Security Hole In Windows 7 UAC

An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."

"Gerald"

[plasmacutter]

Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.

Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.

Re:"Gerald"

[MasterOfMagic]

He's getting very old, but he's a good mouse.

Re:"Gerald"

[tcolberg]

So, MSFT replaced the innards of Windows 7 and replaced them with the engine of a Fiat Panda, as per Jeremy Clarkson?

Re:"Gerald"

[DMUTPeregrine]

You're the kind of troll that fits in with my world.
I'd mod you anything, everything if you want thing.

Short: Don't work as Administrator

This was discussed elsewhere (heise.de) earlier...

Short answer: this only works iff you are logged in as Administrator already...

Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning". Even adding captchas/moving the warning around/whatever will only be a fake-solution that will only work 'till there's a better script.

Re:Short: Don't work as Administrator

[ta+bu+shi+da+yu]

Apparently Raymond Chen posted a response at http://blogs.msdn.com/oldnewthing/archive/2009/01/21/9353310.aspx

It appears that they are getting a "Service unavailable" prompt. Could it really be that they are running their blogs on an IIS server that is running Windows 7? Shock horror, it appears that someone has elevated privileges using vbscript to bypass UAC and has changed the IIS app pool to run under a guest account!

Re:Short: Don't work as Administrator

if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning"

That's completely wrong. The entire point of the UAC prompt is that it can't be automatically dismissed by simulated user input. The UAC prompt runs on a separate virtual desktop from everything else (which is why it flickers), and the kernel enforces that only real user input can touch it, and you can't run your own code in the kernel without going through a UAC prompt, so it's secure.

If this guy is right and UAC can be disabled without user input, then the entire UAC system instantly becomes pointless. Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts. If you can't do that, then UAC has failed. Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

Re:Short: Don't work as Administrator

[Yvanhoe]

I wholeheartedly agree : don't work as administrator on windows systems.

Re:Short: Don't work as Administrator

[nstlgc]

Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts.

Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.

Re:Short: Don't work as Administrator

[Darkon]

Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

And only when Microsoft change this will Windows be half way towards being secure.

Re:Short: Don't work as Administrator

I'm afraid you're wrong. When UAC is on programs you execute are run under your user account which is normally (by default) a member of the Administrators group. However, the programs are run in a special mode where they are prevented from actually using most of the administrative rights granted to your account. (You can read all about it in Wikipedia.) When a UAC prompt comes up you don't have to type a password because you're not logging in to a different account; you're just granting permission to use the full administrative rights your account already has.

It is also possible to use UAC from a non-administrator account. In this mode you must type a password every time a UAC prompt comes up, instead of just clicking "continue". Few people do this because it is not the default setup and it's even more annoying than regular UAC.

Re:Short: Don't work as Administrator

[drsmithy]

Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning".

You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

Re:Short: Don't work as Administrator

[Darkon]

Which was done with Vista.

No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

Re:Short: Don't work as Administrator

[Kjella]

The real problem, and one that doesn't have a good techincal or sociological fix, is that most windows users are doing administration duties that far exceed their skills. Users get confronted with all sorts of dialogs they don't understand but just want to get on with it. I bet you, that if you popped up a page to someone saying "This video needs a newer version of flash" and redirected them to some completely bogus page that gave them a plugin with a completely bogus signature most people would go ahead and install it anyway. What is the latest version anyway? Couldn't even remember who makes it, and those companies keep on merging and rebranding and whatnot. No amount of UAC, or running as an unprivilidged user could possibly fix that because they are the ones with the admin keys and they're handing them out too easily.

Most users don't understand trust, they want to see a nice little lock icon telling them this site is safe, this site is bad. Same goes for plugins. Same goes for software. If you try educating them they'll just go blank *bad thing* *bad thing* *REALLY bad thing* but they won't understand and just want the simple answer. There's some very professional looking sites out there that appear to give you good software. They often even look better than the real deal because the frauds are all about appearances while the real sites focus on delivering good software, no offence intended. While it does amount to some degree of security scissors, most users would be better of if they only downloaded from safe, verified sources of software and plugins. If only Linux would stop asking all the other technical questions, the repository model would be much better for these people. It's not the end-all and be-all of security but it concentrates 99% of the superuser tasks in one place and makes it that much harder for some random application to throw up a superuser prompt.

Re:Short: Don't work as Administrator

[0100010001010011]

Why is it that I can run as an 'admin' account on both Linux and OS X with out this happening? If I need the power I have sudo from the command line or OS X gives me a prompt.

Re:Short: Don't work as Administrator

[drsmithy]

No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

"Administrator" in Vista is not the same as "Administrator" in earlier versions. It is akin to be being an 'admin' in OS X or Ubuntu - it just means you can elevate your privileges if required, not that you can do whatever you please.

Re:Short: Don't work as Administrator

[techprophet]

Oh, there's a way. I've already done it. [Code Unavailable to prevent scriptkiddies from doing it too]

Re:Short: Don't work as Administrator

[Jeremy+Visser]

You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

Right on the money.

I use Synergy 2, which lets me control my keyboard and mouse from another computer over the network. It's functionally no different to a keypress simulator like the G.P. mentioned.

When using Synergy, I cannot use the remote mouse and keyboard to accept UAC prompts. I have to move to the local machine and physically click the button locally for it to work. Same goes for administrative apps -- if an app is running with administrative privileges, Synergy cannot register clicks on the privileged window. Unless I run Synergy itself as an administrator.

Re:Short: Don't work as Administrator

[mpeskett]

When has a windows administrator account ever meant that you could do whatever you please?

I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted". Never mind the fact that I've changed the location of that folder by fiddling with the registry to put it on a separate hard drive, the redundant copy on C:\ is still protected against deletion.

Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.

Re:Short: Don't work as Administrator

[Spacezilla]

Is this really a problem? Can't the malware just install a mouse driver and get that to send the necessary mouse click so Windows thinks it's a physical mouse button being pressed?

Unless you need to click Accept when plugging in a mouse?

Re:Short: Don't work as Administrator

The short answer: Because you're not really running as an admin. On OS X, the "admin" accounts are not really admins. They are allowed to authenticate to use root privileges however. To put it simplified... for *nix, regular user accounts are a member of the "users" group. If you decided that user account should have access to the sudo command, you add them to the "wheel" group (at least that's how it's setup on my distro).

Now, let's compare to Windows Vista/Windows 7: Your "regular" user account is actually a member of the administrators group. The application in question is asking permission to use your full administrative permissions. You are not inputting a password to authenticate higher privileges. You already have them, you just saying "sure, go ahead" to the application/installer/whathaveyou.

Re:Short: Don't work as Administrator

[drsmithy]

Is this really a problem? Can't the malware just install a mouse driver and get that to send the necessary mouse click so Windows thinks it's a physical mouse button being pressed?

If the malware already has access high enough to install hardware drivers, a need to click on UAC prompts seems a bit superfluous, no ?

Re:Short: Don't work as Administrator

[rhsanborn]

Something they've been trained to do as a result of shortcuts and hacks used by applications written for Windows for years. I'm reasonably sure a check book balancing application shouldn't need administrator privileges to run, but so many applications are written that way, probably a little because it's easier, and a little because so many people use administrator accounts that it doesn't matter.

Microsoft is in a tough position with regards to this. A large portion of the annoyance with Vista was 1) compatibility, which stemmed from bad time frames and poor vendor interaction, admitted, but also from enforcing proper security and structure that they hadn't done, that broke poorly written code. 2) from UAC going off very frequently due to applications constantly trying to elevate their privileges which is in most cases unnecessary.

Re:Short: Don't work as Administrator

[mario_grgic]

Well it's not that simple. On OS X for example you can be an administrator and you still can't delete system files. You need to be root to do that. Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do. On Linux you can.

So for that hypothetical admin user to delete everything he would have to first become root (either by doing sudo, or starting a root shell, being authenticated first) and then executing rm -rf /

So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

Re:Short: Don't work as Administrator

[GooberToo]

Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.

So how is one to use an administrator account without using an administrator account. You've completely missed the boat here. The gp is correct and you are wrong. The point is to allow secure access to administrator accounts without having to actually, explicitly log in as a desktop user as an administrator. So in that sense, you are right, but it does not change the fact the entire point, as the gp stated, it so allowed secure access to administrator accounts.

Re:Short: Don't work as Administrator

[silent_artichoke]

Generic mouse drivers are already installed. I have plugged in at least 5 mice to my laptop and have never once been prompted by UAC.

Re:Short: Don't work as Administrator

[Golddess]

What if there was some sort of "UAC Settings Last Changed X Days HH:MM Ago" message that always displayed somewhere (on the login screen? or within the start menu maybe?), with the ability to view side-by-side what the settings used to be before then, and what they are now?

Re:Short: Don't work as Administrator

[denis-The-menace]

Easier said than done.
Many developers are lazy and create apps that only work if the USER is an administrator. Other times it will only work if the user that installed the app is the USER (Again, need administrator to install it in the first place!).

BTW: Fixing this is my bread and butter.

Re:Short: Don't work as Administrator

[drsmithy]

Generic mouse drivers are already installed. I have plugged in at least 5 mice to my laptop and have never once been prompted by UAC.

I'm not quite sure I see your point. The automatic installation of drivers (eg: for plug & play of mice) is handled by system-level processes that are already running. Again, if you can manipulate these in some fashion, you've already attained a high enough privilege level that faking user input to UAC prompts is unnecessary.

Re:Short: Don't work as Administrator

[TyIzaeL]

This doesn't apply to just Windows users. Its referred to as the dancing bunnies problem. It doesn't matter what OS the user is on. If they think they want what the particular malware claims to offer, they'll go through all the administrator prompts you can come up with to get what they want.

Re:Short: Don't work as Administrator

[ThaReetLad]

Not true. UAC uses a "secure desktop", which is when the screen dims, which effectively runs on a separate session precisely to prevent messages being sent to it from other apps

Re:Short: Don't work as Administrator

[ThaReetLad]

This is probably the real point of UAC. To get developers to write software that doesn't need admin rights

Re:Short: Don't work as Administrator

[ThaReetLad]

As Raymond Chen would put it, "It rather involved being on the other side of this airtight hatchway"

Re:Short: Don't work as Administrator

[afidel]

Um, it's easy for MS to block software that simulates keypresses, they already do it for UAC and the login dialog extending this to the warning screen (or more likely adding that to UAC) would be fairly trivial.

Re:Short: Don't work as Administrator

[afidel]

Actually the GP was right, your account does not have the admin bits set in the token when using UAC. Responding to the dialog adds those pieces to the token for that app on a temporary basis.

Re:Short: Don't work as Administrator

[drsmithy]

Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do.

sudo su -

Congratulations, you're logged in as root.

sudo passwd

Even more congratulations are due, you now have the ability to login from the login window as root.

So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

Actually, on an OS X system there are (or were, I haven't looked for a while) a lot of system-level files (including a lot of stuff in /Applications, like Installer.app) that are writable by any 'admin' user. So even without elevating, an 'admin' user could do a lot of damage to an OS X machine.

Re:Short: Don't work as Administrator

[SBrach]

With UAC you can install a program as a non-privileged user and the installer will ask for credentials for escalation. You can also set the compatibility settings of the program to run as administrator and that specific program will run as admin. The point of UAC is to either A) allow you to run a program as admin or preform admin tasks from a non-admin account or B) to allow you to run as admin and be prompted whenever a program tries to use those admin privileges.

Re:Short: Don't work as Administrator

[jpmorgan]

Yes, because if you don't run Synergy as an administrator it's running at a lower integrity level than administrator apps. Vista enforces integrity level isolation and prevents lower integrity level software from fiddling with higher integrity.

What's pretty cool is it runs IE in an even lower integrity level than usual, so if your browser gets hijacked it can't do anything other than write to its own temp directory.

Re:Short: Don't work as Administrator

[The+MAZZTer]

You can interact with UAC prompts remotely with Remote Desktop.

You can also deactivate the "secure desktop" if you're finding its more trouble than its worth (just be sure you understand the risks in doing so). Google around for the Group Policy setting (for "expensive" Vistas) or the direct registry hack (for every Vista).

Re:Short: Don't work as Administrator

[wastedlife]

Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do. On Linux you can.

Linux is an OS kernel, just like the UNIX one powering OS X. You are making an apples to oranges comparison. You need to look at the complete package. In most Linux distros that I have worked with, you are either not allowed to log in as root, or you are given ample warnings that you really shouldn't do that. Then, the only way for the hypothetical linux admin user to delete everything is to become root in the exact same manner you describe for OS X.

If you are worried about a foolish admin deleting everything on a *nix box, you need to pick a *nix distribution that limits root access intelligently, such as OS X or Ubuntu (SUSE and Red Hat may behave the same way, but I haven't used them in years).

Re:Short: Don't work as Administrator

[mario_grgic]

That's not what I'm talking about. Of course you can become root (or have a root shell). What I'm saying is you can not boot the computer and have root account as one of the options for you to log in as and run everything as root.

Also, one could argue that contents of /Applications are not system.

"System" lives in /System and in /Library and important parts in /usr

Of course you could go through this procedure to enable root account logins:

http://support.apple.com/kb/HT1528

But most OS X users do not do that. I certainly have not, I do all my limited admin tasks by temporarily becoming root with sudo (and very very rarely with root shell).

Re:Short: Don't work as Administrator

[kimvette]

In Linux (and OS X if you enable the root login) when you're root, it's assumed you know to not shoot yourself in the foot. In OS X, an admin isn't root. To actuall be root, you need to edit a config file (I forget which one) to enable the root login, then you can log in as root. However, OS X 10.2 and later make the admin process so friendly there is little to no need to ever log in to the desktop environment as root. If you need root in OS X, it's generally only for custom configurations of apache or samba, for which sudo will generally work fine, or you can just su - root. No need to log in to root via the GUI. Really.

As a regular user (even a wheel member) most distributions (and OS X) are smart enough to prompt you for the root password if you're requesting changes which require root to do so, and those credentials are either cached for that app and its children (in the case of YaST on SUSE), or, like sudo, you're authenticated for a period of time (some versions of OS X, I don't know if the current operates this way since my Mac is too old for leopard).

The problem is Windows' security model is hopelessly broken due to the shortcomings that come with backwards compatibility all the way to Windows 2.x and 3.x - on the old 16-bit environments it was never designed for networking to begin with (the network modules are fugly hacks) and are certainly not multiuser, so security was not even a consideration. This line of thinking continued even through Windows for Workgroups (which did have native networking) where security was only considered on the server side, and even Windows 95 which was fully networkable security was hardly considered because it was not considered a multiuser system and one of the selling points was near-100% backwards compatibility with all your favorite desktop applications - unfortunately including the ones which love to litter %windir%\*

Windows 2000 and Windows XP came from a grown-up OS called NT, but brought with it the backwards compatibility promised by Windows 95. This is due to applications like Quicken, Quickbooks, etc. - essentials for the continued success of Windows as a desktop operating system. Unfortunately those applications require administrator access because they were developed on Win16 and ported to Win32 with NO consideration for following best practices, especially for the install process. (note: when I've developed installers, all the way back to 16-bit, I've always followed best practices to avoid those issues on the client side even though my employer at the time would never pay the dough for the Windows logo certficiation process. My installers would have passed though! It doesn't take much effort to do so, and it makes maintainability easier and eases the load on support by avoiding DLL hell).

