Security Hole In Windows 7 UAC
An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
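The summary's recommended mitigation is the top position of the Windows 7 UAC slider, and the slider itself is just three registry values. The script below is an added example written for this page; it is not from the story, from Long Zheng's proof of concept, or from Microsoft. It reads those values, reports which slider level they correspond to, and with the hypothetical Set-UacAlwaysNotify function moves the slider to "Always notify", the only level at which, in the beta behaviour described above, a change to the UAC setting itself produces a prompt. Writing under HKLM requires an elevated process, so the set function must be run from a console started with "Run as administrator".

```powershell
# Added example, not from the story or the proof of concept it describes.
# Key and value names are the documented UAC policy locations; the mapping of
# value pairs to Windows 7 slider positions is the stock Windows 7 behaviour.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey

    # Missing values behave like the defaults, so treat them that way here.
    $enableLua   = if ($p.EnableLUA -eq $null) { 1 } else { [int]$p.EnableLUA }
    $adminPrompt = if ($p.ConsentPromptBehaviorAdmin -eq $null) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secureDesk  = if ($p.PromptOnSecureDesktop -eq $null) { 1 } else { [int]$p.PromptOnSecureDesktop }

    $level = if ($enableLua -eq 0) { 'Never notify (UAC off, needs reboot to apply)' }
             elseif ($adminPrompt -eq 0) { 'Never notify (silent elevation)' }
             elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) { 'Always notify' }
             elseif ($adminPrompt -eq 5 -and $secureDesk -eq 1) { 'Default: notify for programs, not Windows settings' }
             elseif ($adminPrompt -eq 5 -and $secureDesk -eq 0) { 'Notify for programs only, no secure desktop' }
             else { 'Custom' }

    # The flaw in the story relies on Windows's own settings UI elevating
    # silently; only "Always notify" (ConsentPromptBehaviorAdmin = 2) closes that.
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        PromptsForUacChange        = ($enableLua -eq 1 -and $adminPrompt -eq 2)
    }
}

# Hypothetical hardening helper: move the slider to "Always notify".
# Must run elevated; EnableLUA changes only take effect at the next logon.
function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Get-UacLevel
}

Get-UacLevel | Format-List
```

Run Get-UacLevel from any console; PromptsForUacChange being False on a stock Windows 7 beta install is exactly the condition the story describes. Note that a non-elevated script cannot flip these values directly, which is why the proof of concept drives the already-elevated control panel UI instead.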
Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.
Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
This was discussed elsewhere (heise.de) earlier...
Short answer: this only works iff you are logged in as Administrator already...
Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning". Even adding captchas/moving the warning around/whatever will only be a fake-solution that will only work 'till there's a better script.
The beta worked perfectly!
Even the malware will be ready for Windows 7!
MS have already said that this flaw is "by design" to stop the appearance of too many UAC prompts when users alter their own system settings
http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/
So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!
Hey, at least they found it early - this is what beta's are for - now they can build a lock for that door
re. MS's 'By Design' / 'Won't Fix' response, they basically say - 'This doesn't matter as if this happens you are already infected'.
You need the damn UAC setting prompt so you are ALERTED TO THE FACT THAT THIS HAS HAPPENED SOMEHOW ASAP.
Yes the user may have done something stupid to allow infection, but the UAC setting prompt would then protect them from further damage even before the malicious code check package was updated to find whatever was out there infecting systems.
The Highest UAC setting would prevent this but it is not default.
All they have to do to fix this entirely, and make the current default not affected by this flaw, is change the UAC settings security certificate.
But your settings have been altered for better net penetration, do you want to allow?
It's Still Beta... Why bother with the article
It's a Microsoft Windows beta, are you really surprised at all that there is a security breach?!
Microsoft feel happy enough with Windows Vista SP2
So much that they are not bothering with a second Beta
So what you have in your hands now is pretty much how it may ship
http://www.theregister.co.uk/2009/02/02/windows_7_no_second_beta/
correctly.
I mean, Linux and MacOSX (and others) have sudo for years, the original code dating back to 1980 according to Wikipedia.
The concept is not new: type your password to gain access to some privileges. That way bots and viruses can't do everything while you can still do administrative tasks easily.
My question is how hard is it to copy some 25-year-old functionality (marketing it as brand new) and still not get it right.
--- Bouh !!! ---
==============
"It look like you're trying to alter the UAC settings, Cancel or Allow?"
*click*
"It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
*click*
"The UAC settings have been altered, Cancel or Allow?"
*click**click**click**click**click*-----INPUT DEVICE FAILURE
With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.
This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.
The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, a lot of the protection offered by UAC disappears.
Big deal, just use Vista where you'll get a UAC dialog for everything by default. That will 'fix' this issue.
Vista service pack 2 seems a rather apt way to describe Windows 7. I rather think Vista may be a late alpha or early beta of Windows 7 (it's not like the number actually has a real sequential meaning).
http://www.aaronrogier.net
all this talk of UAC makes me feel like playing some doom again.
The biggest security hole in Windows 7's UAC is the user.
but is certainly no security expert.
But... Who controls the user acces to the user access control?
While betas do help with testing, they're certainly not for such fundamental security testing. If they couldn't prove with hard math that their root access was limited properly, they should at least have had a bunch of unit tests for every variation from the tried and tested unix sudo model.
This is no different to me browsing the web as root in linux and running any shit that pops up
If you mod me down, I will become more powerful than you can imagine....
I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.
What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?
Seems like an odd bit of "by design".
Unless I'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious is going to happen.
The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particularly careful, it could then reset the UAC level back to what it was before it started.
I'm now completely compromised without the slightest indication that anything suspicious happened.
It should read, "Security Hole in Windows 7 BETA UAC". I know that it's hard to believe, but beta code is not the same as gold code, and consequently there may be a number of issues. Anyone who finds a bug or hole in a beta version of software and then trumpets it as proof of anything is clearly just trying to make sensationalist headlines.
You missed the gratuitous goatse link ;^)
Even the anonymous submitter can't muster up a more flattering adjective for the author than "prolific" - I'm sure I am about to enjoy a quality article.
sic transit gloria mundi
This?
http://www.youtube.com/watch?v=1JMuJ6Wy1j0
Another UAC prompt...Yes, by all means, not like there isn't enough of them already!
When all is said and done, nothing changes...
Ubuntu won't ask for the password for sudo if it has already been asked in the last few minutes.
In theory, a malicious site (say a botnet master in n00buntuforums) could get you to run a script that uses sudo to gain control of the machine and it would have a high chance of success.
The instructions could even coerce you into using sudo in a safe-looking command such as sudo apt-get youtube-dl after which you would run dancing_bunnies.vbs^H^H^H.sh.
It wouldn't fool you nor me, but it is a serious security concern for the kind of user that would run the vbs in Win7.
Does this mean Ubuntu is vulnerable? At least as much as windows 7.
I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system? Unix has managed it with root, groups since the 70s and with ACLs, su, sudo etc since the 80s so why can't MS manage to get right something so simple and so fundamental to a multi user OS in 2009?? And why would you need it much anyway? If you're simply installing an app (as opposed to an OS/library update) why would you need administrator/root type access anyway?
If you look at the computer as a whole, it is incredibly stupid that after the user selects some option, the computer will pop up a dialog asking the user if he is indeed the one who selected this option.
I realize the series of historic accidents that led to this absurd situation - but couldn't they figure out a better way that does not make the computer behave so incredibly stupidly?
Really? I have no problem with a black man in the White House. I have a problem with him trying to distract us with petty bullshit like Rush Limbaugh while the people who propped him up during the election try to steal another $1.2 Trillion (after interest is factored in) from future Americans. The most appropriate term for that kind of distraction in the face of such malfeasance is "shuckin' and jivin.'" Nice smokescreen, but fuck you, you mindless shill. People like you keep re-electing the same fucktards for Congress year after year, not realizing that they have more control over the economy than the President does.
ANOTHER prompt! I have a great idea, why doesn't MS prompt the user telling them they are about to be prompted? Wouldn't that be just grand?
'You have hit the A on the keyboard. Continue (Y/N)?'
Genius.
Pax Vobiscum
Viol8:
UAC mimics much of the functionality present in a lot of Linux applications. You need root to install the application, but you don't need root to launch the application.
At least, this is exactly how Microsoft has it designed. And anything that requires administrative privileges should have a service that starts as admin/root and then the client side process should be low privileged.
This is exactly how Microsoft has it set up. The problem is that a lot of application developers are lazy. They don't want to write software for how Microsoft wants it to be written. This has, essentially, been how Microsoft has intended software to be written for years. C:\Documents and Settings\User\Application Data has only been around since the Windows 2000 days.
The aforementioned design, however, has never been enforced by Microsoft.
And the worst part about it is that users themselves are asking for software to be written poorly. All you have to do is to take a quick look over at the ZSNES forums where the developers openly asked its users how they should store configurations now that UAC gets in the way, and the users tell them "We want it to be more portable!"
That's fine and all, if you want to install all applications to C:\Users\. But like Linux, there are folder conventions.
It's all there, everything. The environment for writing secure products that don't get exploited that run within the context of a limited user are all built into the OS already.
Microsoft even went out of their way to "virtualize" Program Files for applications that fail to follow the proper format.
You're a racist piece of shit.
Don't feed the trolls, please. Trust me, responding because of outrage is exactly what they want you to do.
Why are we talking about a bug in beta software? This is code that is still 6-12 months from release.
I'm no MS fan boy that's for sure. But this story is just flame material.
1. The writer just wants to be seen. I'm screaming I'm screaming I need attention and my diapers changed.
2. Big deal, the change is a feature. A change in a product every clued person on the planet is still going to shut off. As the UAC nag is still a nag in better clothes.
3. The title is catchy. "Security hole UAC." So clueless types on the net are jumping all over it a linking it.
THIS IS NOT A SECURITY HOLE. IT'S I'M A MORON USER THAT IS DESPERATE TO KICK THE DOOR OPEN TO HACKERS AND I'M STILL FAILING AT IT, PROBLEM.
UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots of third-party software to fix. So they put a prompt up if a program is about to use one of the features that contain or implement part of one of these security holes.
The only real way to fix it is to implement a designed-for-security API and designate Win32 and everything based on it "legacy", only run in a sandbox.
Which is what Windows 7 was rumored to be, a couple years ago.
I've been installing Foxit on new machines for about nine months now, and have a lot of love for it. It was the retarded reboot-on-upgrade policy of Adobe that particularly ticked me off (load times notwithstanding).
I noticed earlier today that V3 is out, will be giving this a trial run sometime over the next couple of weeks. Only thing I'm hoping for is that they've improved the process for unattended setups, as this is the only thing that bugs me at the moment.
they had "changed" ???
HA HA !
I don't see this as a security hole. The first thing I did after installing was disable UAC. All it does is protect users from themselves...
Also, using SendKeys in a script would be rendered completely useless if it was executed while the user was typing something, so this would only work assuming the user executed the script, and then immediately afterward went to take a piss...
Because, in Unix terms, the applications are all horribly written and want to store your personal settings in /etc
maugle:
pretty much.
This is exactly how Microsoft has it set up. The problem is that a lot of application developers are lazy. They don't want to write software for how Microsoft wants it to be written. This has, essentially, been how Microsoft has intended software to be written for years. C:\Documents and Settings\User\Application Data has only been around since the Windows 2000 days.
Actually, per-user Registry Hives and filesystem locations were introduced in one of the last versions of Windows 95, IIRC - and they were _definitely_ in Windows 98 (and all versions of NT).
It's been a decade since a Windows developer has had any excuse whatsoever (let alone a good one) for releasing software that wasn't "multiuser friendly".
from my understanding UAC is designed to prevent execution of malicious code, or at least warn the user of the potential threat that they may be launching a virus instead of "top40.mp3" they just pirated from limewire.
As a repair tech at a small computer shop, I service *plenty* of infected Vista machines with UAC enabled. At least 1 in 3 have rogues like Antivirus 2009 installed.
So IMHO this "security hole" in UAC is moot because the PEBKAC.
First off, there's a difference between logging in as Administrator and using an account which is part of the Administrators Group. A HUGE difference, which anyone knowledgeable (experienced and/or certified) would know.
Second, anyone who has any knowledge about networking security (Windows or not) should already understand the reasons one does not want to run an elevated privilege account as their default. You raise your privilege level when you need to, that's how it's done. I don't need an admin account to write documentation, surf the web, or check my email, and neither does anyone else.
You may impress your know-nothing friends and family, and get flagged "+1 insightful" on Slashdot, but that is not, and never will be, an adequate substitute for knowing what you are talking about. Stop telling people they are wrong when they are completely correct.
UAC mimics much of the functionality present in a lot of Linux applications. You need root to install the application, but you don't need root to launch the application.
Actually very very few Linux applications need root to be installed and run.
What you may be referring to is broken Linux distros (most of them, I agree) that still didn't grasp how to allow Linux users to install applications without needing to be root. Note that even on these broken .rpm/.deb distros you can still grab the .tar.gz version or the source or whatever non-root installer (there are several), etc. to alleviate that distro security issue.
On Linux you can even install, say, the whole Sun Java VM / JRE without needing to be root (something that is impossible on Windows XP for example, let alone Vista).
But, yeah, Debian and RedHat based distros mandate root to install the packages (the fault being clueless package creators, for RPM allows non-root install AFAIK) and this is my major (and only?) gripe with mainstream Linux distros for 10 years ;)
Am I the only one that finds this concern stupid?
Is it not for finding bugs that BETAs are released in the first place?
One of these days people will start complaining because some alpha release doesn't have all the features announced.
What I'm saying is you cannot boot the computer and have the root account as one of the options for you to log in as and run everything as root.
Are you using the same Mac OS X that I am?
In Mac OS X, the root user is disabled by default, and it is not obvious how to enable it. But it is certainly possible to enable it.
Once the root account has been enabled, one can do exactly what you say is impossible: reboot and login as root. In fact, you don't even have to reboot: you can log out and then log back in as root; or you can use fast user switching to log in as root (no logout required).
Well, I know that it's "technically" possible to install applications as non-root. The problem comes in that there are certain conventions that each distribution wants to follow to allow a unified experience for application developers.
There's a little give and take there.
I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system?
Because Windows tries to accommodate incompetent developers and ignorant users, rather than telling them to "RTFM or GTFO !".
I don't want my government telling me how to live my life; I don't want my operating system provider to tell me how to use my OS.
If the UAC can be 100% disabled, then awesome!!!
Seriously.... how is this news???? SOP (Standard Operating Procedure) should not be news.
2 cents,
QueenB.
HDGary secures my bank
sudo bash is clumsy. Use sudo -i instead :)
I'm always a little irked by this supposition that the developer for an app that has nothing to do with security has to be aware of the details of the security subsystem.
Going back to the check book software example, we can probably agree there is nothing about such a software system that needs Admin privileges but we should also agree such a system shouldn't need to take any special consideration for the permission or security beyond the defaults. The data itself may need to be kept locked and private from other users but you don't do that by switching to Admin/elevating permissions.
So how did we end up with a situation where the check book balancing application has to be "aware" of roles and security? It is really all the fault of Windows design. Parts of the installer need to access other parts of the system that require elevation in privileges. Parts of the application often sit in restricted parts of the file system (C:\Program Files). Depending on what other facilities are being used, working with Windows may restrict you. Add to this that the system is tied up with AV and other security software which may interfere as well. At every level there may or may not be documentation on how to gain access. All of this is a PITA to handle in a program, let alone support the user with, when it shouldn't have been an issue in the first place! Since Microsoft didn't see fit to provide elegant systems to the developer to handle these cases, developers came up with their own with the system available.
The people trying to sell check book balancing software should be focused on writing the best damn check book balancing software instead of worrying about how to get the right "permission token" to run their app or cataloging thousands of possible errors coming from outside of their application.
No. UAC is meant to have people run as unprivileged accounts without having the people who MUST RUN AS ADMIN OR ELSE!!! cry -too- much.
It's just impossible to get a balance between making people aware of admin-account requirements, and having people not bitch too much.
You have no business writing to Program Files. Do you still modify win.ini and system.ini and drop DLLs into system32 as well? Writing to Program Files is about as bad and obsolete a practice as writing to win.ini.
Yes it is frustrating to have it redirected and maybe they should have put something in your event log to help make it obvious, but dammit, writing to Program Files was discouraged even in Windows XP. The only reason it redirects instead of totally fails is because there are gobs of badly written programs that still exist (try to write to Program Files as a normal user) and Microsoft didn't want to break all of them.
There are APIs to get a proper place to write system-wide settings. Even then, you probably will need to get your program to elevate itself via UAC because you are modifying global stuff. I bet if you elevated your app before writing to Program Files, it wouldn't redirect (check MSDN). Remember that "admin user" doesn't mean you are running as an admin in Vista, your program has to request a UAC dialog before you run as root otherwise you run as a regular joe.
Seriously though, try running your program as Administrator (right click on the exe and go "Run as Administrator"). See if it still redirects, I bet it doesn't.
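The redirection the post above refers to is UAC file and registry virtualization: a non-elevated legacy process that writes under Program Files, Windows or HKLM\SOFTWARE gets a private copy under the user's profile instead of an access-denied error. The script below is an added example written for this page (not from any poster, Microsoft or a vendor); it walks the per-user VirtualStore locations and lists every file and registry key that only exists because an application scribbled where it had no business writing, together with the path it was trying to hit, then prints the per-user and machine-wide folders such an application should have used. Get-VirtualizedWrites is a name chosen here, not a Windows cmdlet.

```powershell
# Added example, not from the thread. Lists per-user copies created by UAC
# virtualization; each hit is an application writing to a protected location
# from a non-elevated process.
function Get-VirtualizedWrites {
    $results = @()

    # File virtualization mirrors protected paths under %LOCALAPPDATA%\VirtualStore,
    # e.g. C:\Program Files\App\app.ini -> ...\VirtualStore\Program Files\App\app.ini
    $vstore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $vstore) {
        $files = Get-ChildItem -Path $vstore -Recurse -Force | Where-Object { -not $_.PSIsContainer }
        foreach ($f in $files) {
            $results += New-Object PSObject -Property @{
                Kind          = 'File'
                VirtualCopy   = $f.FullName
                IntendedPath  = $env:SystemDrive + $f.FullName.Substring($vstore.Length)
                LastWriteTime = $f.LastWriteTime
            }
        }
    }

    # Registry virtualization redirects HKLM\SOFTWARE writes under HKCU.
    $vreg     = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $vregName = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (Test-Path $vreg) {
        foreach ($k in (Get-ChildItem -Path $vreg -Recurse)) {
            $results += New-Object PSObject -Property @{
                Kind          = 'Registry'
                VirtualCopy   = $k.Name
                IntendedPath  = 'HKEY_LOCAL_MACHINE\SOFTWARE' + $k.Name.Substring($vregName.Length)
                LastWriteTime = $null
            }
        }
    }
    $results
}

# Where settings belong instead. The first two need no elevation at all;
# the third is for genuinely machine-wide data and needs an elevated writer
# or an installer-granted ACL.
function Get-SettingsLocations {
    New-Object PSObject -Property @{
        PerUserRoaming = [Environment]::GetFolderPath('ApplicationData')        # %APPDATA%
        PerUserLocal   = [Environment]::GetFolderPath('LocalApplicationData')   # %LOCALAPPDATA%
        MachineWide    = [Environment]::GetFolderPath('CommonApplicationData')  # %ProgramData%
    }
}

Get-VirtualizedWrites | Sort-Object Kind, IntendedPath | Format-Table Kind, IntendedPath, LastWriteTime -AutoSize
Get-SettingsLocations | Format-List
```

Two caveats for the experiment the post suggests: virtualization only applies to non-elevated 32-bit processes that carry no requestedExecutionLevel manifest, so an elevated run writes to the real location (as the poster bets), while a manifested application that is not elevated simply gets access denied and nothing shows up in VirtualStore either way.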
Making it harder to install "Stupid Mouse Jumps Around the Screen and Installs Spyware.exe" is a feature, not a bug.
Well, for one I'd stop supporting her machine. Can't do that though because, you know, she is my mother and all. I can't just tell her to FOAD seeing as how she gave birth to me.
In other words, you want everybody to run as root all the time, right? Because the only way to avoid having a prompt of some kind or other is to always run as root.
How can you make a system both secure, "prompt free" *and* not have it run as root? Or is your solution to run as root 24/7? If so, sorry, been there done that, got the botnet.
That is 100% not true. Your user account *is running as a regular user* no matter what group it is in. It doesn't matter if you are in the admin group (unless you stupidly disable UAC, in which case you basically run as root).
"UAC" = "sudo [program name]"
"Vista, Administrator Group" = "your account is in
"Vista, non admin group" = "sudo [program name] with password, but that depends on the group policy... "
Your highly moderated post is 100% mis-information and is *not true*. YOU ARE NOT RUNNING AS ROOT UNTIL YOU ELEVATE VIA UAC!!
I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system?
Because people expect to still be able to use their horribly-written apps that assume they can scribble freely all over the C: drive.
Words have specific meanings and "You are not inputting a password to authenticate higher privileges. You already have them" means one doesn't know what they are talking about. That statement is *not* true. You do *not* have higher privileges no matter who you are. You need to go through a UAC dialog to elevate the privileges of a program.
If AC knew what he was talking about, he'd draw a line between the wheel group and the Vista admin group. They are somewhat alike, though on many unix systems a person in "wheel" can do all kinds of root-like things without the use of sudo--this is not true on Vista.
The fact that the AC says "input your password" says he is either a very good troll or has never used Vista in his life. People in the admin group never have to input their password.
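The split-token behaviour argued over in the last few posts can be checked directly. The script below is an added example written for this page, not from any poster or from Microsoft; Get-TokenState is a name chosen here. It compares what .NET reports for the current process with the raw group list from whoami: for a member of Administrators in an ordinary console, the Administrators SID is present but flagged "Group used for deny only", the integrity label is Medium and the role check fails; in a console started with "Run as administrator" the same account shows the group enabled, High integrity and the role check succeeds. A standard user has no Administrators SID in the token at all.

```powershell
# Added example, not from the thread. Shows that an account in the
# Administrators group runs with a filtered token until it elevates via UAC.
function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # True only in an elevated process, even for members of Administrators:
    # the role check ignores deny-only group SIDs.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token with its attributes.
    # S-1-5-32-544 is BUILTIN\Administrators; S-1-16-* rows are integrity labels.
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow  = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label     = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    $attributes = if ($adminRow) { $adminRow.Attributes } else { 'not present in token' }
    $integrity  = if ($label)    { $label.'Group Name' }  else { 'unknown' }

    New-Object PSObject -Property @{
        User                     = $id.Name
        IsElevated               = $isElevated
        AdministratorsInToken    = [bool]$adminRow
        AdministratorsAttributes = $attributes
        IntegrityLevel           = $integrity
        # "Group used for deny only" means the SID can deny access but never
        # grant it: this is the "regular joe" state the posts above describe.
        FilteredAdminToken       = ($attributes -like '*deny only*')
    }
}

Get-TokenState | Format-List
```

Run it once in a plain PowerShell window and once in one opened with "Run as administrator" and compare the two outputs; the user name is identical in both, and only the token differs, which is the whole point of the argument about Administrators group membership versus actually running elevated.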