Slashdot Mirror
Tricking Vista's UAC To Hide Malware
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
The original generic sig.
Basically its a way to get a green pop-up, which usually means safe applications. It relies on the user blindly saying "yes" to these green pop-ups
With every release of Windows, Microsoft seems to devise some new, overly-complicated scheme to try to protect Windows users. The scheme they came up with may sound great, but then it falls flat on its face because of some minor flaw or workaround.
So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.
While it may be true that different colored borders are supposed to mean varying levels of "trust", as in what component is running, I don't think any user would know that. The text in the dialogs doesn't appear to be different (that I can tell), so why would a border color make me go "Oh, I should let that action happen, I bet that's some Control Panel action", especially when I wasn't working with the control panel.
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system.
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.
I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.
Better listen up; this is coming from Symantec, the guys that brought us Norton Internet Security. These guys KNOW how to really mess computers up.
Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
Just get it to vibrate around like those horrible "you're the 99999th visitor!" pop-ups, and anyone would click whatever to get rid of it. Furthermore, you could change it to one of those "are you stupid?" pop-ups, that the "no" button moves around. There are a zillion ways to get someone to click the button you want.
stuff |
From what I understand, the UAC thing comes up all the time (even copying and pasting?!?!), so people just will ignore it and say allow all the time. Also, I read here on slashdot that UAC didn't ask anything when installing software, so there is the best backdoor already put into the OS as a design decision.
Its really sad that people believe that Windows == computers. It will take a decade for people to get over the PTSD once another system becomes available to the general public.
I got binary nonsense when I followed the link to the article.
The Mirrordot link works: http://mirrordot.org/stories/bdc4f568dcc5c7b125832 2aec4d77944/index.html
This isn't security, this is a legal CYA.
Why is Peter Norton always standing there with his arms folded?
He's waiting for Norton Desktop to load.
Fallout 3 will suck.
These guys are pointing this out, because they want to sell symantec products. Thats the only reason why this article came out. It's the only reason why Symantec released this statement. They want to put the message out there that "You're not secure without Norton"
This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and lets use it to make us money"
The old anti virus company making viruses, just to fuel sales... has come true. They dont have to release the viruses though, but simply they figured something out, and to tell the world that something.
Profit at all costs.
why bother writing a story about a story when you can just link to the original
n se/weblog/2007/02/an_example_of_why_uac_prompts.ht ml
http://www.symantec.com/enterprise/security_respo
Sad scene. Symantect sinks to an all time low, after years of destroying countless Windows PCs and frustrating millions, all while being ineffective in detecting and removing viruses, but very effective in detecting and removing Windows kernel after flagging it as a deadly virus in your PC. The asking the user to REBOOT
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
The main problem I have seen with Vista since the first RCs is the monotonous regularity that these messages pop up with during regular system use. The old adage that practice makes perfect is incorrect; Practice makes permanent is the real outcome and microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.
I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
I've been using Vista for a month. There were color differences?
As people have noticed, M$ has made UAC such a psychotic pain that no one is going to use it. They are all going to be running as root all the time. People have also speculated that this is so M$ can blame the user later. Vista is going to have the same kind of four minute half life on any network as XP did, regardless of market share, and no user action will be required.
The problems the current article points out are just icing on the cake and will always exist for a non free OS. Users are forced to trust software companies that don't trust each other and despise the user. These companies refuse to co-operate and frequently sabotage each other to gratify themselves. The net result is systems crawling with easily exploited ad, spy and malware. Community inspected free software, like Debian, is the only kind of software users will ever be able to trust.
Friends don't help friends install M$ junk.
Actually, I feel quite secure with my XP SP2 behind a well configured router, without any anti-virus. I don't think I've got any viruses on it, but if I do, it doesn't feel as slow as a computer running Norton.
Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?
This is what the other guy said, "Vista is designed to make you feel warm and fuzzy and happy while your machine is being rooted."
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The apathy demonstrated by M$ or thier sheer ignorance
:) }
meh...who knows?....who cares?
{so, is this joke beaten to death yet
A goal is a dream with a deadline
Lisa: We're from the MTV generation; We feel neither highs nor lows.
Homer: Wow! How does that feel?
Lisa: Meh...
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
These are the same guys that sell Mac OS antivirus through fear and can never have enough access to the Vista kernel.
Microsoft has some big problems with security, but Symantec is sickeningly desperate. I used to depend on Norton/Symantec to keep my computer from dying. Now I just want the company to die (as desperate companies sometimes do). They sound like one big Mad Money "sell-sell-sell" button, just wanting to sell something to the public for whatever they use.
