Tricking Vista's UAC To Hide Malware
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
Basically it's a way to get a green pop-up, which usually means safe applications. It relies on the user blindly saying "yes" to these green pop-ups.
With every release of Windows, Microsoft seems to devise some new, overly-complicated scheme to try to protect Windows users. The scheme they came up with may sound great, but then it falls flat on its face because of some minor flaw or workaround.
So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.
While it may be true that different colored borders are supposed to mean varying levels of "trust", as in what component is running, I don't think any user would know that. The text in the dialogs doesn't appear to be different (that I can tell), so why would a border color make me go "Oh, I should let that action happen, I bet that's some Control Panel action", especially when I wasn't working with the control panel.
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system.
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.
I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.
Better listen up; this is coming from Symantec, the guys that brought us Norton Internet Security. These guys KNOW how to really mess computers up.
Just get it to vibrate around like those horrible "you're the 99999th visitor!" pop-ups, and anyone would click whatever to get rid of it. Furthermore, you could change it to one of those "are you stupid?" pop-ups, that the "no" button moves around. There are a zillion ways to get someone to click the button you want.
I got binary nonsense when I followed the link to the article.
The Mirrordot link works: http://mirrordot.org/stories/bdc4f568dcc5c7b1258322aec4d77944/index.html
This isn't security, this is a legal CYA.
These guys are pointing this out because they want to sell Symantec products. That's the only reason why this article came out. It's the only reason why Symantec released this statement. They want to put the message out there that "You're not secure without Norton."
This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and lets use it to make us money"
The old anti-virus company making viruses, just to fuel sales... has come true. They don't have to release the viruses though, but simply they figured something out, and tell the world that something.
Profit at all costs.
Uh there have been lots of systems available to the general public for the twenty years Windows has been around. People didn't get over it.
UAC prompts are NOT that common, and UAC prompts when copy and pasting is a myth. Please, let it die.
Sad scene. Symantec sinks to an all time low, after years of destroying countless Windows PCs and frustrating millions, all while being ineffective in detecting and removing viruses, but very effective in detecting and removing the Windows kernel after flagging it as a deadly virus in your PC. The asking the user to REBOOT
The main problem I have seen with Vista since the first RCs is the monotonous regularity that these messages pop up with during regular system use. The old adage that practice makes perfect is incorrect; Practice makes permanent is the real outcome and microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.
I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.
Personally, I haven't had much trouble with UAC, and I do a lot of copy/pasting. It did come up when Firefox wanted to upgrade, but that's no surprise.
Just to add the UAC prompt does NOT come up all the time and does NOT appear when copying or pasting.
It IS damn annoying though!
I personally feel that most people won't turn it off because they won't realise that they can.
But in saying that most people won't read what it says anyway.
(The above is based on experience.)
Actually, I feel quite secure with my XP SP2 behind a well configured router, without any anti-virus. I don't think I've got any viruses on it, but if I do, it doesn't feel as slow as a computer running Norton.
Ok. Time for a question. So you've programmed a screen to mimic UAC. Good job. Now, to do any damage, your app must request elevation from Vista. Uh oh, guess what. Time for a REAL UAC prompt. Now what?
People have also speculated that this is so M$ can blame the user later. So they went through all the trouble to try and create a system which lets users know more about what's happening to tell them that in the end it's all your fault if you get a virus? Why not just say in the EULA "Don't click anything, it could be a virus/worm/trojan/spyware/adware. We won't help you then"? Furthermore, why does Windows have so much support then? Why are there updates? It's not "Deal with it yourself", it's most likely "We can't protect you from it all, but we will try." As for the non-free OS comment, people use non-free OSes these days because they honestly don't know how things work, and won't spend the time to. It's the same reason why anyone can build a car, but no one really does.
This is what the other guy said, "Vista is designed to make you feel warm and fuzzy and happy while your machine is being rooted."
The apathy demonstrated by M$ or their sheer ignorance
meh...who knows?....who cares?
{so, is this joke beaten to death yet :) }
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
These are the same guys that sell Mac OS antivirus through fear and can never have enough access to the Vista kernel.
Microsoft has some big problems with security, but Symantec is sickeningly desperate. I used to depend on Norton/Symantec to keep my computer from dying. Now I just want the company to die (as desperate companies sometimes do). They sound like one big Mad Money "sell-sell-sell" button, just wanting to sell something to the public for whatever they use.
The problem is that most WinXP apps need admin rights without any reason, and that's really insecure 'cause you need to be admin to do any serious work. So MS decided that running such apps should be a pain in the ass - at first it will be bad, but once developers rewrite things to work as a standard user (and they will be forced to do it, or users will get mad), UAC warnings will appear only when something does really need user attention.
Hey -- this is simply a setuid root shell, a potential security hole as old as Unix. Apparently programmers never learn from experience. When I administer a system, a program which runs other programs based on user input doesn't get to be setuid root.
