Coding Around UAC's Security Limitations

← Back to Stories (view on slashdot.org)

Coding Around UAC's Security Limitations

Posted by kdawson on Sunday April 27, 2008 @09:02AM from the bounce-pass-out-of-bounds-while-the-ref-isn't-looking dept.

Mariam writes "Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista's UAC limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista's improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest ISVs to publish working code and not actually providing any true protection from malware authors. Quoting from the post: 'Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.'"

26 of 334 comments (clear)

Min score:

Reason:

Sort:

Where have I heard this before? by fahrbot-bot · 2008-04-27 09:05 · Score: 4, Insightful

...Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security...
Sounds like it was written by Homeland Security and the TSA.

--
It must have been something you assimilated. . . .
1. Re:Where have I heard this before? by dhavleak · 2008-04-27 09:30 · Score: 4, Insightful
  Sounds like it was written by Homeland Security and the TSA. That's BS and so is TFA. The part you quoted (which was in bold in TFA) is just an anti-UAC rant thrown in to get attention, and clearly it worked.
  
  The so-called work-around described in TFA:
  - Split iReboot in two parts, a background service and a userspace client
  - Background service runs as SYSTEM or LOCAL SERVICE
  - Userspace client runs unprivileged
  - Installing iReboot now requires an installer
  - The installer requires admin privileges (i.e. you will see a UAC prompt when installing)
  
  Gee, sounds to me like UAC is working exactly the way it should!
2. Re:Where have I heard this before? by Sique · 2008-04-27 09:47 · Score: 2, Insightful
  
  Yes, a ticket pointing out the error would be send back with "works as designed".
  But the design is flawed. The idea was that user interaction shouldn't be able to autostart a program which is able to modify system functions. But it is sufficient to have an autostart program remote control another autostart program to get exactly this behaviour.
  
  --
  .sig: Sique *sigh*
3. Re:Where have I heard this before? by Tony+Hoyle · 2008-04-27 09:48 · Score: 2, Insightful
  
  Except nearly all installers use admin privileges, because the Program Files directory (to name just one) isn't per-user. Windows really isn't structurally designed for per-user installation, although MS have tried it's still half finished. Users know this, and always click yes on installers when prompted.
  
  Any installer can stick a service in there that does privileged tasks, and that means UAC is a thin layer that's easy to work around.
4. Re:Where have I heard this before? by drsmithy · 2008-04-27 10:03 · Score: 2, Insightful
  
  Except nearly all installers use admin privileges, because the Program Files directory (to name just one) isn't per-user. Windows really isn't structurally designed for per-user installation, although MS have tried it's still half finished. Users know this, and always click yes on installers when prompted.
  So it's just like /bin, /usr/bin and /Applications, then ?
  Any installer can stick a service in there that does privileged tasks, and that means UAC is a thin layer that's easy to work around.
  How is this different to any other platform ?
5. Re:Where have I heard this before? by wwahammy · 2008-04-27 10:23 · Score: 4, Insightful
  
  No it is working as designed. To install software that will modify the system, you need to use elevated privileges. Once you have elevated privileges you can do anything you want, including installing services that autostart. This is no different than installing an additional daemon on Unix-y systems. If you feel that is a security vulnerability, how do you intend to get anything done? Just a list of some of the different services that autorun on my computer:
  -The base filtering engine used by the Windows Firewall
  -Computer Browser keeps track of other computers on the network
  -Plug and Play
  -Print spooler
  -Event log
  -Task scheduler
  -Firewall
  
  If these things didn't autorun, I'd have a pretty different system. That or everything would run as an administrator and we'd be right back to Windows XP with the same problems we had before.
6. Re:Where have I heard this before? by Anonymous Coward · 2008-04-27 10:27 · Score: 3, Insightful
  
  Slashdot loses a little relevance and credibility every time a stupid post like this one is green lighted. Submitter should read before submitting.
7. Re:Where have I heard this before? by drsmithy · 2008-04-27 10:30 · Score: 3, Insightful
  
  well /Applications is for everyone. your supposed to install it there. Any where else and your app is misbehaving anyways.
  Exactly. Just like %PROGRAMFILES%.
  MSFT has turned a single user OS and tacked on multi user support, and then multi user security. OS X, and every *nix are Multi-user OS's.
  False. Windows NT is, and always has been, a multiuser OS.
  I not only have applications but also user specific applications stuff that only I can run, and stuff that only I can see.
  And you can do exactly the same in Windows.
  You shouldn't have to be an admin to install a web browser, word processor , or spreadsheet. You should only be an admin if your installing it for everyone.
  So, just like Windows then ?
8. Re:Where have I heard this before? by IchBinEinPenguin · 2008-04-27 11:10 · Score: 5, Insightful
  
  > MSFT has turned a single user OS and tacked on multi user support, and then multi user security. OS X, and every *nix are Multi-user OS's.
  
  False. Windows NT is, and always has been, a multiuser OS.
  
