
Users' Admin Logins Make Most Windows Malware Worse

nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
  • by the1337g33k ( 1268908 ) on Thursday February 05, 2009 @02:44AM (#26734281)
    What they need to do is limit all users to not be administrators. They should create the admin account so that it can ONLY do admin tasks. It cannot run programs like Office or games. It can only run security and diagnostic apps, add/remove apps. If they restricted admin users from using their account for daily use and only for admin use, that would significantly reduce the attack surface for crackers.
  • by erroneus ( 253617 ) on Thursday February 05, 2009 @03:07AM (#26734357) Homepage

    I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."

    But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?

  • Re:You mean... (Score:5, Interesting)

    by Opportunist ( 166417 ) on Thursday February 05, 2009 @03:27AM (#26734439)

    The question is why it hasn't been meaningfully addressed in Windows for such a long time.

    Because it would break compatibility. Actually, and I hate to say it, it ain't MS's fault. Or at least not only theirs.

    A simple example: In the good (bad) old days of 95 and 98 and the lack of sensible rights management, it didn't matter whether you use the HKLM or the HKCU registry branch. Both were equally unprotected, and since your software worked with every user (and you needn't care about such trivialities as watching out for a lack of reg keys), software vendors simply dumped their registry junk into the HKLM tree.

    The same applies to access to sensible system areas, like drivers (copy protection crapware) or code injection. Programmers simply assumed it is possible because hey, the system didn't really care about it!

    In comes Win2k and suddenly, when you are not logged in as admin, your games don't work. Now why the hell does a friggin' game need admin rights, you ask? Because it wants to load a copycripple driver, because it wants to write in the HKLM (or similar sensible) hives or because of other things that didn't matter earlier due to a lack of rights management and due to being the easy way out of a programming problem.

    MS is to blame for allowing this for far too long. Users are to blame for putting up with it and accepting that they're "forced" to use admin privs to run programs. And most of all, programmers are to blame who took the easy way out and ignored rights. No, they needn't have been able to foresee it (even though they should have). But since the practice still prevails (run a copy protected game without admin rights, see if you succeed), the blame is squarely on third party software. Not MS this time.

    I hate to say it, and I know it's unpopular on /. to "defend" them. But it's not MS that has dropped this ball.

  • by tftp ( 111690 ) on Thursday February 05, 2009 @03:30AM (#26734457) Homepage

    Most software developers are freakin' lazy.

    Most codebases are ancient, and people who wrote them already retired. That's the sad truth of many industry workhorses (Mentor Graphics is one example.) Another sad truth is that many people own and use older releases of major software packages. Modern AutoCAD 2009 will run on Vista perfectly, but can you afford $4,500 per seat to upgrade your old AutoCAD 2007 which still does the job on XP?

  • by seanmoon ( 1425573 ) on Thursday February 05, 2009 @03:36AM (#26734473)
    It would require far more re-writing of the Windows OS than anyone is willing to do. But at least a thin layer of abstraction between standard users and administrators on Windows machines is essential. The people who know what they are doing can know how to turn it off, and everyone else needs to be logged in as a regular user. Typing your password in when you install something is not the worst thing in the world. The amount of things you're going to need to type in reconfiguring your computer once you have to reformat it is going to be much worse.
  • by donaldm ( 919619 ) on Thursday February 05, 2009 @03:40AM (#26734493)

    Uhm... Microsoft has had Windows setup to not require administrative privileges for many, many, many years. I blame software developers who abused the fact that people did.

    You are right, and some companies do actually force this on all their corporate desktops. In the majority of cases this is not done, and most people, especially home computer owners, don't do this. As for blaming developers, well, you could lay some of the blame at them, but that is really unfair since it was Microsoft who made it so easy for people to give themselves administrator privileges.

    Looking at Linux/Unix security. Basically from inception a normal user only had limited privileges and to do anything as a system admin required knowing the root password or being a member of a sudo (1980's) group that had particular privileges. This was instilled in Unix and now Linux users from the time they started using the system. This is not to say that some users are stupid enough to work as root, however those that do this, especially in the corporate world are usually brought to task very quickly. The same has never been true with Microsoft OS's.

