Slashdot Mirror
Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
Not running as a fully-privileged user reduces your security risk? Who knew!
This is not news. The question is why it hasn't been meaningfully addressed in Windows for such a long time.
To fight the war on terror, stop being afraid.
The vulnerability is in Windows 7's UAC, not Vista's, so that part of the story is not only wrong but a dupe of the previous "UAC vulnerability" article. As for the rest of the story, it's just marketing copy for BeyondTrust Corp. Congratulations samzenpus, you've posted perhaps the first article that's wrong, dupe, blogspam, and slashvertisement all at the same time!
The history and culture of Windows is at least as responsible for the "run as root" problem as any shortcomings, and there were many over the years, in the OS itself and although Windows OSes has progressively improved security over the years there is only so much to be done, on any system, when users have been trained to run as root and click "yes" everytime. Of course, malicious programs like downadup and the infamous ClickYesToContinue ActiveX certificate debacle don't help matters.
That's what UAC is for. It's there, applications can take advantage of it. IE takes advantage of it. Even Chrome takes advantage of it.
Most software developers are freakin' lazy.
What's really annoying is that too many programs still insist on "administrator" privileges for installation. Installation needs to be a far more contained process, with limited authority. Most applications don't really need the ability to manipulate elements of the system outside their own directory subtree and their own subtree of the Registry. Installation of "normal" applications (especially games) should be contained accordingly. Most applications are, in a security sense, "leaf nodes"; nothing else depends on them. But Microsoft doesn't make that distinction. (Nor do most Linux application installers, even though Linux/UNIX doesn't have the registry issues that Windows does.)
Lame blogs aside, The Fucking Article is damn near worthless. Highlights include:
In conclusion: Running everything with admin privileges is bad, which is why Microsoft fixed this 2 years ago with UAC. It's a lame PR piece about an equally lame study from a company that wants to sell you stuff to do things that MS did years ago. If you are here reading Slashdot, there's nothing here you didn't already know.
What you suggest is either impossible, extremely undesirable, or both, assuming that by "they" you mean Microsoft.
For them to prevent certain classes of applications from running, without special knowledge, would require a kind of analysis similar in nature to solving the halting problem - a problem well known to be unsolvable.
Then the course of action is to require applications requiring root privileges to be signed by Microsoft, essentially making Windows a closed platform for developers. Furthermore, any applications they sign would have to be bullet-proof, getting back to the halting problem.
Insert self-referential sig here.
Problem is that they assume that when the security bulletin says that successful exploitation will allow the attacker to run as the current user, this does not mean that the attacker will be able to run as admin, even though the user is an admin.
Indeed (with UAC on) IE7 runs in protected mode which is a "sandbox" where the users' security tokens have very limited rights, thus intrinsically protecting the OS.
The Vista protected mode effectively runs the process as a limited user, even though it preserves the users identity.
Even if the attacker can somehow trick the browser or user into downloading a malicious file and start it, it will still need elevation (yes, the cancel/allow thingy) to assert admin privileges.
So, another way to spin this would be "Vista UAC protects against exploitation of 92% of vulnerabilities".
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
I swear those guys are like that guy who just installed Linux, runs it as root all the time because he "knows what (he's) doing" and enables telnet and hands out logins to all his friends. Except that guy learns after the first or second time his system gets rooted that maybe he should stop being such a goddamn jackass and run his system the right way from now on. Microsoft never got past the jackass phase. They keep implementing half-assed fixes because they think they can do it better. You'd think 30 years of failure would convince them otherwise...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Microsoft's biggest market advantage is the amount of legacy software that supports their platform.
Rewriting an app to be cross platform is not much more work than rewriting for a single OS so if they force application makers to do a complete rewrite they risk having them rewrite using cross platform libraries.
I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."
But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?
I have been suggesting this for years. Enterprise (Microsoft's most important customer base), in general, does NOT want it. Seemingly they want the 'good ole' x86 to live forever and Windows to run programs written for DOS 5.0 even in 2009 and beyond. Ridiculous, but it is true.
If you are a business who relies upon some certain software to get work done and do NOT have the time, money or resources to switch to something else, it is in your interest to demand your software vendor (in this case Microsoft) NOT to remove compatibility for X application.
If you look at the Windows 2000 leaked source code, you can find plenty of comments about VERY specific application fixes. Yes, XP broke stuff. Vista broke more. But it probably did not break what the enterprises care about (Vista likely did break many things, hence why 7 is being rushed and so many enterprises skipped Vista and will go to 7 after some extensive testing).
Today I experienced a game that does not work on Vista. Microids' Corsairs from 1998, made for Windows 9x. Tried compatibility modes, the latest patches, etc. It just kept crashing. Microsoft does not care about your 'classic' games at all. All they care about is the enterprises who actually buy the expensive volume licenses Microsoft is always trying to sell.
They're paid off by the Anti-Virus companies. If not for administrative login, who would buy their crap?
MS Windows are no longer the cheap option in the server room, or thanks to malware, they are not the cheap option on the desktop either. Personally I think it's time to let them go back to their better suited role of hobby machines at home until the first gaming console with more than 4GB buries them in that role.
of road warriors, bluetooth, pirate WAPs, Promiscuous mode, and a lot of other modern technologies. Your network is not the hallowed ground you think it is.