  I've long thought that the single vs multi-user nature of Windows NT and Unix has more to do with user expectations than technical limitations.
  Unix users were brought up on multi-user envoronments. root had to do stuff like install system-wide apps, printers etc.
  Users never expected to be able to do this, and aplications developers coded knowing these limitations.
  
  Windows users, on the other hand, evolved out of DOS users (please note that I'm talking about users not the underlying codebase). DOS users have always had unrestricted access to their system, and this expectation was inherited by modern-day Windows users.
  Equally importantly, application programmers did not code with these limitations in mind.
  
  What you end up with is a platform that's technically perfectly capable of being multi-user, but hamstrung by user expecteations and badly designed applicaitions.
9. Re:Where have I heard this before? by darkpixel2k · 2008-04-27 12:33 · Score: 3, Insightful
  
  and we'd be right back to Windows XP with the same problems we had before.
  
  What problems? I run a network of about 80 XP machines. They all run fairly well--aside from the occasional failed Windows Update. Recently someone introduced a Vista laptop to the network. It can't print because the print spooler constantly crashes (with all 5 of the variety of printers on the network), if you plug it in to the network at one site it flat out refuses to talk to anything--even after trying for 45 minutes to get the network center to work, and none of the vbscript scripts I wrote to help automate a few routine admin tasks work--they constantly halt the system and ask if I want to allow the script to do something. Yeah--I logged in as administrator and ran the f*cking script--I really want it to run...in an automated fashion.
  
  Come to think of it--I'd rather be right back to Windows XP with the same 'problems' I had before. The occasional need to wipe and reinstall a system after a year of heavy use.
  
  I'm no Microsoft fan--I'll take some *nix system any day--but when you compare XP to Vista it's like comparing eating dry dog food to having your leg sawed off by a bandsaw. Yeah dry dogfood probably tastes like crap--but I'll take it over having my leg sawed off with a bandsaw.
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
10. Re:Where have I heard this before? by jedidiah · 2008-04-27 13:56 · Score: 3, Insightful
  
  ...except a proper Unix can install into /home/user.
  
  A number of applications do this by default and will complain or
  just plain bail out if you try to install them as root.
  
  Also, something like /Applications can be set up so that multiple
  users can create new directories in it but not necessarily stomp
  on each other.
  
  On other platforms, services tend to not be installed as superuser.
  
  The fact that none of this occurs to you just shows how ingrained
  the whole "run everything root" idea is in Windows user culture.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
11. Re:Where have I heard this before? by Dolda2000 · 2008-04-27 13:59 · Score: 5, Insightful
  
  False. Windows NT is, and always has been, a multiuser OS. Indeed -- the NT kernel is, and always has been, a multiuser kernel. That does not, however, make Windows a multiuser operating system, if I may say so. I, too, would think that the GP doesn't really know what he's talking about, but when put into another perspective, his argument that "multiuser support has been tacked onto Windows" isn't unfair in any way.
  If Microsoft had indeed taken the NT kernel and built a sensible operating system above it, it would have been a multiuser system, but they didn't. Instead, they took the entire DOS and Windows 3.x world and put the NT kernel underneath it. Technically speaking, they rather tacked a single-user mindset and framework on top a multiuser kernel, making a single-user operating system. Since the NT kernel basically was written to supplant Windows anyway, it isn't entirely biased to argue that multiuser support was tacked onto Windows.
  Of course, I am still not arguing against the NT kernel. Microsoft could just as well have done the same thing with the Linux kernel as well, and the result would have sucked as badly. In fact, I don't know very much about the NT kernel internals (since the documentation isn't quite as easy to get at as it is in Unix), but I would guess that it isn't an entirely bad idea at an operating system kernel. Unfortunately, the kernel alone doesn't make an operating system, and Microsoft decided to build a basically single-user system on top of the kernel.
12. Re:Where have I heard this before? by MidnightBrewer · 2008-04-27 18:26 · Score: 2, Insightful
  
  Yeah, I have to agree that this sounds like Vista is actually doing its job. You can argue that malware can take advantage of this system, but such malware would require social engineering to get itself installed, rather than doing it on the sly.
  
  The author of the article basically lauds XP's "everybody runs as an administrator" scenario as if it was a good thing, then goes on to complain that Microsoft forcing him to play by their rules rather than by his own is somehow a bad thing.
  
  In other words, system hacks now take twelve times the effort to implement. That's a good thing. Sounds like Microsoft is finally in a position to clean up the sloppy "do whatever you like" developer culture that they've been burdened with for so long.
  