    When a vendor writes software for Unix/Linux they should know and if not are usually told in no uncertain terms that requiring root access for their particular product requires a "please explain" because most applications don't require root privilege although there are exceptions. Even installation especially if the software is being tested is normally set up in what is called a "sand-box". Again Microsoft fails on enforcing this (Vista was an attempt).

  • Re:You mean... (Score:5, Interesting)

    by shutdown -p now ( 807394 ) on Thursday February 05, 2009 @03:47AM (#26734541) Journal

    It would be a hell of a lot easier if software developers didn't require administrative privileges when they really don't need them. I tried to run in a "user" usergroup when I replaced Win2k Pro with Win XP Pro, but nothing ran correctly. I tried using the "run as" menu and a program called sudo-win which would elevate my privs temporarily then reduce them again. Nothing would install correctly, nothing would run correctly. Even programs that don't use any administrator functions or zones wouldn't work correctly. Realistically, running in a non-admin account is a pain in the ass.

    For all the flak that it (mostly rightly) gets, Vista did change that for good. Since its release, the percentage of apps that require admin privileges to run dropped very significantly - so much so that the only one I still have installed on my desktop is Acronis True Image, and that one actually needs it, as it does disk-level backup (though it should really rather pop up the UAC prompt when it actually starts backing up, and not on startup).

  • by shutdown -p now ( 807394 ) on Thursday February 05, 2009 @03:49AM (#26734555) Journal

    Technically, it is quite possible to make installers that do not require admin at all - those that install into user data folder. MSI fully supports that scenario, it's just that very few people actually bother to provide this as an option in their installers.

  • Re:Cancel or Allow (Score:5, Interesting)

    by flowsnake ( 1051494 ) on Thursday February 05, 2009 @04:14AM (#26734637)
    "Polite [clem-digital.net]", a virus for Microsoft Word, already did this back in the mid 90's! When you try to save a file the virus macro asks "Shall I infect the file?", and kindly refrains from doing so if you say no.
  • by XCondE ( 615309 ) on Thursday February 05, 2009 @04:15AM (#26734645) Homepage

    But Valve will go after you for trying.

    My question:

    Customer 06/11/2006 04:15 AM

    I am not willing to play (and let other people play) HL2 using the Admin account on my computer because of the obvious security implications (I don't want my computer infested with malware).

    Is there any way to run it without admin privileges? I installed it using admin privileges and went back to my unprivileged account but turns out it needs to write data to the install folder (bad programmer - no donut for you).

    Which are the files STEAM tries to write to in the install folder?

    If it turns out to be too complicated I'll just download the no-steam version with BitTorrent ;-).

    Their response:

    Response (Josh) 06/13/2006 01:34 PM

    Thiago, It cannot be run without admin privileges. I know you were probably joking, but I would also encourage you to avoid any product that claims to get around Steam. We take cheating and hacking very seriously.

  • by betelgeuse68 ( 230611 ) on Thursday February 05, 2009 @04:47AM (#26734759)

    It's a combination of ignorant users and ignorant IT people. I've never seen a single IT person use "runas" (impersonation), ACLs on the Windows file system or registry, or, and this is the damning one, a command line utility that allows you to selectively strip administrative rights on applications as you use them that's been on Microsoft's site for years (after I pointed it out to them).

    There was a reason once upon a time Microsoft chose to release Windows XP in such a way as to have users running with administrative rights. A reason that is extremely weak now: many people were upgrading to Windows XP from Windows 9x/ME and Microsoft didn't want to incur the support cost (or their partners') of having lots of applications stop working. Among them is the popular WinAmp. It used ancient APIs for its configuration file, WINAMP.INI, that stored global preferential data (as opposed to per user) in C:\WINDOWS\WINAMP.INI. If you didn't have administrative rights, it would just hang when you fired it up. Google Desktop when first released would *NOT* work on a non-administrative desktop. The list of offending applications goes on and on, e.g., a friend of mine had oceanic navigation software that insisted on running with admin rights.

