Slashdot Mirror


Details on Refining Vista's User Control

borgboy writes "Windows Vista has gotten a lot of negative press recently following the release of the latest beta, especially regarding excessive prompting for privilege escalation for seemingly common activities. On his blog, Steve Hiskey, the Lead Program Manager for User Account Control in the Windows Security Core group, details what the issues with the excessive prompting are, what the design goals of the feature are, and how they plan to achieve them. Briefly - they know the excessive prompting is a royal pain, they know that have to reduce it to an absolute minimum to be both productive AND an effective security risk mitigation measure, and they want as much feedback as they can get on the beta."

4 of 304 comments

  1. Re:Same as in OSX's early days by plasmacutter · · Score: 3, Interesting

    I am a Mac user, and have been using it since OS X's early days, and the tasks they request authorization for are not "petty".

    On the other hand, I have gotten those prompts in OS X for Microsoft- and Real-built applications which were trying to do things which they had no business doing.

    All the open source players I have installed on OS X (I have 2 or 3) have never required root authorization for anything, yet WMP and Real wanted to access my root files. Why? This hints at how invasive the programs are; what are they doing monkeying around at that level on my system?

    The user prompting you are seeing in Windows is not necessarily excessive; it may arise from genuine security concerns because of how invasive Microsoft is to their users, as reported consistently in previous years with hidden logs, spyware bundling, and surreptitious installation of DRM modules. (I have Office 2004 on my Mac, was prompted for a root pass, and immediately hunted down where the change was. It turns out it snuck a DRM bundle into my web browser!)

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  2. Re:Here's how to delete a file on Windows Vista by deficite · · Score: 3, Interesting

    Perhaps that'll annoy people enough not to delete the system icons. I used to get so mad when I used the family computer and my dad would delete an icon for something on his account and it got deleted on mine too. Another thing about shortcuts I hate: some applications only install them for the account you installed the program with. I had to make shortcuts by hand for every account on the machine or manually copy the shortcut to the shared shortcuts.

  3. Re:There you go again by Tim+C · · Score: 4, Interesting

    How about if you add something extra to make sure no "malware" lands up on my system? Can you do that?

    In a word, no. How is the OS supposed to know that the cute little systray weather forecast app you downloaded and installed is actually a trojan?

    As long as a user can download and install/run software, the system is vulnerable, and there's nothing it can do about it.

  4. Security Hole == Windows Message Pump by cheezit · · Score: 3, Interesting

    What everyone seems to miss is that the fundamental flaw, which the blog author alludes to, is Microsoft's desire to allow applications to masquerade as the user and send messages via the Windows message pump (via SendMessage() etc).

    The real flaw is that MS is maintaining a design decision that was made back in the days of Win3.1: there shall be one method for structured message passing (the message pump) which will cover user input, application IPC, system notifications, clipboard copying, window redraw requests, etc. This message pump is built into the core threading model for the OS (many other windowing systems have this too, it isn't just Windows).

    Since there is only one front door, user input uses the same facility as everything else, and it becomes impossible to tell if the user pressed the "A" key or if an application sent a KEYPRESS message.

    One solution is to have OS-enforced segregation between these types of input, and force multiple input channels. The mouse and keyboard (and other legitimate devices) get to use the "user input" channel, and other apps get to use a different channel.

    But Microsoft doesn't want to do this because they want to enable Bob-style guided interactions with applications, where the target application can be automated/scripted without its knowledge. Changing this also has huge backward-compatibility issues---basically anything built for pre-Vista Windows must be modified and rebuilt.

    So MS is talking security, but this is a case where market footprint and backward compatibility are fighting with security---and ease of use is caught in the crossfire. A first for MS.

    --
    Premature optimization is the root of all evil
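The design point in comment 4 (one message pump for both device input and application-to-application messages versus OS-enforced separate channels) can be shown with a small model. The following C program is an added example written for this page; it is not Windows code, not the blog author's code, and the names in it (`msg_t`, `legacy_send`, `input_driver_post`, `app_send`, `consent_wndproc`) are this example's own. It builds a toy message queue in two configurations: a legacy single-channel design where every sender uses the same entry point and a message carries no trustworthy origin, and a segregated design where only the simulated input driver can stamp a message as device-originated. A consent dialog's window procedure is then run over the same two messages (one "real" click, one synthesized by another application) under each design.

```c
/* Added illustrative model of the two input-channel designs discussed above.
 * Not Windows source and not the blog's code; all names are hypothetical. */
#include <stdio.h>

enum origin { ORIGIN_UNKNOWN = 0, ORIGIN_DEVICE = 1, ORIGIN_APP = 2 };
enum kind   { MSG_KEYPRESS = 1, MSG_BUTTON_CLICK = 2 };

typedef struct {
    int kind;    /* what the message is */
    int arg;     /* key code or button id */
    int origin;  /* which channel delivered it (stamped by the system, not the sender) */
} msg_t;

#define QUEUE_CAP 16
typedef struct {
    msg_t items[QUEUE_CAP];
    int head, tail;
} queue_t;

static int queue_push(queue_t *q, msg_t m) {
    if (q->tail >= QUEUE_CAP) return 0;
    q->items[q->tail++] = m;
    return 1;
}

static int queue_pop(queue_t *q, msg_t *out) {
    if (q->head >= q->tail) return 0;
    *out = q->items[q->head++];
    return 1;
}

/* Legacy single-channel design: device input and application messages share
 * one front door, so the receiver has no origin information to act on. */
void legacy_send(queue_t *q, int kind, int arg) {
    msg_t m = { kind, arg, ORIGIN_UNKNOWN };
    queue_push(q, m);
}

/* Segregated design: the (simulated) input driver is the only code path that
 * stamps ORIGIN_DEVICE; the application-facing entry point always stamps
 * ORIGIN_APP, whatever the caller would prefer. */
void input_driver_post(queue_t *q, int kind, int arg) {
    msg_t m = { kind, arg, ORIGIN_DEVICE };
    queue_push(q, m);
}

void app_send(queue_t *q, int kind, int arg) {
    msg_t m = { kind, arg, ORIGIN_APP };
    queue_push(q, m);
}

#define BUTTON_ALLOW 7

/* Window procedure of a consent dialog. Returns 1 if an "Allow" click is
 * honoured. With enforce_origin set, only device-originated clicks count. */
int consent_wndproc(const msg_t *m, int enforce_origin) {
    if (m->kind != MSG_BUTTON_CLICK || m->arg != BUTTON_ALLOW) return 0;
    if (enforce_origin && m->origin != ORIGIN_DEVICE) return 0;
    return 1;
}

/* Drain the queue through the dialog; return how many Allow clicks it honoured. */
int run_dialog(queue_t *q, int enforce_origin) {
    int granted = 0;
    msg_t m;
    while (queue_pop(q, &m)) granted += consent_wndproc(&m, enforce_origin);
    return granted;
}

/* Constructed scenario: one click from the user, one click synthesized by
 * another application. Under the legacy design the dialog cannot tell them
 * apart, so it has to honour both (returns 2). */
int scenario_legacy(void) {
    queue_t q = { {{0}}, 0, 0 };
    legacy_send(&q, MSG_BUTTON_CLICK, BUTTON_ALLOW);  /* the real user */
    legacy_send(&q, MSG_BUTTON_CLICK, BUTTON_ALLOW);  /* another application */
    return run_dialog(&q, 0);
}

/* Same two messages under the segregated design: the origin is stamped by
 * the system, so only the device-originated click is honoured (returns 1). */
int scenario_segregated(void) {
    queue_t q = { {{0}}, 0, 0 };
    input_driver_post(&q, MSG_BUTTON_CLICK, BUTTON_ALLOW);  /* the real user */
    app_send(&q, MSG_BUTTON_CLICK, BUTTON_ALLOW);           /* another application */
    return run_dialog(&q, 1);
}

int main(void) {
    printf("legacy single channel: %d Allow clicks honoured\n", scenario_legacy());
    printf("segregated channels:   %d Allow clicks honoured\n", scenario_segregated());
    return 0;
}
```

The important detail is that `origin` is set by the delivery path, never by the sender: `app_send` cannot produce `ORIGIN_DEVICE` no matter what it is asked to deliver. That is what makes the check in `consent_wndproc` meaningful, and it is also why, as the comment notes, such a change is a compatibility break: any existing program that relied on driving another window by posting messages stops working against a window that enforces the origin.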