Users' Admin Logins Make Most Windows Malware Worse

nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."

  • You mean... (Score:5, Insightful)

    by laughingcoyote ( 762272 ) <(moc.eticxe) (ta) (lwohtsehgrab)> on Thursday February 05, 2009 @02:17AM (#26734173) Journal

    Not running as a fully-privileged user reduces your security risk? Who knew!

    This is not news. The question is why it hasn't been meaningfully addressed in Windows for such a long time.

  • Dupe (Score:4, Insightful)

    by Anonymous Coward on Thursday February 05, 2009 @02:23AM (#26734201)

    The vulnerability is in Windows 7's UAC, not Vista's, so that part of the story is not only wrong but a dupe of the previous "UAC vulnerability" article. As for the rest of the story, it's just marketing copy for BeyondTrust Corp. Congratulations samzenpus, you've posted perhaps the first article that's wrong, dupe, blogspam, and slashvertisement all at the same time!

  • by CodeBuster ( 516420 ) on Thursday February 05, 2009 @02:23AM (#26734203)
    The history and culture of Windows is at least as responsible for the "run as root" problem as any shortcomings, and there were many over the years, in the OS itself and although Windows OSes have progressively improved security over the years there is only so much to be done, on any system, when users have been trained to run as root and click "yes" every time. Of course, malicious programs like downadup and the infamous ClickYesToContinue ActiveX certificate debacle don't help matters.
  • Re:You mean... (Score:5, Insightful)

    by Urd.Yggdrasil ( 1127899 ) on Thursday February 05, 2009 @02:33AM (#26734229)
    It would be a hell of a lot easier if software developers didn't require administrative privileges when they really don't need them. I tried to run in a "user" usergroup when I replaced win2k pro with win xp pro but nothing ran correctly. I tried using the "run as" menu and a program called sudo-win which would elevate my privs temporarily then reduce them again. Nothing would install correctly, nothing would run correctly. Even programs that don't use any administrator functions or zones wouldn't work correctly. Realistically, running in a non-admin account is a pain in the ass.
  • Re:You mean... (Score:5, Insightful)

    by EvolutionsPeak ( 913411 ) on Thursday February 05, 2009 @02:41AM (#26734271)

    The question is why it hasn't been meaningfully addressed in Windows for such a long time.

    This question has long been addressed as well. There are several reasons, but I'd say the primary one is that it breaks compatibility with too many applications. Since Windows has given administrative privileges by default for so long, programmers have assumed that the user will have them and do things that require those privileges, like write into the Program Files directory.

    Vista took many steps to meaningfully address the issue.
    UAC has been part of an attempt to rectify the problem by not allowing the administrative privileges to be used without user intervention.
    It also acts as a form of "sudo" so that it's possible to run as an unprivileged account. However, it is a giant pain because the aforementioned coding practices induce a million popups.

  • by magamiako1 ( 1026318 ) on Thursday February 05, 2009 @02:41AM (#26734273)
    That's what UAC is for. It's there, applications can take advantage of it. IE takes advantage of it. Even Chrome takes advantage of it.

    Most software developers are freakin' lazy.
  • by Animats ( 122034 ) on Thursday February 05, 2009 @02:44AM (#26734279) Homepage

    What's really annoying is that too many programs still insist on "administrator" privileges for installation. Installation needs to be a far more contained process, with limited authority. Most applications don't really need the ability to manipulate elements of the system outside their own directory subtree and their own subtree of the Registry. Installation of "normal" applications (especially games) should be contained accordingly. Most applications are, in a security sense, "leaf nodes"; nothing else depends on them. But Microsoft doesn't make that distinction. (Nor do most Linux application installers, even though Linux/UNIX doesn't have the registry issues that Windows does.)

  • Re:You mean... (Score:5, Insightful)

    by LoadWB ( 592248 ) on Thursday February 05, 2009 @02:52AM (#26734311) Journal

    Seconded. When you have mainstream applications like Peachtree, QuickBooks, Timberline, and even some of Microsoft's own products, requiring administrator access to a workstation, limiting rights is difficult.

    (Mind you, I speak from a purely XP-standpoint. We have had so many problems with Vista at sites which have tried to implement it that we do not use it. And others do not have the hardware to run Vista.)

    IIRC, I have also run into issues with AutoCAD, some network scanner drivers, and the like.

    Mostly, the ways around these requirements are convoluted or require in-house admin staff to handle minor requests which need immediate attention.

  • by symbolset ( 646467 ) on Thursday February 05, 2009 @02:55AM (#26734323) Journal

    The history and culture of Windows....

    This is unfortunately correct, if not a bit vague. That's what happens I guess when the problems are too numerous to list.

    although Windows OSes have progressively improved security over the years there is only so much to be done...

    Until they've done what can be done, we're still entitled to gripe. Does it take thirty years to figure out end users don't log in with admin privileges? Because that's how long it's been best practice. Was it two decades ago "no open ports by default" became the standard shipping configuration of a real OS? Was it Wirth who said "sanitize your inputs" or does that wisdom predate even him?

    Microsoft is doing fine. See? They've taken over the desktop market. They're making money like they own the mint. They must be doing it right. Let's leave the chef to his muttons.

  • by rsmith-mac ( 639075 ) on Thursday February 05, 2009 @03:08AM (#26734365)

    Lame blogs aside, The Fucking Article [computerworld.com] is damn near worthless. Highlights include:

    • The study was done by BeyondTrust Corp. who is looking to push their Privilege Manager software, which shockingly is permissions-management software. Right off the bat we have a dubious study due to the conflict of interest and the sponsor.
    • The article makes no distinction among what OSs were used in the study. Was it Vista? XP? Server 2003?
    • The article also makes no distinction on if UAC was used, if Vista was used at all. Of course why would a company trying to sell security software want to tell people that just enabling UAC and/or setting your users as standard users would fix the problem?
    • The only quote is from the director of marketing.

    In conclusion: Running everything with admin privileges is bad, which is why Microsoft fixed this 2 years ago with UAC. It's a lame PR piece about an equally lame study from a company that wants to sell you stuff to do things that MS did years ago. If you are here reading Slashdot, there's nothing here you didn't already know.

  • Re:You mean... (Score:5, Insightful)

    by Spit ( 23158 ) on Thursday February 05, 2009 @03:12AM (#26734389)

    Realistically, running in a non-admin account is a pain in the ass.

    ...in Windows.

  • Halt (Score:3, Insightful)

    by bazald ( 886779 ) <bazald@z[ ]pex.com ['eni' in gap]> on Thursday February 05, 2009 @03:13AM (#26734391) Homepage

    What you suggest is either impossible, extremely undesirable, or both, assuming that by "they" you mean Microsoft.

    For them to prevent certain classes of applications from running, without special knowledge, would require a kind of analysis similar in nature to solving the halting problem - a problem well known to be unsolvable.

    Then the course of action is to require applications requiring root privileges to be signed by Microsoft, essentially making Windows a closed platform for developers. Furthermore, any applications they sign would have to be bullet-proof, getting back to the halting problem.

  • Re:You mean... (Score:3, Insightful)

    by Z00L00K ( 682162 ) on Thursday February 05, 2009 @03:26AM (#26734435) Homepage Journal

    Running a non-admin account works fine if you only run the office package, but as soon as you plan to do something slightly advanced you end up with failed permissions and other types of obnoxious behavior - which is hard to figure out because Windows won't tell you because you don't need to know.

  • Re:Halt (Score:2, Insightful)

    by bazald ( 886779 ) <bazald@z[ ]pex.com ['eni' in gap]> on Thursday February 05, 2009 @03:29AM (#26734451) Homepage

    Microsoft would have to create a flag so that programmers can set it to tell the system that it is a security related program and thus should be allowed to execute under the admin account.

    The problem with your implementation suggestion is that software developers who don't respect good security practices as it is will not respect such an API. If it is easier to set a flag asserting that the program is "security related" than to follow good software development practices, that is what they will do.

  • Re:Halt (Score:3, Insightful)

    by Flwyd ( 607088 ) on Thursday February 05, 2009 @03:30AM (#26734455) Homepage

    So why wouldn't the virus authors set the security-related flag?

    More importantly, I hope admins are allowed to run Command Prompt and web browsers. And if you can run those, I don't see how you're going to gain much security. And if you don't let admins download from the web and run DOS scripts, I don't know how you plan to accomplish much as a system admin.

  • Study flawed (Score:5, Insightful)

    by benjymouse ( 756774 ) on Thursday February 05, 2009 @03:35AM (#26734471)

    Problem is that they assume that when the security bulletin says that successful exploitation will allow the attacker to run as the current user, this does not mean that the attacker will be able to run as admin, even though the user is an admin.

    Indeed (with UAC on) IE7 runs in protected mode which is a "sandbox" where the users' security tokens have very limited rights, thus intrinsically protecting the OS.

    The Vista protected mode effectively runs the process as a limited user, even though it preserves the users identity.

    Even if the attacker can somehow trick the browser or user into downloading a malicious file and start it, it will still need elevation (yes, the cancel/allow thingy) to assert admin privileges.

    So, another way to spin this would be "Vista UAC protects against exploitation of 92% of vulnerabilities".

  • Microsoft... (Score:5, Insightful)

    by Greyfox ( 87712 ) on Thursday February 05, 2009 @03:36AM (#26734475) Homepage Journal
    Ignoring 30 years of accumulated UNIX wisdom... for 30 years.

    I swear those guys are like that guy who just installed Linux, runs it as root all the time because he "knows what (he's) doing" and enables telnet and hands out logins to all his friends. Except that guy learns after the first or second time his system gets rooted that maybe he should stop being such a goddamn jackass and run his system the right way from now on. Microsoft never got past the jackass phase. They keep implementing half-assed fixes because they think they can do it better. You'd think 30 years of failure would convince them otherwise...

  • Microsoft's biggest market advantage is the amount of legacy software that supports their platform.

    Rewriting an app to be cross platform is not much more work than rewriting for a single OS so if they force application makers to do a complete rewrite they risk having them rewrite using cross platform libraries.

  • by Tatsh ( 893946 ) on Thursday February 05, 2009 @03:49AM (#26734551)

    I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."

    But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?

    I have been suggesting this for years. Enterprise (Microsoft's most important customer base), in general, does NOT want it. Seemingly they want the 'good ole' x86 to live forever and Windows to run programs written for DOS 5.0 even in 2009 and beyond. Ridiculous, but it is true.

    If you are a business who relies upon some certain software to get work done and do NOT have the time, money or resources to switch to something else, it is in your interest to demand your software vendor (in this case Microsoft) NOT to remove compatibility for X application.

    If you look at the Windows 2000 leaked source code, you can find plenty of comments about VERY specific application fixes. Yes, XP broke stuff. Vista broke more. But it probably did not break what the enterprises care about (Vista likely did break many things, hence why 7 is being rushed and so many enterprises skipped Vista and will go to 7 after some extensive testing).

    Today I experienced a game that does not work on Vista. Microids' Corsairs from 1998, made for Windows 9x. Tried compatibility modes, the latest patches, etc. It just kept crashing. Microsoft does not care about your 'classic' games at all. All they care about is the enterprises who actually buy the expensive volume licenses Microsoft is always trying to sell.

  • It's a conspiracy! (Score:2, Insightful)

    by Anonymous Coward on Thursday February 05, 2009 @03:52AM (#26734571)

    They're paid off by the Anti-Virus companies. If not for administrative login, who would buy their crap?

  • by Anonymous Coward on Thursday February 05, 2009 @04:12AM (#26734629)

    Thanks for the laugh.

    The days of games writing directly to the video card ended ohhh let's see, about 13 years ago...

  • by dbIII ( 701233 ) on Thursday February 05, 2009 @04:29AM (#26734691)
    IMHO that is just silly. There should be an account that can do everything (including modifying files that malware has a hold of - this file locking bullshit is very 1980s), however you shouldn't ever have to use it unless you are doing something important. I have personally had to waste a lot of time fixing access to files when people mucked up MS Windows file permissions and I couldn't just do the sensible thing of logging on as Administrator to fix it - it is purely security theatre when you have the rights to change the password of the owner to anything you like but do not have the permissions to get to the file until you log off and back on again as them. The first few days after a long holiday is usually full of rubbish like that even if you don't have many MS Windows machines.

    MS Windows are no longer the cheap option in the server room, or thanks to malware, they are not the cheap option on the desktop either. Personally I think it's time to let them go back to their better suited role of hobby machines at home until the first gaming console with more than 4GB buries them in that role.

  • by symbolset ( 646467 ) on Thursday February 05, 2009 @04:40AM (#26734731) Journal

    of road warriors, bluetooth, pirate WAPs, Promiscuous mode, and a lot of other modern technologies. Your network is not the hallowed ground you think it is.

    The only trusted host on the network is a Known Host with a secure connection. Ever and always. There is no excuse for having open ports ever, let alone by default on a desktop, unless you intend to deliver a service on that port to untrusted strangers.

    This has been common knowledge and best practice for at least 15 years.

  • Re:You mean... (Score:5, Insightful)

    by the white plague ( 1436257 ) on Thursday February 05, 2009 @04:59AM (#26734793)
    Anecdotal evidence sucks.

    Yes, but the user experience is what counts. All it takes is one video game to pitch a fit that it doesn't have admin privileges and hundreds of thousands of users have learned the lesson "just run as admin, it's less bother". The last couple months Fallout3 has been the popular game of the moment teaching users that security is painful to use.

  • Re:You mean... (Score:3, Insightful)

    by thetoadwarrior ( 1268702 ) on Thursday February 05, 2009 @05:01AM (#26734799) Homepage
    MS shouldn't even allow you to be an admin. It should have an admin password which you can use to perform certain tasks but it's only that task that has admin rights and they're gone once it's over.

    It's not like this is some sort of new concept or anything so I'm not sure why they won't do it.
  • by FoamingToad ( 904595 ) on Thursday February 05, 2009 @05:41AM (#26734953)

    As well as that, how about setting the default admin account so you have no sounds, no desktop wallpaper, no animated cursors - none of the flashy crap that users seem intent on encumbering themselves with. You want the bling == run as a limited user.

    However this would require limiting the capabilities of the Admin account, and this is something I'm not entirely happy with (as, admin *should* be equivalent to god mode).

  • by symbolset ( 646467 ) * on Thursday February 05, 2009 @06:00AM (#26735029) Journal

    Microsoft's biggest market advantage is the amount of legacy software that supports their platform.

    Microsoft's biggest problem, which I noted before Vista was even released [slashdot.org], is that we're well invested in third party software and we've figured out how to play well with their previous platform over six long years. Our nest is well feathered. It's comfy and we don't want to leave it. Especially for a cold new future where we have to buy everything and figure everything out all over again. If we have to do that, why stick with the vendor that guarantees we'll feel this pain again in a little while?

    The problem, two years later is even deeper because nobody in their right mind bought into this dog, and so they've been burrowing deeper into their XP cave this whole time.

    It's probably too late now to save the Microsoft platform. It's been eight years since the 25 October 2001 release of XP. They have before them the task of creating something that's sufficiently similar to save their "Microsoft brand", sufficiently different from their "Vista debacle", and competitive against a swelling sea of free options. It's a lost cause. "If we have to change to something that radically different, and buy/engineer all our software over again, why not get Macs, or try this 'free' thing?"

  • by Phoenix ( 2762 ) on Thursday February 05, 2009 @06:05AM (#26735047)

    I never thought of that. Windows is such a pain to use at all without the admin access that most people just shrug, set themselves up as a Power User just so they can use the damn thing.

    But when you think about it, in the *nix community running as standard users is a staple...the norm if you will of computer operation. If you're logged on as "Bob" and you need the Admin-level access (install something, access a file that is not owned by your account, etc) you fire up "sudo" or a terminal window and SU it for a while.

    If it's a nice graphical interface in either usage or installation...it'll even pop up and say "I'm sorry, you need admin access. Do you have the password?" And if you do then it'll just shrug and bloody well go and do it.

    This is something that needs to be put in future versions of Windows. That and stop requiring The Sims 2 to have administrator access just so you can play paper dolls.

    Phoenix

  • by WindBourne ( 631190 ) on Thursday February 05, 2009 @07:38AM (#26735405) Journal
    Did you set up the "MOM" account FIRST, before installing software as admin?
    Eh???? Why would you have to install software second? At some point, you will want to add other users. Will they not be able to access the software?
  • by SerpentMage ( 13390 ) on Thursday February 05, 2009 @08:14AM (#26735549)

    The reason why Windows is such a pain in the ass is because Windows was never designed for this.

    Let's say I install OSX. The OSX app is self-contained, which means that it does not need anything outside of its circle.

    Let's say that I install on Linux. The Linux app can either be installed locally per the user or for everybody. But it is a clear cut case.

    Windows? WTF... I need to access the registry, the windows system directory, the program files directory, and the local user directory. It is a bleeding mess!

    Microsoft to this day does not understand that the issue is the fact that they have not revamped the complete installation process. There is absolutely no need for Office, or any other application to need anything other than the system files if it is running in "install to user" mode.

    This is the problem, and until Microsoft understands that nothing will change.

  • by Giant Electronic Bra ( 1229876 ) on Thursday February 05, 2009 @09:15AM (#26735871)

    Windows lacks a really clear separation between what is in the realm of the user and what is in the realm of the administrator. This is the real root of the problem.

    Unix based systems started out as multi-user timesharing systems. From day one you owned exactly one set of filesystem resources, your home directory, and nothing else. An admin CAN create other shared directories, but there is a clear boundary between user and admin. ALL developers know this, it is very clear. Any administrator knows this, they can count on it, it is a very simple rule to understand "home directory belong to user, not home directory not belong to user".

    The real problem with windows is who knows who the heck is supposed to own what? User related 'stuff' is scattered willy nilly all over the hard drive, and what and where it is varies with wild abandon between different versions of windows. There is simply no clear cut rule, and thus developers aren't really encouraged to understand the separation because it isn't simple or straightforward. Instead it is complex and you need to know different rules for different versions of windows.

    Now in theory maybe this shouldn't be a problem. In theory your developers can go hunt up what the rules are in some knowledge base somewhere. In theory. In practice they are paid to get the product out the door. In practice they don't have a whole lot of extra time to waste on dealing with MS inept handling of the whole issue. In reality they just elevate the privs of their installer and get on with their real jobs.

  • Re:You mean... (Score:2, Insightful)

    by Dyolf Knip ( 165446 ) on Thursday February 05, 2009 @09:57AM (#26736313) Homepage
    You mean shut down everything I was doing, which as a developer can get into quite a lot of apps and documents and windows and sessions? In other words, in order to install software I must undertake an activity essentially indistinguishable from power cycling? What a brilliant idea!
  • Re:You mean... (Score:4, Insightful)

    by SenFo ( 761716 ) on Thursday February 05, 2009 @10:44AM (#26736935) Homepage
    This is very unlikely unless you were installing something using a really, really crappy installer. In either case, this is certainly not the fault of Windows. The operating system API definitely throws an exception if a user tries to access something that he/she does not have access to. It doesn't, however, have the ability to prevent a stupid developer from writing an installer that catches the exception without notifying the end-user of the security-related error. The same idiotic behavior can and will be observed in Linux if developers choose to ignore development best practices.
  • by mishehu ( 712452 ) on Thursday February 05, 2009 @12:08PM (#26738521)
    Tools like these are just a bandage on a wound needing stitches. If things were designed properly you'd have no need to use this utility in the first place!
  • Least privilege (Score:3, Insightful)

    by c_g_hills ( 110430 ) <chaz AT chaz6 DOT com> on Thursday February 05, 2009 @01:08PM (#26739661) Homepage Journal
    I find this interesting because I reinstalled my XP workstation only last week after several years and took the opportunity to start running in least privilege mode. It is quite apparent how much software there is that still does not function well using a non-admin account. A lot of my software I have converted to portable versions using thinapp which should prevent registry bloat, and allow me to take them with me on another device and keep all my settings.
  • by kbdd ( 823155 ) on Thursday February 05, 2009 @05:01PM (#26743733) Homepage
    If Windows allowed to have multiple users logged in at the same time, I would do as I do under Linux, I would login twice, once as user for routine task and once as administrator for the rest. The problem with Windows is that each account has only one set of rights and you cannot easily fall back to admin rights when you need to, and you cannot have two users logged at the same time.
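
The token behaviour discussed in the thread above (an account in the Administrators group running with a limited token until it elevates, and IE protected mode running lower still), as an added example that is not part of any comment: a read-only PowerShell check of what the current session actually holds and who is in the local Administrators group. The function names are hypothetical, and it assumes Windows with PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example, not from the thread. Read-only: it reports and changes nothing.
# Assumes Windows with PowerShell 5.1 or later (needed for Get-LocalGroupMember).

$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators, the same SID on every install

# Integrity-level SIDs that a process token can carry (S-1-16-<rid>).
$integrityNames = @{
    'S-1-16-4096'  = 'Low (e.g. IE protected mode)'
    'S-1-16-8192'  = 'Medium (standard user, or admin before elevation)'
    'S-1-16-12288' = 'High (elevated administrator)'
    'S-1-16-16384' = 'System'
}

function Get-SessionPrivilegeReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when Administrators is *enabled* in this token, i.e. the process is elevated.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, including deny-only entries.
    # /nh plus our own headers avoids depending on localized column names.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    $inAdminGroup = [bool]($groups | Where-Object { $_.Sid -eq $adminSid })
    $labelSid = ($groups | Where-Object { $_.Sid -like 'S-1-16-*' } |
        Select-Object -First 1).Sid
    $integrity = 'Unknown'
    if ($labelSid -and $integrityNames.ContainsKey($labelSid)) {
        $integrity = $integrityNames[$labelSid]
    }

    # EnableLUA = 0 means UAC is switched off and admin accounts get a full token at logon.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    if ($elevated -and $enableLua -eq 0) {
        $verdict = 'UAC is off: everything in this session runs with full administrator rights.'
    } elseif ($elevated) {
        $verdict = 'This process is elevated; code it launches inherits administrator rights.'
    } elseif ($inAdminGroup) {
        $verdict = 'Administrator account with a filtered token; admin rights require elevation.'
    } else {
        $verdict = 'Standard user; admin tasks need another account''s credentials.'
    }

    [pscustomobject]@{
        User           = $identity.Name
        InAdminGroup   = $inAdminGroup
        Elevated       = $elevated
        IntegrityLevel = $integrity
        UacEnabled     = ($enableLua -ne 0)
        Verdict        = $verdict
    }
}

function Get-LocalAdminAccounts {
    # Looking the group up by SID works regardless of the display language.
    Get-LocalGroupMember -SID $adminSid |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-SessionPrivilegeReport | Format-List
Get-LocalAdminAccounts     | Format-Table -AutoSize
```

Run it once from a normal shell and once from one started with "Run as administrator" to see the same account report Medium and then High integrity.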
