Slashdot Log In
"Very Severe Hole" In Vista UAC Design
Posted by
kdawson
on Tue Feb 13, 2007 04:07 PM
from the she-said-he-said dept.
from the she-said-he-said dept.
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
This discussion has been archived.
No new comments can be posted.
"Very Severe Hole" In Vista UAC Design
|
Log In/Create an Account
| Top
| 813 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
An even bigger hole... (Score:5, Insightful)
(http://skippus.blogspot.com/ | Last Journal: Sunday June 19 2005, @07:25AM)
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of he end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually compose of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
Re:An even bigger hole... (Score:5, Funny)
(http://dotpavan.googlepages.com/home)
no doubt, thats why Dell is marketing its harware for Vista as great for "booting the OS, w/o running apps or games [googlepages.com]" (link via this [dell.com])
Since when did booting an OS become a "feature" of the OS?
Re:An even bigger hole... (Score:5, Funny)
(http://deoan.org/ | Last Journal: Monday February 12 2007, @12:08AM)
Re:An even bigger hole... (Score:5, Funny)
(http://www.schoolofshaolin.com/ | Last Journal: Friday August 25 2006, @10:59AM)
Re:An even bigger hole... (Score:4, Funny)
(http://wellhellosailor.com/ | Last Journal: Thursday November 08, @03:23PM)
Swinging a Blunt Object (Score:5, Insightful)
(http://cheeseburgerbrown.com/ | Last Journal: Tuesday November 06, @02:10PM)
"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."
This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.
Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)
Re:Swinging a Blunt Object (Score:5, Interesting)
I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.
Take care
-mat
Re:Swinging a Blunt Object (Score:5, Insightful)
You know, if any *nix software required the user to be root to run, we would string the developers up alongside the guy who thought Clippy would be a good idea.
Why should it be any different for third-party applications requiring Administrator privileges to run on Windows?
Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model. After all, a virus in *nix could conceivably blow away a user directory, but unless it's exploiting a buffer overflow or other coding error hole, it can't take down the system. The same is possible in Windows, but not available by default to your average Dell user.
Re:Swinging a Blunt Object (Score:4, Interesting)
Presumably you mean "any *nix software which claimed to be some kind of ordinary user application".
You'd probably also want to ensure that the software itself was wiped from the face of the planet, since if the "developer" dosn't know about the setuid permission bit it's rather unlikely that they they know enough to write software which has any chance of being bug free...
Microsoft is so busy catering to the third party developers in order to maintain their lock-in, that they forgot how to put their foot down on truly important software engineering issues, like security. Locking down XP to an almost *nix-like state can be done. There are read/write/execute permissions available on every directory, drive letter, and registry key, and Windows supports the "home directory sandbox" model.
In theory XP's permissions system is more capable than that on unix type systems. Since every permission is an ACL (including deny options, thus you could say "Any user in accounts except for Anne and Bob can do this..) In practice it appears even Microsoft have problems securing Windows properly.
Steve is that you? (Score:5, Funny)
(http://www.tk421.net/ | Last Journal: Tuesday August 24 2004, @07:40AM)
Re:An even bigger hole... (Score:5, Funny)
One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?
Re:An even bigger hole... (Score:5, Funny)
Re:An even bigger hole... (Score:4, Informative)
(http://www.imaginaryrobots.net/)
Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so. Vista's all-or-nothing UAC is nothing more than an attempt to shift blame to the users, so that MS can claim to provide better security than ever before.
Re:An even bigger hole... (Score:4, Informative)
In theory UAC should behave like this as well. UAC is mostly a way of elevating priveledges, just like sudo, minus the password. Administrators on Windows actually run under lower priveledge accounts, and then elevate for specific tasks that require administrator priveledges.
See, the real problem is so many things in Windows requires Administrator by default. Even stuff that shouldn't. Thats the real problem here.
You can do this in Window's too. It has a "Run As" option, and ACLs that let you any arbitrary number of users or groups' access to the file.
It's not that simple (Score:4, Interesting)
The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole [slashdot.org] even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.
It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.
Re:An even bigger hole... (Score:5, Informative)
You mean like modifying files that you don't have ownership of?
UAC does not, and has never, prompted users when they move files that they have permissions to. It does, however, prompt when you move files that are in the common desktop or in the common start menu folders.
Clearly, you don't understand anything about how Windows works. Windows has had access control lists practically everywhere in the OS since Windows NT.
Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.
Re:An even bigger hole... (Score:5, Informative)
(http://emvis.net/~sean/)
Re:An even bigger hole... (Score:4, Informative)
(http://www.iki.fi/wwwwolf/)
Uh, Linux has supported POSIX Access Control Lists and Extended Attributes for quite a while now.
Heck, it dates from the days when ext2 was the king of filesystems, and that's a long way back. (Granted, at least on ext3, you have to specifically turn them on in mount options or with tune2fs, but on XFS, JFS and (to my knowledge) Reiser3 and 4, they're supported out of box.)
And when people say POSIX, they mean "real *nixes have had these features for, like, centuries". =)
What you're saying next? "Active Directory is so much more better authentication system than /etc/passwd, which is also a security risk that exposes encrypted passwords to users"? =)
Um, what does that have to do with anything? (Score:4, Informative)
(http://skippus.blogspot.com/ | Last Journal: Sunday June 19 2005, @07:25AM)
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
Re:An even bigger hole... (Score:5, Informative)
UAC prompt opens in separate logical desktop. Applications from main desktop can not send windows messages to it which means malware will be unable to click ok itself.
