"Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

An even bigger hole...

There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

The theme of Vista seems to be simple: Annoy the hell out of he end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually compose of two separate actions: the one you want to do, and the confirmation to do it.

After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

Re:An even bigger hole...

offtopic, yet:

no doubt, thats why Dell is marketing its harware for Vista as great for "booting the OS, w/o running apps or games [googlepages.com]" (link via this [dell.com])

Since when did booting an OS become a "feature" of the OS?

Re:An even bigger hole...

I see *someone* never used Windows 95!

Re:An even bigger hole...

I think a full bootup a victory on Windows ME would be even more excuse for celebration.

Re:An even bigger hole...

I don't know why everybody harshes on ME. Sure, you have to beat it into coma before it behaves, but after that, it's almost as good as windows '98!

Swinging a Blunt Object

I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.

"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."

This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.

Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)

Re:Swinging a Blunt Object

You know what really gets me about the annoying Vista security model? It's that the one in XP isn't THAT bad, its just the default configuration that is THAT bad. If you (1) password protect the "administrator" account and (2) run as a non-admin user when not doing admin things (most of the time), you will eliminate many problems.

I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

Take care

-mat

Re:Swinging a Blunt Object

I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

Why should it be any different for third-party applications requiring Administrator privileges to run on Windows?

Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model. After all, a virus in *nix could conceivably blow away a user directory, but unless it's exploiting a buffer overflow or other coding error hole, it can't take down the system. The same is possible in Windows, but not available by default to your average Dell user.

Re:Swinging a Blunt Object

You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.

Presumably you mean "any *nix software which claimed to be some kind of ordinary user application".
You'd probably also want to ensure that the software itself was wiped from the face of the planet, since if the "developer" dosn't know about the setuid permission bit it's rather unlikely that they they know enough to write software which has any chance of being bug free...

Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model.

In theory XP's permissions system is more capable than that on unix type systems. Since every permission is an ACL (including deny options, thus you could say "Any user in accounts except for Anne and Bob can do this..) In practice it appears even Microsoft have problems securing Windows properly.

Steve is that you?

Video version of the above commentary here [apple.com].

Re:An even bigger hole...

You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to turn your machine into a child porn and warez server, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay?

One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?

Re:An even bigger hole...

Sorry, did I miss something? I was too busy clicking "Allow" 7 times to notice which one was bad. None of them were bad, were they?

Re:An even bigger hole...

Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus. You ARE prompted when doing something that will affect other users of the system, such as installing software site-wide. If you want to install a warez server under your own home folder, go nuts, you already explicitly have permission to do so.

Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so. Vista's all-or-nothing UAC is nothing more than an attempt to shift blame to the users, so that MS can claim to provide better security than ever before.

Re:An even bigger hole...

Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus.

In theory UAC should behave like this as well. UAC is mostly a way of elevating priveledges, just like sudo, minus the password. Administrators on Windows actually run under lower priveledge accounts, and then elevate for specific tasks that require administrator priveledges.

See, the real problem is so many things in Windows requires Administrator by default. Even stuff that shouldn't. Thats the real problem here.

Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so.

You can do this in Window's too. It has a "Run As" option, and ACLs that let you any arbitrary number of users or groups' access to the file.

It's not that simple

Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus. You ARE prompted when doing something that will affect other users of the system, such as installing software site-wide. If you want to install a warez server under your own home folder, go nuts, you already explicitly have permission to do so.

The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole [slashdot.org] even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.

It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.

Re:An even bigger hole...

You ARE prompted when doing something that will affect other users of the system

You mean like modifying files that you don't have ownership of?

UAC does not, and has never, prompted users when they move files that they have permissions to. It does, however, prompt when you move files that are in the common desktop or in the common start menu folders.

Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program.

Clearly, you don't understand anything about how Windows works. Windows has had access control lists practically everywhere in the OS since Windows NT.

Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.

Re:An even bigger hole...

I could spend a lot of time beriding your ignorance, but instead, you can google three words--linux extended attributes--and you will understand for yourself.

Re:An even bigger hole...

Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.

Uh, Linux has supported POSIX Access Control Lists and Extended Attributes for quite a while now.

