most likely take violent action against whoever told me it was chocolate. I expect my computer to behave the same way, apart from the violence bit of course.

    They could have changed the executable format and provided a sandboxed legacy OS for older software as other posters have suggested. If there is no easy way of recognising different kinds of .exes, their contents and privileges required, it just highlights the problem MS is having in retrospectively fitting security to a broken model. The fact that they are still using 'special*' executable installers highlights that they haven't really thought these issues through. The fact that they are still using 'special*' filenames shows that they are adding to their existing legacy of 'special*' architecture.

    For the record, I'm not an anti MS zealot. I own an xbox, I just don't let Windows near my home PC.

    * In Canada, special means retarded.
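    The quoted line above says the filename heuristic only kicks in because programs ship without a manifest declaring their execution level. The following is an added example, not code from the original page or from Microsoft: an application manifest (embedded as resource RT_MANIFEST id 1, or placed beside the binary as `<exe name>.exe.manifest`) whose `requestedExecutionLevel` element tells Vista explicitly what the program needs, so installer detection is bypassed and a "setup" in the name no longer forces an elevation prompt. The assembly name, version and description are placeholders I made up.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example manifest (not from the page or from Microsoft).
     Declaring an execution level here is what opts a program out of
     Vista's name-based installer detection. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity: real name/version come from the product -->
  <assemblyIdentity version="1.0.0.0"
                    processorArchitecture="X86"
                    name="Example.TetrisSetup"
                    type="win32"/>
  <description>Example per-user installer that needs no administrator rights</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the launching user's token, no elevation
             prompt, no ability to load drivers or write to Program Files / HKLM.
             The other valid values are highestAvailable and requireAdministrator;
             use requireAdministrator only when the installer really must
             touch system-wide locations. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

    From a least-privilege standpoint the point of the manifest is that the decision is made by the program's author and recorded in the binary, not inferred from its filename at launch: a per-user installer that writes only under the user's profile can declare `asInvoker` and never be offered kernel-driver-level access in the first place.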
  • by Darundal ( 891860 ) on Tuesday February 13, 2007 @08:22PM (#18005794) Journal
    But most programs require admin privileges to run. While you can say that it is the fault of the application developers, and not Microsoft, devs are going to normally take the path of least resistance. Running it as an admin in Windows is the path of least resistance. In *nix, however, there is little difference for most apps between installing/running as root and installing/running as a normal, limited user. It is merely bad design on the part of Microsoft that makes the difference, and encourages the bad behavior.
  • by PopeRatzo ( 965947 ) * on Tuesday February 13, 2007 @08:44PM (#18006008) Journal
    My few hours with Vista taught me something important about operating system design. That is, a good operating system should make you feel like you're in control of your computer. Like you're the one calling the shots and that the system will do exactly what you want it to do without fuss. Further, the experience of using a good OS should make you TRUST your computer and feel as if your computer TRUSTS you. You should not have to beg an OS to install an app or run an executable. Even if you do something that is possibly dangerous to security, the most it should do is ask "are you SURE?"

    I don't want to wonder if my computer is tattling on me if I'm downloading an mp3 without DRM or watching a copy of a video that a colleague gave me. I don't want to think my computer is a rat or a punk. I don't want to think my computer will rebel if I run a perfectly legal program like Alcohol or rip.net or want to install the k-lite mega codec pack.

    DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home.

  • by spisska ( 796395 ) on Tuesday February 13, 2007 @09:20PM (#18006402)

    Actually, wireless settings are systemwide settings, and would probably require a prompt even in Linux.

    Setting up any network settings on Linux requires sudo. It is an administrative task and so requires administrative privileges. On most Linux systems you need to authenticate before you make any changes, and often before you can even view settings. This is right and proper behavior.

    Where MS Windows Vista fails is in completely mucking up the whole concept of permissions. As an administrator, I don't want my users (or myself as a non-admin user) to even be aware of network settings, and certainly not be allowed to change them. If the network is failing, they need an administrator to sort it out. If the user has sudo privileges and can fix it, that's great, but they'll have to authenticate first. There is rarely a need to confirm changes because it is assumed that an administrator knows what they're changing.

    MS Windows Vista lets you do whatever you want, then asks you if you're sure you want to do it, then asks if you're really sure you want to do it, then tells you that you can't do it.

    The point is removing barriers between a user and his or her goal. Linux does this very elegantly. Apple does it elegantly and prettily. MS does it in a way that is as elegant as an elephant trying to turn around in an elevator, and as pretty as what the elephant leaves behind.

    MS hasn't failed because they tried to implement some semblance of user permissions and security, they failed because they did it in such a way that defeats the security through wolf-crying, defeats the permissions by letting anyone elevate permissions easily, and annoys the user by making tasks more difficult, complicated and time consuming than they need to be.

  • by mrchaotica ( 681592 ) * on Wednesday February 14, 2007 @12:23AM (#18007746)

    And the worst part is, if you tell them the truth -- "it does that because Microsoft sucks at making software" -- they don't believe you and think you've got some kind of unfounded grudge against Microsoft!

  • by mrchaotica ( 681592 ) * on Wednesday February 14, 2007 @12:27AM (#18007784)

    Yep, and it just becomes even more fucked up when you realize that Windows has a fancier permission system than unix! Why did Microsoft even bother?

  • by iamstretchypanda ( 939837 ) on Wednesday February 14, 2007 @01:56AM (#18008360) Homepage
    Microsoft stole from Unix, then we get 800 comments about how Microsoft is evil for doing it, yet no one will mention that Apple did the same thing because they aren't the evil Microsoft.

    Or maybe we will have a story on here about how Microsoft is dumb as hell for not implementing it sooner.
  • by Fred_A ( 10934 ) <fred@NOspam.fredshome.org> on Wednesday February 14, 2007 @05:43AM (#18009394) Homepage

    Why should it be any different for third-party applications requiring Administrator privileges to run on Windows?
    Because there's apparently an astounding number of Windows programmers out there that still have a model of the system in their little heads carried over from DOS 5 days. They didn't really get that multiuser thing or what those user privileges were. After all, there's one machine per user, so what's all this multiuser nonsense?
    Similar problems apparently exist with a number of networking apps.
  • by BrokenHalo ( 565198 ) on Wednesday February 14, 2007 @07:44AM (#18009926)
    ...which brings me back to the grandparent post: you would think Microsoft would come up with a more useful dialogue box or just get rid of most of them altogether.

    A few weeks ago my old Dad had one of those delightful messages on his machine: "An unrecoverable error has occurred, yada yada... [OK]."

    As he quite rightly pointed out, "No it isn't fucking OK. What am I supposed to do now?".
