Slashdot Mirror


"Very Severe Hole" In Vista UAC Design

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."


  1. Re:So what's new? by DoofusOfDeath · · Score: 5, Informative

    I believe that even RPM on linux runs the install scripts with admin access...

    Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
  2. It's not the software. by KingSkippus · · Score: 4, Informative

    That's the thing. Most of the prompts I was getting were not from software trying to do stuff, they were from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.

    1. Re:It's not the software. by ThinkFr33ly · · Score: 4, Informative

      Not OS files, but my own documents in my user directory. I find that hard to believe, unless you're talking about pre-RC2 Vista. Operations on files which you own or have normal permissions to, such as all the files in your user directory, do *not* cause a UAC prompt. Simple as that. Think of it this way, if you were on Unix, it would simply deny you access to the file in question. You would then have to su root to get the job done. In Vista, it makes that elevation a lot faster and easier.

      For repeated, but separate operations (like installing a lot of applications when you're setting up your machine), you can disable UAC. This is basically the same thing as su root if your account is an admin account. Once you're done, re-enable it. It's really not that hard.

      Stuff like changing the layout of my Start menu. You'll only get a UAC prompt when modifying start menu folders that are shown to all users. Why? Because these aren't folders you own. See my previous point. Also, why bother rearranging start menu folders in Vista? If you want to find something, type in the first couple of letters and it appears. It's MUCH faster than drilling down through folders.

      Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document. You're either making this up, or you were using something that was even pre-pre RC1. This simply does not happen with Vista post-RC1.
    2. Re:It's not the software. by Durandal64 · · Score: 4, Informative

      At the command line, Apple simply uses sudo. At the GUI layer, the security architecture is more complex than sudo. It borrows some concepts, but only in a very limited sense. When you authenticate, you don't necessarily become root. Sometimes, you are just given permission to make modifications within a program, where root privileges aren't strictly required for anything, but the app's author wanted to restrict certain capabilities to admin users on the machine. Apple's security model is designed around requesting rights (like "com.apple.installer.installSoftware") from the security server, and those rights have certain properties that you can set, like a timeout, whether root privileges are actually required for this right, etc ... In many cases, you're authenticating for permission to run a SetUID command-line tool that's been factored out of the GUI app you're working in. For example, when you authenticate in Installer.app, Installer.app does not elevate to being run with root privileges. It launches a SetUID binary called "runner", which runs as root.

      Apple copied sudo's idea of "least required privileges" as the basis of its GUI security model, but I don't know if sudo was the first example of LRP. Maybe it was. But the GUI security model is definitely more complex than sudo, and apparently, it's a hell of a lot better than what Microsoft came up with for Vista. Using heuristics to identify which executables should get admin rights just seems like a horrendously stupid idea. Microsoft should've put its foot down on this one and forced developers of installer applications to properly request credentials. But they chose backwards-compatibility, as always, and now they're basically guessing who needs admin rights and who doesn't.

    3. Re:It's not the software. by greed · · Score: 4, Informative

      Apple didn't copy the sudo mechanism. They copied sudo itself, shipped it with the operating system, and used it from the GUI.

      So changing /etc/sudoers can affect the GUI. This can be important, because the default behavior is to cache credentials for 5 minutes, which can leave your system exposed to the next thing that wants Administrator privs. Changing the cache timeout to 0 fixes that, nicely.

    4. Re:It's not the software. by Chris+Burke · · Score: 5, Informative

      cause then there will be a story on here going on about how Microsoft stole from Unix, then we get 800 comments about how microsoft is evil for doing it, yet no one will mention that Apple did the same thing cause they aren't the evil microsoft.

      Whatever. For starters, Apple didn't just steal from Unix, they built their OS on top of Unix. And you can't read any article on OSX around here without a dozen posts pointing that out, so the "no one will mention" part is just crap. Of course Apple never hid the fact that they were "stealing" Unix by building their OS on top of BSD. The whole point being to start with a solid OS with all these great Unixy concepts built in and add their Apple interface on top. Whereas when Microsoft steals these features after another five years, they'll act like they were struck by inspiration out of the blue and have done something that nobody's done before, like they have with every other idea they've stolen. So the "did the same thing" part is crap too.

      It may be fun and easy to take a poke at the "/. doublestandard", but it only reveals that you don't understand that it isn't a double standard at all. Microsoft has a bad rep for a reason among those who have been paying attention, and hey, maybe you don't know or understand why but don't think Apple would get a pass if they truly did the same things Microsoft does.

      Next up: Why viewing Halliburton in a harsher light than Bob's General Contracting is also not an unfair double standard.

      --

      The enemies of Democracy are
  3. Re:An even bigger hole... by Anonymous Coward · · Score: 4, Informative

    I've been running Vista RTM since release and I hardly see any UAC prompts. The only times are when I run VMware or install a program.

    You want to run an application, is that okay? That's the application's fault. Most applications shouldn't need administrative rights to run, and if they've been written properly they won't prompt. WinRAR 3.61 never prompts for me, but 3.62 has UAC prompts for everything. AFAIK "Windows XP Certified" programs require programs to be written so that they can run without elevated privileges so this is nothing new. People just assumed that everyone would run in an Administrator account and ignored those guidelines.

    You want to copy a file, is that okay?

    That never happens unless you're copying files into protected directories such as Program Files or the Windows directory. I copy files around all the time without UAC prompts because I keep them in my User directories or an external hard drive.

    You want to change your desktop background, is that okay? This is just FUD. That never happens. If you right click on an image in IE7 and set it to background a regular IE prompt will appear, but no UAC.

    You want to copy text from IE7, is that okay? I can copy text just fine, doesn't seem to prompt for me.

    You want to delete an old text file, is that okay? See above, only in restricted directories.

    You want to paste text into a form field in IE7, is that okay? I just tried copy and pasting info into the login page at Bank of America and I get no prompts. Even copy and pasting into sensitive fields such as "Social Security Number" on a Citibank credit card application resulted in zero prompts.

    UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.

    MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).
  4. The cause of your problems and the solution by The+MAZZTer · · Score: 5, Informative

    NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions are only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.

    Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.

  5. Re:Another approach. by TheRaven64 · · Score: 4, Informative

    Actually, the concept was on the original Mac before NeXT existed. Mac applications would have the executable in the data fork, and any supporting 'files' in the resource fork. NeXT didn't want to implement forks, so they used folders instead. This let them store applications on filesystems that didn't support forks (e.g. FAT, UFS, etc), and so was probably a better solution.

    --
    I am TheRaven on Soylent News
  6. Re:An even bigger hole... by Chokolad · · Score: 5, Informative

    I still don't understand where the supposed security gain is. Since when is malware unable to click ok itself?

    The UAC prompt opens in a separate logical desktop. Applications from the main desktop cannot send window messages to it, which means malware will be unable to click OK itself.

  7. Re:Apple got it right by ruiner13 · · Score: 5, Informative

    No, it is completely different. For an MSI to run on Windows, it needs to use the installer SERVICE which is running under the system account. This means that any installer inherently is running through a system user account. And if you had read the article, EVERY installer asks to be run as administrator in Vista, regardless of its intent. There is no exception made for a game, such as Tetris. RTFA yourself.

    --

    today is spelling optional day.

  8. Re:An even bigger hole... by Doctor+Crumb · · Score: 4, Informative

    Sorry, but linux and OSX only ask you for your password when doing potentially dangerous things. You are not prompted when moving files from one of your own folders to another of your own folders. You are not prompted when editing your own menus. You ARE prompted when doing something that will affect other users of the system, such as installing software site-wide. If you want to install a warez server under your own home folder, go nuts, you already explicitly have permission to do so.

    Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program. If I wanted to install openoffice as my cousin vinnie, I could do so. Vista's all-or-nothing UAC is nothing more than an attempt to shift blame to the users, so that MS can claim to provide better security than ever before.

  9. Re:Apple got it right by choseph · · Score: 5, Informative

    Then the article is wrong. You can manifest an installer or exe to default to admin and UAC prompts, or AsInvoker if you know you can install without special access (installing to a user directory only for example). You can see more information here: http://channel9.msdn.com/Showpost.aspx?postid=211271
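    The manifest mechanism the comment refers to, as an added example that is not part of the original thread: an embedded application manifest whose requestedExecutionLevel tells UAC how the program should be launched. The assembly name is a made-up placeholder; the three level values (asInvoker, highestAvailable, requireAdministrator) are the real ones.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Hypothetical identity for a per-user setup program (placeholder name). -->
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*"
                    name="Example.PerUserSetup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          asInvoker: run with the caller's token; no UAC prompt. Correct for
          an installer that only writes under the user's own profile.

          The alternatives are requireAdministrator, which always forces an
          elevation prompt (what the article says installers get by default),
          and highestAvailable, which prompts only if the user is an admin.
          Declaring a level explicitly also stops the installer-detection
          heuristic from guessing that a "setup"-named exe needs admin rights.
        -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```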

  10. Re:An even bigger hole... by RzUpAnmsCwrds · · Score: 4, Informative

    You ARE prompted when doing something that will affect other users of the system

    You mean like modifying files that you don't have ownership of?

    UAC does not, and has never, prompted users when they move files that they have permissions to. It does, however, prompt when you move files that are in the common desktop or in the common start menu folders.

    Of course, linux and OSX have fine-grained mechanisms to grant/revoke permissions for any file, folder, or program.

    Clearly, you don't understand anything about how Windows works. Windows has had access control lists practically everywhere in the OS since Windows NT.

    Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.

  11. Re:An even bigger hole... by Combuchan · · Score: 4, Informative

    I could spend a lot of time deriding your ignorance, but instead, you can google three words--linux extended attributes--and you will understand for yourself.

    --
    "[T]he single essential element on which all discoveries will be dependent is human freedom." -- Barry Goldwater
  12. Re:An even bigger hole... by WWWWolf · · Score: 4, Informative

    Oh, and the ACLs in Windows are far, far more "fine-grained" than the usable-but-primitive permission bits in Linux.

    Uh, Linux has supported POSIX Access Control Lists and Extended Attributes for quite a while now.

    Heck, it dates from the days when ext2 was the king of filesystems, and that's a long way back. (Granted, at least on ext3, you have to specifically turn them on in mount options or with tune2fs, but on XFS, JFS and (to my knowledge) Reiser3 and 4, they're supported out of box.)

    And when people say POSIX, they mean "real *nixes have had these features for, like, centuries". =)

    What you're saying next? "Active Directory is so much more better authentication system than /etc/passwd, which is also a security risk that exposes encrypted passwords to users"? =)