Heck, it dates from the days when ext2 was the king of filesystems, and that's a long way back. (Granted, at least on ext3, you have to specifically turn them on in mount options or with tune2fs, but on XFS, JFS and (to my knowledge) Reiser3 and 4, they're supported out of box.)

And when people say POSIX, they mean "real *nixes have had these features for, like, centuries". =)

What you're saying next? "Active Directory is so much more better authentication system than /etc/passwd, which is also a security risk that exposes encrypted passwords to users"? =)

Um, what does that have to do with anything?

I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.

Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.

However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.

So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.

(Have you tried Vista yet?)

Re:An even bigger hole...

I still don't understand where the supposed security gain is. Since when is malware unable to click ok itself?

UAC prompt opens in separate logical desktop. Applications from main desktop can not send windows messages to it which means malware will be unable to click ok itself.

Re:An even bigger hole...

Im with you. I get annoyed pretty quick when it comes to crap popping up on my screen but I've been running Vista since launch and it really doesnt bother me. Im kinda glad its asking if its ok to do some of these things. Its already prevented one program that was piggy backing on another app I downloaded from installing. I downloaded the program which I trusted from a source I trusted. Well guess what was hidden in the install that vista blocked from auto running? Spyware!

Everyone seems to be making a huge deal out of nothing and they alway get +5 moderation for doing so. If you dont like UAC then shut it off and move on, its not that hard...oh wait I forgot. Microsoft sucks no matter what they do!

Re:An even bigger hole...

Because on Linux/Mac, sudo allows one preemptive security check to enable a process to do multiple admin tasks, where UAC prompts on each action. This is analogous to house training a dog. Sudo gets the dog to ask to be let out where he takes care of business. UAC gets the dog to ask: Can I piss on the carpet, then can I do a dump on the rug, then ...

Re:An even bigger hole...

I've been running Vista RTM since release and I hardly see any UAC prompts. The only times are when I run VMware or install a program.

You want to run an application, is that okay?

That's the applications fault. Most applications shouldn't need administrative rights to run, and if they've been written properly they won't prompt. WinRAR 3.61 never prompts for me, but 3.62 has UAC prompts for everything. AFAIK "Windows XP Certified" programs require programs to be written so that they can run without elevated privileges so this is nothing new. People just assumed that everyone would run in an Administrator account and ignored those guidelines.

You want to copy a file, is that okay?

That never happens unless you're copying files into protected directories such as Program Files or the Windows directory. I copy files around all the time without UAC prompts because I keep them in my User directories or an external hard drive.

You want to change your desktop background, is that okay?

This is just FUD. That never happens. If you right click on an image in IE7 and set it to background a regular IE prompt will appear, but no UAC.

You want to copy text from IE7, is that okay?

I can copy text just fine, doesn't seem to prompt for me.

You want to delete an old text file, is that okay?

See above, only in restricted directories.

You want to paste text into a form field in IE7, is that okay?

I just tried copy and pasting info into the login page at Bank of America and I get no prompts. Even copy and pasting into sensitive fields such as "Social Security Number" on a Citibank credit card application resulted in zero prompts.

UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.

MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).

So that's where clippy went!

The truth is out. Microsoft didn't kill clippy [cnn.com] in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing [eweek.com] questions.

This link allegedly tells you how to turn the questions off [microsoft.com], but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?

Re:An even bigger hole...

UAC is so amazingly, fundamentally flawed. Has been from the beginning. As you noted, it's susceptible to user numbness. It's also susceptible to the dancing pigs phenomenon, something mentioned by Microsoft's own Steve Riley (see http://www.microsoft.com/technet/community/columns /secmgmt/sm0405.mspx [microsoft.com], and search for the words "dancing pigs".

Mac has issued a salutation. Allow or deny? Comedy gold, and yet Apple hit the nail on the head.

My expectation is that at least 50% of Windows Vista consumers will turn UAC off entirely, and the remaining 50% will ignore it (psychologically disable it) to the point that it may as well be disabled - especially applies in the enterprise computing world where Joe won't be allowed to turn it off, but still wants to do whatever he wants. Meaning that in the default configuration of users as hobbled admins, every Vista user is then an admin. Just like they are in XP. Really validates 5 years of hard work on security.

The cause of your problems and the solution

NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.

Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.

Apple got it right

There are 2 ways to install software.

1. Drag application folder where ever you want it
2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password

How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.

