Slashdot Mirror
"Very Severe Hole" In Vista UAC Design
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of he end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually compose of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
I believe that even RPM on linux runs the install scripts with admin access...
Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple an effective solution.
Why bother.
Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accomodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.
While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the life blood of the OS?
Does this mean that Vista does not allow users to install local copies of programs (eg, Tetris)?
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
...they're trying to install Tetris? Haven't they heard of Crack Attack?
...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.
When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.
The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.
"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."
This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.
Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)
These stories are free but worth money.
rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.
By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).
RTFM.
Video version of the above commentary here.
So let me get this straight... deleting a shortcut brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.
"Was it a millionaire who said 'Imagine No Posessions?'" -- Elvis Costello
Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?
I guess MS didn't learn anything from id.
Beauty is in the eye of the beerholder.
That's the thing. Most of the prompts I was getting was not from software trying to do stuff, it was from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.
Your post is even funnier if you read it out loud in the Simpson's "Comic Book Guy" voice.
... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.
That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.
My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how inobtrusive they may be.
I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
It is pitch black. You are likely to be eaten by a grue.
Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.
Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.
I mean, well over a decade I could download any old UNIX software, untar it, set an environent variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.
This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.
This just makes me laugh.
Cheers
Lost at C:>. Found at C.
The truth is out. Microsoft didn't kill clippy in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing questions.
This link allegedly tells you how to turn the questions off , but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
Reduce, reuse, cycle
I knew that reply was coming. Yes, the expert user can force synaptic into running without root privileges. However the new Ubuntu user who tries to start it up is simply going to hit a "enter your password" prompt at the get-go.
The expert Vista user can get around running installation programs as the Administrative user as well. It's the same issue.
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
There are 2 ways to install software.
1. Drag application folder where ever you want it
2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password
How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
today is spelling optional day.
Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.
If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.
Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.
UAC only kicks in when I try to do something to a file or system resource that I don't have permission to access. Period. End of story.
In the unix world, if I want to modify a file that I don't own I must elevate my permissions using something like su root. And that's somehow *less* annoying than Vista's UAC prompt?
The only time I can see this being more annoying is when I'm doing lots of actions that require admin privs. Microsoft did their best to group operations in such a way that you only get one prompt. If I try and delete 20 files, all of which I don't have access to, I'll get 1 UAC prompt.
But sometimes they can't group these operations together, such as when I'm installing several applications when I'm first setting up my machine. In these scenarios, su root is superior in the sense that I su root once and that's it. With UAC, I'll get a prompt for each install.
But if you know you're going to be installing lots of applications and you don't want to be bothered with multiple UAC prompts, then just turn off UAC while you're doing those installations. Simple as that. And not harder that su root.
So what's the big deal? The vast majority of users don't install new applications every day. In fact, the vast majority of users don't do anything that requires admin privs on a daily basis. This is a non-issue.
I've been using Vista since late November. During the first few days of use I got a lot of UAC prompts, but I really didn't find them all that annoying. One extra click just wasn't a big deal. After getting my machine setup the way I wanted it, I rarely got any UAC prompts. Just doesn't happen all that often.
Since almost everybody who will run Vista will get it on a new machine with most of the software they will use pre-installed, this is even more of a non-issue.
But the biggest point is that the way that unix does it, with a session-based elevation, is no less time consuming (in fact, it's usually more time consuming), and it's FAR more dangerous for a "dumb" user because they will tend to just leave their session elevated.
I am far from an RPM guru... but I have written a few in my day. Basically the way that an RPM works is you write a spec file which is just a script that tells RPM what actions to perform to install the actual binary. For example, put this file here, change its permissions, restart the running daemon associated with this package, etc. AFAIK the set of commands that you can give to RPM is limited, and I believe that you are not able to tell it to do things like load kernel modules. So sure, if you install an untrusted RPM it can do all kinds of nasty things like clobber your files, but there are limitations to what RPM can do. If you're really paranoid you can also run rpm with SELinux, which obviously has no analog in the Windows world.
#include ".signature"
Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!
VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?
Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.
As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.
Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
In reality, the hardware is optimized for speed. That is, the core will execute the instructions it receives without any sort of bounds checking. If an instruction fails, then an error code is stored and the next instruction is fetched and executed. It's only during boot time that a kernel has the opportunity to install code at particular vectors to prevent other code from sitting there. That's the PC architecture -- it was designed years ago and for good or bad, we're stuck with it (Ironically, many people make the same argument about Microsoft). That's why the kernel is so important: if it fails to protect a particular interrupt vector or other system integration point, then a userland program can elevate itself to kernel-level privileges and walk all over both the running OS and the data on your hard drives.
The only way to implement your idea (and many others like it) would be to have the hardware recognize this "code source" (or whatever magic bullet you have defined) and act accordingly.
Long story short, people are looking for a technological solution to a lack of education. Like it or not, there's a lot of people on the Internet now that need education. Vista's UAC seems to be along those lines, though extremely insulting and inflexible to an advanced user. It's like it was designed to "raise awareness" of "potentially unsafe operations" so that someone who was previously a clueless idiot can now see that many operations are potentially unsafe. Of course, the prompts don't explain WHY to this person, which eliminates UAC even as an education tool.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.
It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.
1) So, all Vista installers run with admin. priv.
2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.
Why does a game need an installer at all ? Why not just unzip the game into your user account/home directory or better yet drag the game icon to the place you want it ? Why do Windows applications all seem to need an installer ?
On OS X and NeXTstep before it, application icons are actually covers for directories containing all of the support files including executables need by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.
The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.
No installers (except in crap-ware and unusual circumstances and even then they require an admin password for upgraded privileges!
Remarkable little user irritation.
Why can't Microsoft copy this behavior ? It has been for sale since 1988.
OS X isnt perfect, but sometimes it is better.
As for the article - installers pretty much have to elevate.
/bin, but instead install a local bin directory.
I would argue this notion is fundamentally wrong.
An installer should only have to elevate if it has to modify the system, or possibly existing applications in some way.
I don't have to elevate for all Linux installations for example if I am not going to install something in
In OS X you can install an application just fine without elevation, unless again it requires system access - but most software is self-contained and has no need to add system files. Thus when an installer asks you for a password you have a better feel if whatever app your installing should really have that level of access.
In Vista you cannot have any installer do any setup things (like prepping directories or checking to upgrade a program) without running as admin. This is madness, because you are going to always be telling vista it's OK for even the most trivial installer to go ahead and elevate.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
in our concept of a personal computer.
Yes, this is a specific flaw in response to the problem, but why do we have the problem? Why is it that when you browse to a web page, you are endangering an accounting database you have on your machine?
What I am leading up to is this: there is too much coupling between computer applications via the personal computer operating system. It isn't just that MS put installers into God mode -- although that is bad.
Imagine you ran your computer as an X terminal or Citrix client, and you connected to applications running on remote servers. Installing or upgrading one piece of software could do very little to affect another. Now imagine a variation on this: what if we never created installers. What if we distrbuted software in virtual machines that you simply dragged onto your disk, and the operating system provided window management, clipboard integration, and file service? Furthermore the virtual machine would have no access to system files, anymore than a network client has access.
Your browser should at the very least run in some kind of a sandbox.
There was some possibility, a decade ago, of a change in the nature of applications. The OpenDoc idea was that the user experience would be document centric, and vendors would provide various capabilities users could employ on the documents. This was a beautiful idea: instead of builing lots of boiler plate capabilities, you as a developer would create only the bit you wanted to add to the software universe. OpenDoc never got past beta, and the OLE model, based on heavyweight applications, won. Well, if you're going to go that way, why not package each application with its own complete, but lightweight, runtime system? If you need to install an active X, why install it for every application on the system?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
From the NSIS (Nullsoft Scriptable Install System) documentation:
RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privileges level the installer requires. user requests the a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request for the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.
It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.
More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".
So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.As far as I can see Joanna Rutkowska's original criticism was that you need to be admin to install software. How is this different from Linux or any other OS?
Mark Russinovich then revealed that a non-admin process could cause an admin process to run arbitrary code. That sounds like more of a real problem.