Slashdot Log In
Security Hole In Windows 7 UAC
Posted by
kdawson
on Mon Feb 02, 2009 05:03 AM
from the cancel-or-allow dept.
from the cancel-or-allow dept.
An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
Related Stories
Submission: Big security hole punched in Windows 7 by Anonymous Coward
[+]
Microsoft Caves, Will Change UAC In Windows 7 249 comments
CWmike writes "Reacting to intense criticism of an important security feature in Windows 7 (which we discussed a few days back), Microsoft today said it will change the behavior of User Account Control in Windows 7's release candidate. In a blog post, two Microsoft executives responsible for Windows development, John DeVaan and Steven Sinofsky, said 'We are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. Second, changing the level of the UAC will also prompt for confirmation.' They said the changes were prompted by feedback from users, including comments on an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7."
[+]
Technology: UAC Whitelist Hole In Windows 7 496 comments
David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
"Gerald" (Score:5, Funny)
Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.
Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.
Short: Don't work as Administrator (Score:3, Insightful)
This was discussed elsewhere (heise.de) earlier...
Short answer: this only works iff you are logged in as Administrator already...
Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning". Even adding captchas/moving the warning around/whatever will only be a fake-solution that will only work 'till there's a better script.
Re:Short: Don't work as Administrator (Score:5, Informative)
That's completely wrong. The entire point of the UAC prompt is that it can't be automatically dismissed by simulated user input. The UAC prompt runs on a separate virtual desktop from everything else (which is why it flickers), and the kernel enforces that only real user input can touch it, and you can't run your own code in the kernel without going through a UAC prompt, so it's secure.
If this guy is right and UAC can be disabled without user input, then the entire UAC system instantly becomes pointless. Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts. If you can't do that, then UAC has failed. Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.
Parent
Re:Short: Don't work as Administrator (Score:4, Insightful)
Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts.
Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.
Parent
Re:Short: Don't work as Administrator (Score:4, Informative)
I'm afraid you're wrong. When UAC is on programs you execute are run under your user account which is normally (by default) a member of the Administrators group. However, the programs are run in a special mode where they are prevented from actually using most of the administrative rights granted to your account. (You can read all about it in Wikipedia [wikipedia.org].) When a UAC prompt comes up you don't have to type a password because you're not logging in to a different account; you're just granting permission to use the full administrative rights your account already has.
It is also possible to use UAC from a non-administrator account. In this mode you must type a password every time a UAC prompt comes up, instead of just clicking "continue". Few people do this because it is not the default setup and it's even more annoying than regular UAC.
Parent
This is completely false. (Score:5, Informative)
That is 100% not true. Your user account *is running as a regular user* no matter what group it is in. It doesn't matter if you are in the admin group (unless you stupidly disable UAC, in which case you basically run as root).
"UAC" = "sudo [program name]"
"Vista, Administrator Group" = "your account is in
"Vista, non admin group" = "sudo [program name] with password, but that depends on the group policy... "
Your highly moderated post is 100% mis-information and is *not true*. YOU ARE NOT RUNNING AS ROOT UNTIL YOU ELEVATE VIA UAC!!
Parent
Re:Short: Don't work as Administrator (Score:4, Insightful)
And only when Microsoft change this will Windows be half way towards being secure.
Parent
Re:Short: Don't work as Administrator (Score:5, Insightful)
The real problem, and one that doesn't have a good techincal or sociological fix, is that most windows users are doing administration duties that far exceed their skills. Users get confronted with all sorts of dialogs they don't understand but just want to get on with it. I bet you, that if you popped up a page to someone saying "This video needs a newer version of flash" and redirected them to some completely bogus page that gave them a plugin with a completely bogus signature most people would go ahead and install it anyway. What is the latest version anyway? Couldn't even remember who makes it, and those companies keep on merging and rebranding and whatnot. No amount of UAC, or running as an unprivilidged user could possibly fix that because they are the ones with the admin keys and they're handing them out too easily.