    However, it turns out there is a programmatic mechanism in place in every copy of Windows XP (and Windows 2000) that allows you to strip administrative rights when you launch a process. Microsoft never exposed users to this ability for reasons that to this day are unclear to me. The magic API in question is CreateRestrictedToken.

    But what really was an eye opener to me is when I would point out a tool on Microsoft's site to strip out administrative rights when you run a program. Namely, years ago you could have made the situation tenable in the case of apps like WinAmp and Google Desktop by, yes, logging onto your desktop as an administrator but launching most Internet facing applications without administrative rights, but here's the clincher: *AND NOT CHANGING USERS*. In fact, I've been doing this for years.

    Nonetheless I observed an incredible amount of laziness on IT professionals when I pointed out these capabilities. Laziness, apathy and the usual suspect of insecurity ("Don't tell me what to do, I know what I'm doing"). Yes, that's right, you manage a CISCO PIX firewall, you must be a security guru all around and follow best practices.

    So given my former life as a Windows software developer I took it upon myself to create a turn key installer that at least protects Jane & Joe Average called *RemoveAdmin*:

    http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515

    RemoveAdmin is a utility to strip administrative rights off apps as they're launched under Windows XP and Windows 2000 where unfortunately 99.9% of home users run with administrative rights.

    The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.

    You can trivially setup another shortcut for Opera and/or any other Internet facing application... as you should since you can't trust foreign computer systems you connect to.

    It's version 0.1 since I haven't created a FAQ and there's the situation that if you have multiple administrative SIDs it won't work (not the case for most people). I need to fix that, create a FAQ and also offer to adjust the ACLs on the Startup folder to tighten security such that, when combined with RemoveAdmin, breaching your system on account of your browsing becomes crazy hard.

  • Re:You mean... (Score:5, Interesting)

    by ShakaUVM ( 157947 ) on Thursday February 05, 2009 @05:29AM (#26734907) Homepage Journal

    >>which is hard to figure out because Windows won't tell you because you don't need to know.

    Yep. In Linux you get the rather common sense "permission denied" message when you try installing something and it tries to write to a directory you don't have rights to. In Windows, it fails silently most of the time. Drove me up the wall when a program I'd installed was working on a computer I set up for my mother, when it turns out even though she could see the program with her "mom" account, something or other needed admin privs, and it was dying silently.

  • Re:You mean... (Score:3, Interesting)

    by EvilIdler ( 21087 ) on Thursday February 05, 2009 @06:03AM (#26735043)

    Microsoft made admin-mode annoying, so that the users would complain to the makers of the software that annoys them, rather than demanding MS to fix things ;)

  • Re:You mean... (Score:2, Interesting)

    by Breconides ( 253014 ) on Thursday February 05, 2009 @07:06AM (#26735285) Homepage

    The user doesn't have different permissions between the command-line and the GUI. In both circumstances, when something is done that needs super-user privileges, the user is prompted for their password by sudo [wikipedia.org].

    The only difference between the GUI and the CLI is that with the GUI you don't have to manually run sudo. You automatically get a pretty little window asking for your password. With the CLI, you need to run the program with sudo manually.

  • by Savage-Rabbit ( 308260 ) on Thursday February 05, 2009 @07:54AM (#26735463)

    A Mac fan extolling the merits of the command line.

    It's going to take some time to get used to. Forgive me.

    Why? Quite a few current OS X users switched to OS X from various other *NIX'es and Linux. It really isn't so surprising that many OS X users are command line freaks.

  • by cyman777 ( 631050 ) on Thursday February 05, 2009 @08:35AM (#26735669)
    Many of MS's own products do not work properly if you are not administrator. I tried this last with Win XP and Office 2003 and had all kinds of issues. MS (!!) Office itself ended up not working properly. This was two years ago so I don't recall the specific errors I encountered. I still have to work with the same software, so I haven't tried this again.
  • by terryducks ( 703932 ) on Thursday February 05, 2009 @08:51AM (#26735755)
    Obviously, you've never run a business

    Vendor Locking is Great! for the bottom line.

    Ask yourself, how can I configure something that only allows my products ?

    Also, How can I support my stuff from way back ?

