Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Very Severe Hole" In Vista UAC Design

Posted by kdawson on from the she-said-he-said dept.

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

9 of 813 comments (clear)

  1. An even bigger hole... by KingSkippus · · Score: 5, Insightful

    There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

    Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

    The theme of Vista seems to be simple: Annoy the hell out of he end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually compose of two separate actions: the one you want to do, and the confirmation to do it.

    After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

    Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

    Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

    If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

    As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

  2. Further proof by Anonymous Coward · · Score: 5, Insightful

    ...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.

    When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.

    The one thing Apple did that Microsoft really ought to copy, they don't. Figures.

  3. Swinging a Blunt Object by CheeseburgerBrown · · Score: 5, Insightful

    I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.

    "What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."

    This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.

    Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)

    --
    These stories are free but worth money.
  4. You ought to watch those irrational beliefs . . . by mmell · · Score: 5, Insightful
    Let's say rather that you need root authority to install rpm packages for use by all users.

    rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.

    By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).

    RTFM.

  5. Re:It's not the software. by Paolo+DF · · Score: 5, Insightful

    So, this is *exactly* like the latest "get a Mac" ad. Maybe even funnier!

    --
    Pumbaa! I don't wonder; I know.
  6. People who complain about UAC don't understand UAC by RzUpAnmsCwrds · · Score: 5, Insightful

    Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!

    VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?

    Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.

    As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.

    Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.

  7. Re:It's not the software. by Stamen · · Score: 5, Insightful

    What you aren't understanding is: it isn't the concept of asking for permission when you need to do something that requires administrator rights, that Microsoft got right, it's the way they implemented this feature that is so bad. Microsoft often gets the general ideas right, but the details are so wrong.

    Higher up in the thread someone mentions what happens when you copy a file to a folder in Program Files. Because Program Files folders are protected you need elevated permissions to do that. The right thing to do is say that it requires elevated permissions, ask if you want to do it, then do it. But in some cases it asks you 3 times for one file (do you want to copy, do you want to elevate, do you want to overwrite, do you want to be admin, do you need help with writing your letter). Why can't they give you one box that says, "The file already exists and this copy requires administrator rights, do you want to allow this?", then when you say OK, you are done. Why, why, why can't they do this, are they short of money?

    And Mac and Linux do exactly the same thing, they ask your permission to do admin tasks, except they got the details right so they don't irritate the user to death. A guarantee people are just going to shut off UAC because it's annoying, defeating the whole purpose.

  8. Re:It's not the software. by PopeRatzo · · Score: 5, Insightful

    My few hours with Vista taught me something important about operating system design. That is, a good operating system should make you feel like you're in control of your computer. Like you're the one calling the shots and that the system will do exactly what you want it to do without fuss. Further, the experience of using a good OS should make you TRUST your computer and feel as if your computer TRUSTS you. You should not have to beg an OS to install an app or run an executable. Even if you do something that is possibly dangerous to security, the most it should do is ask "are you SURE?"

    I don't want to wonder if my computer is tattling on me if I'm downloading an mp3 without DRM or watching a copy of a video that a colleague gave me. I don't want to think my computer is a rat or a punk. I don't want to think my computer will rebel if I run a perfectly legal program like Alcohol or rip.net or want to install the k-lite mega codec pack.

    DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home.

    --
    You are welcome on my lawn.
  9. Re:It's not the software. by mrchaotica · · Score: 5, Insightful

    And the worst part is, if you tell them the truth -- "it does that because Microsoft sucks at making software" -- they don't believe you and think you've got some kind of unfounded grudge against Microsoft!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz