Security Hole In Windows 7 UAC

An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."

Short: Don't work as Administrator

This was discussed elsewhere (heise.de) earlier...

Short answer: this only works iff you are logged in as Administrator already...

Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning". Even adding captchas/moving the warning around/whatever will only be a fake-solution that will only work 'till there's a better script.

Re:Short: Don't work as Administrator

[nstlgc]

Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts.

Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.

Re:Short: Don't work as Administrator

[Darkon]

Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

And only when Microsoft change this will Windows be half way towards being secure.

Re:Short: Don't work as Administrator

[drsmithy]

Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning".

You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

Re:Short: Don't work as Administrator

[Darkon]

Which was done with Vista.

No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

Re:Short: Don't work as Administrator

[Kjella]

The real problem, and one that doesn't have a good techincal or sociological fix, is that most windows users are doing administration duties that far exceed their skills. Users get confronted with all sorts of dialogs they don't understand but just want to get on with it. I bet you, that if you popped up a page to someone saying "This video needs a newer version of flash" and redirected them to some completely bogus page that gave them a plugin with a completely bogus signature most people would go ahead and install it anyway. What is the latest version anyway? Couldn't even remember who makes it, and those companies keep on merging and rebranding and whatnot. No amount of UAC, or running as an unprivilidged user could possibly fix that because they are the ones with the admin keys and they're handing them out too easily.

Most users don't understand trust, they want to see a nice little lock icon telling them this site is safe, this site is bad. Same goes for plugins. Same goes for software. If you try educating them they'll just go blank *bad thing* *bad thing* *REALLY bad thing* but they won't understand and just want the simple answer. There's some very professional looking sites out there that appear to give you good software. They often even look better than the real deal because the frauds are all about appearances while the real sites focus on delivering good software, no offence intended. While it does amount to some degree of security scissors, most users would be better of if they only downloaded from safe, verified sources of software and plugins. If only Linux would stop asking all the other technical questions, the repository model would be much better for these people. It's not the end-all and be-all of security but it concentrates 99% of the superuser tasks in one place and makes it that much harder for some random application to throw up a superuser prompt.

Re:Short: Don't work as Administrator

[rhsanborn]

Something they've been trained to do as a result of shortcuts and hacks used by applications written for Windows for years. I'm reasonably sure a check book balancing application shouldn't need administrator privileges to run, but so many applications are written that way, probably a little because it's easier, and a little because so many people use administrator accounts that it doesn't matter.

Microsoft is in a tough position with regards to this. A large portion of the annoyance with Vista was 1) compatibility, which stemmed from bad time frames and poor vendor interaction, admitted, but also from enforcing proper security and structure that they hadn't done, that broke poorly written code. 2) from UAC going off very frequently due to applications constantly trying to elevate their privileges which is in most cases unnecessary.

Re:Short: Don't work as Administrator

[denis-The-menace]

Easier said than done.
Many developers are lazy and create apps that only work if the USER is an administrator. Other times it will only work if the user that installed the app is the USER (Again, need administrator to install it in the first place!).

BTW: Fixing this is my bread and butter.

Re:Short: Don't work as Administrator

[ThaReetLad]

This is probably the real point of UAC. To get developers to write software that doesn't need admin rights

Re:Short: Don't work as Administrator

[Firehed]

UAC, believe it or not, can't be controlled by scripts or other software-based inputs - it only accepts input from physical hardware. Which is a good thing (assuming this bug is fixed which would get around the need to do so, anyways). I don't know the tech that's causing that to happen (a sibling poster explains it better), but I can say that it DOES work.

Or, at least, this was the case using a Vista admin account. Found it out the hard way when trying to click OK in a UAC prompt via peripherals being shared with Synergy. Can't speak for Windows 7, but I can't imagine they've intentionally made it less secure. It confused the hell out of me for a while, but when I finally figured out what was happening I was in fact glad that they'd done it that way (even if it still meant that I had to find a spare mouse to click OK in the prompt with actual hardware).