Most users don't understand trust, they want to see a nice little lock icon telling them this site is safe, this site is bad. Same goes for plugins. Same goes for software. If you try educating them they'll just go blank *bad thing* *bad thing* *REALLY bad thing* but they won't understand and just want the simple answer. There's some very professional looking sites out there that appear to give you good software. They often even look better than the real deal because the frauds are all about appearances while the real sites focus on delivering good software, no offence intended. While it does amount to some degree of security scissors, most users would be better of if they only downloaded from safe, verified sources of software and plugins. If only Linux would stop asking all the other technical questions, the repository model would be much better for these people. It's not the end-all and be-all of security but it concentrates 99% of the superuser tasks in one place and makes it that much harder for some random application to throw up a superuser prompt.
Parent
Re:Short: Don't work as Administrator (Score:4, Insightful)
Microsoft is in a tough position with regards to this. A large portion of the annoyance with Vista was 1) compatibility, which stemmed from bad time frames and poor vendor interaction, admitted, but also from enforcing proper security and structure that they hadn't done, that broke poorly written code. 2) from UAC going off very frequently due to applications constantly trying to elevate their privileges which is in most cases unnecessary.
Parent
Re: (Score:3, Insightful)
No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.
Re:Short: Don't work as Administrator (Score:4, Informative)
No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.
"Administrator" in Vista is not the same as "Administrator" in earlier versions. It is akin to be being an 'admin' in OS X or Ubuntu - it just means you can elevate your privileges if required, not that you can do whatever you please.
Parent
Re:Short: Don't work as Administrator (Score:5, Interesting)
When has a windows administrator account ever meant that you could do whatever you please?
I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted". Never mind the fact that I've changed the location of that folder by fiddling with the registry to put it on a separate hard drive, the redundant copy on C:\ is still protected against deletion.
Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.
Parent
Re:Short: Don't work as Administrator (Score:4, Informative)
Well it's not that simple. On OS X for example you can be an administrator and you still can't delete system files. You need to be root to do that. Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do. On Linux you can.
So for that hypothetical admin user to delete everything he would have to first become root (either by doing sudo, or starting a root shell, being authenticated first) and then executing rm -rf /
So, to recap, being an Administrator and just executing rm -rf / will not delete system files.
Parent
Re:Short: Don't work as Administrator (Score:5, Informative)
Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do.
sudo su -
Congratulations, you're logged in as root.
sudo passwd
Even more congratulations are due, you now have the ability to login from the login window as root.
So, to recap, being an Administrator and just executing rm -rf / will not delete system files.
Actually, on an OS X system there are (or were, I haven't looked for a while) a lot of system-level files (including a lot of stuff in /Applications, like Installer.app) that are writable by any 'admin' user. So even without elevating, an 'admin' user could do a lot of damage to an OS X machine.
Parent
Re:Short: Don't work as Administrator (Score:5, Insightful)
Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning".
You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?
Parent
Re:Short: Don't work as Administrator (Score:5, Informative)
You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?
Right on the money.
I use Synergy 2 [sourceforge.net], which lets me control my keyboard and mouse from another computer over the network. It's functionally no different to a keypress simulator like the G.P. mentioned.
When using Synergy, I cannot use the remote mouse and keyboard to accept UAC prompts. I have to move to the local machine and physically click the button locally for it to work. Same goes for administrative apps -- if an app is running with administrative privileges, Synergy cannot register clicks on the privileged window. Unless I run Synergy itself as an administrator.
Parent
Re:Short: Don't work as Administrator (Score:4, Insightful)
Easier said than done.
Many developers are lazy and create apps that only work if the USER is an administrator. Other times it will only work if the user that installed the app is the USER (Again, need administrator to install it in the first place!).
BTW: Fixing this is my bread and butter.
Parent
The beta worked! (Score:5, Funny)
Even the malware will be ready for Windows 7!
Microsoft already replied (Score:5, Informative)
MS have already said that this flaw is "by design" to stop the appearance of too many UAC prompts when users alter their own system settings
http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/ [istartedsomething.com]
Re: (Score:3, Insightful)
* The only way this could be changed without the userâ(TM)s knowledge is by malicious code already running on the box.
* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)
What exactly is UAC then trying to protect people against? If protecting against malicious code isn't in the requirements, then it seems pretty useless.
Re:Microsoft already replied (Score:5, Insightful)
Parent
Re: (Score:3, Insightful)
There is no way to properly prevent further attacks once a box is compromised. That's the nature of being compromised.
Re:Microsoft already replied (Score:5, Interesting)
I kind of agree with the less-is-more approach to end user interactions. I get a lot of clients who have learned to cope with the modern click-prompt overload by simply clicking somewhat randomly on everything that comes up in front of them. Frequently, this leads to disabling some vitally important part of their computer in a way that any person who actually read prompts would have easily avoided.
Sadly, the less computer savvy you are, the more likely you are to be constantly deluged with upgrade prompts from Adobe, install requests for Safari from Apple, and the multitude of prompts when Hewlett Packard's genuinely awful drivers crash. Prompts to continue subscriptions to Symantec, upgrade to the latest acrobat, log in to windows messenger, etc. And, of course, each separate component has its own prompts. "Click here to upgrade. I see you've clicked here to upgrade, would you like me to go to the internet and upgrade? Upgrade will begin when you click the OK button below. Upgrading... Upgrade has completed, click OK below to continue. Thank you for upgrading, please visit unintelligiblylongwebsite.com/pagenobodywilleverclickon.html to give us feedback on this process. Press Dismiss below to return to the installer. Thank you for returning to the installer. If you are satisfied with this interaction, press OK below."
90% of users have no idea what their computer is doing, or should be doing, under the hood. If they weren't already suffering from click-fatigue, they wouldn't be the right people to decide on technical issues anyway.
Obviously, it shouldn't be possible to disable UAC without actually getting a UAC prompt. But in general, UAC is an annoying system that most users completely tune out. Instead of hightening user knowledge, it simply drowns out any real issues.
Parent
Re:Microsoft already replied (Score:5, Insightful)
That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.
I disagree. I used Vista exclusively for 5 months, and I only ever got a UAC question when I was trying to change some system settings, and that one time when I didn't, it turned out to be a trojan.
It's not that hard to anticipate a UAC question, really. Just ask yourself: "Would Linux require root for this?"
Actually, UAC is much more permissive.
And the people who get frustrated with it, shouldn't have admin rights in the first place.
Sure, the initial setup and configuration is packed with these, but it's worth it.
Parent
Re: (Score:3, Interesting)
UAC is horrible.
Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".
It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".
It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.
YMMV, you may not wan
Re: (Score:3, Informative)
Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".
Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM.
It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".
There's no good reason for writing there, and doing so is exactly what messed up "running as an administrator" in XP and below. Ask the author of your application to make it less retarded.
It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.
Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC. It's almost like you're being proud of being an idiot.
YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.
Yes, I'd prefer that they would install like normal driver
Re:Microsoft already replied (Score:4, Interesting)
"Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM."
No, my application is not signed or recognised by MS, who believe they should have the final say over these things. A nice little box pops up saying "your system administrator has set policies to stop these things running at startup" and allowing you to click on them to start them up.
*I* am the system administrator and there was no way I could find to stop this behaviour, despite looking in all the UAC dialogs.
"There's no good reason for writing there,"
Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.
"doing so is exactly what messed up "running as an administrator" in XP"
No, what messed up "running as administrator" was "running as administrator". I don't need to write to program files to fuck up your system, if anything you run has admin privileges.
"Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC."
Where did I complain about warnings?
I don't give a crap about warnings.
"It's almost like you're being proud of being an idiot."
And it's almost like you can't read.
"if you're still on 32bit Windows, this is not even a problem."
This is all on Vista 32 bit.
But it kinda confirms my thought that you were running vague software written by Linux people for Windows.
And what *exactly* do you mean by that? WTF is wrong with software not written by a company big enough to pay MS to get things signed? Shouldn't I, as an educated power user, be able to decide to run what I want?
Why shouldn't I have the flexibility to run windows with the UAC security turned on (so I get warned about unautorised system changges), but be able to add startup exceptions of my choosing?