    And you'll end up where Microsoft is today.
  • Re:You mean... (Score:1, Interesting)

    by Anonymous Coward on Thursday February 05, 2009 @10:27AM (#26736693)

    It's worse than that. Even when you know permissions are the problem the tools for checking and setting permissions properly in Windows XP & 2000 (don't know about Vista) are fricking atrocious! They are unintuitive and confusing. Half the time I run into a permissions problem I will try, and then fail, to figure it out. Then I give up and run the program as admin. It's frustrating. No wonder most people just run as admin in the first place.

  • by Junks Jerzey ( 54586 ) on Thursday February 05, 2009 @10:36AM (#26736837)

    I'm a longtime software engineer, I've used UNIX and Linux professionally... and I still run Windows as an admin, all the time.

    Why? For starters, vim--yes, vim, the open source editor with roots in secure operating systems--writes to its own folder in Program Files, which is a huge no-no. I can get around this by installing vim to its own special folder, like c:\vim, but it's a symptom of the overall problem. While most new commercial applications do things right, older apps don't, and there's a real issue with free software not handling things correctly. The proper way to handle this is to figure out what software works correctly and what doesn't (which isn't always easy, because some programs only do bad things in particular cases, and it may take months to realize this), and keep the bad ones out of Program Files.

  • Re:You mean... (Score:3, Interesting)

    by rabbit994 ( 686936 ) on Thursday February 05, 2009 @10:50AM (#26737053)

    Part of the problem is directory structure in Windows. Applications for some reason want to write some .dlls to one location (generally the Windows system folder), user settings to another and the bulk of the files to a third. Instead, they should shove all the .dlls and application files into Program Files\appname and all the settings into My Documents\My Settings\Appname, to make backing up as easy as backing up My Docs.

  • Re:Windows is busted (Score:3, Interesting)

    by BenoitRen ( 998927 ) on Thursday February 05, 2009 @11:36AM (#26737881)

    The NT line has traditionally been for business, not for home use. 9x is completely stuffed from a local security perspective. Businesses need security locally. Home users don't. That's why 9x was such a good home OS.

    The NT model isn't necessarily better. While local security was vastly improved, remote security suffered, as it opens ports to the outside world by default that aren't needed, screaming for attention from malicious crackers. How do you think Sasser worked?

  • Re:You mean... (Score:3, Interesting)

    by speculatrix ( 678524 ) on Thursday February 05, 2009 @12:52PM (#26739379)
    I hate to say this, but in this respect I have a tiny, tiny smidgen of sympathy for MS. People have been used to computers which are trivial to use and perform basic administration functions, and unfortunately when they are being forced to modify their behaviour (like not running as admin, not putting files in silly places), all they do is bitch rather than thinking "hey, I've been wrong all this time, now I'm working smarter".

    So, MS have to introduce backwards-compatibility hacks, like UAC, to keep people happy, and of course the idiot users simply turn off security.

    The other problem MS have had is that in order to keep people on the rolling treadmill of updates and upgrades (fuelled by file format changes), they have had to maintain backwards compatibility beyond what would normally make any sense. OK, linux hasn't been the model of API stability, but because it's OSS, it means people can build old apps from gcc2.95/kernel 2.2 & 2.4 on gcc3 and gcc4 with kernel 2.6. Windows users can't do this, they are often utterly dependent on proprietary applications and if they needed a recompiled version would have to pray the authors would be willing to do it at a fair price or even were still in business.

    OK, having had a tiny grain of sympathy, it's blown away because MS brought this situation about through their own inaction and short-sighted corporate greed.
  • by chris-chittleborough ( 771209 ) on Thursday February 05, 2009 @07:31PM (#26745873) Journal
    There is a compromise between running as Administrator and limping along as a peon: use DropMyRights [cnet.com] to run major internet-facing apps without full administrator access. (You patch the icons and Start Menu entries for the apps to run DropMyRights which then runs the .exe.) It's not a 100% solution, but it does help.

    The main weakness of this approach is that Windows has dozens of ways to launch applications, and it's impossible to get DropMyRights to intercept all of them. There's a related tool, StripMyRights [sysint.no], which gives you two ways to make any .exe always run with limited rights, but I haven't tried it yet.
