Tricking Vista's UAC To Hide Malware
Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.
I love Microsoft's response:
Meh... the same users who show enough common sense to click on the "you've won a free ipod enter your credit card information here" will obviously be able to know the difference between a good system message and a bad system message
Hooray for apathy!
The original generic sig.
Basically it's a way to get a green pop-up, which usually means safe applications. It relies on the user blindly saying "yes" to these green pop-ups.
With every release of Windows, Microsoft seems to devise some new, overly-complicated scheme to try to protect Windows users. The scheme they came up with may sound great, but then it falls flat on its face because of some minor flaw or workaround.
So maybe what they need to do is to get back to the fundamentals. We only need to look as far as OpenBSD to see how keeping things simple and intelligent results in a very secure operating system. Instead of writing new (and probably buggy) code to try and prevent things like malware, they just repeatedly go over the code they already have, to try to ensure that it is exploit-free. And it works. OpenBSD is a damn secure system.
While it may be true that different colored borders are supposed to mean varying levels of "trust", as in what component is running, I don't think any user would know that. The text in the dialogs doesn't appear to be different (that I can tell), so why would a border color make me go "Oh, I should let that action happen, I bet that's some Control Panel action", especially when I wasn't working with the control panel.
To be honest, Vista's UAC saved my butt recently. I have no idea what application was vulnerable -- but it somehow tried to run exec.exe, which was downloaded into one of my temp folders. The file was deleted after it failed to run (because I said "no"), and then would appear back in a few seconds and try to run again. I'm happy that whatever application was vulnerable wasn't able to do anything to my system.
<tangent> Anyway, while some people may say it's annoying, I'm not sure exactly how many actions a typical user would take that would require UAC prompts. After the first few days of configuring, installing apps, etc..., I have little need to do anything that requires UAC prompts. Defrag is set up to run every night, anti virus is set up to download updates, my resolution settings don't change, etc... </tangent>
That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system.
So we make fun of Homeland Security for their meaningless color-coded threat levels, but take the colored borders of confirmation dialogs on Vista as gospel?
Sorry, this does not constitute a threat. Just one more indication that we need some form of licensure before letting people anywhere near a computer.
I'll gladly join in on the MS bashing - when appropriate. In this case, any blame rests solidly with users who have no idea what they should or shouldn't let run on their computers.
Better listen up; this is coming from Symantec, the guys that brought us Norton Internet Security. These guys KNOW how to really mess computers up.
Just get it to vibrate around like those horrible "you're the 99999th visitor!" pop-ups, and anyone would click whatever to get rid of it. Furthermore, you could change it to one of those "are you stupid?" pop-ups, that the "no" button moves around. There are a zillion ways to get someone to click the button you want.
These guys are pointing this out because they want to sell Symantec products. That's the only reason why this article came out. It's the only reason why Symantec released this statement. They want to put the message out there that "You're not secure without Norton."
This is a corporate propaganda directive, possibly directly from the CEO him/herself. "Find something, and let's use it to make us money."
The old anti-virus company making viruses, just to fuel sales... has come true. They don't have to release the viruses though; they simply figured something out and told the world about it.
Profit at all costs.
UAC prompts are NOT that common, and UAC prompts when copy and pasting is a myth. Please, let it die.
My sig can beat up your sig.
I would be interested in what you consider would protect the user. You have three options here.
1/ No-one decides what goes on your computer. It's an open free-for-all.
2/ Microsoft decides what goes on your computer. Corporate lock-down.
3/ You decide what goes on your computer. You're the boss.
We've already seen what happens with option 1. It's a security nightmare for everyone. I can imagine just how popular the second option there would be, people already have plenty to bitch about the controlling nature of Microsoft without adding to it.
So it's got to be option number 3. The only other thing Microsoft can do then is to warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide.
Which is pretty much what is happening here. And still people complain.
The main problem I have seen with Vista since the first RCs is the monotonous regularity with which these messages pop up during regular system use. The old adage that practice makes perfect is incorrect; practice makes permanent is the real outcome, and Microsoft is basically forcing their customers to practice hitting that continue button while still trying to concentrate on the tasks at hand.
I have found myself clicking continue at the same time my thought registers to *not* click because of something not looking quite right. Since I am no longer developing software for a living, the only OS on my system is Ubuntu! Thank God for Debian, Ubuntu, Red Hat, et al. for their tremendous efforts to give everyone a reasonable alternative; whether we choose to use it is certainly a choice, but we do have the choice.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
Actually, I feel quite secure with my XP SP2 behind a well configured router, without any anti-virus. I don't think I've got any viruses on it, but if I do, it doesn't feel as slow as a computer running Norton.
UAC doesn't actually protect the user, but it enables Microsoft, in response to any virus/worm/trojan/botnet/class action lawsuit to say "well, you clicked allow. It wasn't our fault."
It wouldn't be their fault. Nor should it be their fault.
Microsoft shouldn't be required to take the blame for harm that results to their installation or data because of third party programs that they themselves didn't supply. You allowed the program to run, you deal with the consequences; it isn't Microsoft's fault at all that you decided to allow NastyShitware.exe to run. Why should it be? If you shoot yourself, are Smith and Wesson liable?
If Microsoft was held liable for the actions of third party applications, it would open up the way for lawsuits against pretty much every other OS provider that gave their customers a chance to run nasty programs on their OS. Imagine the lunacy that would result from that. Imagine the ass-covering lockdown that would most likely result. Not very nice at all...
By summer it was all gone...now shesmovedon. --
People have also speculated that this is so M$ can blame the user later. So they went through all the trouble to try and create a system which lets users know more about what's happening, to tell them that in the end it's all your fault if you get a virus? Why not just say in the EULA "Don't click anything, it could be a virus/worm/trojan/spyware/adware. We won't help you then"? Furthermore, why does Windows have so much support then? Why are there updates? It's not "Deal with it yourself", it's most likely "We can't protect you from it all, but we will try." As for the non-free OS comment: people use non-free OSes these days because they honestly don't know how things work, and won't spend the time to. It's the same reason why anyone can build a car, but no one really does.
The basic problem is the assumptions behind your classification. You assume that "something on your computer" equates to "your computer is compromised." I agree that the user needs to be the one determining what is installed and, further, I agree that the OS should, "warn the user what's happening to their computer, provide as much useful information as possible (in as much a user-friendly manner as possible) and then let the user decide." You're still missing a piece of the puzzle here. The OS needs to let the user know what is going on, very specifically, and the OS needs to let the user allow and deny behaviors very specifically. That is how UAC fails.
"Which is pretty much what is happening here. And still people complain."
The Register described UAC as "too little too late." That about sums up my opinion. It is a baby step in the right direction, but nowhere near enough to actually solve the problem users have, and because of the implementation of certain elements it may lead to greater long-term insecurity because of the way it trains users.
Here's a simple example of how UAC fails and why. A user downloads a trojan installer and double clicks on it. Installers, by default, run as admin and require the user to click "Allow" in a UAC prompt. This means a trojan installer and a freeware game installer appear, to the user, to be exactly the same. Worse, the user has been asked to click "Allow" many times for other procedures where there was very little risk. What would make any reasonable security person assume the user will not click "Allow?"
My assertion is that by default the user should be allowed to install anything they want, but that all software should run in an ACL sandbox, by default, and should be restricted from certain behaviors by default and that the user should be prompted not when installing software, but when the software actually tries to do something most legitimate software does not need to do, and then they should be given well crafted dialogue boxes with unique actions for buttons to avoid conditioning.
This is entirely doable; it just requires that MS take security seriously, actually look at the problem and the behaviors of users, and create a technological solution designed to solve that problem. UAC is a "me too" solution that tries to bring security up to par with common Linux and OS X desktops, but it ignores that those desktops are not under constant attack by malware while Windows is. Windows needs to be better than the average Linux desktop in order to provide users with the same risk of infection. UAC is nowhere near the level of security needed, and the poor UI design exacerbates existing security problems brought on by previous poor UI designs in Windows.
If you read the article, you would have seen that they are not mimicking the UAC screen but actually causing Vista to prompt the user with a real UAC dialog that grants Admin privileges.
From the Article:
-- Jason
I don't use Vista so I don't fully understand. Do the colours of the popups provide security-related information? Seems pretty ridiculous and unfair, considering I'm not the only person in the world who is colourblind...
"People use non-free OSes these days because they honestly don't know how things work, and won't spend the time to. It's the same reason why anyone can build a car, but no one really does."
No.
People don't build their own cars for the same reason they don't write their own OS from scratch: it's too much work, and they don't need to.
People use free OSes for the same reason they don't buy cars with the hoods welded shut. The difference is that there's no auto manufacturer with sufficient monopoly that they'd ever sell any cars with the hood welded shut.
-- Alastair
And if you are just blindly clicking "Allow" without ever reading or thinking about what you are doing, how is it anyone else's fault but your own?
"But this one goes to 11!"
My problem with UAC is that I bought a new computer recently, with Vista pre-installed, and during the initial setup it prompted me to create a user account. The user account had full admin privileges. I immediately set up a lower-privilege account for general web browsing etc., and when using that account not only do I get UAC confirmation messages, but I also have to enter a password. That is a good thing, rather like 'su' in Unix-like operating systems or Ubuntu's locked-screen admin method. Users just aren't going to realise the importance of what they're doing with just binary yes-or-no security questions. If anything, with the initial account defaulting to admin, Pavlov's-dog-like, they're going to be conditioned to hit yes without thinking. People aren't paranoid even though people are out to get them.
To rectify this problem Microsoft should make it clear during installation that the initial admin account shouldn't be used as the main account. This is not clear during the installation.
Good things:
- Internet Explorer's protected mode.
- Making sure the heap is in a different place on each computer.
- UAC is good for experienced or computer-literate users (nobody else).
Bad things:
- UAC, in its present form, is just training computer illiterate people to click yes. There is an emphasis with a consumer operating system to educate the user. Not necessarily enforce (that would restrict freedom) but it should educate. All or nothing is not good.
- Idiot reviewers thinking that an operating system is the largest contributory factor in the speed of a computer. Saying Vista is faster than XP when it's been run on a new, much faster computer, is a little like trading a saloon car for an Aston Martin and saying that the Aston Martin is faster because of the upholstery.
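The post above contrasts a consent-only yes/no prompt with a credential prompt on a lower-privilege account. As an added example (not from the thread or from Microsoft), this PowerShell script reads the documented UAC policy values and reports which prompt an administrator and a standard user get, and whether the prompt is drawn on the isolated secure desktop. The registry path and value names are the standard UAC policy settings; the description tables and the finding texts are constructed here.

```powershell
# Added example, not from the thread: audit the UAC policy values that decide
# which elevation prompt appears and whether it is drawn on the secure desktop.
# Registry path and value names are the documented Windows UAC policy settings.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyPath

# Meaning of ConsentPromptBehaviorAdmin (paraphrased descriptions).
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# Meaning of ConsentPromptBehaviorUser (paraphrased descriptions).
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Translate a raw policy value into text; a missing value means the built-in
# default applies, so it is reported as such rather than treated as 0.
function Get-ValueDescription($table, $value) {
    if ($null -eq $value) { return 'not set (built-in default applies)' }
    $key = [int]$value
    if ($table.ContainsKey($key)) { return $table[$key] }
    return "unknown value $key"
}

$report = [pscustomobject]@{
    AdminApprovalMode  = [bool]$policy.EnableLUA
    AdminPrompt        = Get-ValueDescription $adminBehaviour $policy.ConsentPromptBehaviorAdmin
    StandardUserPrompt = Get-ValueDescription $userBehaviour $policy.ConsentPromptBehaviorUser
    SecureDesktop      = [bool]$policy.PromptOnSecureDesktop
}
$report | Format-List

# Findings a defender would flag: each weakens the barrier the thread is about.
$findings = @()
if (-not $report.AdminApprovalMode) {
    $findings += 'EnableLUA is 0: administrators run fully elevated and no prompt appears at all.'
}
if ([int]$policy.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin is 0: elevation is silent for administrators.'
}
if (-not $report.SecureDesktop) {
    $findings += 'PromptOnSecureDesktop is 0: the prompt shares the desktop with ordinary windows, so look-alike dialogs are harder to tell apart.'
}
if (@(2, 4, 5) -contains [int]$policy.ConsentPromptBehaviorAdmin) {
    $findings += 'Administrators get a consent-only yes/no prompt; values 1 or 3 require credentials, the deliberate step the post above prefers.'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No weak UAC settings found.' }
```

Run it from an elevated or a standard-user session alike; it only reads the policy keys, and on a machine where the prompt settings were never changed it reports the built-in defaults as "not set".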
From what I understand, the UAC thing comes up all the time
It does not.
I'm rather amazed at the number of posters who criticize Vista without having used it. Many people make good points about the all-or-nothing permission granting of the UAC, but it is better than having people run as Admin. My guess is that the typical user will still run as admin most of the time, since it's convenient. Microsoft should guide people through the simple steps of setting up a user account when the OS first comes up. It's less hassle than typing in the license key. Then again, I don't have a boxed version of Vista, so maybe they say something about that in the retail version.
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
That sort of depends upon how high the false positive rate is in general.
"The UAC is not a magic bullet, but it is a far better solution than anything we have today. Do you have a better idea? Don't let these programs run at all?"
I'm not saying UAC is worthless, just that it is far from ideal, or even sufficient to provide the security needed by the average user. As for having a better idea, I sure as hell do. I think any reasonable security engineer who looked at Windows with the goal of solving the malware problem would conclude several things. First, Windows is attacked so much more often due to its dominance that the security mechanisms on more secure desktops, like Linux, are still insufficient to solve the problem. Second, if you look at the most secure OSes available today, they've all gone the same route: mandatory access controls. That is to say, locking down security on an application-by-application basis with restrictions for all resources, not just files or network ports.
Moreover, MS already started to implement a signing framework needed to bring MAC to a desktop user in a usable way and the NT kernel has built in support for the kind of ACLs needed. The answer is pretty obvious at that point. The assumption that users will know if they can trust a given application and are not going to run software that they don't expressly trust is an incorrect assumption.
MS engineers, however apparently look at things a little differently. Instead of innovating a solution to the problem or even copying the really secure systems on the market, they looked at their closest competitors and tried to come up with something that would be "close enough" to what Linux and OS X have implemented that people would not see them as way behind anymore. They seem to have been trying to solve the problem that people perceive them as insecure, rather than the problem that users cannot do what they need to do securely. UAC addresses the perception by being very visible, while not really getting there for actual security.
As for their application signing solution (a needed tool for both users and the OS to determine trust) MS's normal self seems to have undermined it by building a framework designed around lock-in, rather than one that fosters competition among certifiers of trust that would lead to really useful information. At this point, I basically have no faith that MS has the ability to engineer a truly secure solution and the only hope for MS's customers is that someone else will do it so MS can copy it.
I don't know what world YOU live in, but ignoring security recommendations, not researching anything, and just clicking "Allow" without a clue to what you are allowing is not Microsoft's fault.
Will it happen all the time? Absolutely. Are a significant number of computer operators basically shaved apes without a clue about security? Absolutely. Does that make it Microsoft's fault? Absolutely not.
How do you suggest Microsoft cures the world of dumb computer users who won't do what they are told, and who go against what common sense would dictate? Say someone bought a car, drove it until it died and then brought it to a repair shop where it was discovered there was no oil or engine coolant in it. ("Well, I saw some lights go on, but there are so many lights on the dashboard I just ignored them and kept driving.") Would it be the fault of Chevrolet because the operator couldn't be bothered to RTFM or understand how to properly operate a car before doing so?
"But this one goes to 11!"
Either I don't know anything about computer security (odd, as I get paid for that) or these guys don't know anything about security (odd, as THEY get paid for that). In order for this "hack" to work the user has to download malicious code from the Internet, run it and accept a warning that indicates there's a dangerous elevated operation going on. How is this a hack in any way? Normally, if the user ran malicious code on Vista and it tried an elevated operation, it would trigger a warning. If the user accepts the warning, the code is run elevated and the computer becomes damaged. That's how it is designed to be, and that's even more than most platforms do in this respect. In this situation, exactly the same applies. The user has to download the code, run it, and accept a security warning. So where's the hack? A real hack would be to prevent a security warning from being raised, not to raise a security warning when one is granted (or not).