Re:Apple got it right

No, it is completely different. For an MSI to run on windows, it needs to use the installer SERVICE which is running under the sytem account. This means that any installer inherently is running through a system user account. And if you had read the article, EVERY installer asks to be run as administrator in Vista, regardless of its intent. There is no exception made for a game, such as Tetris. RTFA yourself.

Re:Apple got it right

Then the article is wrong. You can manifest an installer or exe to default to admin and UAC prompts, or AsInvoker if you know you can install without special access (installing to a user directory only for example). You can see more information here: http://channel9.msdn.com/Showpost.aspx?postid=2112 71 [msdn.com]

It's not the software.

That's the thing. Most of the prompts I was getting was not from software trying to do stuff, it was from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.

Re:It's not the software.

I had probably the most frustrating ten minutes i have ever spent on a computer before.

Start, typed in regedit enter.
Vista:Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the pogram name I wanted. Thanks for checking though. (click) ....
Edit the registry, close it. That was easy. ....
double clicked on setup. Stupid shield on my icon, what does that mean?
Vista: are you sure you want to run this? it's a program, you know.
Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click) .....
Install......that was easy. ....
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over ...
Open my computer, go to program files ....
Vista: Are you sure you want to go there?
Me:Yes (click) ...
open up the application folder ....
drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click) ....
Drag to Desktop. ....
Drag from desktop to application folder. ...
Vista:
Are you sure you want to overwrite this file?
me: for the love of god yes
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Die.Die.Die.Die.

Re:It's not the software.

Sounds like Clippy has been re-incarnated.

*shudder*

Re:It's not the software.

He did warn us that if we struck him down he would become more powerful than ever.

Maybe we should have listened.

Re:It's not the software.

Great, it's Darth Clippious.

Re:It's not the software.

Sounds like Clippy has been re-incarnated.

The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now its worse because the operating system blocks and asks you to click a bozo box every time you do anything?

* smashes head on desk *

Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who its designed for, or if its even designed at all.

The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when your supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.

* smashes head on desk again *

Microsoft can't even rip off existing security models that work like the elevated priveledges in OS X. Microsoft embarasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.

Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.

Oh, and I almost forgot.

Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.

Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?

* smashes head on desk again *

Re:It's not the software.

Microsoft embarasses me as a computer professional

Wow, I had never heard anyone said it so succinctly, but that's it, baby. I always felt an unrecognized sense of shame for the state of computers today, and I never quite realized why. This is it. Things should be *soooo* much further along today, if it weren't for the predatory monopolistic effects of MS. Throughout so much of the short PC history, there were rays of sunshine (Quarterdeck's multitasking DOS thing, many IP stacks, etc., etc), that were quashed by their monopoly. To see this happen, and realize their mediocracy, and not have done anything about it, definitely brings a sense of shame.

Re:It's not the software.

My few hours with Vista taught me something important about operating system design. That is, a good operating system should make you feel like you're in control of your computer. Like you're the one calling the shots and that the system will do exactly what you want it to do without fuss. Further, the experience of using a good OS should make you TRUST your computer and feel as if your computer TRUSTS you. You should not have to beg an OS to install an app or run an executable. Even if you do something that is possibly dangerous to security, the most it should do is ask "are you SURE?"

I don't want to wonder if my computer is tattling on me if I'm downloading an mp3 without DRM or watching a copy of a video that a colleague gave me. I don't want to think my computer is a rat or a punk. I don't want to think my computer will rebel if I run a perfectly legal program like Alcohol or rip.net or want to install the k-lite mega codec pack.

DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home.

Re:It's not the software.

a good operating system should make you feel like you're in control of your computer

Kernel (Jessup): Son, we live in a world that has firewalls, and those firewalls have to be guarded by software with guns.
Whose gonna do it? You? You, Slashdotter? Windows has a greater responsibility than you could possibly fathom.
You weep for Tux, and you curse the DRM. You have that luxury. You have the luxury of not knowing what Windows knows.
That Tux's death, while tragic, probably saved lives. And Window's existence, while grotesque and incomprehensible to you, saves lives.
You don't want the truth because deep down in places you don't talk about on Slashdot, you want Windows on that firewall, you need Windows on that firewall.
Windows use words like honor, code, loyalty. Windows uses these words as the backbone of a codebase spent defending something.
You use them as a punchline. Windows has neither the time nor the inclination to explain itself to a Slashdotter who rises and sleeps under the blanket of the very freedom that Windows provides, and then questions the manner in which Windows provides it.
Windows would rather you just said thank you, and bought copies for your entire extended family. Otherwise, Windows suggests you pick up a browser, and send a POST.
Either way, Windows doesn't give a damn what you think you are entitled to.