So, security has been broken by design. Vista and Windows X64 attempt to limit the problem through limited sandboxing and Windows File Protection, and Windows XP (x86) through Windows File Protection, but running older apps incur so many UAC prompts (or just plain won't work) that one is better off just turning off UAC and relying on antivirus and antispyware software. The only reasonable way to have backwards compatibility with previous Windows versions without broken security is through a compatibility layer like wine (but do you think M$ will really contribute to wine?!) or through virtualization, probably breaking directx components in those apps in the process.

Re:Short: Don't work as Administrator

[wastedlife]

This is why better computer education is the only truly viable solution. Anti-Virus (aside from worms getting into system vulnerabilities) is only a stop-gap until users are better educated in computer administration. Moving the "low-hanging fruit" to UNIX and Linux-based OSes is another stop-gap until those users start getting targeted by malware writers also. While I don't contest that these OSes are far more secure than Windows architecturally, most malware out there preys on the user's ignorance.

Re:Short: Don't work as Administrator

[plague3106]

You assume that MS is really braindead. They're not. UAC runs on a private desktop that only the Consent.exe program can access. This security feature is the same that the Windows CardSpace control panel item uses to protect you from programs trying to get you Card.

Here's a post with links that explains: http://channel9.msdn.com/forums/Coffeehouse/252090-Windows-Cardspace-Control-Panel-WTF/?CommentID=295064

Re:Short: Don't work as Administrator

[plague3106]

Um, that's what they've done. User programs that are causing UAC prompts are built wrong; they're trying to write to \Program Files, and that's been a no-no since Win2k. That's why many programs require Admin access. UAC was SUPPOSED to be annoying so that developers were forced to fix their badly implemented applications. That was the idea anyway, whehter or not it had the intended affect I don't know. Probably not, since people bitch about UAC (and many of these same who run Linux have no problem supplying the root password when they run an X admin tool from a normal user account).

Re:Short: Don't work as Administrator

[plague3106]

Don't buy it. If it can be done, you're not the only one that has, and it's likely script kiddies have the code anyway. More than likly, you're just some guy on a message board claiming to have done something he hasn't.

Re:Short: Don't work as Administrator

[msuarezalvarez]

Running rm -rf / as root will not be stopped when it deletes the command itself. Try it in a VM.

Re:Short: Don't work as Administrator

[Jurily]

Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.

No, it doesn't stop, it's already in memory. It only stops when you realize it's taking too long and press Ctrl+C.

I yanked a system drive out once. It was a mobile rack, and I was in a hurry... When I got home it was still running, I could still chat with Valknut (it was maximized). It only crashed when I pressed alt+tab.

Re:Short: Don't work as Administrator

[techprophet]

Good point. But how do I know you're not a script kiddie trying to get me to hand over the code?

Re:Short: Don't work as Administrator

[Phoenixhawk]

Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

And only when Microsoft change this will Windows be half way towards being secure.

Correct me if I'm wrong, but the default IS limited user account when creating a account.

Now the account created during install is an admin account, but I believe it safe to say if your the one installing the operating system, your responsible for the administration of that computer.

Still it could be better, but you have to have a admin account before you can really have anything else.

But what alternative is there other than admin account named root with a general knowledge password of Microsoft, that the average user will never change?

Re:Short: Don't work as Administrator

[jamstar7]

Last time I looked, Redhat (Fedora, actually) wants you to make a root account at install. That was with FC7, the last time I ran Fedora on one of my machines. Ubuntu adds the first user account created in a fresh install to the sudo list.

There is a way to get a shell with root access so you can do a bunch of things without bothering with sudo, but I'm not gonna tell ya how.

Re:Short: Don't work as Administrator

[tknd]

It is also possible to use UAC from a non-administrator account. In this mode you must type a password every time a UAC prompt comes up, instead of just clicking "continue". Few people do this because it is not the default setup and it's even more annoying than regular UAC.

I think that was what the GP was trying to say. I run as a normal user and never touch the admin account unless I need to install software. I also configure other windows systems in this manner so that the user doesn't just click away. The only software that has issues are some old apps that do stupid things like write to their programs directory during normal use. Some older games would do this but you can prevent the UAC prompts by changing the game's directory to have write permissions for regular users.

Re:Short: Don't work as Administrator

[Firehed]

UAC, believe it or not, can't be controlled by scripts or other software-based inputs - it only accepts input from physical hardware. Which is a good thing (assuming this bug is fixed which would get around the need to do so, anyways). I don't know the tech that's causing that to happen (a sibling poster explains it better), but I can say that it DOES work.

Or, at least, this was the case using a Vista admin account. Found it out the hard way when trying to click OK in a UAC prompt via peripherals being shared with Synergy. Can't speak for Windows 7, but I can't imagine they've intentionally made it less secure. It confused the hell out of me for a while, but when I finally figured out what was happening I was in fact glad that they'd done it that way (even if it still meant that I had to find a spare mouse to click OK in the prompt with actual hardware).

See- this is why we have betas. Stupid but non-obvious bug that somehow slipped through can now be fixed before it affects millions. I hate to give MS credit (especially as a Mac user), but they really seem to be getting a lot right with 7. Not to the point of switching back, but hopefully to the point where the whiny fanboys from both sides may take a couple moments to STFU.

Re:Short: Don't work as Administrator

[wastedlife]

There is a way to get a shell with root access so you can do a bunch of things without bothering with sudo, but I'm not gonna tell ya how.

Don't worry, I know about "sudo su", which will change the shell to root without having to know or change the default(random?) root password in Ubuntu. You can also go into a "recovery mode" during bootup that brings you to a bash prompt as root. If you are talking about getting into Gnome, KDE, or whatever your poison as root, I know there are workarounds. However, I'm not talking about what is possible, I'm talking about how these distributions are designed so someone doesn't accidentally "rm -rf /", or something equally stupid, when running as an Administrator level account.

Re:Short: Don't work as Administrator

[ciggieposeur]

where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself...

No it doesn't. Once 'rm' is executing it won't stop until all files it can delete are deleted.

You can also do "cat /dev/zero > /dev/hda" and watch the various daemons start dying and even some kernel oopses, yet 'cat' keep going.

Re:Short: Don't work as Administrator

[Helldesk+Hound]

> If this guy is right and UAC can be disabled without user input, then the entire
> UAC system instantly becomes pointless. Saying that you shouldn't be running as
> administrator is stupid; UAC's purpose was to make it safe to use administrator
> accounts. If you can't do that, then UAC has failed. Anyway, Administrator
> accounts are the default and therefore what 99% of users are going to be using.

I agree, that people should not be logged into Windows boxes as if they were the Administrator of that system (This, of course, is well understood and practised by the vast majority of people who have access to Unix boxes)

User Access Control is utterly pointless. People should only be using the Admin account if they want to administer their system, such as applying updates, installing software... oh wait. - where did they get that software from in the first place!!!

Essentially if you're talking about ordinary people using MS Windows in their home, there is no way you can protect those PCs from malware or viruses. They will just download more of that crap from another source.

The enterprise, however, that permits untested software to go onto ANY desktop computer should have their CIO's testicles removed so that sort of stupidity can't spread further in the gene pool.

Re:Short: Don't work as Administrator

[PeterBrett]

Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.

Actually, this is a myth. Because the file isn't actually deleted until all open file pointers to it are closed, and running a program keeps a file pointer open... rm -rf /* will happily keep running *after* deleting the rm executable.

Re:Short: Don't work as Administrator

[nedlohs]

Start->Run->cmd

cd "C:\Documents and Settings\Administrator"
rmdir /S Desktop

Deletes it just fine for me...

Re:Short: Don't work as Administrator

[causality]

Last time I looked, Redhat (Fedora, actually) wants you to make a root account at install. That was with FC7, the last time I ran Fedora on one of my machines. Ubuntu adds the first user account created in a fresh install to the sudo list.

There is a way to get a shell with root access so you can do a bunch of things without bothering with sudo, but I'm not gonna tell ya how.

Ubuntu's setup is just a simple matter of configuration (as you know). There's a few ways to get an unfettered root shell in Ubuntu. You could use "su" (installing it if need be), you could do "sudo bash", or you could unlock the root account so that you can simply login as root. This sort of management of user accounts and privileges is one of the most basic system administration tasks imaginable.

I just mention that not to tell you anything you don't know (I really doubt I'm doing that) or to antagonize you, but that I think "not gonna tell ya how" creates a mystique that could be replaced with an understanding of both how to do these things and when not to do these things. Ubuntu gets one thing right, which is that a user knowledgable enough about the basics to modify their setup is probably also knowledgable enough to understand why the limited use of root is a good thing. I feel like proper privilege separation is one thing that Unix got right, from the beginning, and that the severity of many of the security issues on Windows are because it is still playing catch-up (UAC is a step in that direction but not a real substitute). I think the Ubuntu setup is a pretty good default but I think that because of Ubuntu's target audience, which could be contrasted with LFS's target audience or Gentoo's target audience.

Re:Short: Don't work as Administrator

[denis-The-menace]

This is useless if the install program sets up ONLY the profile of the user that installed it. Any other user account could get Admin credentials but the registry tweaks and Application data folder changes would not magically appear unless the package uses Active Setup or have MSI do a CPU-intensive Per-user self-heal.

Most of the time you don't need (or want) to give the user Admin credentials. They could do things like launch explorer.exe with those Admin credentials and your workstation security goes out the window.

Re:Short: Don't work as Administrator

[canajin56]

You can delete any file you want when logged in as Administrator. The GUI won't let you, but who cares. You can't compare the Windows GUI to bash. Now, maybe the Gnome File Browser will let you delete /boot or /bin. Windows Explorer won't let you though. That's not fascist, that's a legitimate design decision, prevents "whoops" moments. Plus, you can turn off the "Protect System Files" option under folder options or preferences or wherever it is, thus allowing you to use Explorer to add and remove binaries/sym links from %WINDIR%\SYSTEM32 (The Equivilent of /bin), or do whatever else it is you want to do...

The only difference is on *nix, you can delete a file that's open, and it'll be completely deleted once any file handles are closed. Under Windows it doesn't defer deletion if there are open handles still, it just refuses to delete. Which is why you can't update system libraries without a reboot, unless you can terminate all processes using that library.

Re:Short: Don't work as Administrator

[plague3106]

If I were a script kiddie, I'd already have the source from another location..

Re:Short: Don't work as Administrator

[MobyDisk]

You are incorrect. *ix functions exactly the same way as Windows in this case.

I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted"

Do that from the command-line and Windows will not stop you.

Contrast this against the stories about *nix systems where some fool runs rm -rf as

The equivalent command in Windows is del /s C:\, and it will delete anything that is not in use, that you have permission to delete.

Re:Short: Don't work as Administrator

[innocent_white_lamb]

No user would understand what that meant, or why he should care if it changed.

Re:Short: Don't work as Administrator

[nedlohs]

Well more than that, there was some magic already applied to the windows machine, but that undermines my post completely so best forget I mentioned it.

Re:Short: Don't work as Administrator

[glitch23]

Another case is when you try to delete/rename explorer.exe in XP. First you have to kill explorer.exe using Task Manager so that you don't get an access denied message. Then when you have a My Computer window open you rename/delete explorer.exe. It will let you do it however if you refresh the directory you will see that Windows automatically puts it back so now you have 2 (if renamed) or 1 (if you deleted the first one). Pretty clever although annoying if you have a corrupted explorer.exe that you are trying to fix. I'm still not sure where Windows grabs the explorer.exe in order to bring it back.

Re:Short: Don't work as Administrator

[shutdown+-p+now]

No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group.

With UAC in effect, this has essentially the same security as being a member of sudoers on a default Ubuntu install (which the auto-created user account is) - you still have to explicitly confirm any action that requires admin privileges. The only difference is that in Ubuntu, you are asked for the password to your own account; in Vista, you just click "Allow". Password in Ubuntu is there so that another app cannot hijack your system by simulating user input. Vista protects against that differently, by making UAC prompts secure from such simulation. Otherwise, they are functionally the same. So, no, you don't really run as an admin in Vista by default.

Re:Short: Don't work as Administrator

[jim_v2000]

UAC on all systems is irrelevant anyway. Users who know what they are doing don't need UAC, and users who don't know what they're doing are just going to click OK/put in their password to get the alert out of their face. There's only so much a OS can do to protect users from themselves while still allowing them to have control of their systems. Trust me, if the masses ever take up Linux, it'll be just as bad as Windows.

Re:Short: Don't work as Administrator

[coryking]

that people should not be logged into Windows boxes as if they were the Administrator of that system

Good, because Vista and Windows 7 agree with you. Nobody runs as Admin (aka "root") on Vista or Windows 7. They only elevate individual programs to "root" through a UAC dialog. The only time this isn't true is when some fool disables UAC, in which case their account runs as root.

The admin group in Vista/Windows 7 basically says "You can display a UAC dialog without a password on it".

Re:Short: Don't work as Administrator

[Larryish]

Probably not, since people bitch about UAC (and many of these same who run Linux have no problem supplying the root password when they run an X admin tool from a normal user account).

The key words here are admin tool.

When a userspace app requires root to run, "Houston, we have a problem."

Re:Short: Don't work as Administrator

[Helldesk+Hound]

MS Windows assumes that the Administrator is an idiot.

That sort of [apply][OK][Are you sure][OK] mentality is insanity that assumes the Administrator is an incompetent moron.

The administrator should be a highly competent analyst well capable of administering the machine to a high level of efficiency and excellence.

Are you sure?[click-yes] Are you Really Sure?[click-yes] You've been asked this twice before, but to be trebbly sure that you want this click "yes"[hurls MS Windows machine at effigy of Bill Gates _YES I'M SURE!!!_]

Re:Short: Don't work as Administrator

[mjwx]

I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted". Never mind the fact that I've changed the location of that folder by fiddling with the registry to put it on a separate hard drive, the redundant copy on C:\ is still protected against deletion.

Its worse on Vista, MS went the apple route and is actively hiding files and folders from the user. For example the CSC (Client Side Cache, used for offline folders) normally found in C:\Windows\CSC is hidden and even when found registers as 0 files using up 0 Bytes nor will Windows let you navigate to it. This is when Vista recognised 6 GB free on a 40 GB drive with only 15 GB of data recognised. where did the extra 20 GB go. I only found out when I booted a Ubuntu Live CD that 19 GB of hidden data was stored in the CSC Folder. Even after turning off "Off-line Folders" I didn't get the 19 GB of free space back, I had to go back into Ubuntu to delete it.

Why are we running Vista off a 40 GB drive, because this idiot of a manager wanted to run Vista on his Mac Book Air. Stupid enough to by a MacBook Air, dumb enough to like Vista and wonders why nothing works in his world.

Re:Short: Don't work as Administrator

[Splintax]

Not really. UAC is useful because it makes it immediately obvious when a program requires administrative privileges. This should reduce the prevalence of software that requires administrative privileges to run. Hopefully, that will then make people more suspicious of software which requires administrative privileges - part of the reason people just blindly click "OK" is because there are a lot of tasks out there that require you to do so when it shouldn't be necessary.

Re:Short: Don't work as Administrator

[Splintax]

You don't need to know that. You've made an extraordinary claim. The burden of proof lies on you.

Re:Short: Don't work as Administrator

[Fri13]

The UAC was build just to allow users to run non-administrator account.

Earlier than Windows Vista, you ran your system as administrator that you could use your computer.

On *nix systems (different Linux-distributions, BSD-distributions, Mac OS X etc) you were by default a normal user.

All applications were designed to work as normal user. On Windows-systems, you did not need to know anything about admin user situation.

Now on Vista, you got UAC what allows (or it should if first user would not be again a admin, even on the Windows 7!) user to be a normal user. Because all software makers need to make applications work like on *nix systems, work for normal users without needing a IT-degree to tweak system.