I think your signature shows you to be the zealot that you are.
UAC is not that big of a deal.
I don't use Vista so I don't fully understand. Do the colours of the popups provide security-related information? Seems pretty ridiculous and unfair, considering I'm not the only person in the world who is colourblind...
So basically Symantec is saying:
1) Sneak in a file with a virus payload
2) Execute that file, triggering the UAC
3) User blindly clicks "OK"
Of course, the point of UAC is to prompt the user when something is trying to run that requires admin privileges. Users know that when they see this box randomly pop up that something unusual is happening.
Unless they just said to install some software or tried to change a setting themselves, seeing this pop up when they visit MySpace or something shouldn't be a problem.
UAC is meant to provide users with an alert saying "something bad may be happening, stop it?" It's not meant to completely lock down your computer to the point where you have to log off and back on as an admin to do anything.
-David
Except that by default, whether it needs permission or not, installers ask for and run with admin permission. That means developers have no motivation to stop writing installers that require administrative permissions, and malware writers' trojans that ask for such permission will not stand out even if developers did change their behavior for some other reason.
People use non-free OSes these days because they honestly don't know how things work, and won't spend the time to. It's the same reason why anyone can build a car, but no one really does.
No.
People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.
People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that they'd ever sell any cars with the hood welded shut.
-- Alastair
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
I know, red isn't the color of danger; heck, if they watched Dr Who they'd know that.
Mauve is the color of danger.
Sheesh, how unprofessional can you get?
Since you've never actually used it but rely solely on the "opinion" of people who think exactly like you, I think it's safe to dismiss your opinion here? Oh, especially when you link to something you did with your sockpuppet account.
BTW, I find it hilarious that the author of that "OMFG Microshaft Winblows SUXX" wankfest complained about Vista obscuring the background. Isn't that rich? GNOME does that as well, although inconsistently. I'll let you figure out why.
I love your little zealot bullet points, twitter. "Microsoft sues schoolchildren" and "four minute half-life". Wasn't that twelve minutes though? Heh. BTW, Vista has been out for more than a year for all practical purposes, and probably has a market share that is bigger than Linux and Mac combined. Your predictions simply don't pan out, do they?
twitter, you are so good with weasel words it's not even funny. Have you ever thought about running for office? You'd make a great politician. The ability to compress so much bullshit negativity and FUD into such small a paragraph is just astounding. You should seriously consider it.
Wow...
If I can infect your system with a trojan and drop files onto your hard drive and then remotely run code, I can get you to click OK to a box that could infect your system.
Truly groundbreaking work here. Seriously, I mean, if all I have to do to possibly infect your system, is infect your system... well hell, Vista will probably be recalled!
As usual, TFA doesn't live up to the summary hype. But that won't stop the MS haters from jumping on board with a "See! It's broken!"
Really, the story for me here is "Someone infects your Vista with a bug and tries to elevate the program to Admin, and even though you're infected Vista STILL pops up a warning box... it just happens to be green instead of orange."
My problem with UAC is that I bought a new computer recently, with Vista pre-installed, and during the initial setup it prompted me to create a user account. The user account had full admin privileges. I immediately set up a lower-privilege account for general web browsing etc., and when using that account not only do I have UAC confirmation messages, but I also have to enter a password. That is a good thing - rather like 'su' in Unix-like operating systems or Ubuntu's locked-screen admin method. Users just aren't going to realise the importance of what they're doing with just binary yes or no security questions. If anything, with the initial account defaulting to admin, Pavlov's-dog-like, they're going to be conditioned to hit yes without thinking. People aren't paranoid even though people are out to get them.
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer-literate users (nobody else).
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.
Come on, we've all played Doom. Are you honestly going to trust something named UAC?
From what I understand, the UAC thing comes up all the time
It does not.
I'm rather amazed at the number of posters who criticize Vista without having used it. Many people make good points about the all-or-nothing permission granting of the UAC, but it is better than having people run as Admin. My guess is that the typical user will still run as admin most of the time, since it's convenient. Microsoft should guide people through the simple steps of setting up a user account when the OS first comes up. It's less hassle than typing in the license key. Then again, I don't have a boxed version of Vista, so maybe they say something about that in the retail version.
"Dude, how can you say HIV is bad if you haven't ever had it? Why would you listen to other people who do have it?"
Should an operating system handle normal and predictable events without data loss or incriminating the customer?
Let's jail the malware authors no matter what, but let's face it, attacks on Internet-connected machines are as predictable as rain in Seattle. Seattle homebuilders aren't allowed to leave off a roof and then say "what, you expect me to control the weather?".
A computer is a software player, its value comes from being able to install and run software. If it runs a web browser, it runs Javascript software without even asking the user.
A company with thousands of engineers and a large research department should have figured out, somewhere around 199x at the latest, that giving every program all the rights of the logged-in user (and compelling a root login at that) was an obsolete idea.