;)

Re:It's not the software.

PopeRatzo: "DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home."

Microsoft: "Well, what if we give you a nicer looking start menu too?"

Re:It's not the software.

And the worst part is, if you tell them the truth -- "it does that because Microsoft sucks at making software" -- they don't believe you and think you've got some kind of unfounded grudge against Microsoft!

Re:It's not the software.

You have just clicked yes. Did you really want to click yes?

Re:It's not the software.

Are you sure you want to cancel the operation?
[ OK ] [Cancel]

Re:It's not the software.

Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click) .....

Wait, you TRUST your employer? What is this board coming to?

Re:It's not the software.

So, this is *exactly* like the latest "get a Mac" ad. Maybe even funnier!

Re:It's not the software.

Is it sad or scary when hyperbolic advertising isn't?

Re:It's not the software.

Most of those prompts were redundant, either because they enforce things guaranteed by the underlying file permissions, or because the authorization could've been cached.

Vista:Are you sure you want to run this program?

Of course! It's got +X set!

Vista: are you sure you want to run this? it's a program, you know.

Ditto.

Vista: This is from AMD. Do you trust AMD?

Redundant. If I didn't trust them, I wouldn't have set +X.

Vista: Are you sure you want to go there?

Since Program Files shouldn't be world writable, this should prompt you for the administrator password. This authoriation should then be cached for Explorer.exe.

Vista: Are you sure you want to overwrite this file?

I'll let this slide, because even 'cp' prompts for that.

Vista:A program wants to write to the Program Files folder. Is this ok?

Should've grabbed cached authorization for Explorer.exe. Unless Explorer.exe was compromised in the 30 seconds between this action and the previous one, no security is lost here.

Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.

That's just idiotic.

Are you sure you want to overwrite this file?

Again, I'd let it slide depending on preference.

Vista:A program wants to write to the Program Files folder. Is this ok?

Cached authorization again.

It's really not that hard. UNIX/sudo got this right god knows how long ago. Apple did the right thing and just copied the sudo mechanism wholesale. Microsoft should to.

Re:It's not the software.

I've just tried this on Vista Ultimate edition, and experienced no problems at all, apart from a UAC warning asking me if I really wanted to dump an unknown executable into my Program Files directory (and for some reason, a warning saying that a UAC warning was about to appear...).

However, I suspect the GP is talking out of his arse. The file was from another PC, in another workgroup, drag-and-dropped straight into the Program Files directory. I even tried it in the Windows folder, and it was fine.

Re:It's not the software.

Apple didn't copy the sudo mechanism. They copied sudo itself, shipped it with the operating system, and used it from the GUI.

So changing /etc/sudoers can affect the GUI. This can be important, because the default behavior is to cache credentials for 5 minutes, which can leave your system exposed to the next thing that wants Administrator privs. Changing the cache timeout to 0 fixes that, nicely.

Re:It's not the software.

cause then there will be a story on here going on about how Microsoft stole from Unix, then we get 800 comments about how microsoft is evil for doing it, yet no one will mention that Apple did the same thing cause they aren't the evil microsoft.

Whatever. For starters, Apple didn't just steal from Unix, they build their OS on top of Unix. And you can't read any article on OSX around here without a dozen posts pointing that out, so the "no one will mention" part is just crap. Of course Apple never hid the fact that they were "stealing" Unix by building their OS on top of BSD. The whole point being to start with a solid OS with all these great Unixy concepts built in and add their Apply interface on top. Whereas when Microsoft steals these features after another five years, they'll act like they were struck by inspiration out of the blue and done something that nobody's done before, like they have with every other idea they've stolen. So the "did the same thing" part is crap too.

It may be fun and easy to take a poke at the "/. doublestandard", but it only reveals that you don't understand that it isn't a double standard at all. Microsoft has a bad rep for a reason among those who have been paying attention, and hey, maybe you don't know or understand why but don't think Apple would get a pass if they truly did the same things Microsoft does.