  --
  "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
Much as I like seeing Microsoft humbled... by argent · 2008-04-27 09:10 · Score: 4, Insightful

Much as I like seeing Microsoft humbled, the comments on the original article seem to exonerate Microsoft of being as stupid as the article makes them sound. Lazy, perhaps, but not that stupid.
1. Re:Much as I like seeing Microsoft humbled... by cheater512 · 2008-04-27 10:05 · Score: 2, Insightful
  
  Having a bigger marketing department than a programming department for a software company sounds pretty stupid to me. ;)
2. Re:Much as I like seeing Microsoft humbled... by shutdown+-p+now · 2008-04-27 15:42 · Score: 2, Insightful
  
  Does having bigger $$$ than anyone else around precisely because of that also sound stupid?
3. Re:Much as I like seeing Microsoft humbled... by swillden · 2008-04-27 16:57 · Score: 4, Insightful
  
  Having a bigger marketing department than a programming department for a software company sounds pretty stupid to me. ;)
  Really? I've worked for over a dozen software companies in my career and the only two that didn't have more people in sales and marketing than in engineering and product development are also the only two that are out of business.
  There are exceptions, I'm sure, but I think it's pretty normal that it takes more salespeople to sell a product than it takes engineers to design it.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Easy, but it's Not, but it is? by Anonymous Coward · 2008-04-27 09:12 · Score: 5, Insightful

The "bottom line" starts off saying it wasn't easy, took much additional code, and many man hours of work. Then the next paragraph tells you it's "easy to code around".

This is the problem with Blogs. It looks like journalism, but it isn't.
1. Re:Easy, but it's Not, but it is? by Sique · 2008-04-27 09:38 · Score: 2, Insightful
  
  This is the problem with Blogs. It looks like journalism, but it isn't. You saying, a journalist would provide a counter point from Microsoft? Because glaring logical gaps are nothing new for journalism.
  
  --
  .sig: Sique *sigh*
Re:Must do better... by Yvan256 · 2008-04-27 09:13 · Score: 2, Insightful

Negotiating contracts with ATI and nVidia for a share of videocard sales does take time, you know.
A privileged service is not a "hack." by w3woody · 2008-04-27 09:17 · Score: 5, Insightful

So he created a service that runs with the necessary privileges to do what it needs, which communicates with a non-privileged front-end, and which requires privileges to install.

How is this a "hack"?

Perhaps the author of iReboot didn't see the rational for isolating a piece of code that needs to do something privileged and having it install and run in a user account which has sufficient permissions to allow it to run--but from a security standpoint this is no different than in Linux, where privileged code runs in a separate account from the user, and where IPC is used to communicate with that process.
1. Re:A privileged service is not a "hack." by drsmithy · 2008-04-27 10:15 · Score: 2, Insightful
  
  No, because MSI runs privileged and is able to install such processes at the command of normal users - that's the hole. You get one prompt, at installation time.. but I've never seen a windows installer that *didn't* prompt for elevation.
  Nothing to do with the OS, everything to do with the application developer.
  Contrast with Unix based systems where installing apps as a normal user is the norm and installing as root is an exception (indeed with OSX each user has a full set of directories for this by default, and it's rare for something to require elevation.. when it does you definately think because it's unusual).
  Bullshit.
  If you think the vast majority of UNIX applications aren't installed by root, to a system-wide location, or that the vast majority of OS X apps aren't installed to /Applications (also by root), then you're either a fool or delusional.
  *Especially* today. You might just have had a point, ~20 years ago, when multiuser UNIX systems with technically competent users were at least relatively common, but today when most people interact with what are essentially (if not technically) single-user PCs, such a claim doesn't even pass the laugh test.
More fud by ryan_hurst · 2008-04-27 09:22 · Score: 5, Insightful

So they created a service (daemon) that exposed a interface that had no ACL on it that allowed the caller to perform privliged opperations, they had the administrator (root) install the service and grant it administrative permissions (again, root) and then had a unprivliged application call that interface. Sounds exactly like unix to me, more over short of not having ACLs on the interface, Microsoft has white papers telling folks how to do just this. In fact a CS major would know this as "least-privliged-design" oh-no mr. bill. Only on Slashdot would this qualify as news.
Re:A Service... by Dogun · 2008-04-27 09:51 · Score: 2, Insightful

Which is fine, provided the interfaces exposed by the daemon aren't themselves insecure.
Re:Weird logical disconnect in the article by IchBinEinPenguin · 2008-04-27 11:25 · Score: 3, Insightful

>This creates a whole culture that is very vulnerable to social engineering---simple games are being run at the same permission level as complex drive-recovery utilities and keyboard loggers.

There is _nothing_ in Windows's "security model" that requires - or even encourages - this. The problem of apps needlessly requiring Administrator-level privileges is 100% the fault of the developers of said apps and has been for nigh-on a decade.

Ironically Microsoft themselves have a proud history of producing such apps...

There's nothing "weak" about Windows NT's security model. Never has been. There were, arguably, weaknesses in the *default configuration in some environments*, ...

I agree, only I'd change *default configuration in some environments* to out-of-the-box defaults which are unchanged in most environments.
Re:A terrible idea. by Allador · 2008-04-27 19:03 · Score: 2, Insightful

If and when Microsoft closes those loopholes, any software that abuses them will break. They're not loopholes. They're one of the well known ways of solving the problem the neosmart devs created for themselves.

The NeoSmart folks just were being lazy and assuming everyone was an admin, and that someone was always logged into the OS.