With UAC, you can use normal accounts. But when needed, you can get admin rights to maintaint system, when you are tweaking something what is outside of your user rights. What shouldn't happen often!

On *nix systems (I use Linux OS) like Mandriva, I need root password only a 1-2 times a month. When I install new software. All system updates goes by my password. On Windows 7, I need to click more often "Allow" button every day. And now I need to give admin password because I turned my account to normal user because it was by default a administrator. very stupid from MS. But hey, I am normal user and not administrator and I can actually use my computer that way.

Re:Short: Don't work as Administrator

[Fri13]

sudo su -

What? why not just "su" and give the damn root password.

sudo passwd

What? When you are logged in as root, you do not need sudo to change password.

Is this somekind "Ubuntu" logic that you need to run everything as sudo? For Ubuntu users the sudo command seems to often to mean "run".

"run apt-get update" or "run apt-get install name"

Ubuntu users do not even understand the problems of sudo what Canonical has mde because it use sudo as root replacement and not as why sudo was designed in first place.

Re:Short: Don't work as Administrator

[Golddess]

Why not? It seems pretty analogous to the "Your last successful login was on [DATE]. There have been X unsuccessful login attempts since then." message that my bank displays any time I do online banking.

Just because some people would be apathetic to the message, doesn't mean it wouldn't work.

Re:Short: Don't work as Administrator

[jamstar7]

I just mention that not to tell you anything you don't know (I really doubt I'm doing that) or to antagonize you, but that I think "not gonna tell ya how" creates a mystique that could be replaced with an understanding of both how to do these things and when not to do these things.

Point I was making is, those of us who already know how, know enough to not shoot ourselves in the foot. The info is out there, and in the course of finding it, the newbie's gonna learn why doing it is a Bad Idea until they learn enough to not screw it up totally.

Re:Short: Don't work as Administrator

[causality]

I just mention that not to tell you anything you don't know (I really doubt I'm doing that) or to antagonize you, but that I think "not gonna tell ya how" creates a mystique that could be replaced with an understanding of both how to do these things and when not to do these things.

Point I was making is, those of us who already know how, know enough to not shoot ourselves in the foot. The info is out there, and in the course of finding it, the newbie's gonna learn why doing it is a Bad Idea until they learn enough to not screw it up totally.

In a way I think we're taking two slightly different approaches and arriving at the same place. That often happens when I am knowledgable about a subject and am discussing it with someone else who is also knowledgable about the subject. I consider it to be something like a stylistic difference.

I agree strongly that "the info is out there". I think the biggest difference between a skilled admin and a newbie is that the skilled admin knows how to educate himself where a newbie tends to be much more passive in this regard. So often someone is considered an "expert" or not based on how much they have memorized. Sysadmins may be called upon to perform a task when they may have never done that precise task before; they just know how to find good information and how to integrate it with their existing knowledge and how to find parallels between the new information and what they already understand. I appreciate your reasonable response and can add that I cannot help but agree with you about the (strong) importance of obtaining your own understanding of what is a Bad Idea and why. Especially the "why", as I consider that more important and more useful than a list of do's and don'ts, however comprehensive that list may be.

Re:Short: Don't work as Administrator

[ozphx]

Roughly. The local desktop is screenshotted, dimmed, and sent over IPC to the fkn consent.exe in the secure desktop.

This drives me damn nuts, as it seems to add lag if I've left a game running in the background :P

Re:Short: Don't work as Administrator

[jim_v2000]

You have more faith in users than I.

The beta worked!

[jamesmcm]

The beta worked perfectly!
Even the malware will be ready for Windows 7!

Microsoft already replied

[DavidR1991]

MS have already said that this flaw is "by design" to stop the appearance of too many UAC prompts when users alter their own system settings

http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/

Re:Microsoft already replied

[jamesmcm]

That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.

Really, they should make it just notify the user when any software changes any vital settings, it's just too slow otherwise (Try moving Admin, read-only files on Vista, it took ages messing about with permissions and hundreds of UAC windows before it'd move - slowing file management horribly).

Re:Microsoft already replied

[arogier]

Wait Microsoft intentionally made an annoying feature insufficiently annoying to prevent greater annoyance? A hole's a hole.

Re:Microsoft already replied

[Jurily]

That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.

I disagree. I used Vista exclusively for 5 months, and I only ever got a UAC question when I was trying to change some system settings, and that one time when I didn't, it turned out to be a trojan.

It's not that hard to anticipate a UAC question, really. Just ask yourself: "Would Linux require root for this?"
Actually, UAC is much more permissive.

And the people who get frustrated with it, shouldn't have admin rights in the first place.
Sure, the initial setup and configuration is packed with these, but it's worth it.

Re:Microsoft already replied

[Yvanhoe]

defectivebydesign, then ?

Re:Microsoft already replied

they should really make the user account non admin by default, and fuck up all programs written by twelve years old kids each assuming to be the god of the machine. I did tried to use a non admin account, but almost no game worked correctly, even most of the non Microsoft applications tried to write garbage everywhere in the system; no really, the log file in the program folder or windows directory, the savegame in a profile stored beneath the installation directory....

Re:Microsoft already replied

[Nursie]

UAC is horrible.

Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

Re:Microsoft already replied

[The+New+Andy]

From Microsoft's reply:

* The only way this could be changed without the userâ(TM)s knowledge is by malicious code already running on the box.

* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)

What exactly is UAC then trying to protect people against? If protecting against malicious code isn't in the requirements, then it seems pretty useless.

Re:Microsoft already replied

[cgenman]

I kind of agree with the less-is-more approach to end user interactions. I get a lot of clients who have learned to cope with the modern click-prompt overload by simply clicking somewhat randomly on everything that comes up in front of them. Frequently, this leads to disabling some vitally important part of their computer in a way that any person who actually read prompts would have easily avoided.

Sadly, the less computer savvy you are, the more likely you are to be constantly deluged with upgrade prompts from Adobe, install requests for Safari from Apple, and the multitude of prompts when Hewlett Packard's genuinely awful drivers crash. Prompts to continue subscriptions to Symantec, upgrade to the latest acrobat, log in to windows messenger, etc. And, of course, each separate component has its own prompts. "Click here to upgrade. I see you've clicked here to upgrade, would you like me to go to the internet and upgrade? Upgrade will begin when you click the OK button below. Upgrading... Upgrade has completed, click OK below to continue. Thank you for upgrading, please visit unintelligiblylongwebsite.com/pagenobodywilleverclickon.html to give us feedback on this process. Press Dismiss below to return to the installer. Thank you for returning to the installer. If you are satisfied with this interaction, press OK below."

90% of users have no idea what their computer is doing, or should be doing, under the hood. If they weren't already suffering from click-fatigue, they wouldn't be the right people to decide on technical issues anyway.

Obviously, it shouldn't be possible to disable UAC without actually getting a UAC prompt. But in general, UAC is an annoying system that most users completely tune out. Instead of hightening user knowledge, it simply drowns out any real issues.

Re:Microsoft already replied

[nstlgc]

Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM.

It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

There's no good reason for writing there, and doing so is exactly what messed up "running as an administrator" in XP and below. Ask the author of your application to make it less retarded.

It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC. It's almost like you're being proud of being an idiot.

YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

Yes, I'd prefer that they would install like normal drivers (not at system startup) and that they go through the effort of getting signed. And if you're still on 32bit Windows, this is not even a problem.

But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

Re:Microsoft already replied

[mwlewis]

Isn't that exactly what you quoted? If it's possible for malware to do this on your machine, then somehow it's already gotten past UAC, whether by some other hole, or by the user allowing it. What, exactly, do you suppose UAC is supposed to do in that case?

Re:Microsoft already replied

[netsharc]

Adobe Acrobat is the stupidest in their upgrade regime... it's a non-vital component, but after it updates itself: "You have to restart your computer in order to complete the updates. Restart now? Yes/No".

F*** you, if you were the kernel I'd understand.. you're just a viewer for an overused document format ffs!

Re:Microsoft already replied

[Nursie]

"Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM."

No, my application is not signed or recognised by MS, who believe they should have the final say over these things. A nice little box pops up saying "your system administrator has set policies to stop these things running at startup" and allowing you to click on them to start them up.

*I* am the system administrator and there was no way I could find to stop this behaviour, despite looking in all the UAC dialogs.

"There's no good reason for writing there,"

Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.

"doing so is exactly what messed up "running as an administrator" in XP"

No, what messed up "running as administrator" was "running as administrator". I don't need to write to program files to fuck up your system, if anything you run has admin privileges.

"Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC."

Where did I complain about warnings?
I don't give a crap about warnings.

"It's almost like you're being proud of being an idiot."

And it's almost like you can't read.

"if you're still on 32bit Windows, this is not even a problem."

This is all on Vista 32 bit.

But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

And what *exactly* do you mean by that? WTF is wrong with software not written by a company big enough to pay MS to get things signed? Shouldn't I, as an educated power user, be able to decide to run what I want?

Why shouldn't I have the flexibility to run windows with the UAC security turned on (so I get warned about unautorised system changges), but be able to add startup exceptions of my choosing?

It's a clusterfuck, it's a bad hack which fails to leave any room for flexibility, whilst at the same time implementing dodgy compromises in the name of backward compatibility.

Re:Microsoft already replied

[myxiplx]

Protect people? Where on earth did you get that idea?

As far as I can see, UAC is all about protecting *Microsoft*. They've just shifted the responsibility for a whole class of security exploits to the end user:

"Infected by a virus? Oh dear, you must have clicked 'accept' at some point, not our fault."
"What do you mean you have to click 'accept' for everything?"

If they were serious about security they wouldn't have buried things like Winternals Protection Manager. That had the potential to really improve security for Windows XP (you could finally run everything as a limited user, and assign individual applications greater rights if needed, and could also whitelist allowed applications in an easy to use manner), but surprise surprise, within a few months of its launch, Microsoft bought the company and discontinued that product.

Re:Microsoft already replied

[LingNoi]

block further attacks obviously.

Re:Microsoft already replied

[The+New+Andy]

UAC should prevent it from disabling UAC?

I don't see how UAC was supposed to prevent you from downloading said malware, nor should it prevent you from running it - what it should be doing is preventing it from doing anything you didn't authorize it to do.

Re:Microsoft already replied

[MrNaz]

There is no way to properly prevent further attacks once a box is compromised. That's the nature of being compromised.

Re:Microsoft already replied

[kvezach]

See, this is why Windows is never going to rule the desktop. It doesn't even have a package manager!

Re:Microsoft already replied

[spitzak]

HP's popups are also on Macintosh. I have not figured out how to log in and not have it pop up a "configure your networked printers" dialog. Oh well, I learned you can cancel it and keep going (and the HP printer+scanner works fine!).

Re:Microsoft already replied

[jsoderba]

Why are you installing Adobe Reader? There are several alternatives, like Foxit, that are far less user-hostile.

Re:Microsoft already replied

[macs4all]

"There's no good reason for writing there,"

Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.

Um, isn't that exactly what happens in OS X with Preferences?

In OS X (and *NIX???), USER preferences are stored in the USER's "Home" directory. That way, permissions to write the "Applications" directory can be more tightly controlled, AND the USER can be granted permission to write in a relatively safe place (safe "system-wise", that is).

Far be it for me to laud anything MacroSuck does; but, to me, this "symlink" just appears to be MS's attempt to provide a modicum of security for system and application files, while not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies), and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course). And before you cite the meme that "Windows Vista7 doesn't care about backward compatibility.", keep in mind just HOW stupid and suicidal such a move would be for MS if it were TRULY the case...

With OS X's Package approach, you get the best of both worlds: Dependencies are grouped together for easy maintenance, copying, and REMOVAL; but things like Preferences are not only PER USER, but they are in a place that can be written WITHOUT FEAR OF SYSTEM COMPROMISE!!!

Sheesh! Is it REALLY so hard???

Re:Microsoft already replied

[Animaether]

As I understand it, the problem is that the app that sends the keystrokes (standard windows messaging APIs to interact with a UI) does not have to get around UAC at all. It can simply go to the control utility, lower the UAC level, and reboot.. no prompts (unless UAC is at the highest level - it is 1 lower by default), nothing.
After the reboot, the -actual- malware.. that would otherwise get blocked by UAC ..can now do its thing without worry.

But reports are sketchy, so that above *may* be incorrect.

Re:Microsoft already replied

[PopeRatzo]

Try moving Admin, read-only files on Vista

Why?

Re:Microsoft already replied

[PopeRatzo]

A hole's a hole.

And a beta's a beta.

That's why they make disclaimers.

Re:Microsoft already replied

[Junta]

I whole heartedly agree with most of your complaints, the crux being that MS purports to know what's good for your computer to the extent of overriding what you know in and of itself. MS should handle unsigned content better, one single warning when you install and an administrator to allow it. Of course, they are in this weird bastardized state of 'everyone is administrator' and 'noone is an administrator except microsoft'. Managing system startup aspects before any login would be the role of a administrator, but MS can't seem to nail that concept down.

Now for writes to Program Files, MS is in a tricky situation. Through your complaint about per-user views into that directory, I take it you are complaining about things that would be written to '/etc' rather than things that would be written to rc files in the home directory. I think the parent is thinking you mean the latter. The latter is by *far* the most common case of application developers, and thus MS has to do something to be able to run those applications yet not break separation of users to the extent they pull it off. It's not perfect, but MS is in a bind, many of the applications they need to support no longer have anyone who *could* update them to be better about file locations per user. MS has a large part of the blame due to recommendations made in Windows 95, however application developers would have done it despite any microsoft recommendations not to in Win9x world, which inherited security concerns from DOS which at its inception could not have been expected to meaningfully protect data (too expensive/complex to implement in the home desktop market at the time). Win95 could have been like 2k/XP, but some applications under DOS to this day require something like dosbox in 2k+, and that wouldn't have been feasible in 1995 either. As to files written to configure things, officially the 'registry' is where they are supposed to go. It's a horrible looking mess, but that is the paradigm MS chose and as such, Windows developers should not have much reason to store configuration in flat-files under Program Files. Of course, the ubiquity of 'ini' files goes against that too, so MS is just all clusterfuck.

Unix and Linux are thankfully spared a lot of this. Through being unforgiving out of the gate, they forced application developers to behave. They don't have to worry about legacy or about the degree to which someone is an administrator. That doesn't stop some vendors from being absolutely brain-dead (I've seen some clone their entire application on initial run to the users home directory), but at least you know what is what.

Re:Microsoft already replied

[techprophet]

But in UNIX style systems you can actually FIND THINGS in your /home. The preference files in the Windows user directories are hidden in arcane locations. Makes sense that the Outlook data would be in C:\Documents and Settings\\Program Data\Microsoft\Outlook but it's not. The only way to ehfin find it is to back the stuff up! What if the computer crashed and I can't RUN outlook???? I'm hosed (this actually happened)

Re:Microsoft already replied

[Jurily]

It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

Even Windows Defender has an option to re-enable these. What kind of dodgy crap are you running anyway?

Of course, it's Vista's fault if some programmers haven't figured out how to do an automatic startup properly.

configuration files stored in program files

Again, Vista's fault...

Name one *nix instance, where the default configuration had /usr user-writable. Last time it happened, a typical user coded in hex.

And name one *nix program, that stores its config files in /usr/bin.

Re:Microsoft already replied

[plumby]

Am I missing something?

If malware can turn off UAC without prompting the user, and can therefore subsequently do whatever it wants without any further prompts (as UAC is disabled), what protection is it offering me?

You can say that "something else must have broken for this to have caused a problem", but that's true of anything that UAC is protecting, surely?