Next up: Why viewing Halliburton in a harsher light than Bob's General Contracting is also not an unfair double standard.

Re:It's not the software.

At the command line, Apple simply uses sudo. At the GUI layer, the security architecture is more complex than sudo. It borrows some concepts, but only in a very limited sense. When you authenticate, you don't necessarily become root. Sometimes, you are just given permission to make modificaitons within a program, where root privileges aren't strictly required for anything, but the app's author wanted to restrict certain capabilities to admin users on the machine. Apple's security model is designed around requesting rights (like "com.apple.installer.installSoftware") from the security server, and those rights have certain properties that you can set, like a timeout, whether root privileges are actually required for this right, etc ... In many cases, you're authenticating for permission to run a SetUID command-line tool that's been factored out of the GUI app you're working in. For example, when you authenticate in Installer.app, Installer.app does not elevate to being run with root privileges. It launches a SetUID binary called "runner", which runs with as root.

Apple copied sudo's idea of "least required privileges" as the basis of its GUI security model, but I don't know if sudo was the first example of LRP. Maybe it was. But the GUI security model is definitely more complex than sudo, and apparently, it's a hell of a lot better than what Microsoft came up with for Vista. Using heuristics to identify which executables should get admin rights just seems like a horrendously stupid idea. Microsoft should've put its foot down on this one and forced developers of installer applications to properly request credentials. But they chose backwards-compatibility, as always, and now they're basically guessing who needs admin rights and who doesn't.

Re:It's not the software.

"You are coming to a sad realization. Cancel or Allow?"

Re:It's not the software.

You were lucky. Try logging into Vista using a domain account. Then try copying a file from a restricted share to which the local machine users are not automatically authenticated but to which the logged in domain user is. Try to copy the file to a restricted destination like C:\. You go to do the copy, get all of the prompts you listed and then guess what: when you authenticated to the remote share by logging into the machine you authenticated as the domain user, but the local administrator under whose context the elevated copy is being performed never authenticated to the remote share and you get prompted yet again for credentials.

This is an annoyance for an end user but a major pain in the neck for software. I develop software that does not run elevated that accesses a remote file and the passes the file path into an out-of-process server that is running elevated. We either had to make the server no longer run elevated or prompt the user for credentials they already used to log into the machine (and which they don't think they need because they can get to the files just fine themselves) and then pass these credentials to the server with the path. Fortunately our architecture allowed us to have our server to not run elevated and get some other server to do the tasks that needed to be done elevated.

Vista is really a pain in the neck. What's funny about it is that I was at a Vista iterop event at Microsoft last November (yes I sometimes have to fraternize with the enemy) and every MS developer I worked with had to tell me how much they loved working on Vista and that they had been using Vista on their development machines for months. I asked them if they had disabled UAC and they said "no, why would you want to do that?" I then asked them if it wasn't annoying to be prompted all the time and they said "no." I can only assume that they must have been brainwashed.

Re:It's not the software.

Its mostly because Windows has been so piss-poor with their default settings in the past, so trying to get a more secure-by-default setup is like pulling teeth. I remember once reading in a security book that integrating security into your application after the fact is several times harder than designing it that way by default. Windows is in the unenviable position of having to integrate security after the fact.

Regardless, I think that a Windows version of sudo is a very good step. They just should have spent more time working on permissions so that it didn't trigger so much (assuming that what the posters' have said is accurate). The setup thing in TFA is kinda stupid, but installers almost always write to Program Files in Windows, and rarely have a per-user installation method like in Linux. A better solution would have been to try and encourage installers to have a per-user installation method.

Anyways, it may be that I'm just lucky that I haven't had a lot of problems with UAC. But I haven't had to go registry diving or modify any system directories in Vista yet, so theres that too.

Re:It's not the software.

Classic windows security. You can either do anything, or you can't even change the background picture.

Re:It's not the software.

People bitch when it's so easy to get this stuff on a windows machine, Microsoft finally does something about it and people decide to bitch about that.

No, people aren't bitching about them doing something, they're bitching about them doing something WRONG. Linux and Mac's have a similar approach to this problem, but their solution (sudo) is not annoying, so it actually works. All Microsoft had to do was copy that solution to improve security, instead they came up with their own and made it obtrusive in the process.