See- this is why we have betas. Stupid but non-obvious bug that somehow slipped through can now be fixed before it affects millions. I hate to give MS credit (especially as a Mac user), but they really seem to be getting a lot right with 7. Not to the point of switching back, but hopefully to the point where the whiny fanboys from both sides may take a couple moments to STFU.

Early

[TehPhoenux]

Hey, at least they found it early - this is what beta's are for - now they can build a lock for that door

Re:Microsoft already replied

[jamesmcm]

That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.

Really, they should make it just notify the user when any software changes any vital settings, it's just too slow otherwise (Try moving Admin, read-only files on Vista, it took ages messing about with permissions and hundreds of UAC windows before it'd move - slowing file management horribly).

Re:Fix it FFS.

[jamesmcm]

Well really there's a compromise between security and usability with the UAC. Given Windows' diverse user base, it must be very accessible and so they lower the security of UAC to stop it interfering.

Of course they should fix this bug, but having too much UAC makes it frustrating and useless as people disable it, and too little obviously doesn't do enough. It's a very hard compromise.

How hard is it to copy something...

[51M02]

correctly.

I mean, Linux and MacOSX (and others) have sudo for years, the original code dating back to 1980 according to Wikipedia.

The concept is not new : type your password to gain access to some privileges. That way bots and virus can't do everything while you can still administrative tasks easily.

My question is how hard is it to copy some 25 years old functionality (marketing it as brand new) and still don't get it right.

It's a double-edged sword

[jimicus]

With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.

This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.

The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, a lot of the protection offered by UAC disappears.

Re:It's a double-edged sword

[yakumo.unr]

The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, ALL of the protection offered by UAC disappears.

Fixed.

Re:It's a double-edged sword

[Seth+Kriticos]

Wait a sec. When did the UAC ever provide protection for the system? Even before it appeared, nobody read the waring dialogs. The design failure was to try improving the security by prompting even more dialogs which led to the phenomenon that even less of those dialogs were ever read.

I still think it would be a better way to teach the user about security than to prompt him messages he/she does not understand anyway.

How about including a security and basic computer usage tutorial in the OS? Put in some porn and computer security will rise at once!

Re:Microsoft already replied

[Jurily]

That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.

I disagree. I used Vista exclusively for 5 months, and I only ever got a UAC question when I was trying to change some system settings, and that one time when I didn't, it turned out to be a trojan.

It's not that hard to anticipate a UAC question, really. Just ask yourself: "Would Linux require root for this?"
Actually, UAC is much more permissive.

And the people who get frustrated with it, shouldn't have admin rights in the first place.
Sure, the initial setup and configuration is packed with these, but it's worth it.

Security in UAC

[SeaFox]

The biggest security hole in Windows 7's UAC is the user.

Re:Security in UAC

[mrapps]

The biggest hole in ANY system is the user. Not particularly a Windows 7 user..

Re:Microsoft already replied

[Yvanhoe]

defectivebydesign, then ?

Re:Microsoft already replied

they should really make the user account non admin by default, and fuck up all programs written by twelve years old kids each assuming to be the god of the machine. I did tried to use a non admin account, but almost no game worked correctly, even most of the non Microsoft applications tried to write garbage everywhere in the system; no really, the log file in the program folder or windows directory, the savegame in a profile stored beneath the installation directory....

Re:Microsoft already replied

[The+New+Andy]

From Microsoft's reply:

* The only way this could be changed without the userâ(TM)s knowledge is by malicious code already running on the box.

* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)

What exactly is UAC then trying to protect people against? If protecting against malicious code isn't in the requirements, then it seems pretty useless.

"A prolific blogger ..."

[timmarhy]

people if that's not a big big warning sign i don't know what is. you know what this guy has discovered? if you login as administrator, attackers can do the same things you can.