Either UAC is serving a purpose, in which case being able to silently turn it off is a security hole, or it's not and it's a total waste of time.

Re:Microsoft already replied

[Jurily]

Unix and Linux are thankfully spared a lot of this.

*nix has a well thought-out multi-user structure.

In Windows it was bolted on a basically single-user design originating with DOS. They try to do it right, but they can't break everything when backwards compatibility is all that keeps their empire from falling apart.

Remember the Windows 98 home directory? Me neither. Noone used it except Microsoft.

Re:Microsoft already replied

[jellomizer]

Because if it doesn't work then you can go to the person that sent you the PDF and say it is a bad PDF you fix it. If it is an Other tool you will need to make sure it is not your program, aka downloading reader anyways and see if it opens.

Re:Microsoft already replied

[adolf]

What, exactly, do you suppose UAC is supposed to do in that case?

Cry.

Re:Microsoft already replied

[stim]

Yes, I'd prefer that they would install like normal drivers (not at system startup) and that they go through the effort of getting signed. And if you're still on 32bit Windows, this is not even a problem. But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

LOL. I'm revoking 20 nerd points from you. Thanks for the laugh at your expense!

Re:Microsoft already replied

[Nursie]

"not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies),"

Who said ANYTHING about user settings?

You know MS push their OS's for corporate and server use, right? And that they've got this UAC bullshit in 2k8 as well?

and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course).

Which is precisely the FUCKING point for a SYSTEMWIDE SERVER APPLICATION. Users with the correct permissions should be able to edit the file, and the process (running as a different user) should be able to read the file. NOT have it SILENTLY squirreled away somewhere else.

Spring up another warning, log an error, do whatever, but don't silently pull this shit.

Re:Microsoft already replied

[Nursie]

"I take it you are complaining about things that would be written to '/etc' rather than things that would be written to rc files in the home directory."

Yes, exactly those sorts of things. Or even for proprietary software on UNIX it would in /opt/product/etc or some similar. Settings that are specifically not per-user but are systemwide and app specific.

That's the sort of stuff MS have made more difficult. As I say, I'd be pretty happy with a warning or a failure, it's the silence that upsets me. Took us ages to work out what was going on. (Yes, we're mostly a *nix oriented shop).

There is some sort of global app data storage area, which we probably will move to sooner or later, but it's an annoyance. We already separate out our code and config, but under the app dir rather than in system specific places. Allows for more flexibility, multiple installs and stuff.

Re:Microsoft already replied

[Foolhardy]

The preference files in the Windows user directories are hidden in arcane locations.

It took me 5 seconds to google some docs for user profile paths: User Data and Settings Management

Makes sense that the Outlook data would be in C:\Documents and Settings\\Program Data\Microsoft\Outlook but it's not.

Instead, the roaming stuff goes into:
C:\Documents and Settings\USERNAME\Application Data\Microsoft\Outlook
And the non-roaming stuff goes into
C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\Outlook
Doesn't seem so awful.

The only way to ehfin find it is to back the stuff up! What if the computer crashed and I can't RUN outlook???? I'm hosed (this actually happened)

Copy the user profile over?

Re:Microsoft already replied

[morgan_greywolf]

Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM.

Define "fishy". If an OS has a mechanism for making things run on startup and the administrator of the box deliberately installs a program that uses that mechanism to start, it shouldn't be up to UAC to prevent it from starting.

There's no good reason for writing there, and doing so is exactly what messed up "running as an administrator" in XP and below. Ask the author of your application to make it less retarded.

Perhaps it would be best if it were up to the administrator whether or not there was a good reason for writing there and not the OS vendor. This is exactly the approach *nix takes.

Yes, I'd prefer that they would install like normal drivers (not at system startup) and that they go through the effort of getting signed. And if you're still on 32bit Windows, this is not even a problem.

The problem with signed drivers is that the process of getting something signed practically precludes open source projects and definitely precludes GPL v3 projects (not that ext2/3 is GPL 3).

Re:Microsoft already replied

[drsmithy]

If it's possible for malware to do this on your machine, then somehow it's already gotten past UAC, whether by some other hole, or by the user allowing it. What, exactly, do you suppose UAC is supposed to do in that case?

It's a matter of defense-in-depth.

UAC should not be able to be disabled (or have its configuration changed) easily, and under no circumstances should this be able to happen programmatically, without user interaction. However, incessant whining from the kinds of people who frequent Slashdot about how annoying UAC is, means both of the above are now possible, rendering UAC basically worthless.

I predict that within 12 months, developers will be shipping their software with installers that either disable/reconfigure UAC, or tell the user to do so, just so they don't have to do the hard work of modifying their crappily-written software (that they should have done a decade ago) to work properly in on a multiuser platform.

Re:Microsoft already replied

[GooberToo]

but almost no game worked correctly

This is usually caused by DRM and/or anti-cheat software used by the game.

Re:Microsoft already replied

[gad_zuki!]

>But in general, UAC is an annoying system that most users completely tune out.

That seems pretty defeatist. The problem I see with UAC is:

1. The system should never allow anyone to disable it

2. It should ask for a password

The problem is that whiny geeks are resistant to change so everything gets half-assed. Users shouldnt be running as admin 24/7 and installing software should be a chore. System changes should be serious. The more we half-ass this the more botnets get created.

Re:Microsoft already replied

[lord_sarpedon]

Yet another example of why the "user == app" idea is silly and dated.

The concepts seen on certain mobile phones as well as the OLPC make a lot more sense and are simple enough to understand. An app is not a user. An app is granted some subset of permissions at install time, such as network access and (drumroll please) ability to change system settings.

If you want to get really fancy, you can define perms for an app, perms for a user (such that an app can pop up a UAC prompt to gain (most) of a user's perms in addition to what it already has), and even perms for an app granted by an admin that no user actually has - only the signed Firefox binary at path X can make outgoing port 80 connections, or somesuch.

Notepad doesn't need network access. Notepad doesn't need write access to my entire home directory (especially the ability to delete files) - open/save single files with a gui prompt as 99 percent of files need to do should involve a privileged service. The MS settings apps shouldn't show a UAC prompt - but the solution is NOT to let everybody change system settings - that's just lazy.

Disclaimer: yes, I hate the unix security model even more

Re:Microsoft already replied

[drsmithy]

Am I missing something?

If malware can turn off UAC without prompting the user, and can therefore subsequently do whatever it wants without any further prompts (as UAC is disabled), what protection is it offering me?

Yes. You're missing the part that the malware cannot run in the first place unless the user has authorised it to.

I can see the reasoning behind their argument, and it is sound. However, I don't agree with the conclusion because it assumes the average user confronted with a security question will make an educated, rational and correct decision - when they almost invariably will not.

Re:Microsoft already replied

[juenger1701]

It's not that hard to anticipate a UAC question, really. Just ask yourself: "Would Linux require root for this?"

i don't use linux

my father doesn't use linux

no one i actually know in meat-space uses linux other than as an embedded hardware controller

therefore i cannot answer that question expecting any exclusive windows user to be able to answer that question is naive and unrealistic.

Give any nontechnical user 5 of those prompts in a day when they are just trying to install their software on a new machine and they will never read the prompt again it becomes nothing more than security theater.

juenger1701

Re:Microsoft already replied

[techprophet]

Copy the user profile over? I tried that. it didn't work.

Re:Microsoft already replied

[techprophet]

Google was unavailable at the time. If you have to google to find where your application data is, it is arcane.

Funny, if you have to google it in Linux, it's hard to use, but if you have to google it in Windows, it's obvious.

Re:Microsoft already replied

[The+MAZZTer]

UAC is supposed to limit the damage caused by running malware... for example, it would be unable to write to system folders or Program Files, it would be unable to set itself to start up globally (only for the specific user, unless there is already a global start up item that points to an EXE it can write to, outside of the system files), and it would be unable to write to HKLM or install or manipulate services or drivers.

Of course in the default configuration UAC can be easily disabled by the malware easily allowing all these things, like on XP.

Re:Microsoft already replied

[The+MAZZTer]

I used two ext2 drivers for Windows under Vista or 7. They run in the kernel as filesystem drivers and thus do not need to present UAC dialogs. Only for the control panels where you change the drive letter mounts... but those don't need to run on startup.

Re:Microsoft already replied

[perryizgr8]

mod parent up you could not install the malicious code without getting a uac prompt.

Re:Microsoft already replied

[perryizgr8]

what it should be doing is preventing it from doing anything you didn't authorize it to do.

like opening or saving a file to the users\username directory?
imagine getting one uac each for every file operation, every thread executed and so on.

Re:Microsoft already replied

[plague3106]

The problem is that whiny geeks are resistant to change so everything gets half-assed. Users shouldnt be running as admin 24/7 and installing software should be a chore. System changes should be serious. The more we half-ass this the more botnets get created.

I doubt you'll convince your mom of that. She's more likely to say "fuck it" and not use a computer at all.

Re:Microsoft already replied

[plague3106]

Notepad doesn't need network access.

Hmm.. I'd hate to have to end a file on a network share then.

Notepad doesn't need write access to my entire home directory (especially the ability to delete files) - open/save single files with a gui prompt as 99 percent of files need to do should involve a privileged service.

I thought those were supposed to be MY FILES. Why shouldn't I be allowed to overwrite them?

The MS settings apps shouldn't show a UAC prompt - but the solution is NOT to let everybody change system settings - that's just lazy.

I think it depends on the setting. Why shouldn't a user be able to set a different resolution for their monitor? Or adjust volume? Or even change their local clock?

Re:Microsoft already replied

[gad_zuki!]

No, she'll just use the computer as before. Double-click here for the browser, go to this bookmark for the email, etc. The more difficult it is to install "BADASS WALLPAPER OF THE DAY" and "MAGICAL CURSOR 3000!!!!" the better.

Re:Microsoft already replied

[msuarezalvarez]

The disclaimers are not exactly a beta thing. Do you thing they do not make the exact same disclaimers on their actual released versions?!

Re:Microsoft already replied

[plague3106]

It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

Huh? That's Windows Defender.. nothing to do with UAC.

t's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

No program should be writing to Program Files as part of their normal running. Most users have no need to even look in Program Files. Their data, which is all most users care about, should be in their profile directory.

It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

Hmm... I guess you run X as root too. Nothing wrong with that.. I'd rather the extra security.

YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

Sounds like the fault of the driver creator, if it causes a UAC prompt. Configuration files which change by user shouldn't be stored in Program Files, they should be in the user's profile directory.

Re:Microsoft already replied

[msuarezalvarez]

And how exactly can an application decide if theother is malicious or not? You appear to believe the Windows executable format has the analogue of an evil bit...

Re:Microsoft already replied

[Nursie]

Actually, that would violate LSB and good design. /opt should be capable of read-only mount. It is supposed to be /etc/opt/. Small point but want to make sure people are aware this.

Really? Never heard of this before. Is it the same on the commercial UNIX's (AIX/Solaris/HPUX)?

Re:Microsoft already replied

[plague3106]

If that's what she wants to do, who is anyone else to tell her no?

Re:Microsoft already replied

[DavidTC]

What they need to do is make one prompt for moving or deleting files.

Vista first warns you that said operation will require UAC. Then if you say yes it presents the UAC prompt. And then it presents another prompt asking if you want to delete the file.

Look, we understand that Windows wants to prompt the user before he deletes C:\Program Files\Empty Directory Uninstaller Left Behind\, and that there needs to be a UAC confirmation to make sure this is a user doing this, and not a virus deleting the directory of the antivirus software.

But, um, how about just one prompt? A UAC screen asking if we really want to delete that directory?

At the very least, don't warn us we're about to get a UAC prompt, that's completely inane.

Re:Microsoft already replied

[gad_zuki!]

Me, because Im the one cleaning the spyware from those applications when her browser doesnt work anymore or she is getting random pop-ups for "antivirus 2009."

Re:Microsoft already replied

[DavidTC]

Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM.

Unless by 'fishy way' you mean 'a shortcut put in the Startup Start Menu folder by the user', um no.

My copy of Vista will not automatically start, to pick an example, the World Community Grid without prompting. I thought maybe it was doing something weird, so I disable any of the program's built in methods to autostart itself, and manually copied the shortcut to the Startup folder.

Nope. Still prompts on startup. No obvious way to always allow it, no nothing.

And as far as I can tell it's not running as admin, because I can start it manually without any prompting at all.

I suspect this is because the executable is unsigned.

Re:Microsoft already replied

[DavidTC]

Um, no, you're missing the point.

The entire point of UAC is to force the user to authorize the actions of any malware that may be running already. I.e., the executable has already been launched, but it can't add itself to startup or alter system files without permission.

'Not starting malware' is not part of UAC in any circumstances. There is no part of UAC that fulfills that function. That's the job of your antivirus software and that prompt you get when you launch an executable that Windows marked as being 'downloaded from the internet'. That is not UAC. (You can tell, the screen doesn't dim.)

The point of UAC is that the malware is already running, but it can't do certain things, such as hide itself in the system directory, or install keyloggers, or device drivers, or all sorts of stuff that make it much harder to remove.

The fact that all malware now has to do is, instead of doing all that stuff that would cause UAC prompts, is to go into the control panel and disable UAC and reboot, and then it can do all that, is an epic fail.

Although, at least, it can't install startup programs before the uAC-less reboot, so it can't startup on said reboot. It has to wait until you hit the infected point again, which is a tiny amount of security when it's a web page, not so much when the malicious executable is a downloaded program or autorun CD.

Re:Microsoft already replied

[DavidTC]

It's because they're too lazy to check and see if you've closed your web browser.

Other PDF readers tend to avoid that whole 'read PDF in your web browser' thing so don't get pulled into that nonsense.

Re:Microsoft already replied

[DavidTC]

Why should it ask for a password?

Seriously, Microsoft appears to have been pretty smart with this UAC thing in that it's a way to make sure it's a user-initiated command, but not get in the way too much.

I actually wish that Linux distros aimed at consumers would start doing it. Linux has an 'uninterceptable keystroke', Alt-SysRq-K, just like Windows has 'Ctrl-Alt-Del', both of which are intended to stop spoofing of login screens. (I think Alt-SysRq-K works even if you don't have Magic SysRq compiled in.)

That's actually coming from the other direction, making sure a program can't 'hook' a specific key, instead of making sure it can't spoof a specific keystroke sent elsewhere.

But it wouldn't be impossible to add a way for an X application to make sure that keystrokes and mouse movements were coming from the user instead of a program. If such a way does not already exist, it really would be a simple change in X. (Or, heck, avoid X at all, and simply read /dev/input/whatever.)

This, obviously, would not be enabled on server machines, for multiple reason. (Like they rarely run X, they rarely have someone sitting at them, etc.)

Re:Microsoft already replied

[plague3106]

You realize you don't have to help her right? And that it's still her property?

Re:Microsoft already replied

[ciggieposeur]

Configuration files which change by user shouldn't be stored in Program Files, they should be in the user's profile directory.

I think the point is that configuration files that DON'T change by the user are still (by default) in the console user's profile directory.

Suppose I have something like IIS for the server, and I'm an admin user, and IIS is configured by a text file. I launch some kind of IIS configuration editor, which opens "C:\Program Files\IIS\foobaz.cfg" for edits. However, the file really being edited is "C:\Users\me\...\foobaz.cfg".

I think that's what the GP is talking about.

Re:Microsoft already replied

[Sigma+7]

like opening or saving a file to the users\username directory?

Right click said file/folder, choose properties. Click on the security tab. Unless you want to be self-masochistic, make sure that either either your account or the Users group has modify permissions. This is the exact procedure I used to help reorganize the start menu - since the start menu for "All users" was interleaved with my own version.