I have yet to experience these supposed headaches with Vista yet, the only time that shield pops up is when I run a program that is potentially harmful to my computer

Although I also have not seen these prompts when copying text, I have seen them in plenty of places aside from installing programs. Places that make absolutely no sense, such as storing wireless settings. There is no reason that action should require admin privileges and thus a prompt.

How many story's were posted about programs looking like they came from an official place only to release a trojan? sure you get a program from download.com and figure it's safe but after installing a program it suddenly fucks up your PC, with Vista it will actually ask if you trust it let you know where it came from the works.

And how would that help? You download a program from somewhere, and double click to install it. Whether it is a trojan or not, Windows is going to ask you for permission. Since you downloaded it, you obviously think it is not a trojan, so you would press Ok on the permissions dialog. Turns out it is a trojan, and your system is compromised. A permission dialog does nothing to protect you here.

Re:It's not the software.

What you aren't understanding is: it isn't the concept of asking for permission when you need to do something that requires administrator rights, that Microsoft got right, it's the way they implemented this feature that is so bad. Microsoft often gets the general ideas right, but the details are so wrong.

Higher up in the thread someone mentions what happens when you copy a file to a folder in Program Files. Because Program Files folders are protected you need elevated permissions to do that. The right thing to do is say that it requires elevated permissions, ask if you want to do it, then do it. But in some cases it asks you 3 times for one file (do you want to copy, do you want to elevate, do you want to overwrite, do you want to be admin, do you need help with writing your letter). Why can't they give you one box that says, "The file already exists and this copy requires administrator rights, do you want to allow this?", then when you say OK, you are done. Why, why, why can't they do this, are they short of money?

And Mac and Linux do exactly the same thing, they ask your permission to do admin tasks, except they got the details right so they don't irritate the user to death. A guarantee people are just going to shut off UAC because it's annoying, defeating the whole purpose.

Re:It's not the software.

Not OS files, but my own documents in my user directory.

I find that hard to believe, unless you're talking about pre-RC2 Vista. Operations on files which you own or have normal permissions to, such as all the files in your user directory, do *not* cause a UAC prompt. Simple as that. Think of it this way, if you were on Unix, it would simply deny you access to the file in question. You would then have to su root to get the job done. In Vista, it makes that elevation a lot faster and easier.

For repeated, but seperate operations (like installing a lot of applications when you're setting up your machine), you can disable UAC. This is basically the same thing as su root if your account is an admin account. Once you're done, re-enable it. It's really not that hard.

Stuff like changing the layout of my Start menu.

You'll only get a UAC prompt when modify start menu folders that are shown to all users. Why? Because these aren't folders you own. See my previous point. Also, why bother rearranging start menu folders in Vista? If you want to find something, type in the first couple of letters and it appears. It's MUCH faster than drilling down through folders.

Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.

You're either making this up, or you were using something that was even pre-pre RC1. This simply does not happen with Vista post-RC1.

Re:It's not the software.

The better solution is what OS X does: extend "sudo" to the GUI. The first time the app needs escalated privileges, prompt for the user's password. Then, cache those privileges for a reasonable amount of time and don't prompt. Unless the app in question is compromised in that interval, it doesn't matter.

The problem with UAC is that it fails to separate the two orthogonal issues of sanity-checking the user's behavior, and maintaining system security. Consider how "Program Files" is handled. Browsing into "Program Files" throws up a UAC alert. It shouldn't do that --- "Program Files" is readable to everyone. Writing to "Program Files" should throw up a UAC alert, but only the first time in the caching period. The question at that point isn't "Do you really want to modify this directory" (of course I do!), but rather "Do you want to give Explorer.exe permission to modify this directory". When you follow the first train of thought, you end up with prompting the user each time, because obviously each copy requires a separate sanity-check. If you follow the second train of thought, you see that the caching mechanism is just fine, since if Explorer.exe was authorized 30 seconds ago, it's unlikely it was compromised since then, and should retain that authorization.

Re:It's not the software.

The better solution is what OS X does: extend "sudo" to the GUI. The first time the app needs escalated privileges, prompt for the user's password. Then, cache those privileges for a reasonable amount of time and don't prompt. Unless the app in question is compromised in that interval, it doesn't matter.