I think what is most unfortunate is some businesses will disallow the ignore setting and make you endure these popup warnings until hell freezes over.
Either I don't know anything about computer security (odd, as I get paid for that) or these guys don't know anything about security (odd, as THEY get paid for that). In order for this "hack" to work the user has to download malicious code from the Internet, run it and accept a warning that indicates there's a dangerous elevated operation going on. How is this a hack in any way? Normally, if the user ran malicious code on Vista and it tried an elevated operation, it would trigger a warning. If the user accepts the warning, the code is run elevated and the computer becomes damaged. That's how it is designed to be, and that's even more than most platforms do in this respect. In this situation, exactly the same applies. The user has to download the code, run it, and accept a security warning. So where's the hack? A real hack would be to prevent a security warning from being raised, not to raise a security warning when one is granted (or not).
I think it's more a case of a hack that allows misrepresentation, after all it doesn't escalate privileges or straight out compromise the system. But in combination with the standard social engineering as seen on most malware sites it should be classified as a hack.
Since when do restricted users get to delegate administrative privileges?
I would say that the number of kitchen fires every year contradict your point.
On a more serious note, we already have computers that are appliances. They are called DVD players, CD players, TVs, alarm clocks, coffee makers, and yes, sometimes toasters. The reason that computers will never be built like appliances is that when one is, it is no longer called a computer. Just look at the mythical "Video Game Crash". People will argue all day long that all the people shifting to full-fledged personal computers don't count as video games because a console is not a computer. Now a rational person knows that it is. The Atari 2600 had "computer" right on the box. It even had a retail programming language available. Unfortunately, rational people are in the minority, and don't necessarily get to pick the definitions of words. So, until you can convince most people to consider their TV, which has a more powerful CPU than any PC of the early to mid 80s, a computer, it will be physically impossible to make the PC into an appliance. Heck, you could start by just convincing people to consider their game console a computer.
It does seem appropriate -- they both are directly responsible for all Hell breaking loose.
...because Parent deserves far worse than a -1. Cap us at "+5, Insightful", but let us mod people "-12835, Flamebait"
Correct. You *MUST* be an admin to install an application system-wide. This is completely logical and I wouldn't expect any less.
If, on the other hand, you write a user-space application for Vista it will install quite happily just for you. Try it.
But presumably that also has some sort of UAC when you try and run it?
Who cares about this if you've already compromised the security? Anyone else think that Symantec are getting nervous?
Their security guides for Vista are among the best Microsoft has ever produced.
That's sort of like saying that the Yugo GVX is the best car that Zastava ever produced. Yes, it may be true, but...
Except I believe that you have overlooked the fact that many people who package and distribute their software use only one of a few installers, such as the Nullsoft installer. So actually only a few groups have to change their installer behaviours, and then the developers and distributors need to migrate over to the new system.
So yes, developers will have to have some motivation, but that should be nothing that a few successful slashvertisements and diggs wouldn't be able to handle
Actually, I think that this is either a) Proof of Concept or b) something that a trojan would do...
The secure desktop, as used by the UAC, doesn't require Ctrl-Alt-Delete. That was removed somewhere during Vista's testing process. In fact, pressing Ctrl-Alt-Delete stops the UAC process and takes you to a screen that allows you to switch user/launch the task manager etc., so a spoof program would present exactly the same behaviour except it wouldn't exit after pressing Ctrl-Alt-Delete. That's not a distinction most users are going to appreciate.
The problem with the UAC prompts is that people are going to end up pressing yes as a reflex action. In part because most applications are currently not entirely Vista-friendly, which means they invoke UAC (sometimes unnecessarily) an awful lot. This is not entirely Microsoft's fault.
But, you're right, preventing spoofed authentication dialogues is something most current desktop OSes suffer from. It's just that Vista currently liberally displays the dialogue, which I believe will have a counter-productive effect. Crying wolf.
Isn't there an option to be utterly disinterested due to the unlikelihood of seeing it for years to come?
I thought it was only red/green, though in fact it can cover a whole bunch of colors, and apparently at least 1% of the population has color blindness of some type.
It strikes me that Vista's use of green, red, orange, gray, etc. is totally undermined by colorblindness, which can confuse colors, dim them or render them conceptually meaningless, if I understand the article correctly. Seems like the dialogs should include a mode name too.
You're missing the point. By default all installers ask for admin permission and run as admin. If you download an installer, you have to go out of your way to run it as a normal user, which people simply aren't going to do. Thus, there is basically no motivation for developers to write installers that do that. Further, since MS has not provided an official non-admin service for handling licensing of software, developers have a lot of motivation to keep doing the same thing they have been.
To be more specific than the other replies:
Vista's UAC display has four different colors that warn a user how dangerous the action is. The hack is that the malicious code should display a yellow-orange - unsigned/unknown source - but instead displays green-teal - Vista. By displaying an elevated level of trust it makes social engineering easier.