"Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Control (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
  • What? (Score:5, Interesting)

    by jamesshuang ( 598784 ) on Tuesday February 13, 2007 @05:16PM (#18003234)
    So let me get this straight... deleting a shortcut [flickr.com] brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
  • Re:So what's new? (Score:3, Interesting)

    by lukas84 ( 912874 ) on Tuesday February 13, 2007 @05:25PM (#18003382)
    I'm sorry, but you are wrong.

    A regular user without admin rights can't run any program with admin privileges, ever. Of course said user can use runas (or their graphical counterpart), and give the program U:PW for administrative privileges.

    Now, the default user Vista creates at install time is an administrator - but the default token said user gets is the same of a regular user. Now, if you want to run a setup program, Vista will elevate the privileges of such administrator accounts to the administrator level.

    It's really quite similar to sudo, except that it doesn't prompt for passwords. But, if you want, you can do even that, through group policies.
  • Re:Another approach. (Score:3, Interesting)

    by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday February 13, 2007 @05:28PM (#18003442)
    Actually, he was referring to App Bundles, a Mac concept that has been replicated on Linux about a dozen times but has never taken off.
  • Troubling ... (Score:5, Interesting)

    by eck011219 ( 851729 ) on Tuesday February 13, 2007 @05:29PM (#18003456)
    ... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.

    That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.

    My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how unobtrusive they may be.

    I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
  • by 787style ( 816008 ) on Tuesday February 13, 2007 @05:33PM (#18003516)
    I had probably the most frustrating ten minutes I have ever spent on a computer before.

    Start, typed in regedit enter.
    Vista:Are you sure you want to run this program?
    Me: Yes. I went OUT of my way, hit start, run and typed in the program name I wanted. Thanks for checking though. (click) ....
    Edit the registry, close it. That was easy. ....
    double clicked on setup. Stupid shield on my icon, what does that mean?
    Vista: are you sure you want to run this? it's a program, you know.
    Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
    Vista: This is from AMD. Do you trust AMD?
    Me: yes, they pay me. I trust them. (click) .....
    Install......that was easy. ....
    Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over ...
    Open my computer, go to program files ....
    Vista: Are you sure you want to go there?
    Me:Yes (click) ...
    open up the application folder ....
    drag a file from a network share to the application folder....
    Vista: Are you sure you want to overwrite this file?
    Me: Yes (click)
    Vista:A program wants to write to the Program Files folder. Is this ok?
    Me: Yes (click)
    Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
    Me: (Pounds head) (click) ....
    Drag to Desktop. ....
    Drag from desktop to application folder. ...
    Vista:
    Are you sure you want to overwrite this file?
    me: for the love of god yes
    Vista:A program wants to write to the Program Files folder. Is this ok?
    Me: Die.Die.Die.Die.
  • by giafly ( 926567 ) on Tuesday February 13, 2007 @05:35PM (#18003550)
    The truth is out. Microsoft didn't kill clippy [cnn.com] in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing [eweek.com] questions.

    This link allegedly tells you how to turn the questions off [microsoft.com], but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
    by an.echte.trilingue ( 1063180 ) on Tuesday February 13, 2007 @05:43PM (#18003698)
    You know what really gets me about the annoying Vista security model? It's that the one in XP isn't THAT bad, it's just the default configuration that is THAT bad. If you (1) password protect the "administrator" account and (2) run as a non-admin user when not doing admin things (most of the time), you will eliminate many problems.

    I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

    Take care

    -mat

    by The MAZZTer ( 911996 ) <megazzt&gmail,com> on Tuesday February 13, 2007 @05:54PM (#18003860)

    Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.

    If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.

    Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.
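The two controls the post above describes, the installer-detection heuristic and the secure desktop, are both plain registry-backed Group Policy values, and the opt-out for a developer is a manifest with requestedExecutionLevel. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft. It assumes Vista-era defaults (ConsentPromptBehaviorAdmin = 2 means "prompt for consent"; later Windows versions default to 5), and the exe path passed to New-AsInvokerManifest is hypothetical.

```powershell
# Added example: audit the UAC policy values discussed above and show the
# manifest that opts a binary out of installer detection.
# Assumption: the value names below are the documented UAC policy values
# under HKLM; Vista defaults are used as the baseline.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$expected = @{
    EnableLUA                  = 1   # UAC enabled at all
    EnableInstallerDetection   = 1   # heuristic elevation of "setup"/"patch" programs
    PromptOnSecureDesktop      = 1   # prompts rendered on the isolated secure desktop
    ConsentPromptBehaviorAdmin = 2   # Vista default: prompt for consent (5 on Win7+)
}

function Get-UacPolicyReport {
    # Returns one object per setting; Weakened is true when the value is
    # present and differs from the baseline. A missing value means "not
    # configured", which on Vista resolves to the default.
    $props = Get-ItemProperty -Path $uacKey
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Weakened = ($null -ne $actual -and $actual -ne $expected[$name])
        }
    }
}

function New-AsInvokerManifest {
    # Writes an external manifest (<exe>.manifest) next to a hypothetical binary.
    # requestedExecutionLevel=asInvoker tells Windows to run the program with the
    # caller's token and skip the filename/installer heuristic entirely. An
    # embedded manifest takes precedence over this external file.
    param([string]$ExePath)   # hypothetical, e.g. C:\tools\tetris-setup.exe
    $manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@
    $target = "$ExePath.manifest"
    Set-Content -Path $target -Value $manifest -Encoding UTF8
    return $target
}

Get-UacPolicyReport | Format-Table -AutoSize
# New-AsInvokerManifest -ExePath 'C:\tools\tetris-setup.exe'
```

The audit is the check a practitioner wants after reading the post: a machine where PromptOnSecureDesktop has been set to 0 has exactly the window-message exposure the poster accepts, and EnableInstallerDetection = 0 is the "turn off automatic detection" switch, after which installers must be launched elevated by hand. The manifest is the other half of the story: the heuristic only fires for binaries that carry no requestedExecutionLevel, so an installer that declares asInvoker (or requireAdministrator, honestly) is never guessed at.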

  • by ThinkFr33ly ( 902481 ) on Tuesday February 13, 2007 @06:03PM (#18003982)

    First of all, sudo is a much better way to do administrative tasks in *NIX. But aside from that, how many clicks does it take to enable/disable UAC? It is a lot faster to "su root" and then exit than click through even two menus.
    We're talking about something you might have to do once every few months. Do you seriously contend that having something take 5 seconds longer is a big deal?

    But most of all: how long did Microsoft work on Vista and why could they not have done an intelligent job of it?
    So what would have been a better solution?

    It's easy to say that UAC is a bad idea... but it's a lot harder to come up with a better solution.

    So go ahead, give it a shot.

    Why do you need to make excuses on a product that was in development for five years?
    I'm not trying to "make excuses". I'm trying to explain their reasoning... but obviously some people don't care and would rather just bash.
  • by be-fan ( 61476 ) on Tuesday February 13, 2007 @06:17PM (#18004198)
    Most of those prompts were redundant, either because they enforce things guaranteed by the underlying file permissions, or because the authorization could've been cached.

    Vista:Are you sure you want to run this program?

    Of course! It's got +X set!

    Vista: are you sure you want to run this? it's a program, you know.

    Ditto.

    Vista: This is from AMD. Do you trust AMD?

    Redundant. If I didn't trust them, I wouldn't have set +X.

    Vista: Are you sure you want to go there?

    Since Program Files shouldn't be world writable, this should prompt you for the administrator password. This authorization should then be cached for Explorer.exe.

    Vista: Are you sure you want to overwrite this file?

    I'll let this slide, because even 'cp' prompts for that.

    Vista:A program wants to write to the Program Files folder. Is this ok?

    Should've grabbed cached authorization for Explorer.exe. Unless Explorer.exe was compromised in the 30 seconds between this action and the previous one, no security is lost here.

    Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.

    That's just idiotic.

    Are you sure you want to overwrite this file?

    Again, I'd let it slide depending on preference.

    Vista:A program wants to write to the Program Files folder. Is this ok?

    Cached authorization again.

    It's really not that hard. UNIX/sudo got this right god knows how long ago. Apple did the right thing and just copied the sudo mechanism wholesale. Microsoft should too.
  • Re:Further proof (Score:3, Interesting)

    by TheRaven64 ( 641858 ) on Tuesday February 13, 2007 @06:19PM (#18004232)

    When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up?
    They did. It's called Singularity, and is a very interesting system (although somewhat reminiscent of JNode, particularly all of the things they claim are 'novel' about it). The trick is not re-writing Windows, it's selling the re-written Windows. They did very well to get everyone to move from DOS to NT. Now they have quite a nice kernel (although I'm not convinced it will scale to more than 64 cores without a significant redesign), and a load of bolted-on compatibility crap.

    While I'm rambling incoherently, I'd like to point out something not-quite irrelevant. I am typing this from an Intel Mac. I have a few old games, one of which has a MacOS Classic version and a Windows 95 version. The Windows 95 version runs fine under Crossover (and will run under WINE once they get the OpenGL support on OS X fixed), while the Mac version doesn't run at all. I also have a few DOS programs that run fine under DOSBox on OS X, but don't work on XP (without DOSBox). What is the point I am trying to make? That backwards compatibility with Microsoft software is not something that Microsoft have a monopoly on. It's actually easier to run ten-year-old Microsoft software on a new Mac than it is to run ten-year-old Mac software on a new Mac, or even ten-year-old Microsoft software on a new Windows box in many cases.

  • by bleifuss ( 821130 ) on Tuesday February 13, 2007 @06:28PM (#18004366)
    You were lucky. Try logging into Vista using a domain account. Then try copying a file from a restricted share to which the local machine users are not automatically authenticated but to which the logged in domain user is. Try to copy the file to a restricted destination like C:\. You go to do the copy, get all of the prompts you listed and then guess what: when you authenticated to the remote share by logging into the machine you authenticated as the domain user, but the local administrator under whose context the elevated copy is being performed never authenticated to the remote share and you get prompted yet again for credentials.

    This is an annoyance for an end user but a major pain in the neck for software. I develop software that does not run elevated that accesses a remote file and then passes the file path into an out-of-process server that is running elevated. We either had to make the server no longer run elevated or prompt the user for credentials they already used to log into the machine (and which they don't think they need because they can get to the files just fine themselves) and then pass these credentials to the server with the path. Fortunately our architecture allowed us to have our server not run elevated and get some other server to do the tasks that needed to be done elevated.

    Vista is really a pain in the neck. What's funny about it is that I was at a Vista interop event at Microsoft last November (yes I sometimes have to fraternize with the enemy) and every MS developer I worked with had to tell me how much they loved working on Vista and that they had been using Vista on their development machines for months. I asked them if they had disabled UAC and they said "no, why would you want to do that?" I then asked them if it wasn't annoying to be prompted all the time and they said "no." I can only assume that they must have been brainwashed.
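The situation the post above describes is a consequence of UAC's split token: the filtered (logon) token and the elevated token live in separate logon sessions, so a share authenticated or mapped under one is not reachable under the other. The script below is an added example for this page, not the poster's software and not Microsoft code. It runs inside the elevated process, detects the split, and binds credentials to the elevated session with net use; the UNC path is hypothetical.

```powershell
# Added example: make a share that the logon token can reach also reachable
# from the elevated token, without re-architecting the application.
# Assumptions: run in the elevated process; \\fileserver\restricted is a
# hypothetical share; the caller holds valid credentials for it.
param([string]$Share = '\\fileserver\restricted')

function Test-IsElevated {
    # True when the current process token carries the Administrators group
    # (i.e. this is the elevated half of a UAC split token, or a full admin).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Connect-ShareForElevatedToken {
    param([string]$Path)
    # Already reachable under this token: nothing to do.
    if (Test-Path -Path $Path) { return $true }

    if (-not (Test-IsElevated)) {
        # Not elevated, so this is a genuine access problem, not the split-token one.
        Write-Warning "No access to $Path and the process is not elevated."
        return $false
    }

    # The share is known to the logon session but not to the elevated one:
    # authenticate once for this session. Prompting here is the explicit
    # "approve the first time" step; the credential is not written anywhere.
    $cred = Get-Credential
    $user = $cred.UserName
    $pass = $cred.GetNetworkCredential().Password
    # Caveat: net use takes the password on its command line, which is visible
    # to other processes on the machine while the command runs. Passing '*'
    # instead makes net use prompt interactively if that is unacceptable.
    & net use $Path /user:$user $pass | Out-Null
    return (Test-Path -Path $Path)
}

if (Connect-ShareForElevatedToken -Path $Share) {
    # The elevated copy into a protected location now works with this token.
    Copy-Item -Path (Join-Path $Share 'build.dll') -Destination 'C:\' -Force
} else {
    Write-Error "Could not reach $Share from the elevated token."
}
```

The connection made by net use is scoped to the elevated logon session, so it does not leak back to the non-elevated shell, which is the behaviour the poster ran into in reverse. Microsoft's own workaround for the drive-mapping side of this is the EnableLinkedConnections policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which makes mapped drives visible to both halves of the token; it widens what the elevated token can reach, so treat it as a deliberate trade-off rather than a default.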
    by hackstraw ( 262471 ) on Tuesday February 13, 2007 @06:36PM (#18004468)
    Sounds like Clippy has been re-incarnated.

    The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now it's worse because the operating system blocks and asks you to click a bozo box every time you do anything?

    * smashes head on desk *

    Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who it's designed for, or if it's even designed at all.

    The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when you're supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.

    * smashes head on desk again *

    Microsoft can't even rip off existing security models that work like the elevated privileges in OS X. Microsoft embarrasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.

    Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.

    Oh, and I almost forgot.

    Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.

    Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?

    * smashes head on desk again *

    by yanw ( 881137 ) on Tuesday February 13, 2007 @06:40PM (#18004516)
    To quote "Practices of an Agile Developer" (ish): "If 1% of your users have a problem it is because they are an idiot. If 10% have a problem they need more training. If >25% have a problem you are an idiot."

    The parent is not in the 1%, the parent is in the >25%.

    Do you trade off usability for your pre-empted blame culture excuse? The answer lies at your own gate and in your answer lies your fate.

  • It's not that simple (Score:4, Interesting)

    by JacksBrokenCode ( 921041 ) on Tuesday February 13, 2007 @06:49PM (#18004634)

    Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus. You ARE prompted when doing something that will affect other users of the system, such as installing software site-wide. If you want to install a warez server under your own home folder, go nuts, you already explicitly have permission to do so.

    The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole [slashdot.org] even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.

    It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.

  • by phoenixwade ( 997892 ) on Tuesday February 13, 2007 @06:52PM (#18004656)
    No, it isn't lazy users. It's social programming. It's behavior training. And that is MS's problem.

    Sooner or later, if you offer a situation where the user needs to click okay for non-threat situations - you train them to click okay every time the message is presented. You are providing a pathway to encourage users to circumvent, not just allow it. Solves one problem by creating a new one.
    by hey! ( 33014 ) on Tuesday February 13, 2007 @07:24PM (#18005084)
    in our concept of a personal computer.

    Yes, this is a specific flaw in response to the problem, but why do we have the problem? Why is it that when you browse to a web page, you are endangering an accounting database you have on your machine?

    What I am leading up to is this: there is too much coupling between computer applications via the personal computer operating system. It isn't just that MS put installers into God mode -- although that is bad.

    Imagine you ran your computer as an X terminal or Citrix client, and you connected to applications running on remote servers. Installing or upgrading one piece of software could do very little to affect another. Now imagine a variation on this: what if we never created installers. What if we distributed software in virtual machines that you simply dragged onto your disk, and the operating system provided window management, clipboard integration, and file service? Furthermore the virtual machine would have no access to system files, any more than a network client has access.

    Your browser should at the very least run in some kind of a sandbox.

    There was some possibility, a decade ago, of a change in the nature of applications. The OpenDoc idea was that the user experience would be document centric, and vendors would provide various capabilities users could employ on the documents. This was a beautiful idea: instead of building lots of boilerplate capabilities, you as a developer would create only the bit you wanted to add to the software universe. OpenDoc never got past beta, and the OLE model, based on heavyweight applications, won. Well, if you're going to go that way, why not package each application with its own complete, but lightweight, runtime system? If you need to install an ActiveX control, why install it for every application on the system?
  • by Overly Critical Guy ( 663429 ) on Tuesday February 13, 2007 @07:30PM (#18005176)
    I guess it's because UAC isn't there out of some smart architectural design that Microsoft conceived during the development of Windows, like with UNIX security privileges. It's there to mask the problems of their aging Win32 codebase that still relies on an API that was designed in the single-user days of the 1980s. So to me, UAC is a constant reminder that Windows is broken and needs a diaper to protect itself from the evil online world.
    by rjstanford ( 69735 ) on Tuesday February 13, 2007 @07:47PM (#18005384)

    I develop software that does not run elevated that accesses a remote file and then passes the file path into an out-of-process server that is running elevated. We either had to make the server no longer run elevated or prompt the user for credentials they already used to log into the machine (and which they don't think they need because they can get to the files just fine themselves) and then pass these credentials to the server with the path. Fortunately our architecture allowed us to have our server not run elevated and get some other server to do the tasks that needed to be done elevated.
    It strikes me that this is exactly the kind of thing that Vista's "involve the user" kind of process is indeed supposed to alert them to. The real issue is that there needs to be some way to cache "Yes, this program can access this share and move the files to this special place," in a very specific way. But the user should definitely approve of this the first time through, at least.

    I'd also like to see multiple levels of caching, so that when you're asked for permission to perform one action or a string of actions, you can say one of Never, This time, This execution, This login session, or Always. But I admit that I'm dreaming here.
    by PhotoGuy ( 189467 ) on Tuesday February 13, 2007 @08:16PM (#18005718)
    Microsoft embarrasses me as a computer professional

    Wow, I had never heard anyone say it so succinctly, but that's it, baby. I always felt an unrecognized sense of shame for the state of computers today, and I never quite realized why. This is it. Things should be *soooo* much further along today, if it weren't for the predatory monopolistic effects of MS. Throughout so much of the short PC history, there were rays of sunshine (Quarterdeck's multitasking DOS thing, many IP stacks, etc., etc), that were quashed by their monopoly. To see this happen, and realize their mediocrity, and not have done anything about it, definitely brings a sense of shame.
  • Two issues confused? (Score:3, Interesting)

    by the_womble ( 580291 ) on Wednesday February 14, 2007 @12:03AM (#18007622)
    As far as I can see Joanna Rutkowska's original criticism was that you need to be admin to install software. How is this different from Linux or any other OS?

    Mark Russinovich then revealed that a non-admin process could cause an admin process to run arbitrary code. That sounds like more of a real problem.

  • by mpe ( 36238 ) on Wednesday February 14, 2007 @03:54AM (#18008946)
    You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

    Presumably you mean "any *nix software which claimed to be some kind of ordinary user application".
    You'd probably also want to ensure that the software itself was wiped from the face of the planet, since if the "developer" doesn't know about the setuid permission bit it's rather unlikely that they know enough to write software which has any chance of being bug free...

    Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model.

    In theory XP's permissions system is more capable than that on unix type systems, since every permission is an ACL (including deny options, thus you could say "Any user in accounts except for Anne and Bob can do this..."). In practice it appears even Microsoft have problems securing Windows properly.
  • by Anonymous Coward on Wednesday February 14, 2007 @09:44AM (#18010712)
    Some may argue that Mark Russinovich, often a thorn in Microsoft's side, sold out when they bought ("hired") him. However, Mark has a long and enviable track record of exposing Microsoft problems. I am not prepared to ignore that track record so easily, and I appreciate the honesty of his response to Joanna Rutkowska, who hasn't discovered anything here of significance IMHO.

    The perfect operating system will not be realized so long as imperfect users interface with it.