It's not a matter of the "app in question" being compromised. Vista doesn't elevate the entire user, it only elevates the application. For the entire length of execution of that application, the application will run elevated. For instance, Visual Studio.NET is an application that pretty much always needs to be run as admin. When I run the application as admin, it stays as admin. I get 1 UAC prompt, and for the entire lifetime of the process it is running as admin. No caching. No timeouts. No additional prompts.

If you cached the elevated credentials authorization for "X" minutes, or whatever, you would be giving a free pass to any malware that happened to be trying to do something bad. That's an incredibly bad solution. But I have to assume that's not what you're suggesting.

Browsing into "Program Files" throws up a UAC alert.

No, it doesn't. By default, all users on the system can read files in c:\Program Files.

Writing to "Program Files" should throw up a UAC alert, but only the first time in the caching period.

It does throw up a UAC, but I've already explained why the "caching period" is a bad idea. Now, what might be a good idea is running explorer.exe elevated when you need to perform lots of different file operations that require admin privs. And you can easily do that.

If you follow the second train of thought, you see that the caching mechanism is just fine, since if Explorer.exe was authorized 30 seconds ago, it's unlikely it was compromised since then, and should retain that authorization.

Ok, I think I see where the confusion is. Explorer is unique in the sense that when you authorize a file operation via UAC it doesn't elevate the entire explorer process. There are a bunch of reasons for this. You *can* elevate the entire explorer process if you want, which will achieve what you're looking to do.

That make sense?

Re:An even bigger hole...

I'm a Windows developer. Last time I got a new machine, I counted the number of applications that I needed to install to completely set up my development environment. That number was over forty. You're telling me that I need to track changes to every one of those applications? Not easy on an OS that doesn't have anything like apt...one reason that while I write Windows code by day I run Linux at home.

There have also been a number of times in my career where I have had to use development software written by companies that either went out of business, or stopped supporting that software. What then?

What Apple understands and Microsoft does not is that it is not my job to make the OS work better. It is the OS's job to make my life easier.

So what's new?

I believe that even RPM on linux runs the install scripts with admin access...

Re:So what's new?

I believe that even RPM on linux runs the install scripts with admin access...

Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.

That's the same in Vista

If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.

You ought to watch those irrational beliefs . . .

Let's say rather that you need root authority to install rpm packages for use by all users.

rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.

By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).

RTFM.

Another approach.

Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple an effective solution.

Re:Another approach.

Sigh. The *point* of an App bundle is that you don't "extract" it. The OS knows how to read these things and treats them as part of the filesystem.

Re:Another approach.

Actually, the concept was on the original Mac before NeXT existed. Mac applications would have the executable in the data fork, and any supporting 'files' in the resource fork. NeXT didn't want to implement forks, so they used folders instead. This let them store applications on filesystems that didn't support forks (e.g. FAT, UFS, etc), and so was probably a better solution.

Executable installers....

Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accomodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.

"balance" ease of use

Ease of use and compatibility with DOS/Windows is a major reason that Microsoft got us into this security mess. The default user in XP was an administrator with no login password. Non-priveleged accounts were practically useless, mainly because you couldn't install any software using them. Now Vista is touted as allowing non-priveleged accounts, but the price you pay is that any old installer is priveleged. What an advance!

While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the life blood of the OS?

Further proof

...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.

When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.

The one thing Apple did that Microsoft really ought to copy, they don't. Figures.

What?

So let me get this straight... deleting a shortcut [flickr.com] brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?

Balancing Security with Ease of use

Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.

DOOM: History repeats itself

Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?

I guess MS didn't learn anything from id.

Re:DOOM: History repeats itself

You think UAC is bad now? Just wait for Vista II: Hell on Earth [wikipedia.org]

Troubling ...

... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.

That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.

My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how inobtrusive they may be.

I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.

Oh, this is rich ...

Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use.

Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.

Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.

I mean, well over a decade I could download any old UNIX software, untar it, set an environent variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.

This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.

This just makes me laugh.

Cheers

I agree with MS' choice.

Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.

If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.

Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.