If the security tab isn't available, then either you have Simple file sharing active, or you are using the Home Basic version of Vista. In that case, your permissions table is messed up and you'll have to get a third-party utility to correct it - or you could life ICACLS.exe from another copy of windows.

Re:Microsoft already replied

[Mista2]

Now this is where my linux system rocks over Windows and OS X (I use all three dayly BTW)
Once a week, my linux systems updaters run (YOU on Suse, and update on ubuntu) and let me know there are some updates to ALL of the installed system that require them, the browsers, flash, Open Office, OS modules etc, all in one place with one list to review and accept, as all of the vendors software I have installed has come from the repositories I have subscribed to.

Compared to the daily grind with Windows and OS X, Apple updates for OS X, safari, iTunes, iPhone, i[everything else], Then Firefox chimes in sometimes when launched, then MS Office needs patching, then BootCamp says it has updates, so I have to apply these in Windows too, then While I am in Windows (I don't use it that much) MS Offce again says it needs updates, and a new version of flash, then Java says new version ready, then the AV patterns update, and I have to wait while it scans the HDD (it's only a mac mini, so this isn't quick, but it's only just enough space for Vista, 30GB or so, so not a real worry 8)). All these prompts come from different apps, and I can see how some users would suffer from overload and just click yes to everything without reading the dialog.

Oh, and only a very few times in the past year has my linux system told me I must reboot after patching. It usually just suggest it though, it doesn't force you to like OS X updates do.

Re:Microsoft already replied

[drsmithy]

It should ask for a password

The password is pretty meaningless. It only makes a difference if:

* the attacker is local, at the console
* cannot simply reboot the machine to completely circumvent all OS security
* the regular user is not present (or is complicit)
* the regular user has not secured their console before walking away

Hardly a significant vector. For those where it is relevant, UAC can be configured to prompt for a password.

Re:Microsoft already replied

[innocent_white_lamb]

Could you show some citations for that? I store a ton of data (and the programs that create and manage that data) under /opt/programname and always assumed that I was doing it right.

Re:Microsoft already replied

[shutdown+-p+now]

Who said ANYTHING about user settings?

Settings that are common for all users should go into "\Documents and Settings\All Users" on XP and "C:\ProgramData" on Vista (there are system APIs to determine the correct path). By default those folders allow read for anyone, but restrict write.

A correctly written application should, upon system-wide installation, create a folder for itself within one of those folders and set the permissions to it as needed (i.e. if there are any shared settings that should be user-modifiable, place them into a separate config file and allow write for everyone to that). As the installer would run under admin privileges, it can do that. After that, when actually running the program, it shouldn't ask to elevate because it has all the correct permissions already.

Re:Microsoft already replied

[Rockoon]

If microsoft designed a package manager and then enforced its use, you all would cry about microsofts unfair monopoly advantage over competing products such as Inno Setup.

After a few months, the EU would file a lawsuit against Microsoft seeking punative monetary damages for its clear violation of EU anti-trust statutes.

Re:Microsoft already replied

[cgenman]

I have found this just gets people conditioned to give their password out to any application that asks for it.

If you really want her not to install applications, just give your mom a limited-rights user account and don't give her the administrator password.

In the grand scheme of things, though, computer systems need to strive to be mom-proof. Why don't control panels know that changes are being made by scripts and not by the user? Why does installers for single-use applications have the right to stomp all over other application installations?

Re:Microsoft already replied

[Splintax]

TFA indicates that this is not the case - the problem appears to be that disabling UAC, by default, does not trigger a UAC prompt.

Re:Microsoft already replied

[perryizgr8]

but the code could not have run without uac warning the user

Re:Microsoft already replied

[Foolhardy]

I never said there weren't other problems. I consider the default name for those paths to be hideous. Plus with the ridiculous and horrible limitation that is MAX_PATH in so many Win32 components, that is path real estate that we can't afford to spend. Parts of Win32 go to great lengths to work around MAX_PATH, including searching for shorter surrogate paths to use instead. .NET, foolishly built on Win32, has the same problems.

At least they changed the defaults to "Users", "Documents" and "AppData", etc in Vista.

I was responding to the specific complaint that profile paths were arcane and not understandable.

Re:Microsoft already replied

[Foolhardy]

Then you have some other corruption problem that has nothing to do with the layout of user profiles.

Besides, I didn't have to google to determine the layout, I could see it after a minute of browsing. Google provided me with more formal documentation to reference in my post.

Re:Microsoft already replied

[GravityStar]

Odd, using a non-admin account works great for me, and has worked great for the past 5 years.

Re:Microsoft already replied

[plumby]

Yes. You're missing the part that the malware cannot run in the first place unless the user has authorised it to.

Not sure that I am. My understanding of the various UAC warnings is that they are to try to stop malicious behaviour once a program is already running, otherwise why not simply have a single "Do you trust this application to run" prompt? What else is the rest of the UAC mechanism achieving?

Re:Microsoft already replied

[drsmithy]

Not sure that I am.

For malicious code to change the UAC setting, it needs to a) get on the machine and b) be run by the user. Microsoft's point is that if both those conditions are met, then there's a non-trivial chance the system is already exploited, or would be even if UAC was still enabled.

Like I said, I can see the reasoning there, but IMHO this is an issue of defense in depth, and such a critical system setting should be individually protected.

My understanding of the various UAC warnings is that they are to try to stop malicious behaviour once a program is already running, otherwise why not simply have a single "Do you trust this application to run" prompt?

That is basically what a UAC prompt is [for applications that need elevated privileges]. UAC is only triggered if an application specifically requests it, or if it tries to access system areas.

Re:Microsoft already replied

[plumby]

UAC is only triggered if an application specifically requests it, or if it tries to access system areas.

And if I understand the issue with Windows 7, your malicious app can simply turn UAC off before it tries to access the system area.

Like I keep saying - either the UAC warnings serve some purpose, in which case being able to silently turn them off is a bad thing, or they don't and UAC may as well be abandoned.

I accept that it's only a second level defence, but that's like saying a burglar alarm that has a simple off switch on the front is not broken because the front door must already have been compromised for the burglar to get to the switch.

Re:Microsoft already replied

[drsmithy]

And if I understand the issue with Windows 7, your malicious app can simply turn UAC off before it tries to access the system area.

Yes, but the argument from Microsoft was that for the malicious app to be executing in the first place, the security of the system had already been breached somehow. I don't agree with this principle, because such critical aspects of a systems security configuration should be protected by defense in depth, but it is not unreasonable to assume that a user happy to run unknown and/or malicious binaries would also be happy to approve any UAC prompts that they might raise (eg: in the process of lowering the UAC level).

Like I keep saying - either the UAC warnings serve some purpose, in which case being able to silently turn them off is a bad thing, or they don't and UAC may as well be abandoned.

UAC warnings appear when something tries to access an area of the system that it does not have privileges for by default - the UAC prompt is there to elevate privileges to the necessary level. That is the "purpose" of UAC (and its equivalents on other systems) - to allow a low level of privilege to be used by default, then easily elevated when required. It is conceptually the same as sudo in UNIXish systems, and implemented in a nearly identical fashion (or at least as similarly as the different security models allow).

I accept that it's only a second level defence, but that's like saying a burglar alarm that has a simple off switch on the front is not broken because the front door must already have been compromised for the burglar to get to the switch.

Well, arguably it's not "broken" - merely somewhat less secure [0] - because if an intruder has already made it far enough in to disable the burglar alarm, then your "security" is breached.

[0] Note that even with an additional UAC prompt, it's still "somewhat less secure" that it possibly could be. For example, resetting the UAC mode could require booting the system into a special, restricted, single-user "security mode", where nothing else could be done except security-related configuration changes (eg: you wouldn't be able to run unsigned binaries, the network stack would be disabled, etc, etc). The fundamental problem is that security and convenience are inversely proportional, so you have to find a balance between the two.

Re:Microsoft already replied

[plumby]

Well, arguably it's not "broken" - merely somewhat less secure [0] - because if an intruder has already made it far enough in to disable the burglar alarm, then your "security" is breached.

Then what possible purpose is it serving? The only point it would ever be needed is when someone's breached other security, and at that point it is useless as it can be turned off.

And that is pretty much the position I see with UAC as it was planned in Win 7 (it seems to have been changed now). At the point it would serve any useful purpose, it could be turned off without the user knowing.

The issue isn't whether Win 7 should have impenetrable security. It's about whether this choice would have made UAC totally and utterly useless. Security and convenience aren't always inversely proportional - as originally planned in Win 7, UAC would offer pretty much no additional protection at all (any malicious code would simply turn it off before doing anything that would trigger the warnings), while continuing to annoy people trying to make legitimate changes to the system.

Mechanical Analog

[pm_rat_poison]

So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

Re:Mechanical Analog

the worst car analogy I've seen on slashdot for a while.

Re:Mechanical Analog

[pm_rat_poison]

It's so bad a car analogy, that it doesn't even have cars.

Re:Mechanical Analog

You must be new here, that IS a proper car analogy on slashdot.

Re:Mechanical Analog

[JohnBailey]

So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

Nah.. it's the new Microsoft advertising slogan.. "Windows without walls"

Re:Mechanical Analog

[Drinking+Bleach]

But then there's nothing to hold the windows up! ... wait while I call Jay Leno for putting this in his "Truth in Labeling" part of the show

Re:Mechanical Analog

[mdielmann]

(from GGP)

So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

the worst car analogy I've seen on slashdot for a while.

It's so bad a car analogy, that it doesn't even have cars.

I prefer to think of that as a chastity belt analogy. Put in that light, I think it's a great design!

Re:Mechanical Analog

[shutdown+-p+now]

So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside.

You're almost correct, except for that last part. They built a button that unlicks the door from the inside. So, if you get inside somehow, then you can wire up that button so that you can let yourself (and anyone else) in from the outside from there on. Of course, first you have to get inside...

Yes, that's really what TFA is about.

Re:Mechanical Analog

[pm_rat_poison]

There is always someone who takes the analogy too far. Yes, I do understand, but there are limits to the complexity of a usable analogy, even in slashdot. Still the "get inside once/come in as often that you like" kind of situation isn't secure, either

Re:Mechanical Analog

[shutdown+-p+now]

Still the "get inside once/come in as often that you like" kind of situation isn't secure, either

Do you know any alternatives that fare better? To the best of my knowledge, you can do precisely the same with pretty much any Linux distro, and I believe also OS X.

Early

[TehPhoenux]

Hey, at least they found it early - this is what beta's are for - now they can build a lock for that door

Fix it FFS.

[yakumo.unr]

re. MS's 'By Design' / 'Won't Fix' response, they basically say - 'This doesn't matter as if this happens you are already infected'.

You need the damn UAC setting prompt so you are ALERTED TO THE FACT THAT THIS HAS HAPPENED SOMEHOW ASAP.

Yes the user may have done something stupid to allow infection, but the UAC setting prompt would then protect them from further damage even before the malicious code check package was updated to find whatever was out there infecting systems.

The Highest UAC setting would prevent this but it is not default.

All they have to do to fix this entirely, and make the current default not effected by this flaw, is change the UAC settings security certificate.

Re:Fix it FFS.

[jamesmcm]

Well really there's a compromise between security and usability with the UAC. Given Windows' diverse user base, it must be very accessible and so they lower the security of UAC to stop it interfering.

Of course they should fix this bug, but having too much UAC makes it frustrating and useless as people disable it, and too little obviously doesn't do enough. It's a very hard compromise.

Excuse me

[A+Wise+Guy]

But your settings have been altered for better net penetration, do you want to allow?

It IS a problem, because it is being rushed out!

[ed]

Microsoft feel happy wnough with Windows Vista SP2

So much that they are not bothering with a second Beta

So what you have in your hands now is pretty much how it may ship

http://www.theregister.co.uk/2009/02/02/windows_7_no_second_beta/

How hard is it to copy something...

[51M02]

correctly.

I mean, Linux and MacOSX (and others) have sudo for years, the original code dating back to 1980 according to Wikipedia.

The concept is not new : type your password to gain access to some privileges. That way bots and virus can't do everything while you can still administrative tasks easily.

My question is how hard is it to copy some 25 years old functionality (marketing it as brand new) and still don't get it right.

Re:How hard is it to copy something...

[magamiako1]

Here, start this installer that asks for your root password during install so that it auto elevates itself via your root account.

Re:How hard is it to copy something...

[heffrey]

That's exactly how UAC works when you run as standard user.

Re:How hard is it to copy something...

[51M02]

Your point is not valid since I don't usually run "installer" with root privileges as you say it.

Under Linux, to install a software, I

  - install a package from a trusted sources
  - compile code from a trusted sources
  - examine an untrusted sotfware's package content/source code before installing it

and I don't have to worry about it.

--

Under MacOSX, to install a software, I :

  - copy one folder from a disk image to my /Application folder using my password (sudo) or my home folder or anywere else without password.
  - compile code from trusted sources.

without running an installer as root and I don't have to worry about it.

--

The principle is simple : I become root and nothing else. Nothing that will execute bad code anyway.

Re:How hard is it to copy something...

[DavidTC]

I agree. UAC is an amazingly good idea to the bad situation MS found themselves in.

Granted, MS didn't invent this. Anti-spyware have had this idea for years, and it was invented with application-level software firewalls, but putting it in the OS allowed a special 'prompt' feature that is impossible for applications to forge.

Which is very good as more and more malware would just say 'Okay' to such security prompts. Incidentally, for competitive reasons, I hope MS has published a UAC API, and that other applications can specifically make their own UAC prompts for whatever they want. So that soon anti-viruses will be popping one up when we disable the anti-virus.

Of course, the specific security flaw in this article means the implementation is near-useless, as malware will just turn it off. People saying 'It should password prompt you' are morons, especially as, um, that wouldn't solve the security issue in the article at all.

In short: If UAC isn't tripped on 'turning UAC off', asking for passwords in UAC is not going to help a damn thing. In reality, if that tripped UAC, this wouldn't be an issue at all. (Although it really should cause a much bigger and brighter warning than all other UAC prompts.)

Re:How hard is it to copy something...

[mgblst]

Hard, especially when you entire system is built on doing it one way, and suddenly you change some of the core logic.

You are clearly not a Software Developer, or at least not a very good one.

whoa, recursive Meta-UAC

[rarel]

From TFA: Microsoft could remedy the problem by prompting the user when the UAC setting is altered.

==============

"It look like you're trying to alter the UAC settings, Cancel or Allow?"
*click*
"It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
*click*
"The UAC settings have been altered, Cancel or Allow?"
*click**click**click**click**click*-----INPUT DEVICE FAILURE

Re:whoa, recursive Meta-UAC

[morgan_greywolf]

Ah! I see now. It's a conspiracy to sell more pointing devices!

Re:whoa, recursive Meta-UAC

[wastedlife]

Parent speaks truth. I'm currently troubleshooting a Windows 2003 server that is not accepting Remote Desktop connections. This is the error appearing in Event Viewer:

Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x1003ac4e.

No, I did not remove the application name, there is just nothing there. How does the OS not even know what application faulted?

Re:whoa, recursive Meta-UAC

[DavidTC]

Frankly, while I loath the sheer amount of prompts when, for example, deleting non-user files, if there ever was an action that should prompt you multiple times in huge warnings, it should be turning the UAC system off.

It's a double-edged sword

[jimicus]

With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.

This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.

The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, a lot of the protection offered by UAC disappears.

Re:It's a double-edged sword

[yakumo.unr]

The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, ALL of the protection offered by UAC disappears.