Re:An even bigger hole... (Score:4, Insightful)
Everyone seems to be making a huge deal out of nothing and they alway get +5 moderation for doing so. If you dont like UAC then shut it off and move on, its not that hard...oh wait I forgot. Microsoft sucks no matter what they do!
Re:An even bigger hole... (Score:4, Funny)
(http://free.fr/)
Re:An even bigger hole... (Score:4, Informative)
UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.
MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).
So that's where clippy went! (Score:5, Interesting)
This link allegedly tells you how to turn the questions off [microsoft.com], but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
Re:An even bigger hole... (Score:5, Insightful)
Mac has issued a salutation. Allow or deny? Comedy gold, and yet Apple hit the nail on the head.
My expectation is that at least 50% of Windows Vista consumers will turn UAC off entirely, and the remaining 50% will ignore it (psychologically disable it) to the point that it may as well be disabled - especially applies in the enterprise computing world where Joe won't be allowed to turn it off, but still wants to do whatever he wants. Meaning that in the default configuration of users as hobbled admins, every Vista user is then an admin. Just like they are in XP. Really validates 5 years of hard work on security.
The cause of your problems and the solution (Score:5, Informative)
(http://blog.mzzt.net/)
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
Apple got it right (Score:5, Insightful)
(http://www.exacttarget.com/)
1. Drag application folder where ever you want it
2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password
How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
Re:Apple got it right (Score:5, Informative)
(http://www.exacttarget.com/)
Re:Apple got it right (Score:5, Informative)
It's not the software. (Score:5, Informative)
(http://skippus.blogspot.com/ | Last Journal: Sunday June 19 2005, @07:25AM)
That's the thing. Most of the prompts I was getting was not from software trying to do stuff, it was from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
Re:It's not the software. (Score:5, Interesting)
Start, typed in regedit enter.
Vista:Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the pogram name I wanted. Thanks for checking though. (click)
Edit the registry, close it. That was easy.
double clicked on setup. Stupid shield on my icon, what does that mean?
Vista: are you sure you want to run this? it's a program, you know.
Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click)
Install......that was easy.
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over
Open my computer, go to program files
Vista: Are you sure you want to go there?
Me:Yes (click)
open up the application folder
drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click)
Drag to Desktop.
Drag from desktop to application folder.
Vista:
Are you sure you want to overwrite this file?
me: for the love of god yes
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Die.Die.Die.Die.
Re:It's not the software. (Score:5, Funny)
*shudder*
Re:It's not the software. (Score:5, Funny)
(http://www.neverwhen.net/)
He did warn us that if we struck him down he would become more powerful than ever.
Maybe we should have listened.
Re:It's not the software. (Score:5, Funny)
(http://hamfisted.net/)
Re:It's not the software. (Score:5, Interesting)
(http://www.spamgourmet.com/)
The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now its worse because the operating system blocks and asks you to click a bozo box every time you do anything?
* smashes head on desk *
Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who its designed for, or if its even designed at all.
The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when your supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.
* smashes head on desk again *
Microsoft can't even rip off existing security models that work like the elevated priveledges in OS X. Microsoft embarasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.
Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.
Oh, and I almost forgot.
Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.
Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?
* smashes head on desk again *
Re:It's not the software. (Score:5, Interesting)
(http://slashdot.org/)
Wow, I had never heard anyone said it so succinctly, but that's it, baby. I always felt an unrecognized sense of shame for the state of computers today, and I never quite realized why. This is it. Things should be *soooo* much further along today, if it weren't for the predatory monopolistic effects of MS. Throughout so much of the short PC history, there were rays of sunshine (Quarterdeck's multitasking DOS thing, many IP stacks, etc., etc), that were quashed by their monopoly. To see this happen, and realize their mediocracy, and not have done anything about it, definitely brings a sense of shame.
Re:It's not the software. (Score:5, Insightful)
(http://thewaxwingslain.com/)
I don't want to wonder if my computer is tattling on me if I'm downloading an mp3 without DRM or watching a copy of a video that a colleague gave me. I don't want to think my computer is a rat or a punk. I don't want to think my computer will rebel if I run a perfectly legal program like Alcohol or rip.net or want to install the k-lite mega codec pack.
DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home.
Re:It's not the software. (Score:5, Funny)
(http://www.emacswiki...iki/ChristopherSmith | Last Journal: Wednesday November 07, @07:35AM)
Whose gonna do it? You? You, Slashdotter? Windows has a greater responsibility than you could possibly fathom.
You weep for Tux, and you curse the DRM. You have that luxury. You have the luxury of not knowing what Windows knows.
That Tux's death, while tragic, probably saved lives. And Window's existence, while grotesque and incomprehensible to you, saves lives.
You don't want the truth because deep down in places you don't talk about on Slashdot, you want Windows on that firewall, you need Windows on that firewall.
Windows use words like honor, code, loyalty. Windows uses these words as the backbone of a codebase spent defending something.
You use them as a punchline. Windows has neither the time nor the inclination to explain itself to a Slashdotter who rises and sleeps under the blanket of the very freedom that Windows provides, and then questions the manner in which Windows provides it.
Windows would rather you just said thank you, and bought copies for your entire extended family. Otherwise, Windows suggests you pick up a browser, and send a POST.
Either way, Windows doesn't give a damn what you think you are entitled to.