This is no different to me browsing the web as root in linux and running any shit that pops up

Re:Microsoft already replied

[mwlewis]

Isn't that exactly what you quoted? If it's possible for malware to do this on your machine, then somehow it's already gotten past UAC, whether by some other hole, or by the user allowing it. What, exactly, do you suppose UAC is supposed to do in that case?

Hmmm

[Mr_Silver]

Seems like an odd bit of "by design".

Unless i'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious is going to happen.

The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particulary careful, it could then reset the UAC level back to the what it was before it started.

I'm now completely compromised without the slightest indication that anything suspicious happened.

Re:Anonymous submitters

Slashdot's readership seem to be very pro-privacy, and your highly rated comment is contradicting that philosophy. Governments would like every byte on the Internet to be traceable, is that transparent? If they got their wish, and then shared all traces, would that be transparent?

This is an intellectual site, and the articles posted are (ideally) meant to be interpreted objectively -- Slashvertising, astro turfing, and shameless self-promotion are not to be combated with transparency, but with the strength of logic.

My opinion is that Slashdot's article submitters should continue to have the choice to remain anonymous. If a story is crap, the identity of the submitter shouldn't be necessary to detail the ways the story is crap.

This argument is also simply ideological, technically speaking a submitter can create a Wikipedia-style sock puppet and submit the story via an unsecured proxy.

Posting this anonymously for the irony.

Re:Microsoft already replied

[MrNaz]

There is no way to properly prevent further attacks once a box is compromised. That's the nature of being compromised.

UAC is a stupid idea

[Peaker]

If you look at the computer as a whole, it is incredibly stupid that after the user selects some option, the computer will pop up a dialog asking the user if he is indeed the one who selected this option.

I realize the series of historic accidents that led to this absurd situation - but couldn't they figure out a better way that does not make the computer behave so incredibly stupidly?

Re:UAC is a stupid idea

[JasterBobaMereel]

The problem is there is in Windows no difference between an interactive task and an interactive task that presents no interface, this means that UAC has to prompt for the very very obvious like "did you really press the button marked install" because it has no idea if the user did something or it was done for them ...

Because Microsoft does not have a proper installer interface that installs programs for you.. instead each program has it's own installer/updater Windows has no control over the process and does not know if the user has been asked or not ... Unix style package management systems are one solution where the install is managed by one system which asks the users permission then monitors the installation process ...

Re:Microsoft already replied

[macs4all]

"There's no good reason for writing there,"

Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.

Um, isn't that exactly what happens in OS X with Preferences?

In OS X (and *NIX???), USER preferences are stored in the USER's "Home" directory. That way, permissions to write the "Applications" directory can be more tightly controlled, AND the USER can be granted permission to write in a relatively safe place (safe "system-wise", that is).

Far be it for me to laud anything MacroSuck does; but, to me, this "symlink" just appears to be MS's attempt to provide a modicum of security for system and application files, while not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies), and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course). And before you cite the meme that "Windows Vista7 doesn't care about backward compatibility.", keep in mind just HOW stupid and suicidal such a move would be for MS if it were TRULY the case...

With OS X's Package approach, you get the best of both worlds: Dependencies are grouped together for easy maintenance, copying, and REMOVAL; but things like Preferences are not only PER USER, but they are in a place that can be written WITHOUT FEAR OF SYSTEM COMPROMISE!!!

Sheesh! Is it REALLY so hard???

Re:Microsoft already replied

[PopeRatzo]

A hole's a hole.

And a beta's a beta.

That's why they make disclaimers.

Bugs in Beta?

[Lord+Byron+II]

Why are we talking about a bug in beta software? This is code that is still 6-12 months from release.

Anonymous Coward

I don't see this as a security hole. The first thing I did after installing was disable UAC. All it does is protect users from themselves...

Also, it using sendkeys in a script would be rendered completely useless if it was executed while the user was typing something, so this would only work assuming the user executed the script, and then immediately afterward went to take a piss...

Re:Ubuntu is vulnerable!