Fixed.

Re:It's a double-edged sword

[__aardcx5948]

With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.

This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.

Hm, that's strange, I've never used UAC and I've used Vista since SP1 came out. I've never had any issues with any installers.

Re:It's a double-edged sword

[Seth+Kriticos]

Wait a sec. When did the UAC ever provide protection for the system? Even before it appeared, nobody read the waring dialogs. The design failure was to try improving the security by prompting even more dialogs which led to the phenomenon that even less of those dialogs were ever read.

I still think it would be a better way to teach the user about security than to prompt him messages he/she does not understand anyway.

How about including a security and basic computer usage tutorial in the OS? Put in some porn and computer security will rise at once!

Re:It's a double-edged sword

[ciderVisor]

Put in some porn and computer security will rise at once!

Ah, so you call him "Computer Security", do you ?

Kinky !

Re:It's a double-edged sword

[mysticgoat]

The design failure was to try improving the security by prompting even more dialogs which led to the phenomenon that even less of those dialogs were ever read.

Well, the design failed, but not for the reason stated above.

People, you have got to realize that Vista, like other Microsoft products, is not written to meet end user needs. It is written to meet salesman needs; he is the customer whose needs are addressed. Vista succeeds if it is good enough to close the deal in the sales room. Vista has failed since it has been hard to sell to users who already have better OSs (WinXP, even Win2000) on their current systems, but the UAC did not contribute to that. A good sales rep can demonstrate the advantages of the UAC to a PHB in charge of the IT budget very quickly and easily, so that really was not a problem.

That MS treats the sales reps as its real customers goes back to at least Win3.1 days. The infamous Calculator bug in Win3.0 was not fixed in Win3.1, since it was less expensive to tell sales reps to breeze over the problem than to fix the floating point arithmetic routines. Plus it gave the enterprising sales rep the opportunity to sell the user a third party calculator that actually could be used for basic money handling. The calculator provided with Win3.0 and Win3.1 that could not do basic arithmetic: it failed with subtraction involving 2 or more significant digits. Yet it was never repaired, nor the bug officially acknowledged, through the entire life of Win3.0 and Win3.1, since it had no impact on sales.

Interesting that the current Wikipedia article on the Windows Calculator has dropped the section on Bugs. Earlier versions of the article mention this in a "Trivia" section or a "Bugs" section. These sections seem to come and go.

Re:It's a double-edged sword

[Z80xxc!]

It's actually controlled by just one registry setting in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. ConsentPromptBehaviorAdmin sets the UAC behavior for administrators. ConsentPromptBehaviorUser sets the UAC behavior for users. If the entry (a DWORD value in case you were wondering) is set to 00000001, then it will prompt for a password. Even for administrators, which enables a functionality essentially like sudo. If set to 00000005 (the default), it will only prompt you when a program needs elevation. However, even when in the default setting to not prompt for system changes, it still prompts when you try to edit the registry, even with a .reg file, meaning you can't just add a reg file to disable the UAC. I haven't tested yet what happens when you try to change the UAC setting from a batch file using the reg command, or from a VBS script.

I devised a somewhat elaborate scheme for UAC which I am rather proud of. I created two registry files; one of them sets it to 00000001 (prompt for password for all system changes) and one sets it to 00000005 (only prompt for programs requiring elevation). I then created two scheduled tasks. One of them is triggered by disconnecting from a network, and it runs the registry file to put UAC into "password" mode. This way any time I leave my home network or am not on a network, it's in password mode so that someone can't just walk up and change my computer. The other task runs when I connect to a network, but under the conditions tab I specified that it should only run if I am connected to my home network. It sets it to less-annoying mode, so that at home I don't get bothered since I don't need to type my password to run the defragger thank you. (Both tasks are set to run with administrative privileges of course, so that they can successfully modify that reg entry) This has the advantage of putting it into an extra secure mode when I'm away from home and people might mess with my laptop, but being non-annoying when I'm at home, and resetting the UAC setting how I want it every time I disconnect from a network, meaning that even if a virus were to disable UAC, it would get turned right back on in short order.

Re:It's a double-edged sword

[jimicus]

I spent hours Googling and got nothing but a bunch of snarky MVPs saying "it may or may not be possible but in any case I'm sure as hell not going to tell you how".

A single bitch on /. and I've got all the documentation one could want.

And people say that you need to do this in order to get anywhere on Linux?!

Thanks for your help.

In other news, security hole in sudo

[mpcjans]

Setting sudo settings to NOPASSWD for a user will result in an exploitable security issue. proof of concept:

sudo rm -Rf /

Big deal, just use Vista where you'll get a UAC dialog for everything by default. That will 'fix' this issue.

Pointless.

[janopdm]

Tell me about security holes after Microsoft fix the following UAC issues:

1. Any process can perform a read on the whole system disregarding integrity levels.
2. Any installer runs with full access to the system, allowing even kernel modifications.
3. Any process can send a window message to any other process disregarding integrity levels.
4. UAC uses heuristics to find out which privileges are required by each program.

Re:Pointless.

[shutdown+-p+now]

Any process can perform a read on the whole system disregarding integrity levels.

That's not true. You can't read other users' home folders content, for example (not unless they share it). And, in general, you can't read anything that doesn't have read permission for you in the ACL. This has been true since the first versions of NT.

Any installer runs with full access to the system, allowing even kernel modifications.

Installers typically run with full access because they install system-wide stuff. However, installers can be user-specific (see Google Chrome), in which case they can perfectly well install without ever requesting admin privileges. In general, an installer should provide a manifest which details what kind of permissions are needed; if it states it only needs default user permissions, that's what it'll get, and no UAC prompt. If it says it needs admin, you'll get an UAC prompt. "Legacy" installers without manifests are treated as if they requested admin for backward compatibility reasons (and, again, you get an UAC prompt).

Given that you need to elevate to install anything on Ubuntu using Synaptic as well, for example, what's the problem with any of the above?

Any process can send a window message to any other process disregarding integrity levels.

This isn't true. You cannot mess up with processes of other users, and even for the same account, a non-elevated process cannot mess with an elevated one. So you cannot hijack mouse & keyboard input, for example. This is certainly true in Vista, and I think in XP too since some hotfix.

UAC uses heuristics to find out which privileges are required by each program.

It only does that for installers, and the heuristics are basically, "does it have 'install' or 'setup' as part of its filename"? In any case, this is the behavior only when there's no manifest (and all Windows apps should really have a manifest), and you still get an UAC prompt for any elevation if it decides it needs one.

Re:Pointless.

[xtravagan]

1. Incorrect, they cannot, there are many levels of integrity. Have a look at the model for IE protected mode for instance. Normally you need the DEBUG privliege to read anywhere, this can only be granted by an elevated account.

2. Any installer will usually be prompted to elevate, through the mentioned heuristic. However you don't have to agree to this and instead install the APP into _non_ system directory. Very much like unix works, actually exactly the same way.

3. No it cannot, a non admin process (started by a non elevated admin, the normal with UAC enabled admin account) cannot send messages to an elevated process.

4. Nope it doesn't, it uses heuristics to figure out if the program has compatiblity issues and thus would need elevation to work. Vast difference, it will never elevate without letting you know and agree to it.

Windows 7 can be set to full prompt like in Vista, I would recommend this (which would close the mentioned attack, if the attack is possible in the first place, haven't tried yet). If you are hit by UAC prompts daily you are doing something wrong or something out of the ordinary. There are however exceptions as many games today still required admin to run, completely screwed up. They even have checks to make sure you elevate, some even go so far to recommand turning UAC off. These are the kinds of evils that should be fought, not good intentions like UAC in a difficult situation.

However you can easily setup shortcuts to start app's that need elevation so that it will not prompt you. However this setup _must_ be done when elevated. This will reduce the daily prompts, but it will still leave you more vulernable as the program/game you are running can now be attacked with much success.

Most people get UAC technically completely wrong. It is not like a sudo system, it is more clever than that and it needs to be, because MS built themselves into a corner by not getting it right from the start.

In an admin UAC enabled account your account is associated with 2 security tokens, one elevated and one "normal". All application you run and all activities you do is handled by the normal token. However whenever the UAC elevates you (through your consent) the higher priviliege token is used.

UAC can be changed to work exactly like a sudo system, however a sudo system cannot be set to work like UAC.

A sudo system is way more annoying than the UAC system, if MS would have configured this by default it would crippled even more users. Just like it would cripple people on a unix system (app-get requires root just like installers on windows gets elevated). MS should have been much stricter from the beginning so they wouldn't have ISV etc implementing apps completely in the wrong manner.

Any sys-admin worth his salt will not allow "normal" users to run under an admin account, not even in a XP environment. However with UAC and Vista they will at least gain the benefit of being able to easily elevate and install apps for the users, either physically or through AD push. Physically is useful when a user needs special software that the masses don't.

UAC can be set to ask for a password even for an admin, I wish this was default, but nothing prevents you from changing it. Or for admins to enforce it.

UAC can be set to auto elevate for the built in admin account (like logging in as root) but default it "secure".

UAC can be set to not use the secure desktop, thus allow script attacks. This is normally not the default mode, however in Windows 7 it can be default if the hardware you run on is listed as being too "annoying" when switching desktop. Due to inherently bad graphic card's in some low end laptops.

Re:Pointless.

[xtravagan]

I just wrote a vbscript to replicate the steps and it works out of the box. Very scary, I really hope they will close this.

If they don't, I really don't understand what they are thinking.

Re:Pointless.

[xtravagan]

Truth to be told though, you will need a reboot in between, still scary and very silly.

Re:It IS a problem, because it is being rushed out

[arogier]

Vista service pack 2 seems a rather apt way to describe windows 7. I seem to think rather vista may be a late alpha or early beta or Windows 7 (its not like the number actually has a real sequential meaning).

UAC

[essence]

all this talk of UAC makes me feel like playing some doom again.

Re:UAC

[SeaFox]

Not really. They only used three different locks and they left the keys lying around everywhere.

Security in UAC

[SeaFox]

The biggest security hole in Windows 7's UAC is the user.

Re:Security in UAC

[mrapps]

The biggest hole in ANY system is the user. Not particularly a Windows 7 user..

Re:Security in UAC

Dude, you're a hole!

Re:Security in UAC

[SirGarlon]

Well we've got to get rid of that guy then!

Actually, I disagree. Requiring the user to click "I agree" isn't security, it's nagging. A judge might agree that the user's responsible for whatever if he clicks "I agree," but I am less forgiving. If a botnet is trying to take over the system and the only thing standing in the way is a dialog box, then security has already failed.

Re:Security in UAC

[adolf]

Right. Of course.

I'd like to submit that your comments about Vista's UAC also apply equally to anything else using a similar model; Ubuntu comes to mind.

Folks are very used to having a sudo/UAC popup asking for a password, which then gives a program root/admin. So all I, Johnny Hackstuff, have to do is write my malicious script to execute gksudo first and ask permission before conducting it's badness, and it's off to the races.

I, Johnny Hackstuff, might even sit and look at the process list instead. When I see something else run sudo to get root access (Synaptic, for instance), I'll just fire up my own sudo right over top of it. And then David Slowman will gladly enter his password. Oh, sure, he might soon realize that he's been pwn3d, but it's too late by then.

Yay.

Of, course, this stuff shouldn't happen in Ubuntu if you're only using signed programs from trusted sources. (Figuring out why this is bad is left as an exercise for the reader, but the term Trusted Computing comes to my mind very quickly.)

And it won't happen at all in Vista, where the screen is locked during a UAC prompt, making it impossible to draw another one on top of it.

But I'm sure Microsoft has it all wrong.

Re:Security in UAC

[DavidTC]

Exactly. UAC is a very good idea, although prompts telling the user that copying files is going to trigger UAC, and then the actual UAC prompt, is somewhat stupid. (Warning, we're about to ask you a question! Can we ask you that question, yes or no?)

However, the 'protected screen' idea is very very good, and puts Vista miles ahead of, um, everyone else, where malware can not only put up their own boxes to get permission, but, hell, have stolen the root password while they're at it.

Yes, malware is not supposed to be actively running on Linux, but, then again, it's not supposed to be running on Windows either. UAC is designed to stop the harm caused by already running malware, and any criticism of it that ignores the framework it's supposed to be operating in is idiotic.

Although the entire thing is undermined by the bug mentioned in this article that MS seems unwilling to fix. A security system that intruders can turn off without warning is not actually a security system.

Long Zheng seems like a nice bloke

[amirulbahr]

but is certainly no security expert.

Re:Long Zheng seems like a nice bloke

[moriya]

Actually... I doubt I'd call him nice since... well, I'll quote a small excerpt from the link:

First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I'm just going to share this for free.

Let's see what other people think of him now...

Watchmen

[Thanshin]

But... Who controls the user acces to the user access control?

Re:Watchmen

[Spatial]

Please see this post for further information.

Beta != fundamental testing

[CarpetShark]

While betas do help with testing, they're certainly not for such fundamental security testing. If they couldn't prove with hard math that their root access was limited properly, they should at least have had a bunch of unit tests for every variation from the tried and tested unix sudo model.

"A prolific blogger ..."

[timmarhy]

people if that's not a big big warning sign i don't know what is. you know what this guy has discovered? if you login as administrator, attackers can do the same things you can.

This is no different to me browsing the web as root in linux and running any shit that pops up

Anonymous submitters

[macraig]

I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.

What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

Re:Anonymous submitters

[Zouden]

I'm sure his widow certainly would.

Re:Anonymous submitters

[MichaelSmith]

What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

That would certainly be something.

Re:Anonymous submitters

[macraig]

See, I would, too! A dead guy submitting articles would be actual news. We might have to question the articles a bit more, too.

Re:Anonymous submitters

[macraig]

(I knew he was dead... I was making a point with humor.)

Re:Anonymous submitters

Slashdot's readership seem to be very pro-privacy, and your highly rated comment is contradicting that philosophy. Governments would like every byte on the Internet to be traceable, is that transparent? If they got their wish, and then shared all traces, would that be transparent?

This is an intellectual site, and the articles posted are (ideally) meant to be interpreted objectively -- Slashvertising, astro turfing, and shameless self-promotion are not to be combated with transparency, but with the strength of logic.

My opinion is that Slashdot's article submitters should continue to have the choice to remain anonymous. If a story is crap, the identity of the submitter shouldn't be necessary to detail the ways the story is crap.

This argument is also simply ideological, technically speaking a submitter can create a Wikipedia-style sock puppet and submit the story via an unsecured proxy.

Posting this anonymously for the irony.

Re:Anonymous submitters

[Coppit]

What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

Yeah, I sure as hell would want to know that!

Re:Anonymous submitters

[Dhalka226]

I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.

If two stories are submitted on the same subject, one with an anonymous submitter and one without, then they should use the non-anonymous one. This I can agree with; as you say, transparency is good.

But if it's a choice between seeing a story with an anonymous submitter and not seeing it at all, I'd rather we see it. Ultimately, there's nothing wrong with bias. The only issue is whether or not it affects the information. So, look at the information and judge for yourself. If there's not enough to make a guess, default to whatever position you prefer. In this particular case I don't see how somebody saying there's a security hole in a product suffers from bias; there's a security hole or there's not. If there's not, well, that's not bias, that's an outright lie, and it's an entirely different problem--one that wouldn't have been fixed by knowing the Internet alias of the person who submitted it. (Surely you're not suggesting people be forced to give their actual names if they aren't comfortable with that, right?)

What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

Nope. In a case like that, I think it being anonymous would actually be a good thing. I never understood the furor; I'm interested in what someone's posting or I'm not, and the answer to that has absolutely nothing to do with who that someone is.

