Slashdot Log In
Tricking Vista's UAC To Hide Malware
Posted by
kdawson
on Mon Feb 26, 2007 07:42 AM
from the protective-coloration dept.
from the protective-coloration dept.
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
This discussion has been archived.
No new comments can be posted.
Tricking Vista's UAC To Hide Malware
|
Log In/Create an Account
| Top
| 221 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Importance? (Score:4, Funny)
Re:Importance? (Score:4, Interesting)
(http://money.kevingunn.org/)
If I had to enter my password to continue I would understand the difference, but just a click to continue? Does this work at all?
Re:Importance? (Score:4, Interesting)
Yet another bad car analogy (Score:4, Insightful)
(http://www.ajwm.net/amayer/)
No.
People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.
People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that that they'd ever sell any cars with the hood welded shut.
paraphrase (Score:2, Interesting)
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
Re:paraphrase (Score:5, Funny)
Re:paraphrase (Score:4, Funny)
Screw that, if i'm the 999,999th vistor I deserve a prize and I dont care what no washington computer fatcat wants to do with my internet windows.
Its tricking the user as much as Vista (Score:2, Interesting)
No tricking involved (Score:5, Insightful)
I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.
Re:No tricking involved (Score:4, Insightful)
The "OK/Cancel mistake" has been in usability textbooks as an example of what no to do for more than a decade now. It is quite clear to anyone who has had any formal training in human-computer interaction that either MS hires the worst UI people on the planet, or the marketing department overrides all of the UI people's proposed changes. It is also clear that either MS is only vaguely aware that UI deign is an important part of security, or they are a lot more interested in providing the perception of security than the reality. My opinions is that Vista security is a lot like searches at the airport. For the most part it is completely ineffective at actually increasing overall security when it is important, but it is very, very visible and "in your face" so people assume "something is being done" and are mollified.
Not an issue (Score:3, Insightful)
We need to cut down on the complexity. (Score:4, Insightful)
So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.
Re:We need to cut down on the complexity. (Score:4, Insightful)
To clean a Windows box means reinstalling the entire damn thing.
It is also a lot harder to use a *nix based box as a botnet zombie. It isn't impossible, but each machine has to be manually cracked, unlike Windows up to XP which it can be fully automated. I will hold off on final Vista judgments until more information can be gathered.
To Quote Scotty in Star Trek III The more they over think the plumbing the easier it is to stop up the drain.
Simple *nix user level security has proven for over 20 years to be more effective than anything MSFT has produce in the same amount of time.
ACL's make life easier for large installs, but it is the small ones that cause the most problems. That is why large *nix installs use both.
Different colors?? (Score:5, Interesting)
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
C'mon, give MS a break here! (Score:5, Insightful)
(Last Journal: Monday April 03 2006, @07:23PM)
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.
I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.
Re:C'mon, give MS a break here! (Score:4, Insightful)
(http://www.quadesl.com/)
True, and we are in a dangerous "middle-ground" between a complex tool that only knowledgeable people use, and a true appliance that anybody uses.
The problem is that the operating system is too brittle and vulnerable to be considered an appliance. Do you ever think about how you use your toaster? If I put this new organic untrusted bread in the toaster will my toaster be taken over and corrupt the blender and waffle maker and start a kitchen rebellion? If I put in this DVD of "Ishtar" in my DVD player will it require a weekend to reinstall it's OS and useful applications?
No, that doesn't happen because appliances are robust and there isn't much a user can do to hurt them when used in their intended ways.
Now the current computers (particularly windows) are becoming appliances but haven't gotten to the critical point where they really become appliances. that transition will happen when a big chunk of the OS is hidden from the user and the user works in a Sandbox. It will be a lot less useful because it will only do what it was designed to do, but it will be safe and reliable for it's intended purpose. Then it will be an appliance.
The problem is that computers are sold as the answer to lots of the average user's non-problems. Like any good for sale in a capitalistic society, it's jammed down the throats of everybody the seller can get their hands on. So lots of people who maybe shouldn't be using computers (in their current unrestrained form) are using them (they are the ones who you get your spam from).
