Slashdot Mirror
"Very Severe Hole" In Vista UAC Design
Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."
There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.
Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.
The theme of Vista seems to be simple: Annoy the hell out of he end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually compose of two separate actions: the one you want to do, and the confirmation to do it.
After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.
Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.
Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!
If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.
As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.
...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.
When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.
The one thing Apple did that Microsoft really ought to copy, they don't. Figures.
Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.
I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.
"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."
This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.
Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)
These stories are free but worth money.
rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.
By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).
RTFM.
Video version of the above commentary here.
So let me get this straight... deleting a shortcut brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?
Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.
"Was it a millionaire who said 'Imagine No Posessions?'" -- Elvis Costello
Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?
I guess MS didn't learn anything from id.
Beauty is in the eye of the beerholder.
I had probably the most frustrating ten minutes i have ever spent on a computer before.
.... .... ..... .... ... .... ... .... .... .... ...
Start, typed in regedit enter.
Vista:Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the pogram name I wanted. Thanks for checking though. (click)
Edit the registry, close it. That was easy.
double clicked on setup. Stupid shield on my icon, what does that mean?
Vista: are you sure you want to run this? it's a program, you know.
Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click)
Install......that was easy.
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over
Open my computer, go to program files
Vista: Are you sure you want to go there?
Me:Yes (click)
open up the application folder
drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click)
Drag to Desktop.
Drag from desktop to application folder.
Vista:
Are you sure you want to overwrite this file?
me: for the love of god yes
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Die.Die.Die.Die.
Sounds like Clippy has been re-incarnated.
*shudder*
liqbase
NTFS partitions NOT created by Vista will cause these prompts for file operations on them, because you do not have access to them. #1: Your XP user account does but it is not recognized by Vista. #2: Administrators permissions is only granted after a UAC prompt. #3: Users permissions are normally low. Hence the need to prompt you to get the proper permissions.
Fortunately this is easy to fix. Simply go into the security settings in the property pages of a folder (or the whole drive if you wish) and add your personal account to the access list with full control. This will eliminate the prompts. Alternately on a multi-user computer you can adjust the permissions of the Users group for the same effect.
He did warn us that if we struck him down he would become more powerful than ever.
Maybe we should have listened.
No, it is completely different. For an MSI to run on windows, it needs to use the installer SERVICE which is running under the sytem account. This means that any installer inherently is running through a system user account. And if you had read the article, EVERY installer asks to be run as administrator in Vista, regardless of its intent. There is no exception made for a game, such as Tetris. RTFA yourself.
today is spelling optional day.
So, this is *exactly* like the latest "get a Mac" ad. Maybe even funnier!
Pumbaa! I don't wonder; I know.
Most of those prompts were redundant, either because they enforce things guaranteed by the underlying file permissions, or because the authorization could've been cached.
Vista:Are you sure you want to run this program?
Of course! It's got +X set!
Vista: are you sure you want to run this? it's a program, you know.
Ditto.
Vista: This is from AMD. Do you trust AMD?
Redundant. If I didn't trust them, I wouldn't have set +X.
Vista: Are you sure you want to go there?
Since Program Files shouldn't be world writable, this should prompt you for the administrator password. This authoriation should then be cached for Explorer.exe.
Vista: Are you sure you want to overwrite this file?
I'll let this slide, because even 'cp' prompts for that.
Vista:A program wants to write to the Program Files folder. Is this ok?
Should've grabbed cached authorization for Explorer.exe. Unless Explorer.exe was compromised in the 30 seconds between this action and the previous one, no security is lost here.
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
That's just idiotic.
Are you sure you want to overwrite this file?
Again, I'd let it slide depending on preference.
Vista:A program wants to write to the Program Files folder. Is this ok?
Cached authorization again.
It's really not that hard. UNIX/sudo got this right god knows how long ago. Apple did the right thing and just copied the sudo mechanism wholesale. Microsoft should to.
A deep unwavering belief is a sure sign you're missing something...