Re:Anonymous submitters

[rudlavibizon]

But why would he link to Long Zheng's blog, hmmm? This mystery baffles me...

Re:Anonymous submitters

[hannson]

What if the anonymous reader who submitted this was Roland P.?

What's stopping Roland to create a new account with a fake/new email address and submit the article?

Correct me if I'm wrong but isn't this the whole point of the firehose? If a submission isn't newsworthy or just bad it's supposed to be modded down and not get to the front page, right?

Re:Anonymous submitters

[macraig]

The fact that he's dead might - just might - stop him.

Hmmm

[Mr_Silver]

Seems like an odd bit of "by design".

Unless i'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious is going to happen.

The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particulary careful, it could then reset the UAC level back to the what it was before it started.

I'm now completely compromised without the slightest indication that anything suspicious happened.

Re:Hmmm

[canajin56]

Correct. But you missed the a step in your description.

I then get a UAC prompt that the script wants to modify system settings and click "Accept" because I really want to see the dancing bunnies. The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particulary careful, it could then reset the UAC level back to the what it was before it started.

The "exploit" is that UAC settings can be altered by root, so if you allow something through UAC, it can use the permissions you just granted it, to disable UAC. It is no different than a Linux "attack" where it changes your root password: You had to use sudo to run the script in the first place, so it's not an exploit that bypasses sudo at all.

Re:Hmmm

[shutdown+-p+now]

Unless i'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious is going to happen.

The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particulary careful, it could then reset the UAC level back to the what it was before it started.

That's not quite right. When it actually tries to reset your UAC level, you'd still get an elevation prompt. The point is that you do not know what the UAC prompt refers to - it names the process that's requesting the elevation, but not what it's actually trying to do. A user who's trained to click on "OK" in any confirmation dialogs he sees without thinking twice may fall into this trap, but then again, UAC is useless for him anyway... otherwise, there's no real problem here. Of course after an explicit elevation the program can introduce a backdoor!

Similarly, on Ubuntu, if you run a program, and it asks you to sudo, and you actually go ahead and do it, it can then create its own account and add it to the sudoers file, and then sudo whenever it wants without you knowing. And that's really all there is to it here as well.

Re:Hmmm

[xtravagan]

I would trust that you are clever enough to not run unverified software, without digital certificates or web trusts?

Properly configured UAC will prompt you. However as all installers normally prompts for elevation you really _always_ need to trust your source.

For all code, and _all_ systems unix/windows/macos alike.

apt-get can have been compromised, apple store can have been compromised and microsoft download can have been compromised.

Thus you need digitally signed software on _all_ OSes.

Anything else is just up to chance.

Re:Hmmm

[Z80xxc!]

No, it can't. It would pop up a UAC prompt when the installer or application tried to do that. With all UAC settings but the very lowest (OFF), you will get a prompt if it tries to make those sorts of changes. So it would prompt you for UAC rights before it could turn off UAC, hence rendering the scheme pointless.

Heh

[glwtta]

Even the anonymous submitter can't muster up a more flattering adjective for the author than "prolific" - I'm sure I am about to enjoy a quality article.

Re:"Gerald" or ...

[TaoPhoenix]

This?

http://www.youtube.com/watch?v=1JMuJ6Wy1j0

YES YES YES

[Karem+Lore]

Another UAC prompt...Yes, by all means, not like there isn't enough of them already!

Why does Windows make such a meal of user security

[Viol8]

I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system? Unix has managed it with root, groups since the 70s and with ACLs, su, sudo etc since the 80s so why can't MS manage to get right something so simple and so fundamental to a multi user OS in 2009?? And why would you need it much anyway? If you're simply installing an app (as opposed to an OS/library update) why would you need administrator/root type access anyway?

UAC is a stupid idea

[Peaker]

If you look at the computer as a whole, it is incredibly stupid that after the user selects some option, the computer will pop up a dialog asking the user if he is indeed the one who selected this option.

I realize the series of historic accidents that led to this absurd situation - but couldn't they figure out a better way that does not make the computer behave so incredibly stupidly?

Re:UAC is a stupid idea

[JasterBobaMereel]

The problem is there is in Windows no difference between an interactive task and an interactive task that presents no interface, this means that UAC has to prompt for the very very obvious like "did you really press the button marked install" because it has no idea if the user did something or it was done for them ...

Because Microsoft does not have a proper installer interface that installs programs for you.. instead each program has it's own installer/updater Windows has no control over the process and does not know if the user has been asked or not ... Unix style package management systems are one solution where the install is managed by one system which asks the users permission then monitors the installation process ...

Re:UAC is a stupid idea

[Omniscientist]

Because Microsoft does not have a proper installer interface that installs programs for you.. instead each program has it's own installer/updater Windows has no control over the process and does not know if the user has been asked or not ...

Perhaps you meant to say that Microsoft doesn't have a package management system, because Windows definitely has a transactional installer interface that installs programs for you. Yes, it does require developers/publishers to learn how to use it, but many don't, which there is no excuse for.

If Microsoft offered a package management system like our favorite Linux distros do, would you really trust it?

Re:UAC is a stupid idea

[drsmithy]

Because Microsoft does not have a proper installer interface that installs programs for you.. instead each program has it's own installer/updater Windows has no control over the process and does not know if the user has been asked or not ... Unix style package management systems are one solution where the install is managed by one system which asks the users permission then monitors the installation process ...

You appear to be suggesting that package (well, software in general) installation cannot be automated on UNIX systems.

Re:UAC is a stupid idea

[ShinmaWa]

I never did understand why UAC prompts get such a bad rap but the incessant sudo prompts in GNOME and KDE are considered the height of security.

To twist your words: If you look at Linux as a whole, it is incredibly stupid that after the user selects some option, like adjust the screen resolution, the computer will pop up a dialog asking the user to enter his password to prove he is indeed the one who selected the option. (I know its to elevate privs, but the distinction is academic)

Re:UAC is a stupid idea

[The+MAZZTer]

The dialog, by default, pops up on a "secure desktop". It's separate from the desktop you normally work on, and basically it means anything that appears on this desktop cannot be seen or, more importantly, manipulated from the "normal" desktop. Thus any input on dialogs in the secure desktop must come from the user. At least that's the idea.

Incidentally, Remote Desktop can manipulate the secure desktop (I guess it'd have to be able to). And it conveniently breaks VNC (IIRC it disconnects if a UAC prompt pops up and you can't reconnect until you take care of the prompt locally.

Re:UAC is a stupid idea

[bpjk]

This goes a bit deeper than just have a single "installer application" that installs everything. For one, that wouldn't cover most entry vectors for malware (webpages, e-mail, etc.).

The root problem is that in the Windows event queue and interrupts systems, there is no accountability for individual events, i.e. it's impossible to determine where any event originated. Since the event queues can be hooked, any application can create and simulate just about any event, including user input, disk I/O, etc., so the event queue cannot be trusted.

Since the OS can't know if an event was user-generated, app-generated, or driver-generated, it will have to ask about things that may be dangerous.

There is a solution to this, which is to make the entire event path, which may start with an interrupt, right up to event-handling, secure, e.g. digitally sign everything every step of the way, building an accountability-trace into the events themselves. At the lowest level in the OS, the kernel and low-level device drivers kick off the first thing that leads to an event and signing can start there (using the TPM chip on the moterboard for security).

To implement such a thing requires a lot of effort: a total revamp of the anything in the OS to do with events, interrupts, etc.; strictly enforced signed-drivers-only just above the hardware level; system- and event queue hooking only allowed by already-installed and securely signed software; faster hardware as performance-impact of something like this will be high, etc.

Such a change would of course also break just about every driver and app out there, so forget about any backwards compatibility. The effort required would also be enormous. This won't happen anytime soon, I don't think...

Note that Linux and MaxOS X suffer from the exact same problem (plenty of event-manipulatings apps around for those as well, albeit not as many as for Windows), but they have the significant advantage that users run by default as non-admins so anything the OS thinks is iffy actually requires them to type in a password rather than just click "Yes", and yes, having a single installer app helps a bit too (but not much).

Re:UAC is a stupid idea

[shutdown+-p+now]

Because Microsoft does not have a proper installer interface that installs programs for you.. instead each program has it's own installer/updater Windows has no control over the process and does not know if the user has been asked or not ... Unix style package management systems are one solution where the install is managed by one system which asks the users permission then monitors the installation process ...

Um, so the difference between a Windows installer and Unix package manager is that, in the first case, the "MSI Installer" application will ask you to elevate once, and then proceed to install; and in the second case, "Synaptic" application will ask you to elevate once, and then proceed to install. So, the difference is?..

Re:UAC is a stupid idea

[coryking]

(I know its to elevate privs, but the distinction is academic)

Actually, UAC prompts to elevate privs to--really there is no difference. UAC = a GUI version of sudo.

Re:UAC is a stupid idea

[JasterBobaMereel]

The difference is that the package manager will do the install of the verified installation package(s), while MSI will run the unverified install script which will install the program and do whatever else the installer asks including running any programs requested, and at no point does Windows know if it is the installer, the installed program, or the user, or another program that was running in the background, trying to do anything at any time...

Re:UAC is a stupid idea

[shutdown+-p+now]

The difference is that the package manager will do the install of the verified installation package(s

Verified by whom? The source of the packages? The installer is similarly verified by whoever provided it to you. There's no difference to trust e.g. a .deb package from Opera, and not to trust an .msi installer from them - either you trust them, or you don't.

MSI will run the unverified install script which will install the program and do whatever else the installer asks including running any programs requested, and at no point does Windows know if it is the installer, the installed program, or the user, or another program that was running in the background, trying to do anything at any time...

Both .deb and .rpm packages can run arbitrary scripts and binaries as well, doing whatever it wants, without letting the package manager or the user know (once running as root).

Re:UAC is a stupid idea

[JasterBobaMereel]

The difference is that an .MSI installer was written by the site you just downloaded it from and you either trust them or not ...

The Package selected from the package manager is in a repository and has been verified as non-malicious by the keeper of the repository ... who has a reputation to keep ....

If you install a raw unsigned .DEB or .RPM then it is no different than an .MSI (or other installer)

Re:UAC is a stupid idea

[Peaker]

I agree that the password prompts are not the brightest idea, but at least they're conveying some new information to the computer (The User is indeed an administrator).

Clicking "Yes, its me", however, conveys no new information to the computer.

Re:Ubuntu is vulnerable!

[Drinking+Bleach]

It's for convenience really, and it could be turned off. The idea of the default timeout is really so that if you want to run a few root commands in a row, you won't have to retype your password after every try. If you really want to be sure that you never accidentally run sudo see `man sudoers`

timestamp_timeout
Number of minutes that can elapse before sudo will ask
for a passwd again. The default is 15. Set this to 0
to always prompt for a password. If set to a value
less than 0 the user's timestamp will never expire.
This can be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k respec‐
tively.

Note that most distributions don't enable sudo for the user account per default (not even Ubuntu's parent distro, Debian), it would be interesting what the Ubuntu folks would say if you suggested turning off sudo per default.

Ooh goody!

[PontifexMaximus]

ANOTHER prompt! I have a great idea, why doesn't MS prompt the user telling them they are about to be prompted? Wouldn't that be just grand?

'You have hit the A on the keyboard. Continue (Y/N)?'

Genius.

Re:Ooh goody!

[Culture20]

Evil genius if it also works on the Y and N keys.

Re:Why does Windows make such a meal of user secur

[magamiako1]

Viol8:

UAC mimics much of the functionality present in a lot of Linux applications. You need root to install the application, but you don't need root to launch the application.

At least, this is exactly how Microsoft has it designed. And anything that requires administrative privileges should have a service that starts as admin/root and then the client side process should be low privileged.

This is exactly how Microsoft has it setup. The problem is that a lot of application developers are lazy. They don't want to write software for how Microsoft wants it to be written. This has, essentially been how Microsoft has intended software to be written for years. C:\Documents and Settings\User\Application Data has only been around since the Windows 2000 days.

The aforementioned design, however, has never been enforced by Microsoft.

And the worst part about it is that users themselves are asking for software to be written poorly. All you have to do is to take a quick look over at the ZSNES forums where the developers openly asked its users how they should store configurations now that UAC gets in the way, and the users tell them "We want it to be more portable!"

That's fine and all, if you want to install all applications to C:\Users\. But like Linux, there are folder conventions.

It's all there, everything. The environment for writing secure products that don't get exploited that run within the context of a limited user are all built into the OS already.

Microsoft even went out of their way to "virtualize" Program Files for applications that fail to follow the proper format.

Re:Ubuntu is vulnerable!

[dna_(c)(tm)(r)]

But at least in Ubuntu you can change that easily...

/etc/sudoers: timestamp_timeout = 0

Bugs in Beta?

[Lord+Byron+II]

Why are we talking about a bug in beta software? This is code that is still 6-12 months from release.

Re:Bugs in Beta?

[wastedlife]

Because Microsoft does not consider this a bug. It is a "design change":

http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/

Re:Bugs in Beta?

[dalexeenko]

Because according to Microsoft's response they are not going to fix it. From their perspective it is not a security flaw.

UAC isn't "security"

[argent]

UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots third-party software to fix. So they put a prompt up if a program is about to use one of the features that contain or implement part of one of these security holes.

The only real way to fix it is to implement a designed-for-security API and designate Win32 and everything based on it "legacy", only run in a sandbox.

Which is what Windows 7 was rumored to be, a couple years ago.

Re:UAC isn't "security"

[rsmith-mac]

At some point this tripe gets ridiculous, particularly when Vista has been out there for over 2 years now. The Win32 API has its flaws, but security issues are due to problems with the underlying OS, not the API.

If there are security flaws in the Win32 API as implemented by Vista, please by all means point them out. But I'm going to be surprised if you can point out anything that doesn't fall under "It's a system level change, you need admin credentials moron" school of thought. Most people don't understand security nearly as well as they think they do, and Slashdot is no different.

Re:UAC isn't "security"

[argent]

Since everything in the OS is exposed via the Win32 API... you can't even see the NT kernel API unless you're someone like Softway Systems... the difference is academic. So is "it's a system level change", when it's a system level change that thousands of applications (for many of which the source is no longer available) depend on.

"There are APIs in Windows that applications have been written to use, that should not be exposed to untrusted applications. These APIs can not be blocked without breaking too many legacy applications, so UAC makes the user responsible for deciding when they should be allowed." Better?

The fact that these APIs were made available for general use was a security flaw, but one that didn't much matter when there was no security. Now they make security impossible.

This is the same logic as the stupid security dialogs in IE and other applications that use the Microsoft HTML control. It's not "security", it's "we're afraid to make the OS/libraries/COM objects/APIs secure, so we're putting it on you, the user".

Re:UAC isn't "security"

[rsmith-mac]

Should the user not be free to run software as they please then? Because there are plenty of complaints just in this article that are people bitching about just that - how Vista is somehow preventing them from doing what they want. Should "untrusted applications" be everything other than a select few applications that only Microsoft gets to define?

And if not, how should users tell the OS that an application is trusted? Perhaps they could indicate that in some kind of dialog box...

At the end of the day the user is the only one responsible for their system. If they want to run an application that will wipe their hard drives, drink all their beer, and knock up their wife, then that is their right, and their responsibility. Sadly too few people seem to understand the latter part of that.

Re:UAC isn't "security"

[drsmithy]

UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots third-party software to fix.

[Citation Needed]

UAC is (basically) a somewhat-friendlier implementation of sudo. What is the purpose of sudo, then ?