This is a windows problem not only because of shoddy engineering, but also because of Microsoft's position in the market. Let's look at the three major OS's:
Linux (BSD et al): It's a computer hobbiest's paradice, lots of great code, well defined heirarchy. Plus in general hard to get your hands on if you are "Joe User" who just wants to get a computer to e-mail the kids at school. This means that the people who are using this os WANT to use it for some reason (insert long list here), and they are going out of their way to use it. This means that this segment is typically very computer savvy and not likely to be pwned as a group.
Macintosh: This is also a "Harder to get" computer for two reasons. First, they are very expensive compared to the best-buy special. Second they are only sold in a few places. These two reasons make the Mac a sought-out computer rather than what the sales droid told you to buy. The average user is probably less computer savvy than the average Linux user, but in the case of the Mac, apple also "has your back" to some degree with frequent patches and a well designed core OS that minimizes your risk to begin with.
Windows: This is the default OS you get if you close your eyes and pick a computer. This means that if you have no clue about computers, chances are you get a windows box. Its fertile ground for stupid users to take advantage of (can I interest you in a free screensaver?). And in addition to that, MS has huge legacy issues that they can't change or they break business apps. MS has painted itself into this corner by selling to the lowest common denominator.
Change the borders to any color you like, there are still a huge amount of computer users that shouldn't be computer users under the current OS choices.
Better listen up, guys... (Score:5, Funny)
(http://gmail.com/)
or, get it to look like spam (Score:5, Funny)
(http://www.devinmoore.com/ | Last Journal: Thursday May 24, @06:16AM)
Mirrordot Link (Score:1)
(http://www.angelfire.com/linux/wills/ | Last Journal: Thursday October 11, @11:24AM)
I got binary nonsense when I followed the link to the article.
The Mirrordot link works: http://mirrordot.org/stories/bdc4f568dcc5c7b125832 2aec4d77944/index.html [mirrordot.org]
UAC is not there for *user* protection (Score:1, Insightful)
(http://www-gap.dcs.s...ians/Theaetetus.html | Last Journal: Friday August 15 2003, @08:32AM)
This isn't security, this is a legal CYA.
Re:UAC is not there for *user* protection (Score:5, Insightful)
I would be interested in what you consider would protect the user. You have three options here.
1/ No-one decides what goes on your computer. It's an open free-for-all.
2/ Microsoft decides what goes on your computer. Corporate lock-down.
3/ You decide what goes on your computer. You're the boss.
We've already seen what happens with option 1. It's a security nightmare for everyone. I can imagine just how popular the second option there would be, people already have plenty to bitch about the controlling nature of Microsoft without adding to it.
So it's got to be option number 3. The only other thing Microsoft can do then is to warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide.
Which is pretty much what is happening here. And still people complain.
Re:UAC is not there for *user* protection (Score:4, Insightful)
(http://joe-baldwin.net/ | Last Journal: Saturday September 02 2006, @11:58AM)
It wouldn't be their fault. Nor should it be their fault.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...
Anti-Virus makers, make Virus.... same old scare (Score:5, Insightful)
This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and lets use it to make us money"
The old anti virus company making viruses, just to fuel sales... has come true. They dont have to release the viruses though, but simply they figured something out, and to tell the world that something.
Profit at all costs.
But, What Now? (Score:1)
Re:But, What Now? (Score:4, Insightful)
(http://localhost/)
Re:But, What Now? (Score:4, Insightful)
(http://localhost/)
Will it happen all the time? Absolutely. Are a significant number of computer operators basically shaved apes without a clue about security? Absolutely. Does that make it Microsoft's fault? Absolutuely not.
How do you suggest Microsoft cures the world of dumb computer users who won't do what they are told, and what go against what common sense would dictate? Say someone bought a car, drove it until it died and then brought it to a repair shop where it was discovered there was no oil or engine coolant in it. ("Well, I saw some lights go on, but there are so many lights on the dashboard I just ignored them and kept driving.") Would it be the fault of Chevrolet because the operator couldn't be bothered to RTFM or understand how to properly operate a car before doing so?