You were lucky. Try logging into Vista using a domain account. Then try copying a file from a restricted share to which the local machine users are not automatically authenticated but to which the logged in domain user is. Try to copy the file to a restricted destination like C:\. You go to do the copy, get all of the prompts you listed and then guess what: when you authenticated to the remote share by logging into the machine you authenticated as the domain user, but the local administrator under whose context the elevated copy is being performed never authenticated to the remote share and you get prompted yet again for credentials.
This is an annoyance for an end user but a major pain in the neck for software. I develop software that does not run elevated that accesses a remote file and the passes the file path into an out-of-process server that is running elevated. We either had to make the server no longer run elevated or prompt the user for credentials they already used to log into the machine (and which they don't think they need because they can get to the files just fine themselves) and then pass these credentials to the server with the path. Fortunately our architecture allowed us to have our server to not run elevated and get some other server to do the tasks that needed to be done elevated.
Vista is really a pain in the neck. What's funny about it is that I was at a Vista iterop event at Microsoft last November (yes I sometimes have to fraternize with the enemy) and every MS developer I worked with had to tell me how much they loved working on Vista and that they had been using Vista on their development machines for months. I asked them if they had disabled UAC and they said "no, why would you want to do that?" I then asked them if it wasn't annoying to be prompted all the time and they said "no." I can only assume that they must have been brainwashed.
Everyone who complains that UAC is annoying doesn't understand that the purpose of UAC is to be annoying. UAC makes elevation a pain, in the hope that software creators will write software which doesn't need to elevate!
VMWare 6, for example, constantly elevates on Vista. What do you want to bet that VMWare 7 won't?
Well behaved programs elevate only when and where they have to. Even if 50% of Vista users turn UAC off, that's still 50% of your client base who is being constantly bombarded by elevation dialogs. The solution? Write your software so it doesn't need to elevate.
As for the article - installers pretty much have to elevate. This is true on Windows and with Linux packages (when was the last time you ran apt-get without using sudo or running as root?). Some have pointed out that you can install most packages in Linux to be specific to your user account, using special flags. This, of course, is possible in Vista as well, if MSI packages are used.
Note that I do agree that it's a problem that you can't override UAC detection. There needs to be a "don't run as administrator" option.
Classic windows security. You can either do anything, or you can't even change the background picture.
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Sounds like Clippy has been re-incarnated.
The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now its worse because the operating system blocks and asks you to click a bozo box every time you do anything?
* smashes head on desk *
Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who its designed for, or if its even designed at all.
The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when your supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.
* smashes head on desk again *
Microsoft can't even rip off existing security models that work like the elevated priveledges in OS X. Microsoft embarasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.
Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.
Oh, and I almost forgot.
Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.
Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?
* smashes head on desk again *
Then the article is wrong. You can manifest an installer or exe to default to admin and UAC prompts, or AsInvoker if you know you can install without special access (installing to a user directory only for example). You can see more information here: http://channel9.msdn.com/Showpost.aspx?postid=2112 71
What you aren't understanding is: it isn't the concept of asking for permission when you need to do something that requires administrator rights, that Microsoft got right, it's the way they implemented this feature that is so bad. Microsoft often gets the general ideas right, but the details are so wrong.
Higher up in the thread someone mentions what happens when you copy a file to a folder in Program Files. Because Program Files folders are protected you need elevated permissions to do that. The right thing to do is say that it requires elevated permissions, ask if you want to do it, then do it. But in some cases it asks you 3 times for one file (do you want to copy, do you want to elevate, do you want to overwrite, do you want to be admin, do you need help with writing your letter). Why can't they give you one box that says, "The file already exists and this copy requires administrator rights, do you want to allow this?", then when you say OK, you are done. Why, why, why can't they do this, are they short of money?