Re:Dammit

UAC has no concept of the source of the execution command. What really needed to be added to Vista is a concept of the "source" of code execution. In the case of UAC there should be the notion of not only the code execution but of the source, such as a keyboard, mouse or other input device. These sources identify execution requests as coming from a HUMAN, and not some nasty zombie pc making virus

I'm sure that's the way things would be if it were possible. I don't think you understand computers at a low enough level to know why things don't work this way. All of this source checking gets done long before machine-code instructions ever hit the core (CPU), so all you need to do is somehow intercept the call to find out if the "code" was launched by a human, change "zombie" to "human" and now your killer swarm of zombies just turned into a mob of violent humans.

In reality, the hardware is optimized for speed. That is, the core will execute the instructions it receives without any sort of bounds checking. If an instruction fails, then an error code is stored and the next instruction is fetched and executed. It's only during boot time that a kernel has the opportunity to install code at particular vectors to prevent other code from sitting there. That's the PC architecture -- it was designed years ago and for good or bad, we're stuck with it (Ironically, many people make the same argument about Microsoft). That's why the kernel is so important: if it fails to protect a particular interrupt vector or other system integration point, then a userland program can elevate itself to kernel-level privileges and walk all over both the running OS and the data on your hard drives.

The only way to implement your idea (and many others like it) would be to have the hardware recognize this "code source" (or whatever magic bullet you have defined) and act accordingly.

Long story short, people are looking for a technological solution to a lack of education. Like it or not, there's a lot of people on the Internet now that need education. Vista's UAC seems to be along those lines, though extremely insulting and inflexible to an advanced user. It's like it was designed to "raise awareness" of "potentially unsafe operations" so that someone who was previously a clueless idiot can now see that many operations are potentially unsafe. Of course, the prompts don't explain WHY to this person, which eliminates UAC even as an education tool.

People who complain about UAC don't understand UAC

Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!

VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?

Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.

As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.

Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.

Why have installer at all ?

1) So, all Vista installers run with admin. priv.
2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.

Why does a game need an installer at all ? Why not just unzip the game into your user account/home directory or better yet drag the game icon to the place you want it ? Why do Windows applications all seem to need an installer ?

On OS X and NeXTstep before it, application icons are actually covers for directories containing all of the support files including executables need by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.

The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.

No installers (except in crap-ware and unusual circumstances and even then they require an admin password for upgraded privileges!
Remarkable little user irritation.

Why can't Microsoft copy this behavior ? It has been for sale since 1988.

OS X isnt perfect, but sometimes it is better.

Maybe this points out an underlying limitation

in our concept of a personal computer.

Yes, this is a specific flaw in response to the problem, but why do we have the problem? Why is it that when you browse to a web page, you are endangering an accounting database you have on your machine?

What I am leading up to is this: there is too much coupling between computer applications via the personal computer operating system. It isn't just that MS put installers into God mode -- although that is bad.

Imagine you ran your computer as an X terminal or Citrix client, and you connected to applications running on remote servers. Installing or upgrading one piece of software could do very little to affect another. Now imagine a variation on this: what if we never created installers. What if we distrbuted software in virtual machines that you simply dragged onto your disk, and the operating system provided window management, clipboard integration, and file service? Furthermore the virtual machine would have no access to system files, anymore than a network client has access.

Your browser should at the very least run in some kind of a sandbox.

There was some possibility, a decade ago, of a change in the nature of applications. The OpenDoc idea was that the user experience would be document centric, and vendors would provide various capabilities users could employ on the documents. This was a beautiful idea: instead of builing lots of boiler plate capabilities, you as a developer would create only the bit you wanted to add to the software universe. OpenDoc never got past beta, and the OLE model, based on heavyweight applications, won. Well, if you're going to go that way, why not package each application with its own complete, but lightweight, runtime system? If you need to install an active X, why install it for every application on the system?

Can it be overridden using manifests?

From the NSIS (Nullsoft Scriptable Install System) documentation:

RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privileges level the installer requires. user requests the a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request for the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.

It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.

More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".

So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.

Two issues confused?

As far as I can see Joanna Rutkowska's original criticism was that you need to be admin to install software. How is this different from Linux or any other OS?

Mark Russinovich then revealed that a non-admin process could cause an admin process to run arbitrary code. That sounds like more of a real problem.

Re:Tetris is a brand name

Your post is even funnier if you read it out loud in the Simpson's "Comic Book Guy" voice.