"Very Severe Hole" In Vista UAC Design
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature.
It's not so much a "hole", as it is an "orifice".
Wizard Needs Food, Badly
I believe that even RPM on linux runs the install scripts with admin access...
Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple an effective solution.
Why bother.
Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.
While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the life blood of the OS?
Does this mean that Vista does not allow users to install local copies of programs (eg, Tetris)?
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
...they're trying to install Tetris? Haven't they heard of Crack Attack?
Normally I don't give any credit to marketing droids... but Apple's "Security" switcher ad is right on target:
http://images.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov
...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.
When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.
The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.
"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."
This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.
Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)
These stories are free but worth money.
rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.
By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).
RTFM.
Video version of the above commentary here.
So let me get this straight... deleting a shortcut brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.
"Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
Microsoft programmers *still* don't understand the basic principles behind user access controls or how to implement security. Nothing to see here, move along.
My humor is probably your flamebait
Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?
I guess MS didn't learn anything from id.
Beauty is in the eye of the beerholder.
That's the thing. Most of the prompts I was getting were not from software trying to do stuff, they were from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
The *nix model also has a far way to go for Joe Sixpack users too. Want to install software? Need root? How many people can remember root passwords etc?
Still, the hardest part of using *nix for Joe Sixpack is managing permissions of devices etc. Want to use a serial port? Got to set up permissions. If it is a USB serial port, then you have to do this every time you boot/plug in (unless you're hairy chested enough to write a script).
The capabilities of the technology have far outstripped the capabilities of the average user.
Engineering is the art of compromise.
If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.
They just haven't put it into windows yet. They have to write up a patent app first, and then get the press release ready saying that everyone is copying their creative stuff.
More importantly, rpm doesn't run as setuid root (at least not on any sane system...)
The World Wide Web is dying. Soon, we shall have only the Internet.
priceless - didn't see that one.. OUCH!
CS majors know the time/space tradeoff, but they never get taught the 3rd, crucial, tradeoff of the set: comprehension!
Your post is even funnier if you read it out loud in the Simpson's "Comic Book Guy" voice.
IANAP but shouldn't there be a way for the OS to know the difference between an app that wants to install kernel level code and one that just wants to let you play Tetris? If so, couldn't it be implemented in such a way that you are only asked for security clearance (press the OK button) if the former is true? Seems like a tiered system would be the best way to balance security with ease-of-use.
After 8 trillion years of hype and build up I'd figure this would be the least that Vista would do for its users.
... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.
That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.
My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how unobtrusive they may be.
I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
It is pitch black. You are likely to be eaten by a grue.
Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.
Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.
I mean, well over a decade ago I could download any old UNIX software, untar it, set an environment variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.
This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.
This just makes me laugh.
Cheers
Lost at C:>. Found at C.
Yes, that's the whole crux of the matter - rpm can't (shouldn't) automagically elevate its privileges - in fact, once running, it's running with the authority of the UID which launched it - period. No privilege elevation on the fly here (and I consider that a really good thing)!
And synaptic won't run without root privileges. So what?
So, requiring software to use (possibly unnecessary) elevated privileges to install thus allowing unrestricted access to the system and circumventing all user security is a "design choice"?
As the Mac vs. PC commercial goes, "You are coming to a sad realization. Cancel or Allow?"
It must have been something you assimilated. . . .
No, it's a potential risk.
As in:
Yes, if you elevate yourself to admin you can ruin your system.
Installing software usually requires admin access, so you have to authenticate, opening yourself up to admin.
Super elite hax0r Rutkowska is worried that by default, installers usually need to be run as admin.
The truth is out. Microsoft didn't kill clippy in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing questions.
This link allegedly tells you how to turn the questions off, but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful: "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
Reduce, reuse, cycle
Spoken like someone who doesn't use Vista as a limited user.
You still have to authenticate with administrator access before you run the installer. There is no on-the-fly elevation.
From the article, a comment by Mark Russinovich:
So if you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.
This is it, 100%. The problem with so much of Windows XP is that you had to run as administrator for silly things like games and everything else. These account-internal privilege levels are to simply allow the non-admin account to be able to do anything at all, and the "all installers are Admin" is a reasonable if somewhat permissive cost to pay, as it is better than the "Everything is admin" which is what it used to be.
Test your net with Netalyzr
That phrase brings a tear to my eye.
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
There are 2 ways to install software.
1. Drag application folder where ever you want it
2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password
How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
today is spelling optional day.
Obviously a definition of balance with which I am not familiar.
Like balancing locking my doors against the inconvenience of my kids carrying keys to the house.
HA HA!
This is kind of a funny statement from the Microsoft guy. After all, one of the main draws of Windows Vista is supposed to be "more security".
And now this guy says that there is not actually a "security boundary". So he agrees that there are "implementation issues" in the security features, but he declares them to be ok, and not bugs.
So what is the point of security when it is not actually working? From what I can understand, MIC is fundamentally flawed, because it does not block read access. And UIPI has holes, so it is not actually effected. Oh, and UAC can be tricked by calling your exploit install.exe.
... a flood of new viruses/trojans all named setup.exe.
I write MacOS installer applications from time to time. When I do I try to always get by with the minimum of rights needed to do the task. The MacOS installer applications give this option and if you need administrator or root rights the OS will ask for the password each time the installer is run.
Doesn't Vista ask for the admin password before running an application in that level? Or does it drop into that level of access without asking first?
Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.
If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.
Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.
UAC only kicks in when I try to do something to a file or system resource that I don't have permission to access. Period. End of story.
In the unix world, if I want to modify a file that I don't own I must elevate my permissions using something like su root. And that's somehow *less* annoying than Vista's UAC prompt?
The only time I can see this being more annoying is when I'm doing lots of actions that require admin privs. Microsoft did their best to group operations in such a way that you only get one prompt. If I try and delete 20 files, all of which I don't have access to, I'll get 1 UAC prompt.
But sometimes they can't group these operations together, such as when I'm installing several applications when I'm first setting up my machine. In these scenarios, su root is superior in the sense that I su root once and that's it. With UAC, I'll get a prompt for each install.
But if you know you're going to be installing lots of applications and you don't want to be bothered with multiple UAC prompts, then just turn off UAC while you're doing those installations. Simple as that. And not harder than su root.
So what's the big deal? The vast majority of users don't install new applications every day. In fact, the vast majority of users don't do anything that requires admin privs on a daily basis. This is a non-issue.
I've been using Vista since late November. During the first few days of use I got a lot of UAC prompts, but I really didn't find them all that annoying. One extra click just wasn't a big deal. After getting my machine set up the way I wanted it, I rarely got any UAC prompts. Just doesn't happen all that often.
Since almost everybody who will run Vista will get it on a new machine with most of the software they will use pre-installed, this is even more of a non-issue.
But the biggest point is that the way that unix does it, with a session-based elevation, is no less time consuming (in fact, it's usually more time consuming), and it's FAR more dangerous for a "dumb" user because they will tend to just leave their session elevated.
Not only pointless and pedantic, but also long-winded!
Bravo.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.
Sophisticated? SOPHISTICATED? Isn't this the guy that sniffed out the Sony Rootkit? I don't think that word means what you think it means, Mr Sysinternals.
You're giving admin privileges to an installer. It can do whatever it bloody well wants and you can't stop it. Hardly sophisticated code needed there. All you need is a user to hit 'Allow' after they try running 'IAmNotAVirus-2.0.1.exe.'
Course, UAC's getting disabled by default anyway, so I don't see what the problem is... Anyone who actually wants to get stuff done will turn it off cause Limited users are still basically worthless outside of maybe surfing the net...
Although she's putting on a frumpy look in that article she looks pretty cute. "You have requested to get access to a very nice hole from Joanna? Cancel or Allow?" -- Allow!
Comment is in subject
"One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack."
All right - Vista is tremendous improvement in some respects and in others it's a real pain in the ass.
However, the reason it is a pain in the ass is due to this absolutely retarded line of thinking quoted above. Let me explain: somewhere along the way the Vista architects decided that ALL users of Vista were not qualified to use their computers. As such, anytime any program is executed one is prompted to confirm that they do, in fact, want to run the program that was just run. Then depending on how signed and trusted the program is, you may need to confirm again that you would like to run the program, and again, and again. Also, if it tries to use the network, you might need to let it.
"UAC puts the user at risk of a sophisticated code execution attack." - but the user has to RUN THE CODE FIRST.
UAC is a problem in search of problem.
You see the issue is that software is installing and running applications without the knowledge of the user. That is the problem. Not this business of me as a user clicking on a program and running it.
UAC assumes that the user doesn't know he or she is running a program. As such, you are warned and prompted to death when running applications.
The THING IS, I KNOW WHAT I JUST TRIED TO RUN.
UAC has no concept of the source of the execution command. What really needed to be added to Vista is a concept of the "source" of code execution. In the case of UAC there should be the notion of not only the code execution but of the source, such as a keyboard, mouse or other input device. These sources identify execution requests as coming from a HUMAN, and not some nasty zombie pc making virus.
UAC should really work as follows: if the action taken comes from a trusted hardware source, trust it and do the action. if not, warn the user. One more step that I could probably tolerate as a user is a notification of trust. Better yet, just show a little icon like that admin privilege escalation shield that indicates the code is trusted.
The devil is in the details of course, but I'm sure that something could be worked out that is infinitely better than what is now going on in Vista.
Howard Roark, if he were real, would weep at the notion of Vista.
Most companies take on the personality of their CEO. So, if you have a CEO that is a "Very Severe Hole", you must expect them to put out software that also contains very severe holes... (And yes, I'm referring to Ballmer, not Gates, here.)
I'm not really sure what the complaints are about--sure, there should be a way for Microsoft to check whether a setup program actually NEEDS admin privileges before requiring them. But--seriously--all these whiners who keep clicking OK were almost certainly already running EVERYTHING as an admin. Some of these posts aren't true--or their computer is set up wrong--you can change your wallpaper, move files in your own user directory, copy text FROM Internet Explorer--without being prompted. My apologies to the poster who had to click through prompts before opening the registry editor (I mean, seriously--if you don't find prompts for registry editing tools to be acceptable, what exactly WOULD be acceptable?).
There are definitely too many prompts. A lot of them just go to show how sloppy Windows programming really is--and hopefully the annoyance factor might actually FORCE developers to start testing for non-admins. It is still going to suck when you're doing initial setup (including copying files into program folders, hacking the registry, etc.), but hopefully Microsoft can get developers to writing software that requires admin rights to use in the process. And maybe Microsoft can work on a flag that determines when even the setup doesn't need to run as admin.
Yes, it is true that Vista assumes all installation/setup programs require elevated permissions. This is fair because setup programs will often (if not almost always) need access to create registry keys, system files and libraries, etc... One big piece of the puzzle that this article misses, however, is the ability to specify in your program's manifest that it requires elevated access. This means I could compile any executable and embed a manifest that the executable I compiled requires this elevated access. This is the one place I can say the UAC varies from such features in *nix operating systems. The next step is obvious: social engineering. If you can convince the user that allowing elevated access for a malicious program is instead a good/necessary thing, then the UAC is, in a sense, defeated. However, this applies to any OS. If I were to install a .deb file on any Debian-based distro of Linux, and entered my password blindly, I would be able to install malicious software on my machine, or even do something as drastic as installing a new kernel and changing which kernel my system boots up to. I fail to see how the UAC, in this respect, is any different from Linux or MacOSX - you either have super-user access or you do not, and you require super-user access to install software. I'm happy enough to at least see the effort from Microsoft to make this principle finally apply to Windows, and if it doesn't make everyone happy, then I'd like to see them come up with something better.
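The two comments above (the one describing the "setup"/"patch" filename heuristic and Group Policy switch, and this one about the manifest) together describe how Vista decides whether to elevate an executable: a `requestedExecutionLevel` in an embedded application manifest wins, and only manifest-less binaries fall back to installer detection. The following Python example is added here and is not from the thread or from Microsoft; it models that decision as a small function. The manifest XML schema (`trustInfo` / `requestedPrivileges` / `requestedExecutionLevel`) is Microsoft's real one, but the decision function, the keyword list (the comment names "setup" and "patch"; "install" and "update" are added on the assumption that the real heuristic uses them too) and the sample file names are assumptions constructed for illustration. From a defender's point of view the thing to see is that a plain `asInvoker` manifest is how a program that only writes to the user's own profile opts out of the guess and runs without elevation, which is the "flag" an earlier poster wished Microsoft would add.

```python
"""Model of Vista's elevation decision for a launched EXE (added example).

Order of precedence, as described in the thread:
  1. Embedded application manifest with requestedExecutionLevel:
       asInvoker            -> run with the caller's token, never elevate
       highestAvailable     -> elevate only if the user is an administrator
       requireAdministrator -> always elevate (UAC prompt)
  2. No manifest: installer detection guesses from the file name.

Everything below is a constructed model, not Windows' actual code.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Keywords the installer-detection heuristic is assumed to key on.
# "setup" and "patch" come from the comment; "install"/"update" are assumed.
INSTALLER_KEYWORDS = ("setup", "patch", "install", "update")


def make_manifest(level: str) -> str:
    """Build a minimal Windows application manifest declaring `level`.

    This is the real manifest layout (asm.v1 assembly, asm.v3 trustInfo);
    only the choice of `level` is the caller's.
    """
    return (
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        '  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">'
        '    <security><requestedPrivileges>'
        f'      <requestedExecutionLevel level="{level}" uiAccess="false"/>'
        '    </requestedPrivileges></security>'
        '  </trustInfo>'
        '</assembly>'
    )


def manifest_execution_level(manifest_xml: Optional[str]) -> Optional[str]:
    """Return the requestedExecutionLevel `level` attribute, or None if absent."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    # trustInfo may live in the asm.v2 or asm.v3 namespace, so match on local name.
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None


def looks_like_installer(filename: str) -> bool:
    """Installer-detection guess: does the file name contain a setup keyword?"""
    name = filename.lower()
    return any(keyword in name for keyword in INSTALLER_KEYWORDS)


def elevation_decision(filename: str,
                       manifest_xml: Optional[str] = None,
                       user_is_admin: bool = True) -> str:
    """Return "elevate" (UAC prompt, admin token) or "run-as-invoker"."""
    level = manifest_execution_level(manifest_xml)
    if level is not None:
        # A manifest is authoritative; the filename guess is never consulted.
        if level == "requireAdministrator":
            return "elevate"
        if level == "highestAvailable":
            return "elevate" if user_is_admin else "run-as-invoker"
        return "run-as-invoker"  # asInvoker
    # No manifest: fall back to the heuristic the comment describes.
    return "elevate" if looks_like_installer(filename) else "run-as-invoker"


if __name__ == "__main__":
    # Constructed sample launches; the file names are made up.
    cases = [
        ("tetris.exe", None),                                   # plain app, no manifest
        ("tetris-setup.exe", None),                             # guessed to be an installer
        ("tetris-setup.exe", make_manifest("asInvoker")),       # opts out of the guess
        ("tetris.exe", make_manifest("requireAdministrator")),  # demands elevation outright
    ]
    for name, manifest in cases:
        print(f"{name:20s} manifest={'yes' if manifest else 'no ':3s} -> "
              f"{elevation_decision(name, manifest)}")
```

Running the script prints one line per constructed case; the interesting pair is `tetris-setup.exe` with and without the `asInvoker` manifest, which shows that the filename guess only applies to unmanifested binaries. It also makes the commenter's worry concrete: any author can embed `requireAdministrator`, so the manifest is a declaration of intent, not a measure of what the code actually needs.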
Wow, that was fast. This was the guy that wrote sysinternals, and characterized the Sony rootkit. He's been at Micro$oft for what, 6 weeks, and his first assignment is to defend Vista security. He traded a lifelong reputation of being an honest and brilliant engineer for a pile of cash and a cushy job as a marketing droid. Too bad we'll no longer trust anything he writes.
I am far from an RPM guru... but I have written a few in my day. Basically the way that an RPM works is you write a spec file which is just a script that tells RPM what actions to perform to install the actual binary. For example, put this file here, change its permissions, restart the running daemon associated with this package, etc. AFAIK the set of commands that you can give to RPM is limited, and I believe that you are not able to tell it to do things like load kernel modules. So sure, if you install an untrusted RPM it can do all kinds of nasty things like clobber your files, but there are limitations to what RPM can do. If you're really paranoid you can also run rpm with SELinux, which obviously has no analog in the Windows world.
#include ".signature"
> "booting the OS, w/o running apps or games"
I can't believe Dell actually posted that description as their 'good' configuration guideline. Silly me, I always thought the purpose of an OS was to run applications, 'it can boot' isn't the 'good' baseline it is the 'absolute minimum'.
The amazing thing is Dell is one of Microsoft's oldest allies, if they are admitting you can't do ANY real work on a 'modern processor' with 512M memory and that you will suffer until you get a dual core machine with 2GB memory and a 256MB video, that just about kills off most of the upgrade market, especially in corporate America.
Democrat delenda est
Why is it that OS vendors have never really taken seriously fine-grained security models?
VMS (yes, VMS) showed just how effective this could be. If I remember right (and it's been a while), VMS provided about 25 different privileges, and you could mix-and-match to make sure that an installer, for example, ran with only the privileges it needed.
I'm disappointed that one of the things Apple did not add/improve in its adoption of Mach and other Unix concepts was a security model that was better than "privileged(root)/not privileged".
Although nothing MS does really shocks me, I'm still surprised that after the "Year of Security" emphasis from Microsoft this didn't come out as a core part of Vista.
I'm also disappointed this doesn't seem to be a topic of discussion in current Operating System research. Can anyone point me to good new work on establishing and then implementing more fine-grained OS privileges? About the only advance here I know about are Access Control Lists, etc. applied to the file system. That's great for file security, but doesn't help much for the rest of the operating environment...
dave
The real problem is that Windows has so much third party software around. Even if you could install an application safely (through a "package manager" or something), the installed program itself could still be malicious and for example nuke all your personal files.
On Linux you are in better position since you install most of the software from the distributor's repository, which is usually quite safe and tested. However in Windows world this would probably not be an option.
- you, the authorized user,
- delegate permission to (elevate privilege for),
- the relevant user or process rights,
- just high enough and
- just long enough
to get the job done. If I'm logged into, say, Linux or Mac OS X and installing software, the running process has its privilege escalated if I authorize it (for example using "sudo" in a Terminal window). To the degree that I'm familiar with or trust the process that I'm running, I can "trust" that the system will allow it to do its work and won't allow other random things that just happen to occur at the same time, but which I didn't authorize, to employ those same elevated privileges. For example, actions that I may perform in other windows at the same time, or actions by other users on the same system, or actions by other processes will continue to function with their respective limited (and different) permission sets. This model has been employed and refined on multi-user, multi-processing general purpose computing systems for over forty years (the general idea pre-dates UNIX) and it works reasonably well, largely without annoying the end user.

By contrast, under the Vista model, a malicious program could hop onto your system with limited rights, and then just wait until the inevitable day when the user disables UAC. Then it can happily write itself to the filesystem, change the registry and install the keystroke logger with Admin rights. Disabling the security monitor is, well, a mind-numbingly bad idea that probably resulted from months and months of design meetings which utterly failed to consider looking *outside* of Microsoft for ideas or experience that other operating systems or research projects might have to offer.
You wrote:
If you mod me down, I shall become more powerful than you could possibly imagine.
Sure sounds like Apple pegged it right... ( http://www.apple.com/getamac , specifically the "security" ad :-)
dave
Windows Vista's security model: really quite similar to sudo, except that it doesn't prompt for passwords.
>Super elite hax0r Rutkowska is worried that by default, installers usually need to be run as admin. Super elite hax0rs are, apparently, morons...
Almost 200 comments and only one DOOM joke? Sigh. I must be old.
Go ahead moderators, do your worst. I was moderating back before the times when you were still playing with Duplos and crapping in your pants. Oh, that was last night? Well, then...
A host is a host from coast to coast...
Unless it's down, or slow, or fails to POST!
like "Ok" anyway. If the default is to deny it, it will deny it, if the default is to allow it, it will allow it.
Norton Internet Security works the same way. When a program like BoDog Poker gets updated, Norton Firewall will ask the user "BoDog Poker was recently updated. Do you want to block or allow it?" The combo box defaults to block, and then they just hit "Ok" and it blocks the program. Then they call me to come in and unblock it for them so they can play BoDog Poker again. Usually they just tell me something like their Internet doesn't work anymore. I check their system, and the Internet works fine, just not for their game. Then I check the Firewall settings and see that the game is blocked, and I unblock it. Something they don't know how to do by themselves.
Symantec is worried that Microsoft is giving Vista these built in security controls, but the Norton series of security programs had them before Vista did.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Mac: "Hi, I'm a Mac."
Security: "Mac is attempting a salutation; allow or deny?"
PC: "Allow."
Mac: "What's up PC?"
Security: "Mac is asking a question; allow or deny?"
PC: "Allow--yeah, um, it's this new security feature built into Vista. It's a little annoying, but it makes security rock-solid."
Mac: "Oh yeah? Well, that's cool--hey, want to play a game of Tetris?"
Security: "..."
PC: "Tetris? Well I'm a bit rusty, but--hey Security, how come you didn't say anything?"
Security: "Pfft--It's Tetris, I mean, I don't give a shit..."
PC: "Well, OK, I just thought it was kinda odd that you didn't ask. So Mac, refresh my memory, how do you play this game ag--"
Mac: "F**K YOU BUDDY!"
Mac takes out Vista Security guard with Uzi.
PC: "Whoa! What is this Mac, I thought we were down?"
Mac: "DOWN ON THE FLOOR MOTHER F**CKER!"
Mac shoots PC with Uzi; PC blue-screens.
Mac takes picture of blue-screened PC, saves it to cool photo album he created with iLife! [TM]
Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!
VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?
Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.
As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.
Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.
Funny, I once tried to extract files from an RPM and couldn't figure out how to do it without being root.
I think that Microsoft programmers and designers have not considered the "don't bug me" principle.
The last thing a user needs is a constant stream of dialogs and pop-ups taking his attention away from the task at hand.
But if Microsoft's security strategy consists of blaming the user when he finally gets tired of clicking OK, OK, OK.....
In general, I think that computer programs must be more user aware. I get tired each time a program takes the focus away from the area I am working in. I think a little artificial intelligence should be applied in software development. The computer should be aware of what the user is doing and bother him only when it is really necessary.
I think also that it is time to give the computer some sensors, like image recognition or eye tracking for example, to really be aware of the users and what they are doing. Also, instead of passwords, why not use face recognition software? Instead of locking the computer manually when we walk away, why could the computer not be aware of it and lock itself... and unlock when we come back?
Computers are still blind and deaf. Although they have microphones they are deaf; although they have cameras they are blind. They do not listen to or hear us. They do not feel us. It is about time to change it!
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
He traded a lifelong reputation of being an honest and brilliant engineer for a pile of cash and a cushy job as a marketing droid.
Are there any further openings in that area?
The parent is not in the 1%, the parent is in the >25%.
Do you trade off usability for your pre-empted blame culture excuse? The answer lies at your own gate and in your answer lies your fate.
http://www.youtube.com/watch?v=X4FF_aT_mE8
"You are learning about a severe operating system vulnerability. Cancel, or allow?"
The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.
It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.
First time in a while I've bemoaned not having mod puentes.
Very clear take on the contrast btw. OSX and Vista. Maybe in RC2 they'll roll out the WinSUDO caching (yah RIGHT)
That is not exactly true. Yes, by default every program recognized as an installer (setup.exe, things with "setup" or "installer" in the version info block, etc.) is elevated unless otherwise manifested.
So, could this be exploited by a malicious setup.exe? Certainly, but to say that "every application installer" must be elevated is false. Good setup authors can manifest their setup so that it doesn't require administrative privileges.
I'm just approaching this from the other side of the coin.
1) So, all Vista installers run with admin. priv.
2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.
Why does a game need an installer at all? Why not just unzip the game into your user account/home directory or, better yet, drag the game icon to the place you want it? Why do Windows applications all seem to need an installer?
On OS X, and NeXTstep before it, application icons are actually covers for directories containing all of the support files, including executables, needed by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine, or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.
The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.
No installers (except in crap-ware and unusual circumstances, and even then they require an admin password for upgraded privileges!)
Remarkably little user irritation.
Why can't Microsoft copy this behavior? It has been for sale since 1988.
OS X isn't perfect, but sometimes it is better.
I wish there was more money involved in the open source community so that we could afford a public service announcement begging the public not to purchase Vista. I'm also very discouraged by the fact that you can no longer purchase a computer with anything BUT Vista on it. I'm sure this has to be illegal... forcing someone to purchase a different computer model because the one you want comes with Vista on it whether you like it or not?! And who's to say that Microsoft will continue to support Windows XP after 6 months from now?
It literally makes me sick that companies with such power, such cash and capital are allowed to get away with things like this that ultimately hurt the consumer. Why isn't anyone standing up for the consumers anymore? I mean, I know Jobs wants to end DRM, but that will benefit him a lot as well.
Aside from all of these factors... it's not even secure. If a proof of concept virus was sold for Vista on the black market for $50k, and a Tetris installer can get root or administrative access to the operating system... then it's just as insecure as any other Windows operating system, and it's all DRM and PMP!?
If I have a heart attack as a result of the anger and frustration that Microsoft causes me on a daily basis, do you think I could sue them? If so, I'm going to stop taking my daily aspirin, and I'll roll the dice on life or death. I hear there's no Windows in Heaven.
Relocating to San Francisco / Palo Alto... Hire me?
On the brightside there's a virus floating around that takes advantage of this to install Linux over Vista thus solving all the security and issues and slowdowns.
You keep using that word. I do not think it means what you think it means.
If you mod me down, I shall become more powerful than you could possibly imagine.
> As for the article - installers pretty much have to elevate.
I would argue this notion is fundamentally wrong.
An installer should only have to elevate if it has to modify the system, or possibly existing applications in some way.
I don't have to elevate for all Linux installations, for example, if I am not going to install something in /bin, but instead install to a local bin directory.
In OS X you can install an application just fine without elevation, unless again it requires system access - but most software is self-contained and has no need to add system files. Thus when an installer asks you for a password you have a better feel for whether the app you're installing should really have that level of access.
In Vista you cannot have any installer do any setup things (like prepping directories or checking to upgrade a program) without running as admin. This is madness, because you are going to always be telling Vista it's OK for even the most trivial installer to go ahead and elevate.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Running RC2, when I try to install software, it sometimes fails, then asks if I want to run the install again as Administrator. When this happens, I have to approve UAC some 5 times for one install. (One to run the installer, one to give permissions to install, which fails, one to run the installer again, one to elevate to administrator, one to grant permission to install.)
UAC is just broken. As the Apple ad shows, it pops up so often that it will just be ignored. If it only came up when true Administrator access was needed, and actually required that the user type their password, it would be much more effective.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
or for apt-get install.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
in our concept of a personal computer.
Yes, this is a specific flaw in response to the problem, but why do we have the problem? Why is it that when you browse to a web page, you are endangering an accounting database you have on your machine?
What I am leading up to is this: there is too much coupling between computer applications via the personal computer operating system. It isn't just that MS put installers into God mode -- although that is bad.
Imagine you ran your computer as an X terminal or Citrix client, and you connected to applications running on remote servers. Installing or upgrading one piece of software could do very little to affect another. Now imagine a variation on this: what if we never created installers? What if we distributed software in virtual machines that you simply dragged onto your disk, and the operating system provided window management, clipboard integration, and file service? Furthermore, the virtual machine would have no access to system files, any more than a network client has access.
Your browser should at the very least run in some kind of a sandbox.
There was some possibility, a decade ago, of a change in the nature of applications. The OpenDoc idea was that the user experience would be document centric, and vendors would provide various capabilities users could employ on the documents. This was a beautiful idea: instead of building lots of boilerplate capabilities, you as a developer would create only the bit you wanted to add to the software universe. OpenDoc never got past beta, and the OLE model, based on heavyweight applications, won. Well, if you're going to go that way, why not package each application with its own complete, but lightweight, runtime system? If you need to install an ActiveX control, why install it for every application on the system?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Once you have run a program via sudo, can a malicious program not inject further keystrokes into your terminal application and therefore run anything it wants?
:(
Or with the default sudo configuration (without tty_tickets), can a malicious program not simply wait for you to authenticate yourself to sudo, and then run anything it wants via sudo from then on?
Or more fun: can't a malicious program wait for you to run your terminal emulator and run sudo, and then listen for further keypresses, steal your password, and use it as it wants from then on?
Privilege elevation is trivial on most systems once malicious software is running on the system.
What a load of crap. OS X doesn't require your password to access System Preferences or run XCode or change your desktop background or modify your Dock (Start menu on Vista).
"Sufferin' succotash."
Chairman Bill doesn't seem to sleep at the Holiday Inn, and has lost interest in developing software and is now buying 4 star hotel chains with the Saudis.
I'm just here for the sigs
hehe... vista security = US homeland sec.
full of holes, every little thing is a bomb/virii
but it looks pretty, makes you feel good (by looks, not by values which there is none), and is way overprotective.
From the NSIS (Nullsoft Scriptable Install System) documentation:
RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privilege level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.
It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.
More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".
So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin....and let's hope it's called Wiggety UAC...
blah blah blah
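An added example, not NSIS's or Microsoft's code, tying the earlier post ("good setup authors can manifest their setup so that it doesn't require administrative privileges") to the NSIS documentation quoted just above: it writes the trustInfo manifest fragment that RequestExecutionLevel user/highest/admin maps to (asInvoker/highestAvailable/requireAdministrator), reads the level back out of a manifest, and models when Vista prompts. The vista_will_elevate function and its INSTALLER_KEYWORDS list are a simplified model assumed here for illustration: real installer detection also examines version-info string tables, RC data and byte patterns, and policy settings can change the prompting behaviour.

```python
"""Map NSIS RequestExecutionLevel to a Windows manifest and model when UAC prompts.

Added example, not NSIS or Microsoft code. MANIFEST_TEMPLATE is the trustInfo
element an installer embeds; vista_will_elevate() is an assumed, simplified
model of UAC's decision, not a reimplementation of it.
"""
import xml.etree.ElementTree as ET

# NSIS keyword -> requestedExecutionLevel/@level written into the manifest
NSIS_TO_MANIFEST = {
    "user": "asInvoker",
    "highest": "highestAvailable",
    "admin": "requireAdministrator",
}

# Assumed subset of the filename / version-info keywords installer detection looks for
INSTALLER_KEYWORDS = ("setup", "install", "update")

MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def build_manifest(nsis_level):
    """Return the manifest XML for an NSIS RequestExecutionLevel of user|highest|admin."""
    if nsis_level not in NSIS_TO_MANIFEST:
        raise ValueError("RequestExecutionLevel must be user, highest or admin "
                         "(none leaves the manifest empty and hands the decision to Windows)")
    return MANIFEST_TEMPLATE.format(level=NSIS_TO_MANIFEST[nsis_level])


def manifest_level(xml_text):
    """Read requestedExecutionLevel/@level from a manifest, or None if it declares none."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    for el in root.iter():
        if el.tag == "requestedExecutionLevel" or el.tag.endswith("}requestedExecutionLevel"):
            return el.get("level")
    return None


def vista_will_elevate(exe_name, version_info, manifest_xml=None,
                       user_is_admin=True, is_32bit=True):
    """Assumed model: does launching this file raise a UAC prompt?

    An explicit level switches the heuristic off: asInvoker never prompts,
    requireAdministrator always does (a credential prompt for standard users),
    highestAvailable prompts only when the user has an admin token to elevate to.
    With no level (NSIS "none"), 32-bit files whose name or version strings look
    like an installer are treated as needing admin, which is what the NSIS
    documentation above describes for unmarked installers.
    """
    level = manifest_level(manifest_xml) if manifest_xml else None
    if level == "asInvoker":
        return False
    if level == "requireAdministrator":
        return True
    if level == "highestAvailable":
        return user_is_admin
    if not is_32bit:
        return False  # installer detection only applies to 32-bit executables
    haystack = " ".join([exe_name, *version_info.values()]).lower()
    return any(keyword in haystack for keyword in INSTALLER_KEYWORDS)


if __name__ == "__main__":
    print(build_manifest("user"))
    print("setup.exe, no manifest ->", vista_will_elevate("setup.exe", {}))
    print("setup.exe, asInvoker   ->", vista_will_elevate("setup.exe", {}, build_manifest("user")))
```

The point the model makes is the one the NSIS text hedges on: an unmarked installer is prompted for because of its name and version strings, while the same setup.exe marked asInvoker runs as the user and is simply denied when it tries to write to Program Files or HKLM, which is the behaviour a Tetris installer should have.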
It is a failing in the RPM format. If it was a deb you could have run dpkg-deb --extract foo.deb /tmp/blah. Or ar x foo.deb; tar -zxf data.tar.gz. I believe there is an rpm2cpio utility that will let you do something similar with an RPM.
I right click on the link click on open in new tab, click on the tab and watch the very funny clip!!!
That's pretty much the subject of the new Apple commercial....
http://www.macobserver.com/article/2007/02/06.2.shtml
2 cents,
QueenB
HDGary secures my bank
NIS is a joke of a security protocol... you get access to an NFS server because you are who you say you are?
And the User/Group/World security model of the Kernel only allows a user to be a member of 16 (or 32) groups. I can't think of a single company that needs a user to be a member of more than 16 groups.
That's because you don't have the correct options ;) Debian solves this between the "fakeroot" utility as well as flags that let you specify alternative list and cache directories.
I found that out when I was setting up a chroot debian install in a subdirectory when I was playing with network booting and nfs root filesystems.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I just remembered one of my #1 vista annoyances.
*every single fucking time* you install anything, after it's finished, vista asks:
"Did this application install correctly?"
Even clippy wasn't this bad.
I have to be root to install a package using apt*. Any such .deb could have the same malicious intent as suggested in TFA.
Why can't applications for Debian* be installed into user space if there is no need to mess with the system?
After many many many many times of hitting "reload" I managed to receive enough page text that I could read this progression before the CyberSitter filter here at the library dumped the whole page. I'm so glad I spent the effort. That's some good humorous reading right there.
the NPG electrode was replaced with carbon blac
Someone should make a spoof like this and put it on the tubes.
I would like to know what popups you get during "normal" operation of the computer. You're in the process of setting up your computer, installing some software you're familiar with, and changing the background to something you like. That's understandable for a lot of computer users. But what about a typical little old lady? All she does is email, browse the web, and play Spider Solitaire. She NEVER installs an application, and I would wager she represents about 40% of the computer users out there. They're the ones that need this sort of protection. She clicks on shortcuts and mistakenly drags them (and therefore loses them; where'd it go???). She double clicks on attachments all the time *shudder*. The list goes on. So, now that you have your computer all set up, how many times do you get the nag screens during normal use? Just running programs, games, email, Internet Exploder, etc., not doing a lot of copying and pasting, moving shortcuts, and installing programs. Just curious if I need to keep running XP until MS comes out with the next big OS or not. Thanks. :)
Anonymous Cowards are at -6...
Someone writes a utility to auto-click all the annoying boxes. With Vista you work harder, instead of smarter.
I don't plan on upgrading until they force me to.
Like an Austin Powers thing..
/on osx, let's see the malware guess your password!
Mole.. Mole.... my Molestake!
HACK~!
CS majors know the time/space tradeoff, but they never get taught the 3rd, crucial, tradeoff of the set: comprehension!
Tell me that MS isn't routing those extra clicks to some banner ads someplace...
If you can't get it from the official Debian servers you can always compile it yourself.
I know, I know. You're going to complain about not everyone wanting to build their own applications from source. When Debian has the funding that Microsoft does then you can start throwing dirt in that direction. You get what you pay for--or, in the case of Microsoft, you pay for it but you still don't get it.
Technical definition, please. And how does the system know? Isn't it broken as designed that the system has to know about "setup programs"? I always thought they're just programs like any other one (as they should be).
'Microsoft's Mark Russinovich'
Boy is THAT ever true!
Exactly. For people who have been running as non-admin for a few years now, this is nothing new. It is allowing most of the population of Vista users, who will be running as non-admin in Vista, to share our pain. That is a good thing. It means, as long as they don't turn UAC off, that people will begin shunning applications that don't work properly as non-admin. This should have been done a long time ago. It will be a painful couple of years adjusting for people that never knew non-admin existed, but so be it. Anything to wake up clueless app devs.
The Allow Starts Now
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
Agile Developers are idiots.
I disagree with your premise... If the point is to make it so you don't have to be admin to install programs anymore that will be a huge nightmare for sys admins everywhere. I suppose there is another way a group policy or something to keep people from installing things, but if all software suddenly doesn't need admin rights to install, how is the sys admin supposed to lock down systems and keep them from being flooded with hundreds of tetris games?
Further, UAC is annoying in so many more ways than installing programs. Changing your IP address requires a UAC authorization. I don't have Vista installed, but a contractor that does some work for me has it installed on his laptop now. He was trying to show me some stuff the other day, and had to get on my wireless network (one UAC), install a program (3 UACs happened during download/install), and then use that program to access the internet (another UAC)... Right then I said I would never install Vista ever; there is nothing I hate more than Windows' need to inform you of every single little issue or problem, even when you know it (I hate the popup informing you that your network card is unplugged, for example, in XP: 90% of the time I'm on wireless networks, but the other 10% I don't want to have to go into network connections and enable the wired connection... Instead I get a big red X and a popup every time I start my computer: "Your network cable is unplugged"). UAC just takes this philosophy to astoundingly high levels.
...for the anthem of Windows Vista.
how is the sys admin supposed to lock down systems and keep them from being flooded with hundreds of tetris games?
;)
I for one welcome our new tetris overl... uhh, nevermind
Seven puppies were harmed during the making of this post.
Well, duh, that's a given.
Quarterdeck's software you referred to was called DESQview.
I thought it only took one demonic invasion...
You know, "fool me once, shame on you, fool me twice, shame on me."
should do what you want (I think, I'm not at a system I can check).
Check the man pages for both rpm2cpio and cpio before you try it.
In theory there is no difference between theory and practice.
In practice, however, there is.
In Linux I don't have to be root to install an RPM do I?
Okay, yes I do... but I can run stuff from tar balls in my home dir.
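The extraction the posts above describe (ar x foo.deb; tar -xf data.tar.*, or rpm2cpio piped into cpio, run as a normal user) as an added example, not code from any poster: a pure-Python reimplementation of the .deb case that parses the ar container, unpacks data.tar into a prefix the current user owns, and refuses payload paths that would escape that prefix. It works on a package constructed in memory (a fake "tetris" package, not a real Debian package) so it runs offline; what it reproduces is dpkg-deb's layout of the three members (debian-binary, control.tar.*, data.tar.*).

```python
"""Unpack a Debian package into a user-writable prefix without root.

Added example, not from any poster. The .deb container is an ar(1) archive;
the payload is the data.tar.* member, which tarfile can open directly, so no
privileged package manager is needed to get the files out.
"""
import io
import os
import tarfile
import tempfile

AR_MAGIC = b"!<arch>\n"
AR_HDR_LEN = 60


def ar_members(blob):
    """Yield (name, data) for each member of an ar(1) archive, the container format of a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + AR_HDR_LEN <= len(blob):
        hdr = blob[off:off + AR_HDR_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends "/" to names
        size = int(hdr[48:58].decode("ascii"))
        start = off + AR_HDR_LEN
        yield name, blob[start:start + size]
        off = start + size + (size & 1)  # member data is padded to an even offset


def ar_pack(members):
    """Build an ar archive from (name, bytes) pairs; used only to construct the sample .deb."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        fields = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
                  + "100644".ljust(8) + str(len(data)).ljust(10))
        out += fields.encode("ascii") + b"`\n" + data
        if len(data) & 1:
            out += b"\n"
    return bytes(out)


def make_targz(files):
    """In-memory tar.gz of {path: bytes}; member names are kept verbatim, even hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(files):
    """Constructed sample package (not a real Debian package): the three members dpkg-deb writes."""
    control = make_targz({"./control": b"Package: tetris\nVersion: 1.0\nArchitecture: all\n"})
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", control),
                    ("data.tar.gz", make_targz(files))])


def extract_data_tar(deb_bytes, dest):
    """Unpack the package payload under dest with the caller's own permissions.

    Returns the relative paths written. Anything that would land outside dest
    (absolute paths, ".." components) or that is not a plain file or directory
    (symlinks, devices) is refused: running unprivileged already bounds the
    damage to what this user may write, but a hostile data.tar should still
    not get to pick the destination.
    """
    data = next(d for n, d in ar_members(deb_bytes) if n.startswith("data.tar"))
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            target = os.path.realpath(os.path.join(root, m.name))
            if not (target == root or target.startswith(root + os.sep)):
                raise ValueError("refusing path outside %s: %r" % (dest, m.name))
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tf.extractfile(m).read())
                written.append(os.path.relpath(target, root))
            else:
                raise ValueError("refusing non-regular member: %r" % m.name)
    return sorted(written)


def demo():
    """Unpack the sample into a throwaway per-user prefix, then show a traversal attempt being refused."""
    prefix = tempfile.mkdtemp(prefix="tetris-")
    good = build_sample_deb({"./usr/bin/tetris": b"#!/bin/sh\necho tetris\n",
                             "./usr/share/doc/tetris/README": b"installed without root\n"})
    written = extract_data_tar(good, prefix)
    evil = build_sample_deb({"../../escaped": b"owned\n"})  # constructed hostile payload
    try:
        extract_data_tar(evil, prefix)
        refused = False
    except ValueError:
        refused = True
    return written, refused


if __name__ == "__main__":
    print(demo())
```

Unpacking this way gives you the files under a prefix like ~/opt/tetris with nothing but your own permissions, which is exactly the point the thread keeps circling: the package format does not need root, only writing into /usr does. The traversal check matters because a package you are unpacking precisely because you do not trust it enough to install it system-wide is also the one most likely to carry a "../" entry.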
I wish I could mod the parent comment up! The light has dawned and I suddenly understand. Yes, what the parent says makes perfect sense now. I hope it works and every vendor releases software that doesn't gratuitously escalate permissions.
VERY INSIGHTFUL!
Start > Next... > Next.... > Finish... > wtf!
HeadON, Apply directly to the forehead...
Can we customize UAC to *LOOK* like Clippy?
Can we customize USA to *SOUND* like Clippy?
Why on earth people are using the 32-bit Vista is beyond me. The best security is ONLY in x64. Address Space Relocation (ASLR), PatchGuard (which would prevent this "attack"), forced signed drivers, et al. Microsoft really had no choice with Vista and UAC; Compromises had to be made. I'm still convinced that UAC, despite some flaws, provides a *significant* additional layer of security. Security is a process, requiring multiple layers. You should not rely on any one layer by itself. As well, I believe Hardware DEP would prevent the "sophisticated attack" Russinovich theorizes. It is a shame so many OEM's disable this feature in BIOS and Windows defaults to protecting only specific Windows services and components.
it seems that they are targeting centralised IT depts and encouraging them to lock out any user installed software - for many companies this probably looks like a win-win solution, but for any company with free thinking, self motivated people - a disaster!
time to buy your personal mac book!
today is spelling optional day.
In Soviet Russia, Chimpanzees Shame You!
As far as I can see Joanna Rutkowska's original criticism was that you need to be admin to install software. How is this different from Linux or any other OS?
Mark Russinovich then revealed that a non-admin process could cause an admin process to run arbitrary code. That sounds like more of a real problem.
First, I strongly suggest you upgrade that RC1 copy you've got. Vista doesn't ask confirmation on nearly as much as you seem to imply.
Second, Microsoft made a DESIGN CHOICE, which is what the idiot who was quoted in the article is too stupid to understand.
Let's examine Microsoft's options for a moment, though before we do that, let's concede to an underlying assumption that, as much as you or anyone doesn't like it, it is inevitably inescapable:
Installing software and installing drivers requires administrative privileges.
Now, for Microsoft's options:
1. Let users continue to run at administrator privileges on non-domain (read: home/SOHO) PCs a-la WinXP and prior.
Pros: no annoyance. Cons: MASSIVELY insecure. Enormous amounts of malware infect enormous numbers of home/SOHO machines, and enormous numbers of people get hurt by it. Essentially any program can trash the OS, and in many cases the program can propagate without either asking the user's permission, or by getting his consent without him knowing he has given it.
2. Apply a Unix-like permission system, where users will need to confirm their identities by typing a password every time they stray from their userspace (to install a program or driver, say, or when a piece of malware they've run attempts to install itself in their system).
Pros: User is made explicitly aware that he is being asked to give a piece software permission to tamper with the OS guts.
Cons: Every time you'd need to elevate yourself to administrator privileges, you'd need to type a password. For users who aren't security-minded sysadmins, this can be more than a tad annoying.
Most modern desktop linux distros - all but Ubuntu I believe - work like this.
That's the basic 2 variants. What the article was screaming was that Vista isn't far enough on the security scale.
What you're screaming is that it's TOO far on the security scale.
What the MS guys actually did is, I believe, the best of both worlds. It's not as secure as a password/2-/3-factor-auth system, or a system that has different access levels for installing applications (tetris) and for installing drivers (and mess with OS guts) - lest a tetris setup will install a driver.
All it does is blacken the screen and ask you if you YES or NO - Do you want to give a program - presumeably the one you are running - administrative permissions.
It actually plugs a real, working, activated set of permissions system in place.
No more saving files in c:\. That's what home directories are for.
From what I see, it's perfect:
1. Joe "GetInfestedbyMalware" User can easily be educated as to the darkening authentication prompt and what it means. To those who have a tech come in and maintain the computer, a "Just say no" policy should prevent an unimagineable amount of pain, even without him really understanding what is happening. "If you see a darkening screen, say NO".
2. More powerful users (such as yourself) will need to be taught to WORK CORRECTLY (within their userspace) before they become...
3. Users that work correctly, i.e. within their environment (as I am working now on my gentoo box). These users do not get annoyed by the permission system because it does not interfere in the least with their work, except when they're initially setting up the system (the really smart ones will simply log in as an administrator and run all the setups there, to save the annoying screens, then log out and back in as a user).
Yes, you need to pull administrative access occasionally to install a new bit of software, but that should be a rare event (unless the purpose of your using a computer is to install and uninstall programs rather than use them, in which case, go back to working XP-style and work under an admin account). You need to give yourself admin access if you want to run regedit or alter a system file. You don't need admin access to use your productivity software (say, office), play games (be it solitaire or Oblivion), or surf the web.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Those UAC guys got it all wrong when they started those experiments up there on Phobos and Deimos. We all know what happened when all that started going wrong.
For this very reason.
It's simply embarrassing to be the one advocating computers and technology, and have to explain some absolutely retarded functionality, and all you can say is "I don't know why the fuck it does that, it just does."
What's worse, everyone is trying to emulate them.
I mean, I understand -- the PC hardware revolution was largely because MS could run on any "IBM compatible". But it does make you wonder what could've happened and despair -- for instance, what if Linux had been a few years earlier? What if Linux had taken the place of DOS/Windows as being the one familiar environment you could make work anywhere, so that we had the same situation in software as we do in hardware -- true vendor independence?
Couldn't really happen, I know, but I wish... Oh, how I wish...
In any case, that is why I will never officially support Windows. Windows bugs are just embarrassing, both that computer "professionals" are capable of such crap, and that it looks to the end-user like it's the fault of my software.
Don't thank God, thank a doctor!
Not even that -i is disabled by default, but that it's an option at all.
Unix puts this kind of thing right there in your face. Let's suppose, for the sake of argument, that cp has -i on by default, and that there's a -y option to disable it (similar to /y on DOS/NT). In that case, the first time I see an "are you sure" box, I can run "cp --help" and see a quick summary of options I could use. From there, it's only a short step to aliasing "cp" to "cp -y".
I'm sure there's a way to disable the Vista prompt, but I don't know what it is. In any case, Windows would tend to hide that deep in some configuration area -- I would hope to at least see a "don't ask me again" checkbox, but I doubt it.
This is one problem I have with most GUIs -- the preferences are kept nowhere near where they're actually used. The extreme example of this is about:config in Firefox.
Oh, and on the flip side, one amazingly GOOD thing Firefox does: It defaults to asking you once whether or not you want to do something that some users might object to -- for instance, submit a form over an insecure connection, or flip between http/https. However, it includes a checkbox that is something to the effect of "Ask me every time." If you allow the action, but ignore the checkbox, it will never ask you that question again.
That combines what I consider to be the great principles of UI: Always ask the user before doing anything unexpected (unless the user explicitly asked for it), and always find a way to present features to the power user (don't hide them away in about:config), but do sane things by default, and make it easy enough to use the default that average users aren't overwhelmed by advanced options, but advanced users don't have to hunt for them. Especially nice because sometimes power users want to be lazy.
As usual, really.
Let me put it this way: While it takes a bit of hacking, there are all kinds of things I can do, in Wine, under Linux, to make Windows programs more secure and unable to screw up each other or my Linux, and without giving the user a billion prompts.
Here's one really simple example: Cedega's "Point2Play" interface. Every game is installed in its own fake Windows installation, complete with a Program Files, WINDOWS dir, and so on. With symlinks and hardlinks, it should be possible to even share some things across installations, though I'm not sure if Cedega actually does this. And of course, while Cedega doesn't do it by default, it's certainly possible to disable all access outside that game's dir.
That would allow Microsoft to pretty much implement whatever system they wanted, while still providing options to run legacy programs. In fact, it should've been possible at any point in the past few years for MS to throw their weight around and create a Linux distro. After all, they aren't selling a kernel, and Wine already exists; certainly MS, who've been building compatibility modes into Windows for years now, could make Wine work flawlessly.
But instead of truly starting from the ground up, or stealing some of our better ideas, they instead extended their old system. Ok, fine, I'd probably do the same thing. But they seem to have not even bothered to test the thing.
Could they have made it work perfectly? Maybe not, but they could've done better than this. Frankly, this is an insult.
Oh, and for the record: Most Linux apps don't hardcode many absolute paths, and the ones they do can often be overridden by environment variables or command-line arguments. Thus, it's trivial to take a global installation and make it per-user, or for that matter per-group, or whatever else you want to do. Worst case, Linux has chroot; Windows doesn't.
Why? Elevate once. Remember that decision. End of story. Zone alarm does it very well. The first time an app decides it wants to use a network as a client it prompts and asks do you want to let it. You have the option to allow this action once or every time the application tries. If you make a mistake you can go into a list of programs and change the setting. Likewise if an app wants to act as a server you get another prompt, again with the option to say "yes, always". It's not hard. The MS implementation of UAC is just horseshit.
These posts express my own personal views, not those of my employer
Only if the user is running as admin.
If someone moves to Vista, runs as admin for their daily regular account usage, and then disables UAC, then what do you expect?
The simpler alternative would be to just use a non-admin account for normal work, disable UAC, and use runas/makemeadmin or log out and log in as an admin account for administrative work.
At least IMO.
What can we see through the hole anyway, is it a bubbling brook, or ... is it a bit torrent or a stream of anonymouse proxies, with mountains of compromised data as a hazy backdrop. You can hear the roar of CPU fans as they go into overdrive, rustling paper as it flies off the desk. And as the user sits with his beloved before the radiating warmth of an overloaded PC, their eyes make contact and the Valentine rose in the grip of his teeth matches the redness of his embarrassed face.
And then she realized he was lying when he said his name was Linus.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
The only time I've encountered UACs is when installing programs, setting up a terminal server, writing over files, and changing things that I wouldn't want any random program doing, all of which are reasonable (well, perhaps not the writing over files). What the hell do you people do, randomly start deleting things on the start menu?
The point is that the malicious process does *not* need to be running as admin, and the user doesn't need to do anything if the process can attack the system with a privilege escalation exploit. This is not my opinion, it is fact, supported by a mountain of malware evidence.
If you mod me down, I shall become more powerful than you could possibly imagine.
When elevating privileges during an installation, the environment also seems to change. While my drives remained mapped in explorer.exe (and every other application), they did not appear from within the installer app.
Not a big deal.
But at the end of the installation, I checked the "Run this application now" checkbox, and the environment separation (and presumably the privilege elevation) was inherited by the spawned process! Bug or feature?
I call bullshit on this one.
I've only seen that message once, and the application in question didn't install correctly, so it was entirely justified.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
I used to respect Mark's opinion on security issues, now he's sold out to M$ and is singing from their hymn sheet. If he wasn't their b*tch now, he would be condemning this hole rather than saying it was a design decision.
No, really !
That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator." This, in Rutkowska's mind, is a "very severe hole in the design of UAC."
And a very stupid thing to do in the first place! What's the purpose of determining if an executable is "an installer"? What is an installer anyway? If you want to install non-privileged (and if possible sandboxed) programs (Tetris), you need a _place_ for that. What you _don't_ want is to run it as administrator for the stupid reason that it's the only known way to copy files to a place every user can reach, and flood the registry with stupid useless keys.
That's typical Microsoft technology. By doing useless, half-baked and complex stuff like that (heuristics for "installers"), they open the road to vulnerability discoveries on every corner. Good luck with Vista.
I also switched off UAC, after having to confirm 5 times for just one file copy operation.
I tried to copy a program from my old windows installation to the new vista program files folder. So I opened one explorer with a connection to the old xp (\\ip\share) and dragged a folder to the program files folder on vista.
It was something like: (I'm writing this down from my memory, so it might not be 100% exact)
1. Confirmation "You are copying an executable file from an untrusted location, do you want to continue?" - continue of course, it's my old pc
2. Confirmation "You are copying into a secured system folder, do you want to continue?" - yeah, that's what I wanna do
3. Confirmation "You are not allowed to copy from an untrusted source into a secured system folder. Please copy the file to my documents for example and then move it to the destination folder" - continue not possible.
4. Confirmation "You are copying an executable file from an untrusted location, do you want to continue?" - this time it copies on my desktop
5. Confirmation "You are moving a file into a secured system folder, do you want to continue?" - continue and the file is where I want it.
(Although some exploits lead directly to admin rights, "Exploit chaining" has also been used by malware authors -- get on the box using a remote defect, or social engineering to get the malware running as a non-admin user, then find a "local" way to elevate privilege using a separate exploit. )
If it were "trivial" to do this on Mac OS X, for example, the twenty million Mac OS X machines in the world would be worth a lot of money to spammers. The same botmasters who own fleets of Windows machines would own fleets of Mac OS X machines, too. At the present time, they don't seem able to easily own Mac OS X systems. Heck, even if we only consider the six or eight million Mac OS X systems which run Intel processors, that's still a sufficiently tempting target.
The issue of security is two-fold.
First of all, there is the issue of how to organize the file system around users and what rights should users have.
An O/S should have a separate programs folder for each user. In fact, each user should have its own view of the WHOLE operating system, including system files. The concept of kernel/administration files visible to a non-administrator user is plain wrong, because the user may be tempted to access those files in some way.
Installing a software package should make the package available to the user that installed the package. Only the system administrator should ever be allowed to install programs for all the users.
Secondly, there should be a simpler security model on top of access-control lists. ACLs are the most flexible security system, but it is very cumbersome to have to define access for every little thing inside the computer.
A better idea is to provide a ring security mechanism, on top of ACLs, like the one employed in the Intel 80x86 CPUs, but on the software level: each program runs within a ring, and has no access to the resources of inner rings, only access to the resources of its own ring and outer rings. Communications between an outer ring and an inner ring would take place through well established software gates.
The O/S would start any user at ring 0, i.e. able to touch any resource in the system. Certain applications would come pre-configured to run at ring 1, especially those with network connectivity: the email applications, the browser, the various server programs (http, ftp etc).
The user could elevate the ring of an application at will. For example, if one wishes to run a particularly suspect executable, then the ring of the program could be elevated to 2, thus being unable to access anything on the computer except anything through the software gates provided for that program.
Once software returns to the 'pay per use lease' model, your ISP (or ASP, if they aren't the same place by then) will simply give you access to what you leased on their servers, so you won't be installing anything locally anyway. All you have is a 'smart' terminal.
At that point, except perhaps for device drivers, you won't need admin rights.
---- Booth was a patriot ----
There are already 38 flavours of Vista so surely they could just market a "Pure" Vista for power customers, those who would know what they were getting themselves into. Apps could be VistaPure certified if they like and I see this as less difficult than the Mac switching processors twice.
Once there's a body of VistaPure certified software out there then the momentum can be built up to a switch-over for Vista II in about 5 years' time, with extended continued support for existing Vista (Legacy) customers.
While I'm at it, I find all this installer business quite shocking. Why can't an app just unzip itself into a directory in Program Files and then be sandboxed there by the OS? Sure, if a user wants to load/save files from a dialog they can do so wherever they have permission, but how hard can it be to otherwise not allow an app to read/write ANYWHERE above/outside its directory path? You'd still be allowed to assign an application read/write permission to any location you yourself have access to (e.g. network shares), but you should also be able to view/edit a list of that app's dir/net/registry access permissions with a right click on its shortcut.
i.e. all non-standard-OS-file-requestor operations that attempt to invoke a directory where the path does not begin with "C:/program files/the application/" and does not contain "../" be denied. Far too f**king simple.
If you don't risk failure you don't risk success.
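The post above proposes confining each application to its own directory by denying any path that does not begin with the install directory or that contains "../". The Python below is an added example, not code from the post or from Windows: it implements that literal rule next to a check that normalizes the path first and only then tests containment. The install directory, the file names and the probe paths are constructed for illustration; ntpath is used so Windows path semantics (both separators, case-insensitive names, drive letters) apply whatever host the script runs on.

```python
import ntpath

# Hypothetical install directory for the sandboxed application (constructed).
APP_DIR = r"C:\Program Files\The Application"

# The rule as the post states it: the path must begin with this prefix
# and must not contain "../".
NAIVE_PREFIX = "C:/program files/the application/"


def naive_allowed(path: str) -> bool:
    """Literal prefix-and-no-'../' rule, kept here to show where it leaks."""
    return path.startswith(NAIVE_PREFIX) and "../" not in path


def confined_allowed(path: str, app_dir: str = APP_DIR) -> bool:
    """Allow only paths that, after lexical normalization, sit under app_dir."""
    # A relative or drive-less path resolves against a cwd the caller
    # controls, so it cannot be judged from its text alone: refuse it.
    if not ntpath.splitdrive(path)[0] or not ntpath.isabs(path):
        return False
    base = ntpath.normcase(ntpath.normpath(app_dir))
    # normpath collapses "." and ".." (with either separator);
    # normcase lowercases and turns "/" into "\".
    target = ntpath.normcase(ntpath.normpath(path))
    try:
        # commonpath raises ValueError for different drives or UNC shares.
        return ntpath.commonpath([base, target]) == base
    except ValueError:
        return False


# Constructed probes: two legitimate accesses and two escapes that the
# literal rule accepts because they use "..\" or a trailing ".." rather
# than "../".
PROBES = [
    "C:/program files/the application/data/save.dat",
    r"C:\Program Files\The Application\plugins\x.dll",
    "C:/program files/the application/..\\..\\Windows\\System32\\evil.sys",
    "C:/program files/the application/..",
]


def compare_rules(probes=PROBES):
    """Return (path, literal-rule verdict, normalized verdict) per probe."""
    return [(p, naive_allowed(p), confined_allowed(p)) for p in probes]


if __name__ == "__main__":
    for path, naive, confined in compare_rules():
        print(f"literal={naive!s:<6} normalized={confined!s:<6} {path}")
```

The literal rule lets both escapes through and, because it compares raw strings, also rejects a legitimate path written with backslashes and capitals. Normalizing first handles only the lexical cases: junctions, symlinks, 8.3 short names and alternate data streams can be resolved only against the live filesystem (os.path.realpath on Windows), and since a program can skip a check it performs on itself, the enforcement the post asks for has to live in the OS or a broker process, not in the sandboxed application.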
that windows vista might actually give us a good reason to consider using windows,
Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
Isn't that the fundamental design problem with windows in general? Sacrificing security in the name of ease of use? From all the hype I've read recently that "vista is the most secure ever", I thought that maybe, just maybe, windows would focus on security this time.
Apparently not.
I work for the Department of Redundancy Department.
if they are admitting you can't do ANY real work on a 'modern processor' with 512M memory and that you will suffer until you get a dual core machine with 2GB memory and a 256MB video, that just about kills off most of the upgrade market, especially in corporate America.
I have a dual core laptop with 1Gig RAM and a 256MB video card (okay, integrated graphics: I can set it to use 256Meg, out of the box it was 128Meg) and it is merely marked as "Vista Capable". Bought it a few weeks ago on sale.
I have Vista on the following laptop and it outperforms my XP install:
Pentium M 1.7Ghz
1GB RAM
Integrated 32MB video card
5400RPM 80GB HDD
This machine (3 years old) blows for development work (Visual Studio 2005 kills it with paging; Visual Studio 2003 sucked a bit and InstallShield always took a couple minutes to load). I put Vista on, threw in an old thumb drive to use as spare cache, and it's outperforming my XP install by far.
The Windows Vista upgrade advisor also lists my machine as Vista Capable and it is quite capable. I just don't get Aero Glass and I wouldn't dare trying to run Media Center on such a bad video card. Without the thumb drive as cache it performs just as poorly as it did in XP.
I've actually gotten a couple other developers to make that switch until our new laptops come in (this time we spec'ed out the machines so IT doesn't give us more crap).
-- What did Spock find in Kirk's toilet? The captain's log.
Some may argue that Mark Russinovich, often a thorn in Microsoft's side, sold out when they bought ("hired") him. However, Mark has a long and enviable track record of exposing Microsoft problems. I am not prepared to ignore that track record so easily, and I appreciate the honesty of his response to Joanna Rutkowska, who hasn't discovered anything here of significance IMHO.
The perfect operating system will not be realized so long as imperfect users interface with it.
Vista no longer has a start button. It has a blue marble with wavy color boxes in it.
IMO, the problem isn't so much with MS, it is with Windows application developers. As the Windows security model evolved, most of the developers' attitudes got stuck back at Windows95.
The lazy attitudes of developers (or the companies that employ them) have brought this situation to us.
I've lost count of the number of applications that "need" admin rights to install or even run. Most of the time, it's just a matter of rights to a specific directory or reg key (thank goodness for regmon/filemon!), but to play it safe they tell you that you've got to be admin.
The photo editing software that came with my Nikon camera out-and-out states in the "system requirements" that you have to be running as admin to even -use- the application.
That's not a MS issue, that is a lazy/incompetent application developer issue. Well ok, it's also a closed-source software issue, but that's a whole other holy war...
A house divided against itself cannot stand.
Well thats true as a wide generality. IF there is an available priv escalation exploit available, then yes. But thats true of every OS. Every OS has had it's share of priv escalations. Every OS closes them as fast as they're found.
However, I'm not sure what this has to do with the effectiveness of UAC.
My guess is you have only seen "Windows" in your short life.
The real issue is that developers/packagers/MS don't care about security.
All they care about is that you don't nag them to do support for a permission issue.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
This can't be the same guy who blew the whistle on the Sony CD rootkit in 2005. It just can't.
Sony Music is probably whupping themselves upside their collective head and lamenting, "Now why couldn't WE have gotten to him first?"
I guess he who takes the King's pence gets to be the King's sock puppet.
AC, get an account!
If the MSI just copies files and registry entries to where the user has rights you will not be nagged for an Admin password.
If the MSI was created using InstallShield then it will create a Setup.exe (used to install the InstallShield engine to do the installation instead of msiexec.exe!!)
setup.exe is a "special filename" in Windows. Launching anything in Windows called setup.exe assumes you need to be admin and prompts you. Think of it as XP's UAC.
- to avoid it: rename setup.exe to anything.exe (if Install$hit will let you!)
- to remove the "feature":
go to [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\setup.exe] and delete the RunAsOnNonAdminInstall value
Or for script kiddies:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\setup.exe]
"RunAsOnNonAdminInstall"=-
The big difference between OS X, Ubuntu, Fedora, and Windows, is that Microsoft is still trying to make money. Large portions of all these 'nix based OS's are open source, and companies cannot charge for this. Microsoft, as a software company, sells two main software packages, Office and Windows. UAC is designed to do one thing for Microsoft, enhance the sales of their line of mice. Excessive clicking in dialog boxes will lead to the degradation of mice everywhere. You should run out now and get your Vista approved mouse.
Microsoft's biggest problem lies in not having a development base large enough to rewrite an OS. There are parts of the OS that have been around since the beginnings of Windows. Attempting to integrate today's security with yesterday's software would be, I'd imagine, incredibly difficult.
I guess you didn't quite catch the "A Few Good Men" reference, and the fact that while Nicholson's character believed he espoused those traits, he actually expressed the opposite.
The cesspool just got a check and balance.
Nice try, Micro$oft guy!
Next time when you moderate, browse at -1!!
News about the Kettle Open Source project: on my blog
Bill Gates was right: Wow.
The funniest (or saddest) is still to come: when some malware starts installing automatically on hundreds of thousands of Vista boxes. It will happen. I know it, you know it... World + dog knows it.
Regarding admin privileges being mandatory to install stuff, I'd like to point out that a major fucktardiness in Red Hat based Linux distros is that all .rpm's are built in a way that makes it mandatory to be root to install them. Technically it should be possible to make .rpm installable as non-root, but in practice you never see that. Just why the f**k do I need to be admin on a Red Hat system to install, say, a browser, using a .rpm?
Of course for me it's the .tar.gz installed using a normal user account, but most users find it normal to download and install third party .rpm as root, which sucks big time.
I'll end my random ramblings by pointing out that I can't help but smile every time someone mentions that Windows ACLs are way more advanced than what Un*x has to offer. It sure has helped to keep Windows servers running IIS safer than Un*x ones running Apache, right? (I'm not talking about the hundreds of millions of rooted Windows desktops or those f**ktards will invoke the monocrop argument ;)
Believing that "user education" will fix things is like believing intensive driver training will stop people from running their cars into things by accident. The trick is that accidents are just that, a happenstance that results in a bad outcome. Even with solid training, the Formula 1 driver who is an expert at driving their car on their favorite track will occasionally crash.
"User Education" on its own simply doesn't work. If "user education" was the solution, after 30 years of desktop computing and teaching people how to use their computers we should have seen results right? It isn't so much a user problem but an engineering problem. Windows is frankly not engineered correctly where Vista's behavior is just another symptom of it. Wagging our finger at users saying "you should know better!" is silly.
A successful ME boot *would* be cause for celebration... if it ever actually happened. ;-)
So that I'm not accused of exaggerating, my definition of "successful" in this case would include no error messages to click through during boot.
Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
So, all of a sudden Joe Sixpack is starting to feel slightly uncomfortable because he bought Vista and all of a sudden he can't run "Waste-a-raghead with Extreme Prejudice III" at a decent frame rate and his Dixie Chicks CDs have started to sound like Celine Dion.
You've all started to notice that MS has been palming you off with expensive cruft for years and all the upgrades and fixes do is change the direction you get shafted from.
Well, all I can say is "Live with it".
It's your fault. You made MS a monopoly. Yes, you, by not thinking or being at all discriminating over the years. You just went with the crowd. So what if some of the things MS did weren't quite, shall we say, gentlemanly? It was just easier to go with the flow and buy the Kool-Aid.
So put up with it. It's part of the price you have to pay. And don't come begging to me for help with installing Linux.
Linux "isn't ready for the desktop", remember? It's "for geeks", remember? It's "not intuitive", remember? It's "not compatible", remember?
What's that you say? It works, and Vista doesn't?
Well, whoopty-doo.
Go Vista! You deserve it.