[redxxx]

Note that most distributions don't enable sudo for the user account per default (not even Ubuntu's parent distro, Debian), it would be interesting what the Ubuntu folks would say if you suggested turning off sudo per default.

Then users will need to know their administrator password, and will end up using it as an account.

Sudo prevents a certain large segment of the potential Ubuntu population from being retarded. It's a calculated risk, but I don't think they would change their position. It is not one they arrived at by chance.

Re:Microsoft already replied

[Nursie]

"not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies),"

Who said ANYTHING about user settings?

You know MS push their OS's for corporate and server use, right? And that they've got this UAC bullshit in 2k8 as well?

and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course).

Which is precisely the FUCKING point for a SYSTEMWIDE SERVER APPLICATION. Users with the correct permissions should be able to edit the file, and the process (running as a different user) should be able to read the file. NOT have it SILENTLY squirreled away somewhere else.

Spring up another warning, log an error, do whatever, but don't silently pull this shit.

Re:Microsoft already replied

[Foolhardy]

The preference files in the Windows user directories are hidden in arcane locations.

It took me 5 seconds to google some docs for user profile paths: User Data and Settings Management

Makes sense that the Outlook data would be in C:\Documents and Settings\\Program Data\Microsoft\Outlook but it's not.

Instead, the roaming stuff goes into:
C:\Documents and Settings\USERNAME\Application Data\Microsoft\Outlook
And the non-roaming stuff goes into
C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\Outlook
Doesn't seem so awful.

The only way to ehfin find it is to back the stuff up! What if the computer crashed and I can't RUN outlook???? I'm hosed (this actually happened)

Copy the user profile over?

Re:UAC isn't "security"

[rsmith-mac]

At some point this tripe gets ridiculous, particularly when Vista has been out there for over 2 years now. The Win32 API has its flaws, but security issues are due to problems with the underlying OS, not the API.

If there are security flaws in the Win32 API as implemented by Vista, please by all means point them out. But I'm going to be surprised if you can point out anything that doesn't fall under "It's a system level change, you need admin credentials moron" school of thought. Most people don't understand security nearly as well as they think they do, and Slashdot is no different.

Re:UAC isn't "security"

[argent]

Since everything in the OS is exposed via the Win32 API... you can't even see the NT kernel API unless you're someone like Softway Systems... the difference is academic. So is "it's a system level change", when it's a system level change that thousands of applications (for many of which the source is no longer available) depend on.

"There are APIs in Windows that applications have been written to use, that should not be exposed to untrusted applications. These APIs can not be blocked without breaking too many legacy applications, so UAC makes the user responsible for deciding when they should be allowed." Better?

The fact that these APIs were made available for general use was a security flaw, but one that didn't much matter when there was no security. Now they make security impossible.

This is the same logic as the stupid security dialogs in IE and other applications that use the Microsoft HTML control. It's not "security", it's "we're afraid to make the OS/libraries/COM objects/APIs secure, so we're putting it on you, the user".

Re:UAC isn't "security"

[rsmith-mac]

Should the user not be free to run software as they please then? Because there are plenty of complaints just in this article that are people bitching about just that - how Vista is somehow preventing them from doing what they want. Should "untrusted applications" be everything other than a select few applications that only Microsoft gets to define?

And if not, how should users tell the OS that an application is trusted? Perhaps they could indicate that in some kind of dialog box...

At the end of the day the user is the only one responsible for their system. If they want to run an application that will wipe their hard drives, drink all their beer, and knock up their wife, then that is their right, and their responsibility. Sadly too few people seem to understand the latter part of that.

Re:Microsoft already replied

[techprophet]

Google was unavailable at the time. If you have to google to find where your application data is, it is arcane.

Funny, if you have to google it in Linux, it's hard to use, but if you have to google it in Windows, it's obvious.

Re:You dont know what you are talking about

Well, don't keep us in suspense here, Mr. MCSE. What's the difference?