You can hold down the "B" button for continuous firing.
Am I the only one who sees UAC and thinks "Union Aerospace Corporation".
Too much gaming and not enough Windows I guess.....
Hey -- this is simply a setuid root shell, a potential security hole as old as Unix. Apparently programmers never learn from experience. When I administer a system, a program which runs other programs based on user input doesn't get to be setuid root.
The big issue I see with both the KDE/Gnome/Windows popup boxes is that you regularly click on software and it says something like "This operation requires admin permissions, please enter your password" - at which point the user enters the password into the next box which appears. ...So simply code a box which *looks* like the system popup and capture the users password... OK, perhaps windows pops up some additional boxes subsequently, but I doubt that's a major barrier and I would suspect even a completely different style of popup box asking for a password (to the normal system one), would still fool about 30%+ of computer users...
Seems like a really simple way to blow open this whole silly "click to authenticate" thing...?
I don't use Vista so I don't fully understand. Do the colours of the popups provide security-related information? Seems pretty ridiculous and unfair, considering I'm not the only person in the world who is colourblind...
So basically Symantec is saying:
1) Sneak in a file with a virus payload
2) Execute that file, triggering the UAC
3) User blindly clicks "OK"
Of course, the point of UAC is to prompt the user when something is trying to run that requires admin privledges. Users know that when they see this box randomly pop up that something unusual is happening.
Unless they just said to install some software or tried to change a setting themselves, seeing this pop up when they visit MySpace or something shouldn't be a problem.
UAC is meant to provide users with an alert saying "something bad may be happening, stop it?" It's not meant to completely lock down your computer to the point where you have to log off and back on as an admin to do anything.
-David
People use non free OSes these days because they honestly dont know how things work, and wont spend the time to. Its the same reason why anyone can build a car, but noone really does.
No.
People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.
People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that that they'd ever sell any cars with the hood welded shut.
-- Alastair
What, you mean Vista's security model relies on users not being colorblind?!
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
I know, red isn't the color of danger, heck if they watched Dr Who they'd know that
Mauve is the color of danger.
Sheesh, how unprofessional can you get?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Since you've never actually used it but rely solely on the "opinion" of people who think exactly like you, I think it's safe to dismiss your opinion here? Oh, especially when you link to something you did with your sockpuppet account.
BTW, I find it hilarious that the author of that "OMFG Microshaft Winblows SUXX" wankfest complained about Vista obscuring the background. Isn't that rich? GNOME does that as well, although inconsistently. I'll let you figure out why.
I love your little zealot bullet points, twitter. "Microsoft sues schoolchildren" and "four minute half-life". Wasn't that twelve minutes though? Heh. BTW, Vista has been out for more than a year for all practical purposes, and probably has a market share that is bigger than Linux and Mac combined. Your predictions simply don't pan out, do they?
twitter, you are so good with weasel words it's not even funny. Have you ever thought about running for office? You'd make a great politician. The ability to compress so much bullshit negativity and FUD into such small a paragraph is just astounding. You should seriously consider it.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Wow...
If I can infect your system with a trojan and drop files onto your hard drive and then remotely run code, I can get you to click OK to a box that could infect your system.
Truly groundbreaking work here. Seriously, I mean, if all I have to do to possibly infect your system, is infect your system... well hell, Vista will probably be recalled!
As usual, TFA doesn't live up to the summary hype. But that won't stop the MS haters from jumping on board with a "See! It's broken!"
Really, the story for me here is "Someone infects your Vista with a bug and tries to elevate the program to Admin, and even though you're infected Vista STILL pops up a warning box... it just happens to be green instead of orange."
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
My problem with UAC is that I bought a new computer recently, with Vista pre-installed and during the initial setup it prompted me to create a user account. The user account had full admin privileges. I immediately set up a lower privilege account for general webbrowsing etc, and when using that account not only do I have UAC confirmation messages, but I also have to enter a password. That is a good thing - rather like 'su' in Unix like operating systems or Ubuntu's locked screed admin method. Users just aren't going to realise the importance of what they're doing with just binary yes or no security questions. If anything with the initial account defaulting to admin, Pavlov's dog like, they're going to be conditioned to hit yes without thinking. People aren't paranoid even though people are out to get them.
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer literate users (nobody else.
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.
Come on, we've all played Doom. Are you honestly going to trust something named UAC?
Should an operating system handle normal and predictable events without data loss or incriminating the customer?
Let's jail the malware authors no matter what, but let's face it, attacks on Internet-connected machines are as predictable as rain in Seattle. Seattle homebuilders aren't allowed to leave off a roof and then say "what, you expect me to control the weather?".
