"Very Severe Hole" In Vista UAC Design
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple and effective solution.
Why bother.
Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.
...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.
When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.
The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.
"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."
This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.
Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)
These stories are free but worth money.
rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.
By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).
RTFM.
Video version of the above commentary here.
So let me get this straight... deleting a shortcut brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.
"Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?
I guess MS didn't learn anything from id.
Beauty is in the eye of the beerholder.
That's the thing. Most of the prompts I was getting were not from software trying to do stuff, they were from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.
I'm sorry, but you are wrong.
A regular user without admin rights can't run any program with admin privileges, ever. Of course said user can use runas (or their graphical counterpart), and give the program U:PW for administrative privileges.
Now, the default user Vista creates at install time is an administrator - but the default token said user gets is the same as a regular user's. Now, if you want to run a setup program, Vista will elevate the privileges of such administrator accounts to the administrator level.
It's really quite similar to sudo, except that it doesn't prompt for passwords. But, if you want, you can do even that, through group policies.
Your post is even funnier if you read it out loud in The Simpsons' "Comic Book Guy" voice.
... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.
That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.
My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how unobtrusive they may be.
I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.
It is pitch black. You are likely to be eaten by a grue.
Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.
Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.
I mean, well over a decade ago I could download any old UNIX software, untar it, set an environment variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.
This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.
This just makes me laugh.
Cheers
Lost at C:>. Found at C.
The truth is out. Microsoft didn't kill clippy in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing questions.
This link allegedly tells you how to turn the questions off , but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?
Reduce, reuse, cycle
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
There are 2 ways to install software.
1. Drag the application folder wherever you want it
2. If application does need to install a control panel, kext, or any other system file, then you can create an installer. When the installer tries to install the files that need the elevated permissions, it then tells you what it is trying to do and asks for an admin user/password
How is that hard to grasp at MS? Assuming everything needs admin permissions is just insane, and insisting it isn't a security hole and is a "design choice" is just fucking retarded.
today is spelling optional day.
Any EXE with "setup" or "patch" in the name will be assumed to require elevation, because no programs to date have manifests which specify whether they need to be elevated or not; and so Windows has to guess. The filename is a perfectly good indicator, as most setups will need elevation (Program Files is not writable without elevation). Windows uses other factors too; it can detect Windows Installers, NSIS installers, and a couple of others regardless of the filename.
If you don't like this automatic detection you can turn it off via the Group Policy Editor. It's under the global Computer settings under Security Settings somewhere, with the rest of the UAC options. Remember you'll have to manually launch installers elevated now, although Windows does try to detect when installs fail and will offer to try elevation and XP compatibility mode automatically.
Myself, I actually made my computer less secure by turning off the secure desktop (the screen resolution change that happens every time a UAC prompt comes up). I don't want Windows yanking me away from whatever I'm doing because I got bored waiting for the UAC prompt to appear then all of a sudden it decides to finally show up and hog keyboard/mouse focus. Sometimes if your computer is busy the UAC prompt won't even appear for 5-10 seconds, and you're sitting at a useless but very secure desktop alone for that time. So I turned it off and now they appear on the normal desktop. Of course they could potentially be sent window messages now by any app; but I don't let just any app run on my computer. I was safe back when I used XP SP1 and I could turn UAC off if I wanted to and still be safe.
Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!
VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?
Well-behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who are being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.
As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.
Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
I'm sorry, exactly where did I say that it was acceptable in OS X or Linux? Seriously, point it out, because I honestly don't remember saying anything like that.
Since you brought it up, though, yes, Linux could definitely use some work in this area. I also get tired of sudo password prompts for doing some basic system configuration and maintenance tasks, especially stuff that only applies to my account, not the OS as a whole. If you want me to jump on the bandwagon of having less stuff requiring admin access in Linux, count me in. I can't speak for OS X because I've never used it.
However, in defense of Linux, Vista is much worse. I've never had a prompt pop up in Linux that expressed concern because I was copying text from my browser to the clipboard. In Vista, I did. It may sound petty and silly, but it was the proverbial straw that broke the camel's back. The truth is, though, that I was constantly being prompted to do stuff that had nothing even remotely to do with system configuration or administration. Stupid stuff like renaming a file that was nowhere near a system directory. Stupid stuff like running a program that doesn't even come close to touching kernel code. Stupid stuff like... Well, you get the idea, I'm not going to sit here and list every stupid prompt I got.
So am I Microsoft-bashing? Yeah, I suppose I am. But it's not because I have an ax to grind with the company or because I think the alternative is perfect, it's because this particular product truly sucks ass. Yes, I know that there are zealots out there who would complain no matter how well Vista might have worked, but if you think I'm one of them or that's why I posted my message, you're barking up the wrong tree.
(Have you tried Vista yet?)
In reality, the hardware is optimized for speed. That is, the core will execute the instructions it receives without any sort of bounds checking. If an instruction fails, then an error code is stored and the next instruction is fetched and executed. It's only during boot time that a kernel has the opportunity to install code at particular vectors to prevent other code from sitting there. That's the PC architecture -- it was designed years ago and for good or bad, we're stuck with it (Ironically, many people make the same argument about Microsoft). That's why the kernel is so important: if it fails to protect a particular interrupt vector or other system integration point, then a userland program can elevate itself to kernel-level privileges and walk all over both the running OS and the data on your hard drives.
The only way to implement your idea (and many others like it) would be to have the hardware recognize this "code source" (or whatever magic bullet you have defined) and act accordingly.
Long story short, people are looking for a technological solution to a lack of education. Like it or not, there's a lot of people on the Internet now that need education. Vista's UAC seems to be along those lines, though extremely insulting and inflexible to an advanced user. It's like it was designed to "raise awareness" of "potentially unsafe operations" so that someone who was previously a clueless idiot can now see that many operations are potentially unsafe. Of course, the prompts don't explain WHY to this person, which eliminates UAC even as an education tool.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
The problem is that security isn't simply relegated to actions affecting system files and program installations. If you've ever cleaned a Windows box that had been hit by some virus or malicious website (back when websites could affect IE bookmarks, etc.) you probably noticed a glut of shortcuts and bookmarks pointing to websites that the "attackers" wanted you to visit. This all takes place within the userspace yet it is undesirable behavior. Likewise, copy/pasting to-from the browser has been pointed out to be a security hole even though the actions take place entirely in the userspace. I'm not saying that the kernel shouldn't be protected, but that ignoring userspace interactions entirely is equally wrong.
It does not sound like MS has addressed the problem properly if UAC is instantly conditioning users to always click "ok", but to say that it should only be invoked when attempting "dangerous" operations belies the complexity of the issue. At the end of the day my kernel getting infected is not my primary concern - the integrity of my personal files is. Even if I had to purchase a brand new box with a new OS license off the shelf it's still easier/cheaper to do than trying to replace the accumulation of files I've created, downloaded, purchased, etc.
1) So, all Vista installers run with admin. priv.
2) Installing a downloaded Tetris game allows the game installer to change virtually anything in the system.
Why does a game need an installer at all ? Why not just unzip the game into your user account/home directory or better yet drag the game icon to the place you want it ? Why do Windows applications all seem to need an installer ?
On OS X and NeXTstep before it, application icons are actually covers for directories containing all of the support files, including executables, needed by the application. Furthermore, applications are not supposed to assume that they can write to their own directory. This is convenient for running applications from servers without installing on the local machine or for running directly off a CD-ROM. If an application needs to store user data or write configuration files, there are standard places to put the files. When needed, the individual application copies files to standard places using the user's permissions and not admin permissions.
The first time any application is run, the user is asked if it is OK. If some crap is downloaded and executed unintentionally, the user is given a chance to say WTF and stop it. Any time any application needs privileges beyond the user's default privileges, an admin passwd is required.
No installers (except in crap-ware and unusual circumstances, and even then they require an admin password for upgraded privileges!)
Remarkably little user irritation.
Why can't Microsoft copy this behavior ? It has been for sale since 1988.
OS X isn't perfect, but sometimes it is better.
From the NSIS (Nullsoft Scriptable Install System) documentation:
RequestExecutionLevel none|user|highest|admin
Specifies the requested execution level for Windows Vista. The value is embedded in the installer and uninstaller's XML manifest and tells Vista, and probably future versions of Windows, what privilege level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows Vista automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin have virtually the same effect.
It's recommended, at least by Microsoft, that every application will be marked with the required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.
More information about this topic can be found at MSDN. Keywords include "UAC", "requested execution level", "vista manifest" and "vista security".
So it seems that there is an option, "user", which might cause NSIS to run in non-admin (depending on whether Vista's auto-handling is overriding), and that other installers might also be able to run non-admin.
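To make the quoted documentation concrete, here is an added example of a complete NSIS script (written for this discussion, not taken from the NSIS manual or from any poster) that does what the docs recommend: it declares the user execution level so the manifest says the installer runs as the invoking user, and it keeps every write inside the user's own profile and HKCU so nothing ever needs elevation. The product name "Tetris", the file tetris.exe and the registry paths are made-up placeholders for illustration.

```nsis
; Added example: a per-user installer that never needs UAC elevation.
; Assumes a single payload file "tetris.exe" sits beside this script when
; compiled with makensis; the product name and key names are invented.

Name "Tetris (per-user)"
OutFile "tetris-setup.exe"

; Embeds requestedExecutionLevel="asInvoker" in the installer manifest.
; With the default ("none") the manifest is empty and Vista's installer
; detection would elevate this NSIS installer regardless of what it does.
RequestExecutionLevel user

; Install under the user's profile, which is writable without elevation,
; instead of Program Files, which is not.
InstallDir "$LOCALAPPDATA\Tetris"

Section "Install"
  SetOutPath "$INSTDIR"
  File "tetris.exe"

  ; Per-user hive only (HKCU). Writing to HKLM would require elevation
  ; and would contradict the "user" level declared above.
  WriteRegStr HKCU "Software\Tetris" "InstallDir" "$INSTDIR"
  WriteRegStr HKCU "Software\Microsoft\Windows\CurrentVersion\Uninstall\Tetris" "DisplayName" "Tetris (per-user)"
  WriteRegStr HKCU "Software\Microsoft\Windows\CurrentVersion\Uninstall\Tetris" "UninstallString" "$\"$INSTDIR\uninstall.exe$\""

  ; The uninstaller inherits the same "user" execution level.
  WriteUninstaller "$INSTDIR\uninstall.exe"

  ; Shortcut in the current user's Start Menu, not the All Users one,
  ; so the installer is not subject to the compatibility-mode shortcut move.
  SetShellVarContext current
  CreateShortCut "$SMPROGRAMS\Tetris.lnk" "$INSTDIR\tetris.exe"
SectionEnd

Section "Uninstall"
  SetShellVarContext current
  Delete "$SMPROGRAMS\Tetris.lnk"
  Delete "$INSTDIR\tetris.exe"
  Delete "$INSTDIR\uninstall.exe"
  RMDir "$INSTDIR"
  DeleteRegKey HKCU "Software\Tetris"
  DeleteRegKey HKCU "Software\Microsoft\Windows\CurrentVersion\Uninstall\Tetris"
SectionEnd
```

The point of the script is the pairing: RequestExecutionLevel user is only honest if the script genuinely stays out of Program Files and HKLM, which is why every path is rooted at $LOCALAPPDATA and every registry write goes to HKCU. An installer that declared user but then tried to write under Program Files would simply fail with access denied on a standard account, which is the correct outcome: the manifest tells UAC what the program needs, and the program lives within that.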