Old Unix security issue (Score:2)
I am colourblind (Score:4, Informative)
(http://www.tentoomany.com/)
Isn't this the whole point of UAC? (Score:2)
(http://home.happyface.net/)
1) Sneak in a file with a virus payload
2) Execute that file, triggering the UAC
3) User blindly clicks "OK"
Of course, the point of UAC is to prompt the user when something is trying to run that requires admin privledges. Users know that when they see this box randomly pop up that something unusual is happening.
Unless they just said to install some software or tried to change a setting themselves, seeing this pop up when they visit MySpace or something shouldn't be a problem.
UAC is meant to provide users with an alert saying "something bad may be happening, stop it?" It's not meant to completely lock down your computer to the point where you have to log off and back on as an admin to do anything.
Wow... (Score:2)
(Last Journal: Wednesday November 06 2002, @05:15PM)
If I can infect your system with a trojan and drop files onto your hard drive and then remotely run code, I can get you to click OK to a box that could infect your system.
Truly groundbreaking work here. Seriously, I mean, if all I have to do to possibly infect your system, is infect your system... well hell, Vista will probably be recalled!
As usual, TFA doesn't live up to the summary hype. But that won't stop the MS haters from jumping on board with a "See! It's broken!"
Really, the story for me here is "Someone infects your Vista with a bug and tries to elevate the program to Admin, and even though you're infected Vista STILL pops up a warning box... it just happens to be green instead of orange."
My biggest beef with UAC (Score:3, Interesting)
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer literate users (nobody else.
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.
Wait a second (Score:2)
Since when do restricted users get to delegate administrative privlidges ?
Huh? (Score:1)
(http://www.timalmond.com/)
But presumably that also has some sort of UAC when you try and run it?
Who cares about this if you've already compromised the security? anyone else think that Symantec are getting nervous?
Are those the only choices ? (Score:1)
(Last Journal: Friday July 14 2006, @07:12AM)
Isn't there an option to be utterly disinterested due to the unlikihood of seeing it for years to come?
Followup on colorblind users (Score:2)
(http://telebody.com | Last Journal: Tuesday July 30 2002, @07:28AM)
I thought it was only red/green though in fact it can cover a whole bunch of colors, and apparently at least 1% of the population has color blindness of some type.
It strikes me that Vista's use of green, red, orange, gray, etc. are totally underminded by colorblindness which can confuse colors, dim them or render them conceptually meaningless if I understand the article correctly. Seems like the dialogs should include a mode name too.
Re:I didn't think it was that difficult (Score:2)
Re:I didn't think it was that difficult (Score:3, Informative)
Re:I didn't think it was that difficult (Score:2)
(http://slashdot.org/ | Last Journal: Monday October 04 2004, @03:55PM)
Re:I didn't think it was that difficult (Score:1)
(http://www.ferrgle.co.uk/)
It IS damn annoying though!
I personally feel that most people won't turn it off because they won't realise that they can.
But in saying that most people won't read what it says anyway.
(The above is based on experience.)
Re:I didn't think it was that difficult (Score:3, Funny)
From what I understand, the UAC thing comes up all the time
It does not.
I'm rather amazed at the number of posters who criticize Vista without having used it. Many people make good points about the all-or-nothing permission granting of the UAC, but it is better than having people run as Admin. My guess is that the typical user will still run as admin most of the time, since it's convenient. Microsoft should guide people through the simple steps of setting up a user account when the OS first comes up. It's less hassle than typing in the license key. Then again, I don't have a boxed version of Vista, so maybe they say something about that in the retail version.
Re:I didn't think it was that difficult (Score:2)
(http://www.rigidsoftware.com/ | Last Journal: Saturday September 24 2005, @11:58PM)
Re:UAC? (Score:2)
(Last Journal: Tuesday October 30, @10:59AM)
It does seem appropriate -- they both are directly responsible for all Hell breaking loose.
I wish Slashdot was like Digg... (Score:2)
(Last Journal: Tuesday October 30, @10:59AM)