And Mac and Linux do exactly the same thing, they ask your permission to do admin tasks, except they got the details right so they don't irritate the user to death. A guarantee people are just going to shut off UAC because it's annoying, defeating the whole purpose.
cause then there will be a story on here going on about how Microsoft stole from Unix, then we get 800 comments about how microsoft is evil for doing it, yet no one will mention that Apple did the same thing cause they aren't the evil microsoft.
Whatever. For starters, Apple didn't just steal from Unix, they build their OS on top of Unix. And you can't read any article on OSX around here without a dozen posts pointing that out, so the "no one will mention" part is just crap. Of course Apple never hid the fact that they were "stealing" Unix by building their OS on top of BSD. The whole point being to start with a solid OS with all these great Unixy concepts built in and add their Apply interface on top. Whereas when Microsoft steals these features after another five years, they'll act like they were struck by inspiration out of the blue and done something that nobody's done before, like they have with every other idea they've stolen. So the "did the same thing" part is crap too.
It may be fun and easy to take a poke at the "/. doublestandard", but it only reveals that you don't understand that it isn't a double standard at all. Microsoft has a bad rep for a reason among those who have been paying attention, and hey, maybe you don't know or understand why but don't think Apple would get a pass if they truly did the same things Microsoft does.
Next up: Why viewing Halliburton in a harsher light than Bob's General Contracting is also not an unfair double standard.
The enemies of Democracy are
Microsoft embarasses me as a computer professional
Wow, I had never heard anyone said it so succinctly, but that's it, baby. I always felt an unrecognized sense of shame for the state of computers today, and I never quite realized why. This is it. Things should be *soooo* much further along today, if it weren't for the predatory monopolistic effects of MS. Throughout so much of the short PC history, there were rays of sunshine (Quarterdeck's multitasking DOS thing, many IP stacks, etc., etc), that were quashed by their monopoly. To see this happen, and realize their mediocracy, and not have done anything about it, definitely brings a sense of shame.
Love many, trust a few, do harm to none.
You have just clicked yes. Did you really want to click yes?
The Tao of math: The numbers you can count are not the real numbers.
My few hours with Vista taught me something important about operating system design. That is, a good operating system should make you feel like you're in control of your computer. Like you're the one calling the shots and that the system will do exactly what you want it to do without fuss. Further, the experience of using a good OS should make you TRUST your computer and feel as if your computer TRUSTS you. You should not have to beg an OS to install an app or run an executable. Even if you do something that is possibly dangerous to security, the most it should do is ask "are you SURE?"
I don't want to wonder if my computer is tattling on me if I'm downloading an mp3 without DRM or watching a copy of a video that a colleague gave me. I don't want to think my computer is a rat or a punk. I don't want to think my computer will rebel if I run a perfectly legal program like Alcohol or rip.net or want to install the k-lite mega codec pack.
DirectX10? It's going to take more than DirectX10 for me to accept my computer as a spy in my home.
You are welcome on my lawn.
Whose gonna do it? You? You, Slashdotter? Windows has a greater responsibility than you could possibly fathom.
You weep for Tux, and you curse the DRM. You have that luxury. You have the luxury of not knowing what Windows knows.
That Tux's death, while tragic, probably saved lives. And Window's existence, while grotesque and incomprehensible to you, saves lives.
You don't want the truth because deep down in places you don't talk about on Slashdot, you want Windows on that firewall, you need Windows on that firewall.
Windows use words like honor, code, loyalty. Windows uses these words as the backbone of a codebase spent defending something.
You use them as a punchline. Windows has neither the time nor the inclination to explain itself to a Slashdotter who rises and sleeps under the blanket of the very freedom that Windows provides, and then questions the manner in which Windows provides it.
Windows would rather you just said thank you, and bought copies for your entire extended family. Otherwise, Windows suggests you pick up a browser, and send a POST.
Either way, Windows doesn't give a damn what you think you are entitled to.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
And the worst part is, if you tell them the truth -- "it does that because Microsoft sucks at making software" -- they don't believe you and think you've got some kind of unfounded grudge against Microsoft!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Are you sure you want to cancel the operation?
[ OK ] [Cancel]