The only trusted host on the network is a Known Host with a secure connection. Ever and always. There is no excuse for having open ports ever, let alone by default on a desktop, unless you intend to deliver a service on that port to untrusted strangers.
This has been common knowledge and best practice for at least 15 years.
Help stamp out iliturcy.
As well as that, how about setting the default admin account so you have no sounds, no desktop wallpaper, no animated cursors - none of the flashy crap that users seem intent on encumbering themselves with. You want the bling == run as a limited user.
However this would require limiting the capabilities of the Admin account, and this is something I'm not entirely happy with (as, admin *should* be equivalent to god mode).
Microsoft's biggest market advantage is the amount of legacy software that supports their platform.
Microsoft's biggest problem, which I noted before Vista was even released, is that we're well invested in third party software and we've figured out how to play well with their previous platform over six long years. Our nest is well feathered. It's comfy and we don't want to leave it. Especially for a cold new future where we have to buy everything and figure everything out all over again. If we have to do that, why stick with the vendor that guarantees we'll feel this pain again in a little while?
The problem, two years later is even deeper because nobody in their right mind bought into this dog, and so they've been burrowing deeper into their XP cave this whole time.
It's probably too late now to save the Microsoft platform. It's been eight years since the 25 October 2001 release of XP. They have before them the task of creating something that's sufficiently similar to save their "Microsoft brand", sufficiently different from their "Vista debacle", and competitive against a swelling sea of free options. It's a lost cause. "If we have to change to something that radically different, and buy/engineer all our software over again, why not get Macs, or try this 'free' thing?"
Help stamp out iliturcy.
I never thought of that. Windows is such a pain to use at all without the admin access that most people just shrug, set themselves up as a Power User just so they can use the damn thing.
But when you think about it, in the *nix community running as standard users is a staple...the norm if you will of computer operation. If you're logged on as "Bob" and you need the Admin-level access (install something, access a file that is not owned by your account, etc) you fire up "sudo" or a terminal window and SU it for a while.
If it's a nice graphical interface in either usage or installation...it'll even pop up and say "I'm sorry, you need admin access. Do you have the password?" And if you do then it'll just shrug and bloody well go and do it.
This is something that needs to be put in future versions of Windows. That and stop requiring The Sims 2 to have administrator access just so you can play paper dolls.
Phoenix
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
Did you setup the "MOM" account FIRST, before installing software as admin?
Eh???? Why would you have to install software second? At some point, you will want to add other users. Will they not be able to access the software?
I prefer the "u" in honour as it seems to be missing these days.
The reason why Windows is such a pain in the ass is because Windows was never designed for this.
Let's say I install OSX. The OSX app is self-contained, which means that it does not need anything outside of its circle.
Let's say that I install on Linux. The Linux app can either be installed locally per the user or for everybody. But it is a clear cut case.
Windows? WTF... I need to access the registry, the windows system directory, the program files directory, and the local user directory. It is a bleeding mess!
Microsoft to this day does not understand that the issue is the fact that they have not revamped the complete installation process. There is absolutely no need for Office, or any other application to need anything other the system files if it is running in "install to user" mode.
This is the problem, and until Microsoft understands that nothing will change.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Windows lacks a really clear separation between what is in the realm of the user and what is in the realm of the administrator. This is the real root of the problem.
Unix based systems started out as multi-user timesharing systems. From day one you owned exactly one set of filesystem resources, your home directory, and nothing else. An admin CAN create other shared directories, but there is a clear boundary between user and admin. ALL developers know this, it is very clear. Any administrator knows this, they can count on it, it is a very simple rule to understand "home directory belong to user, not home directory not belong to user".
The real problem with windows is who knows who the heck is supposed to own what? User related 'stuff' is scattered willy nilly all over the hard drive, and what and where it is varies with wild abandon between different versions of windows. There is simply no clear cut rule, and thus developers aren't really encouraged to understand the separation because it isn't simple or straightforward. Instead it is complex and you need to know different rules for different versions of windows.
Now in theory maybe this shouldn't be a problem. In theory your developers can go hunt up what the rules are in some knowledge base somewhere. In theory. In practice they are paid to get the product out the door. In practice they don't have a whole lot of extra time to waste on dealing with MS inept handling of the whole issue. In reality they just elevate the privs of their installer and get on with their real jobs.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
Tools like these are just a bandage on a wound needing stitches. If things were designed properly you'd have no need to use this utility in the first place!
I find this interesting because I reinstalled my XP workstation only last week after several years and took the opportunity to start running in least privilege mode. It is quite apparent how much software there is that still does not function well using a non-admin account. A lot of my software I have converted to portable versions using thinapp which should prevent registry bloat, and allow me to take them with me on another device and keep all my settings.
If Windows allowed to have multiple users logged in at the same time, I would do as I do under Linux, I would login twice, once as user for routine task and once as administrator for the rest. The problem with Windows is that each account has only one set of rights and you cannot easily fall back to admin rights when you need to, and you cannot have two users logged at the same time.