Re:UAC isn't "security"

[dedazo]

Here, I fixed this for you:

UAC is a hack to deal with the problem that the Win32 API is typically accessed by third party software written with no security in mind, that would require changing lots third-party software to fix.

A little redundant, but actually true now.

Re:UAC isn't "security"

[drsmithy]

The Win32 API has its flaws, but security issues are due to problems with the underlying OS, not the API.

What problems ?

Re:UAC isn't "security"

[drsmithy]

"There are APIs in Windows that applications have been written to use, that should not be exposed to untrusted applications. These APIs can not be blocked without breaking too many legacy applications, so UAC makes the user responsible for deciding when they should be allowed."

Which APIs, and what are the "inherent security flaws" ?

Re:UAC isn't "security"

[darkmeridian]

Windows Vista x64 runs all 32-bit Windows applications in Windows On Windows (WOW), which looks like a sandbox to me. The x64 instruction set includes a disable execution bit that is supposed to increase security but who knows how that works.

Re:UAC isn't "security"

[shutdown+-p+now]

Win32 API is full of inherent security holes that would require changing lots third-party software to fix.

Can you actually give just one specific example of non-deprecated API with an "inherent security hole".

Meanwhile, keep in mind that e.g. strcpy and strcat have "inherent security holes" as well, depending on how you look at it.

Re:UAC isn't "security"

[xtravagan]

It is pretty simple really, if you the working of a computer. This security flaw is on Intel. They allowed from the start programs to execute on the stack. disable execution makes sure you have to mark sections as executable, this makes buffer overrun's more or less impossible, not entirely, but alot harder.

The problem again, like with UAC, is that applications out there use this functionality, such as JITs (Java, .Net), not really on the stack, but on the heap, so the attacks just have to move there instead.

However with UAC in place, and your app running as a non privilieged (or even low priv) it cannot make compromising changes to your computer. It can still steal stuff though.

Re:UAC isn't "security"

[coryking]

The problem is that you dont understand the problem. According to your +5 informative post, sudo is also a hack to get around inherent security holes in the Linux kernel, right? Because that is basically what you said.

The problem is until UAC every damn user account was running root. UAC was Microsoft's version of sudo. A program runs as a normal user until you click through the UAC dialog and run it as root instead.

But the real, true problem with UAC is a bunch of Unix nerds have no clue what the hell UAC actually is. UAC is nothing more then a graphical version, sometimes password-free version of "sudo [path to your program]". That is it.

Re:UAC isn't "security"

[bill_mcgonigle]

Which is what Windows 7 was rumored to be, a couple years ago.

Don't tell me they dropped the database-backed filesystem from Chicago too!

Re:UAC isn't "security"

[argent]

The requirement that applications run as root to do things like open low IP ports in UNIX is a security flaw, yes. It's a design flaw in the Berkeley socket API and has led to many programs running setuid root, instead of running setgid or requiring that users be in a particular group, that shouldn't be.

Sudo is also not part of the standard UNIX toolset, either... it STILL doesn't ship as a standard part of many traditional UNIX systems, and it isn't actually required for the use of ANY UNIX system. You could eliminate sudo and just perform privileged actions logged in as root on a separate virtual console and most users would never notice.

Yes, even on Mac OS X, Apple could remove their hack around sudo (which I don't approve of) and force users to use Fast User Switching back to a real Administrator account, and most users wouldn't notice.

Also, sudo isn't built in at a low level so that every application that wants to do something that requires privileges automatically gets a dialog popped up on its behalf, teaching users that these kinds of security dialogs are a normal part of their day, and so making it easier for malware authors to social-engineer their way in. It's not as bad as the way applications that use the Microsoft HTML control are willing to grant full local user access to untrusted websites and email attachments if the user can be tricked into clicking "OK" at the wrong time, but it's still a daft idea.

Now if Microsoft were to say "applications that have UAC pop up will be completely broken in Windows 8, unless the user installs them in a legacy VM, because we're going to replace UAC with something that requires more explicit user interaction", so they were using UAC to force application writers (including Microsoft) to quit using raw system management APIs directly from applications... but they don't.

Re:UAC isn't "security"

[argent]

Yes, strcpy and strcat and sprintf have inherent security holes, but YOU can't write a program using strcpy or strcat and have that lead to the user seeing a "please run me as root" dialog which, of course, they approve because they get "please run me as root" dialogs ALL THE TIME.

Re:UAC isn't "security"

[argent]

Um, I was criticizing Microsoft (and Apple) for the lack of security in Windows (and Mac) APIs back in '89 or '91 or whenever they were introducing Win32s (and System 7). And I'm not any kind of super genius, so if I could see the problems they were letting themselves in for why couldn't they?

At least Apple has finally scotched Classic.

Re:UAC isn't "security"

[argent]

I'm free to run any software on this here FreeBSD box I want.

Some of it I have to log in as root, or su to root, to run. Because that's something I do rarely, applications don't routinely make calls to APIs that are restricted to root very often.

On Windows, these calls have never been restricted, so applications have been free to call them, since they were introduced (some as far back as Windows 1.0). There's never been any reason for applications to avoid using them. So thousands of applications, including applications written by Microsoft, make these calls routinely. So instead of having "su" something you do once a week, at most, UAC is something that comes up many times a day.

Re:UAC isn't "security"

[argent]

I was right with you up until you started talking about .NET.

No, please, just no.

Re:UAC isn't "security"

[cocacolaboy]

Which is what Windows 7 was rumored to be, a couple years ago.

Don't tell me they dropped the database-backed filesystem from Chicago too!

The features mentioned will /always/ be in the next version of Windows

Agreed

[FoamingToad]

I've been installing Foxit on new machines for about nine months now, and have a lot of love for it. It was the retarded reboot-on-upgrade policy of Adobe that particularly ticked me off (load times notwithstanding).

I noticed earlier today that V3 is out, will be giving this a trial run sometime over the next couple of weeks. Only thing I'm hoping for is that they've improved the process for unattended setups, as this is the only thing that bugs me at the moment.

And you thought ...

[yvesdandoy]

they had "changed" ???

HA HA !

Anonymous Coward

I don't see this as a security hole. The first thing I did after installing was disable UAC. All it does is protect users from themselves...

Also, it using sendkeys in a script would be rendered completely useless if it was executed while the user was typing something, so this would only work assuming the user executed the script, and then immediately afterward went to take a piss...

Re:Anonymous Coward

[Beefslaya]

Which is why most Windows users wear helmets.

Re:Why does Windows make such a meal of user secur

[maugle]

Because, in Unix terms, the applications are all horribly written and want to store your personal settings in /etc

Re:Ubuntu is vulnerable!

[redxxx]

Note that most distributions don't enable sudo for the user account per default (not even Ubuntu's parent distro, Debian), it would be interesting what the Ubuntu folks would say if you suggested turning off sudo per default.

Then users will need to know their administrator password, and will end up using it as an account.

Sudo prevents a certain large segment of the potential Ubuntu population from being retarded. It's a calculated risk, but I don't think they would change their position. It is not one they arrived at by chance.

Re:Why does Windows make such a meal of user secur

[magamiako1]

maugle:

pretty much.

Re:Why does Windows make such a meal of user secur

[drsmithy]

This is exactly how Microsoft has it setup. The problem is that a lot of application developers are lazy. They don't want to write software for how Microsoft wants it to be written. This has, essentially been how Microsoft has intended software to be written for years. C:\Documents and Settings\User\Application Data has only been around since the Windows 2000 days.

Actually, per-user Registry Hives and filesystem locations were introduced in one of the last versions of Windows 95, IIRC - and they were _definitely_ in Windows 98 (and all versions of NT).

It's been a decade since a Windows developer has had any excuse whatsoever (let alone a good one) for releasing software that wasn't "multiuser friendly".

To the point,

[ternarybit]

from my understanding UAC is designed to prevent execution of malicious code, or at least warn the user of the potential threat that they may be launching a virus instead of "top40.mp3" they just pirated from limewire.

As a repair tech at a small computer shop, I service *plenty* of infected Vista machines with UAC enabled. At least 1 in 3 have rogues like Antivirus 2009 installed.

So IMHO this "security hole" in UAC is moot because the PEBKAC.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:You dont know what you are talking about

Well, don't keep us in suspense here, Mr. MCSE. What's the difference?

Re:This story is still floating around?

[wastedlife]

Sure it is over-hyped. But it is a security hole if an application can change UAC settings on a default install without user interaction.

Re:Why does Windows make such a meal of user secur

[magamiako1]

Well, I know that it's "technically" possible to install applications as non-root. The problem comes in that there are certain conventions that each distribution wants to follow to allow a unified experience for application developers.

There's a little give and take there.

Re:Why does Windows make such a meal of user secur

[drsmithy]

I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system?

Because Windows tries to accommodate incompetent developers and ignorant users, rather than telling them to "RTFM or GTFO !".

Windows Security Hole is News????

[queenb**ch]

Seriously.... how is this news???? SOP (Standard Operating Procedure) should not be news.

2 cents,

QueenB.

Re:You dont know what you are talking about

[dunng808]

OMG, an Anonymous Coward dialog. How informative. How insightful. How authoritative. I am quivering in anticipation of what other Windows security gems I will find here.

I just had a weird thought. Perhaps Windows fanboys are comfortable posting AC because they are so certain their position is correct. I call that the Sarah Palin effect. Could one of these ACs be her? Anyone who can field dress a moose is likely to believe they can lecture on Windows 7 security design.

Whatever happened to the old Slashdot, when Windows was always laughed at?

Blame The Developers?

[EXTomar]

I'm always a little irked by this supposition that the developer for an app that has nothing to do with security has to be aware of the details of the security subsystem.

Going back to the check book software example, we can probably agree there is nothing about such a software system that needs Admin privileges but we should also agree such a system shouldn't need to take any special consideration for the permission or security beyond the defaults. The data itself may need to be kept locked and private from other users but you don't do that by switching to Admin/elevating permissions.

So how did we end up with a situation where the check book balancing application has to be "aware" of roles and security? It is really all the fault of Windows design. Parts of the installer need to access other parts of the system that require elevation in privileges. Parts of the application often sit in restricted parts of the file system (C:\Program Files). Depending on what other facilities are being used working with Windows may restrict you. Add to this the system is tied up with AV and other security software which may interfere as well. At every level there may or may not be documentation on how to gain access. All of this is a PITA handle to program let alone support the user when it shouldn't have been an issue in the first place! Since Microsoft didn't see it fit to provide elegant systems to the developer to handle these case, developers came up with their own with the system available.

The people trying to sell a check book balancing software should be focused on writing the best damn check book balancing software instead of worrying about how to get the right "permission token" to run their app or cataloging thousands of possible error coming from outside of their application.

Re:Blame The Developers?

[Splintax]

I'm always a little irked by this supposition that the developer for an app that has nothing to do with security has to be aware of the details of the security subsystem.

I consider the concept of running as user vs. administrator a pretty basic part of the way the OS works, not a 'detail of the security subsystem'. Any developer writing software for a particular OS needs a basic understanding of how the OS works, and this is part of it.

Re:Changes to UAC

[Shados]

No. UAC is meant to have people run as unprivileged accounts without having the people who MUST RUN AS ADMIN OR ELSE!!! cry -too- much.

Its just impossible to get a balance between making people aware of admin-account requirements, and having people not bitch too much.

Well dont do that

[coryking]

You have no business writing to Program Files. Do you still modify win.ini and system.ini and drop DLL's into system32 as well? Writing to Program Files is about as bad and obsolete a practice as writing to win.ini.

Yes it is frustrating to have it redirected and maybe they should have put something in your event log to help make it obvious, but dammit, writing to Program Files was discouraged even in Windows XP. The only reason it redirects instead of totally fails is because there are gobs of badly written programs that still exist (try to write to Program Files as a normal user) and Microsoft didn't want to break all of them.

There are API's to get a proper place to write system-wide settings. Even then, you probably will need to get your program to elevate itself via UAC because you are modifying global stuff. I bet if you elevated your app before writing to Program Files, it wouldn't redirect (check MSDN). Remember that "admin user" doesn't mean you are running as an admin in vista, your program has to request a UAC dialog before you run as root otherwise you run as a regular joe.

Seriously though, try running your program as Administrator (right click on the exe and go "Run as Administrator). See if it still redirects, I bet it doesnt.

it raises the parental support costs

[coryking]

Making it harder to install "Stupid Mouse Jumps Around the Screen and Installs Spyware.exe" is a feature, not a bug.

If that's what she wants to do, who is anyone else to tell her no?

Well, for one I'd stop supporting her machine. Can't do that though because, you know, she is my mother and all. I can't just tell her to FOAD seeing as how she gave birth to me.

Lets see

[coryking]

In other words, you want everybody to run as root all the time, right? Because the only way to avoid having a prompt of some kind or other is to always run as root.

How can you make a system both secure, "prompt free" *and* not have it run as root? Or is your solution to run as root 24/7? If so, sorry, been there done that, got the botnet.

Re:Lets see

[Seth+Kriticos]

Heck, the last thing I would want anybody is to run as root if not engaged in some kind of setup process.

It would just make more sense to make this process straight forward (initiate setup process, do stuff, end setup). This would require a one time authorization and a clue on what one is doing. -> education.

This is completely false.

[coryking]

That is 100% not true. Your user account *is running as a regular user* no matter what group it is in. It doesn't matter if you are in the admin group (unless you stupidly disable UAC, in which case you basically run as root).

"UAC" = "sudo [program name]"
"Vista, Administrator Group" = "your account is in /etc/sudoers with 'username = NOPASSWD: [your program]'"
"Vista, non admin group" = "sudo [program name] with password, but that depends on the group policy... "

Your highly moderated post is 100% mis-information and is *not true*. YOU ARE NOT RUNNING AS ROOT UNTIL YOU ELEVATE VIA UAC!!

Re:This is completely false.

[Splintax]

You're correct, but the post you replied to never said that being in the administrator group was the same as 'running as root'. In fact, the AC seemed to understand how UAC works just as well as you do.

Re:This is completely false.

[GravityStar]

Disclaimer: I think UAC is great.

It's actually important to remember that UAC does not represent a "Security Barrier"(WinNT TM). MS has communicated that at numerous occasions. There are specific sets of circumstances where a program may be able to bypass UAC tripwires entirely.

Though, subverting the UAC in that way *does* require some level of cooperation from an already elevated Administrator process using legacy interop methods. (IIRC, it was DDE)

Though, this was the case for Vista, I'm wondering if things changed with W7*?

*Just remember, I'm copyrighting this novel expression designating the Windows 7 software. Anyone can have permanent, non-revocable, non-transferrable license for the meager cost of 50 cent to my paypal account.

Re:Why does Windows make such a meal of user secur

[Yunzil]

I don't use Windows much so perhaps I'm missing something obvious, but why is it so hard for MS to implement this sort of system?

Because people expect to still be able to use their horribly-written apps that assume they can scribble freely all over the C: drive.

no, he did not understand it at all

[coryking]

Words have specific meanings and "You are not inputting a password to authenticate higher privileges. You already have them" means one doesn't know what they are talking about. That statement is *not* true. You do *not* have higher privileges no matter who you are. You need to go through a UAC dialog to elevate the privileges of a program.

If AC knew what he was talking about, he'd draw a line between the wheel group and the Vista admin group. They are somewhat alike, though on many unix systems a person in "wheel" can do all kinds of root-like things without the use of sudo--this is not true on Vista.

The fact that the AC says "input your password" says he is either a very good troll or has never used Vista in his life. People in the admin group never have to input their password.