Coding Around UAC's Security Limitations
Mariam writes "Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista's UAC limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista's improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest ISVs to publish working code and provide no true protection from malware authors. Quoting from the post: 'Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.'"
One of our recent projects involved hosting a .NET control in Internet Explorer as part of an Intranet page for editing and uploading photos. The control worked fine, and we were able to manage security permissions such that it could access the files it needed to (and even delete them after as desired - it has full trust).
The problem was that we wanted the page to refresh after the upload was complete. This seems like it should be fairly simple, but with how the security works, there's not a simple way to communicate between the .NET control and the surrounding page (you can't, for example, just call a function on the page, despite the fact that you have full trust).
With that being the case, I tried editing a property on the control once it was finished uploading, but that too didn't work as the page couldn't read them (even properties like "height" that it could infer couldn't be read directly). I thought about some fairly complicated solutions involving polling using XMLHTTP, partial refreshes or scripting or something - but what I ended up doing was this:
1. When the page loads, take note of the position of two elements on the page.
2. Poll the position of these elements a few times each second.
3. When the upload control finishes, it increases its height by 4 or 5 pixels.
4. This displaces the other elements on the page, and this can be used as a signal that an upload is complete and a refresh should be done.
This ended up working fine, but I felt ridiculous for having done it this way. There's no security being added here - the control and the page can communicate all they want via the server or scripting (or 100 other ways), it just means that using the controls is much more difficult and obscure than it needs to be.
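The four-step layout-polling trick described in the comment above, written out as an added JavaScript example (not the commenter's own code). The `readPositions` callback, the `minShiftPx` threshold and the pixel values in the simulation are assumptions; the point it makes is the commenter's: the page boundary blocks direct calls but not a signal carried through layout.

```javascript
// Detect a hosted control's height change by polling the positions of two
// page elements. `readPositions` (assumed) returns the current top offsets of
// the watched elements; in a browser it would read getBoundingClientRect().top.
function createDisplacementWatcher(readPositions, minShiftPx, onDetected) {
  const baseline = readPositions();          // step 1: note positions on load
  let fired = false;
  function poll() {                          // step 2: called a few times a second
    if (fired) return false;
    const now = readPositions();
    // step 4: a shift of at least minShiftPx on any watched element is the signal;
    // the threshold ignores sub-pixel / rounding jitter in layout measurements.
    const moved = now.some((top, i) => Math.abs(top - baseline[i]) >= minShiftPx);
    if (moved) { fired = true; onDetected(); }
    return moved;
  }
  return { poll, baseline };
}

// Browser wiring (not executed in the simulation): poll every 200 ms and
// refresh the page when the displacement is seen.
function startInBrowser(elementIds, minShiftPx) {
  const read = () => elementIds.map(
    id => document.getElementById(id).getBoundingClientRect().top);
  const watcher = createDisplacementWatcher(read, minShiftPx, () => location.reload());
  return setInterval(watcher.poll, 200);
}

// Constructed simulation: two elements sit at 300 px and 420 px. Frame 1 has
// 1 px of jitter (must not fire); on frame 3 the control grows by 5 px
// (step 3), pushing both elements down. Returns the frame index of detection.
function simulate() {
  const frames = [[300, 420], [301, 420], [300, 420], [305, 425], [305, 425]];
  let i = 0;
  const read = () => frames[Math.min(i, frames.length - 1)];
  let detectedAt = -1;
  const watcher = createDisplacementWatcher(read, 4, () => { detectedAt = i; });
  for (i = 1; i < frames.length; i++) {
    watcher.poll();
  }
  return detectedAt; // 3
}
```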
Let's not stir that bag of worms...
The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.
Ouch.
The higher the technology, the sharper that two-edged sword.
Except that on Vista *anyone* can install that application. On Unix you would need the root password to do such a thing.
Disabling UAC completely is probably not a great idea. At the very least it warns you that something naughty is going to happen. That would be a nice thing, if it weren't buried in 100,000 false positives with clusters of warnings around each action.
These posts express my own personal views, not those of my employer