Slashdot Mirror
Users' Admin Logins Make Most Windows Malware Worse
nandemoari writes "A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."
Would you like to install a virus? [Cancel/Allow]
Not running as a fully-privileged user reduces your security risk? Who knew!
This is not news. The question is why it hasn't been meaningfully addressed in Windows for such a long time.
To fight the war on terror, stop being afraid.
sudo apt-get with the times, microsoft!
-I only code in BASIC.-
Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.
Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.
-my apologies to plasmacutter
The vulnerability is in Windows 7's UAC, not Vista's, so that part of the story is not only wrong but a dupe of the previous "UAC vulnerability" article. As for the rest of the story, it's just marketing copy for BeyondTrust Corp. Congratulations samzenpus, you've posted perhaps the first article that's wrong, dupe, blogspam, and slashvertisement all at the same time!
The history and culture of Windows is at least as responsible for the "run as root" problem as any shortcomings, and there were many over the years, in the OS itself and although Windows OSes has progressively improved security over the years there is only so much to be done, on any system, when users have been trained to run as root and click "yes" everytime. Of course, malicious programs like downadup and the infamous ClickYesToContinue ActiveX certificate debacle don't help matters.
What's really annoying is that too many programs still insist on "administrator" privileges for installation. Installation needs to be a far more contained process, with limited authority. Most applications don't really need the ability to manipulate elements of the system outside their own directory subtree and their own subtree of the Registry. Installation of "normal" applications (especially games) should be contained accordingly. Most applications are, in a security sense, "leaf nodes"; nothing else depends on them. But Microsoft doesn't make that distinction. (Nor do most Linux application installers, even though Linux/UNIX doesn't have the registry issues that Windows does.)
What they need to do is limit all users to not be administrators. They should create the admin account so that it can ONLY do admin tasks. It cannot run programs like office or games. It can only run security and diagnostic apps, adding-remove apps. If they restricted admin users from using their account for daily use and only for admin use, that would significantly reduce the attack surface for crackers.
Or you could use a modern antivirus like antivirus2009
It stops everything.
Help stamp out iliturcy.
I am sure this is not news to anyone whether you love or hate Microsoft. The fact is the coding practices commonly followed under DOS and then under Windows have been rather poor. The reasons for it are many, but largely because of a thirst for performance. But in order to keep people hooked on Windows, they have to keep supporting the mistakes of others as well as their own. This is what they call "backward compatibility."
But there is a way out of it and for some reason they seem unwilling to do it. Write a new OS, virtualize old Windows for "legacy support" and eventually all the software vendors will port their code to work with the new Microsoft OS natively just as they did with Mac OS X. I can't imagine why Microsoft is unwilling to do that... got any suggestions anyone?
Lame blogs aside, The Fucking Article is damn near worthless. Highlights include:
In conclusion: Running everything with admin privileges is bad, which is why Microsoft fixed this 2 years ago with UAC. It's a lame PR piece about an equally lame study from a company that wants to sell you stuff to do things that MS did years ago. If you are here reading Slashdot, there's nothing here you didn't already know.
What you suggest is either impossible, extremely undesirable, or both, assuming that by "they" you mean Microsoft.
For them to prevent certain classes of applications from running, without special knowledge, would require a kind of analysis similar in nature to solving the halting problem - a problem well known to be unsolvable.
Then the course of action is to require applications requiring root privileges to be signed by Microsoft, essentially making Windows a closed platform for developers. Furthermore, any applications they sign would have to be bullet-proof, getting back to the halting problem.
Insert self-referential sig here.
Problem is that they assume that when the security bulletin says that successful exploitation will allow the attacker to run as the current user, this does not mean that the attacker will be able to run as admin, even though the user is an admin.
Indeed (with UAC on) IE7 runs in protected mode which is a "sandbox" where the users' security tokens have very limited rights, thus intrinsically protecting the OS.
The Vista protected mode effectively runs the process as a limited user, even though it preserves the users identity.
Even if the attacker can somehow trick the browser or user into downloading a malicious file and start it, it will still need elevation (yes, the cancel/allow thingy) to assert admin privileges.
So, another way to spin this would be "Vista UAC protects against exploitation of 92% of vulnerabilities".
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
I swear those guys are like that guy who just installed Linux, runs it as root all the time because he "knows what (he's) doing" and enables telnet and hands out logins to all his friends. Except that guy learns after the first or second time his system gets rooted that maybe he should stop being such a goddamn jackass and run his system the right way from now on. Microsoft never got past the jackass phase. They keep implementing half-assed fixes because they think they can do it better. You'd think 30 years of failure would convince them otherwise...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
A Mac fan extolling the merits of the command line.
It's going to take some time to get used to. Forgive me.
Help stamp out iliturcy.
But Valve will go after you for trying.
My question:
Customer 06/11/2006 04:15 AM
I am not willing to play (and let other people play) HL2 using the Admin account on my computer because of the obvious security implications (I don't want my computer infested with malware).