A computer is a software player, its value comes from being able to install and run software. If it runs a web browser, it runs Javascript software without even asking the user.
A company with thousands of engineers and a large research department should have figured out, somewhere around 199x at the latest, that giving every program all the rights of the logged-in user (and compelling a root login at that) was an obsolete idea.
Either I don't know anything about computer segurity (odd as I get paid for that) or these guys don't know anything about security (odd as THEY get paid for that). In order for this "hack" to work the user has to download malicious code from the Internet, run it and accept a warning that indicates there's a dangerous elevated operation going on. How is this a hack in any way? Normally, if the user ran malicious code on Vista and it tried an elevated operation, it would trigger a warning. If the user accepts the warning, the code is run elevated and the computer becomes damaged. That's how it is designed to be, and that's even more than most platforms do in this respect. In this situation, exactly the same applies. The user has to download the code, run it, and accept a security warning. So where's the hack? A real hack would be to prevent a security warning from raising, not to raise a security warning when one is granted (or not).
I think it's more a case of a hack that allows misrepresentation, after all it doesn't escalate privileges or straight out compromise the system. But in combination with the standard social engineering as seen on most malware sites it should be classified as a hack.
Since when do restricted users get to delegate administrative privlidges ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I would say that the number of kitchen fires every year contradict your point.
On a more serious note, we already have computers that are appliances. They are call DVD players, CD players, TVs, Alarm Clocks, Coffee makers, and yes, sometimes toasters. The reason that computers will never be built like appliances is that when it is, it is no longer called a computer. Just look at the mythical "Video Game Crash". People will argue all day long that all the people shifting to full fledged personal computers don't count as video games because a console is not a computer. Now a rational person knows that it is. The Atari 2600 had computer right on the box. It even had a retail programming language available. Unfortunately, rational people are in the minority, and don't necessarily get to pick the definitions of words. So, until you can convince most people to consider their TV that has a more powerful CPU than any PC of the early to mid 80's, a computer, it will be physically impossible to make the PC into an appliance. Heck, you could start by just convincing people to consider their game console a computer.
Always back up, never back down. ---- Think you're cool 'cos your uid is prime? Take mine, modulo the one digit integers
My Point Still Stands You guys will see in the coming months you will agree with me.
...because Parent deserves far worse than a -1. Cap us at "+5, Insightful", but let us mod people "-12835, Flamebait"
Don't thank God, thank a doctor!
But presumably that also has some sort of UAC when you try and run it?
Who cares about this if you've already compromised the security? anyone else think that Symantec are getting nervous?
Their security guides for Vista are among the best Microsoft has ever produced.
That's sort of like saying that the Yugo GVX is the best car that Zastava ever produced. Yes, it may be true, but...
This ain't rocket surgery.
Actually, I think that this is either a) Proof of Concept or b) something that a trojan would do...
The secure desktop, as used by the UAC, doesn't require Ctrl-Alt-Delete. That was removed somewhere during Vista's testing process. In fact pressing control alt-delete stops the UAC process, and takes you to a screen that allows you to switch user/launch the taskmanager etc. so a spoof program would present exactly the same behaviour except it wouldn't exit after pressing Ctrl-Alt-Delete. That's not a distinction most users are going appreciate.
The problem with the UAC prompts is that people are going end up pressing yes as a reflex action. In part because most applications are currently not entirely very Vista friendly, which means they invoke UAC (sometimes unnecessarily) an awful lot. This is not entirely Microsoft's fault.
But, you're right, preventing spoofed authentication dialogues is something most current desktop OSes suffer from. It's just that Vista currently liberally displays the dialogue, which I believe will have a counter-productive effect. Crying wolf.
The (whole) problem is that Peter isn't with the company any more. Kinda went down the crapper when he left.
Isn't there an option to be utterly disinterested due to the unlikihood of seeing it for years to come?
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I thought it was only red/green though in fact it can cover a whole bunch of colors, and apparently at least 1% of the population has color blindness of some type.
It strikes me that Vista's use of green, red, orange, gray, etc. are totally underminded by colorblindness which can confuse colors, dim them or render them conceptually meaningless if I understand the article correctly. Seems like the dialogs should include a mode name too.
To be more specific than the other replies:
Vista's UAC display has four different colors that warns a user how dangerous the action is. The hack is that the malicious code should display a yellow-orange - unsigned/unknown source - but instead displays green-teal - Vista. By displaying an elevated level of trust it makes social engineering easier.
chown -R us