It's a clusterfuck, it's a bad hack which fails to leave any room for flexibility, whilst at the same time implementing dodgy compromises in the name of backward compatibility.
Parent
Re: (Score:3, Insightful)
"There's no good reason for writing there,"
Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.
Um, isn't that exactly what happens in OS X with Preferences?
In OS X (and *NIX???), USER preferences are stored in the USER's "Home" directory. That way, permissions to write the "Applications" directory can be more tightly controlled, AND the USER can be granted permission to write in a relatively safe place (safe "system-wise", that is).
Far be it for me to laud anything MacroSuck does; but, to me, this "symlink" just appears to be MS's attempt to provide a modicum of security for system and applic
Re:Microsoft already replied (Score:4, Insightful)
It took me 5 seconds to google some docs for user profile paths: User Data and Settings Management [microsoft.com]
Instead, the roaming stuff goes into:
C:\Documents and Settings\USERNAME\Application Data\Microsoft\Outlook
And the non-roaming stuff goes into
C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\Outlook
Doesn't seem so awful.
Copy the user profile over?
Parent
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
And a beta's a beta.
That's why they make disclaimers.
Mechanical Analog (Score:4, Funny)
Re:Mechanical Analog (Score:5, Funny)
the worst car analogy I've seen on slashdot for a while.
Parent
Re:Mechanical Analog (Score:5, Funny)
Parent
How hard is it to copy something... (Score:5, Insightful)
correctly.
I mean, Linux and MacOSX (and others) have sudo for years, the original code dating back to 1980 according to Wikipedia.
The concept is not new : type your password to gain access to some privileges. That way bots and virus can't do everything while you can still administrative tasks easily.
My question is how hard is it to copy some 25 years old functionality (marketing it as brand new) and still don't get it right.
whoa, recursive Meta-UAC (Score:5, Funny)
==============
"It look like you're trying to alter the UAC settings, Cancel or Allow?"
*click*
"It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
*click*
"The UAC settings have been altered, Cancel or Allow?"
*click**click**click**click**click*-----INPUT DEVICE FAILURE
It's a double-edged sword (Score:4, Insightful)
With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.
This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.
The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, a lot of the protection offered by UAC disappears.
Re:It's a double-edged sword (Score:4, Insightful)
Fixed.
Parent
Pointless. (Score:3, Interesting)
UAC (Score:5, Funny)
all this talk of UAC makes me feel like playing some doom again.
Security in UAC (Score:5, Insightful)
The biggest security hole in Windows 7's UAC is the user.
Long Zheng seems like a nice bloke (Score:4, Informative)
Watchmen (Score:3, Funny)
But... Who controls the user acces to the user access control?
"A prolific blogger ..." (Score:5, Insightful)
This is no different to me browsing the web as root in linux and running any shit that pops up
Anonymous submitters (Score:5, Interesting)
I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
Re:Anonymous submitters (Score:5, Informative)
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
That would certainly be something [slashdot.org].
Parent
Re:Anonymous submitters (Score:4, Funny)
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
Yeah, I sure as hell would want to know that [slashdot.org]!
Parent
Hmmm (Score:3, Insightful)
Seems like an odd bit of "by design".
Unless i'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious is going to happen.
The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particulary careful, it could then reset the UAC level back to the what it was before it started.
I'm now completely compromised without the slightest indication that anything suspicious happened.
UAC is a stupid idea (Score:3, Insightful)
If you look at the computer as a whole, it is incredibly stupid that after the user selects some option, the computer will pop up a dialog asking the user if he is indeed the one who selected this option.
I realize the series of historic accidents that led to this absurd situation - but couldn't they figure out a better way that does not make the computer behave so incredibly stupidly?
UAC isn't "security" (Score:5, Interesting)
UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots third-party software to fix. So they put a prompt up if a program is about to use one of the features that contain or implement part of one of these security holes.
The only real way to fix it is to implement a designed-for-security API and designate Win32 and everything based on it "legacy", only run in a sandbox.
Which is what Windows 7 was rumored to be, a couple years ago.