Security Hole In Windows 7 UAC
An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
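The flaw described above comes down to which UAC slider level the machine is at, and that level is backed by three registry values under the Policies\System key. The following PowerShell script is an added example, not code from the article or from Long Zheng's proof of concept. It reports the current level, says whether a change to the UAC setting by a Windows component would have been prompted for, and with the `-Harden` switch moves the machine to "Always notify", the only Windows 7 level at which such a change does trigger a prompt. The value-to-level mapping is the standard one for Vista and Windows 7; the `-Harden` switch and the output wording are this example's own choices.

```powershell
# Added example: report the UAC level from its backing registry values and
# optionally raise it to "Always notify". Not part of the original article.
# Run from an elevated PowerShell prompt to use -Harden; changing EnableLUA
# only takes effect after a reboot.
param([switch]$Harden)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Treat a missing value as the OS default (UAC on, default consent level).
$enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
$consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
$secure    = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

# Slider levels as they map onto ConsentPromptBehaviorAdmin/PromptOnSecureDesktop.
$level = switch ("$consent/$secure") {
    '2/1'   { 'Always notify' }
    '5/1'   { 'Default: notify only when programs try to make changes' }
    '5/0'   { 'Notify only when programs try to make changes (do not dim desktop)' }
    '0/0'   { 'Never notify' }
    default { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }
}

# At level 5 a Windows-signed binary auto-elevates, so a change to the UAC
# setting itself goes through without a prompt. Only level 2 prompts for it.
$promptsOnSettingChange = ($enableLua -eq 1) -and ($consent -eq 2)

Write-Output "EnableLUA                      : $enableLua"
Write-Output "UAC level                      : $level"
Write-Output "Prompts when UAC setting changes: $promptsOnSettingChange"
if ($enableLua -ne 1) {
    Write-Warning "UAC is disabled in the registry; it may already be off, or off after the next reboot."
}

if ($Harden) {
    # This write is itself the kind of settings change the article is about;
    # from an elevated process at the default level it succeeds silently.
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Output "UAC set to 'Always notify'. Reboot if EnableLUA was changed."
}
```

Run it without arguments to audit a machine; a result of `False` on the last line means the box is at a level where the trick in the article would go unnoticed. Note that the same three values can be set the other way by any process that has already elevated, which is exactly Microsoft's point about the box being "already infected" at that stage.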
Fix it FFS. (Score:2, Interesting)
re. MS's 'By Design' / 'Won't Fix' response, they basically say - 'This doesn't matter as if this happens you are already infected'.
You need the damn UAC setting prompt so you are ALERTED TO THE FACT THAT THIS HAS HAPPENED SOMEHOW ASAP.
Yes the user may have done something stupid to allow infection, but the UAC setting prompt would then protect them from further damage even before the malicious code check package was updated to find whatever was out there infecting systems.
The Highest UAC setting would prevent this but it is not default.
All they have to do to fix this entirely, and make the current default not affected by this flaw, is change the UAC settings security certificate.
Pointless. (Score:3, Interesting)
Re:Microsoft already replied (Score:3, Interesting)
UAC is horrible.
Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".
It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".
It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.
YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.
Re:Microsoft already replied (Score:5, Interesting)
I kind of agree with the less-is-more approach to end user interactions. I get a lot of clients who have learned to cope with the modern click-prompt overload by simply clicking somewhat randomly on everything that comes up in front of them. Frequently, this leads to disabling some vitally important part of their computer in a way that any person who actually read prompts would have easily avoided.
Sadly, the less computer savvy you are, the more likely you are to be constantly deluged with upgrade prompts from Adobe, install requests for Safari from Apple, and the multitude of prompts when Hewlett Packard's genuinely awful drivers crash. Prompts to continue subscriptions to Symantec, upgrade to the latest acrobat, log in to windows messenger, etc. And, of course, each separate component has its own prompts. "Click here to upgrade. I see you've clicked here to upgrade, would you like me to go to the internet and upgrade? Upgrade will begin when you click the OK button below. Upgrading... Upgrade has completed, click OK below to continue. Thank you for upgrading, please visit unintelligiblylongwebsite.com/pagenobodywilleverclickon.html to give us feedback on this process. Press Dismiss below to return to the installer. Thank you for returning to the installer. If you are satisfied with this interaction, press OK below."
90% of users have no idea what their computer is doing, or should be doing, under the hood. If they weren't already suffering from click-fatigue, they wouldn't be the right people to decide on technical issues anyway.
Obviously, it shouldn't be possible to disable UAC without actually getting a UAC prompt. But in general, UAC is an annoying system that most users completely tune out. Instead of heightening user knowledge, it simply drowns out any real issues.
Anonymous submitters (Score:5, Interesting)
I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
Re:Microsoft already replied (Score:4, Interesting)
"Your application is trying to be launched at startup in a fishy way. For some reason, my apps are not. HMM."
No, my application is not signed or recognised by MS, who believe they should have the final say over these things. A nice little box pops up saying "your system administrator has set policies to stop these things running at startup" and allowing you to click on them to start them up.
*I* am the system administrator and there was no way I could find to stop this behaviour, despite looking in all the UAC dialogs.
"There's no good reason for writing there,"
Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.
"doing so is exactly what messed up "running as an administrator" in XP"
No, what messed up "running as administrator" was "running as administrator". I don't need to write to program files to fuck up your system, if anything you run has admin privileges.
"Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning off UAC."
Where did I complain about warnings?
I don't give a crap about warnings.
"It's almost like you're being proud of being an idiot."
And it's almost like you can't read.
"if you're still on 32bit Windows, this is not even a problem."
This is all on Vista 32 bit.
But it kinda confirms my thought that you were running vague software written by Linux people for Windows.
And what *exactly* do you mean by that? WTF is wrong with software not written by a company big enough to pay MS to get things signed? Shouldn't I, as an educated power user, be able to decide to run what I want?
Why shouldn't I have the flexibility to run Windows with the UAC security turned on (so I get warned about unauthorised system changes), but be able to add startup exceptions of my choosing?
It's a clusterfuck, it's a bad hack which fails to leave any room for flexibility, whilst at the same time implementing dodgy compromises in the name of backward compatibility.
Ooh goody! (Score:2, Interesting)
ANOTHER prompt! I have a great idea, why doesn't MS prompt the user telling them they are about to be prompted? Wouldn't that be just grand?
'You have hit the A on the keyboard. Continue (Y/N)?'
Genius.
UAC isn't "security" (Score:5, Interesting)
UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots of third-party software to fix. So they put a prompt up if a program is about to use one of the features that contain or implement part of one of these security holes.
The only real way to fix it is to implement a designed-for-security API and designate Win32 and everything based on it "legacy", only run in a sandbox.
Which is what Windows 7 was rumored to be, a couple years ago.
Re:Short: Don't work as Administrator (Score:5, Interesting)
When has a windows administrator account ever meant that you could do whatever you please?
I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted". Never mind the fact that I've changed the location of that folder by fiddling with the registry to put it on a separate hard drive, the redundant copy on C:\ is still protected against deletion.
Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.
Re:Microsoft already replied (Score:3, Interesting)
but almost no game worked correctly
This is usually caused by DRM and/or anti-cheat software used by the game.
Re:Short: Don't work as Administrator (Score:3, Interesting)
In Linux (and OS X if you enable the root login) when you're root, it's assumed you know not to shoot yourself in the foot. In OS X, an admin isn't root. To actually be root, you need to edit a config file (I forget which one) to enable the root login, then you can log in as root. However, OS X 10.2 and later make the admin process so friendly there is little to no need to ever log in to the desktop environment as root. If you need root in OS X, it's generally only for custom configurations of apache or samba, for which sudo will generally work fine, or you can just su - root. No need to log in to root via the GUI. Really.
As a regular user (even a wheel member) most distributions (and OS X) are smart enough to prompt you for the root password if you're requesting changes which require root to do so, and those credentials are either cached for that app and its children (in the case of YaST on SUSE), or, like sudo, you're authenticated for a period of time (some versions of OS X, I don't know if the current operates this way since my Mac is too old for leopard).
The problem is Windows' security model is hopelessly broken due to the shortcomings that come with backwards compatibility all the way to Windows 2.x and 3.x - the old 16-bit environments were never designed for networking to begin with (the network modules are fugly hacks) and were certainly not multiuser, so security was not even a consideration. This line of thinking continued even through Windows for Workgroups (which did have native networking), where security was only considered on the server side, and even in Windows 95, which was fully networkable, security was hardly considered because it was not considered a multiuser system and one of the selling points was near-100% backwards compatibility with all your favorite desktop applications - unfortunately including the ones which love to litter %windir%\*
Windows 2000 and Windows XP came from a grown-up OS called NT, but brought with it the backwards compatibility promised by Windows 95. This is due to applications like Quicken, Quickbooks, etc. - essentials for the continued success of Windows as a desktop operating system. Unfortunately those applications require administrator access because they were developed on Win16 and ported to Win32 with NO consideration for following best practices, especially for the install process. (note: when I've developed installers, all the way back to 16-bit, I've always followed best practices to avoid those issues on the client side even though my employer at the time would never pay the dough for the Windows logo certification process. My installers would have passed though! It doesn't take much effort to do so, and it makes maintainability easier and eases the load on support by avoiding DLL hell).
So, security has been broken by design. Vista and Windows x64 attempt to limit the problem through limited sandboxing and Windows File Protection, and Windows XP (x86) through Windows File Protection, but running older apps incurs so many UAC prompts (or they just plain won't work) that one is better off just turning off UAC and relying on antivirus and antispyware software. The only reasonable way to have backwards compatibility with previous Windows versions without broken security is through a compatibility layer like wine (but do you think M$ will really contribute to wine?!) or through virtualization, probably breaking directx components in those apps in the process.