Is there any way to run it without admin privileges? I installed it using admin privileges and went back to my unprivileged account but turns out it needs to write data to the install folder (bad programmer - no donut for you).
Which are the files STEAM tries to write to in the install folder?
If it turns out to be too complicated I'll just download the no-steam version with BitTorrent ;-).
Their response:
Response (Josh) 06/13/2006 01:34 PM
Thiago, It cannot be run without admin privileges. I know you were probably joking, but I would also encourage you to avoid any product that claims to get around Steam. We take cheating and hacking very seriously.
of road warriors, bluetooth, pirate WAPs, Promiscuous mode, and a lot of other modern technologies. Your network is not the hallowed ground you think it is.
The only trusted host on the network is a Known Host with a secure connection. Ever and always. There is no excuse for having open ports ever, let alone by default on a desktop, unless you intend to deliver a service on that port to untrusted strangers.
This has been common knowledge and best practice for at least 15 years.
Help stamp out iliturcy.
It's a combination of ignorant users and ignorant IT people. I've never seen a single IT person use "runas" (impersonation), ACLs on the Windows file system or registry or and this is the damning one, a command line utility that allows you to selectively strip administrative rights on applications as you use them thatâ(TM)s been on Microsoftâ(TM)s site for years (after I pointed it out to them).
There was a reason once upon a time Microsoft chose to release Windows XP in such a way as to have users running with administrative rights. A reason that is extremely weak now - many people were upgrading to Windows XP from Windows 9x/ME and Microsoft didn't want to incur the support cost (or their partners) of having lots of applications stop working. Among them is the popular WinAmp. It used ancient APIs for its configuration file, WINAMP.INI, that stored global preferential data (as opposed to per user) in C:\WINDOWS\WINAMP.INI. If you didn't have administrative rights, it would just hang when you fired it up. Google Desktop when first released would *NOT* work on a non-administrative desktop. The list of offending applications goes on and on, e.g., a friend of mine had oceanic navigation software that insisted running with admin rights.
However, it turns out there is a programmatic mechanism in place in every copy of Windows XP (and Windows 2000) that allows you to strip administrative rights when you launch a process. Microsoft never exposed users to this ability for reasons that to this day are unclear to me. The magic API in question is CreateRestrictedToken.
But what really was an eye opener to me is when I would point out a tool on Microsoft's site to strip out administrative rights when you run a program. Namely, years ago you could have made the situation tenable in the case of apps like WinAmp and Google Desktop by yes, logging onto your desktop as an administrator but launching most Internet facing application without administrative rights but hereâ(TM)s the clincher *AND NOT CHANGING USERS* . In fact, I've been doing this for years.
Nonetheless I observed an incredible amount of laziness on IT professionals when I pointed out these capabilities. Laziness, apathy and the usual suspect of insecurity ("Don't tell me what to do, I know what I'm doing"). Yes, that's right, you manage a CISCO PIX firewall, you must be a security guru all around and follow best practices.
So given my former life as a Windows software developer I took it upon myself to create a turn key installer that at least protects Jane & Joe Average called *RemoveAdmin*:
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
RemoveAdmin is a utility to strip administrative rights off apps as they're launched under Windows XP and Windows 2000 where unfortunately 99.9% of home users run with administrative rights.
The default RemoveAdmin installer creates shortcuts for IE and Firefox but if you analyze the shortcut, you see IE and Firefox are passed as an argument to the removeAdmin.exe program.
You can trivially setup another shortcut for Opera and/or any other Internet facing application... as you should since you can't trust foreign computer systems you connect to.
Itâ(TM)s version 0.1 since I havenâ(TM)t created a FAQ and thereâ(TM)s the situation that if you have multiple administrative SIDs it wonâ(TM)t work (not the case for most people). I need to fix that, create a FAQ and also offer to adjust the ACLs on the Startup folder to tighten security such that when combined with RemoveAdmin, breaching your system on account of your browsing becomes because crazy hard.
Random dlls, configs, assets and exes in WINDOWS dir.
Do a fresh installation of Windows, don't install anything on it, take a look at the Windows directory. I recommend you sort by file type. You'll notice it's actually quite organised; the "system32" directory for instance, notorious for being a huge mess, is something like 90% just "exe" and "dll" files, and very little else. It's all surprisingly organised. As soon as you start installing programs however, many will just decide to dump stuff in the Windows directory (and subdirs) for literally no good reason. The crap Creative drivers decide to drop is unbelievable, I found out first hand. There is VERY little that _needs_ to be in the Windows directory, application devs need to realise this.
dlls, data, configs and exes in Program Files.
Yes, good thing Unix systems only install programs in users home directories, and not in system-wide accessible directories.
Some data and configs in Documents and Settings.
You might notice each user has a sub directory in "Documents and Settings" (now "Users" in Vista and later), which contains all their personal documents and user-specific configuration files for the OS and applications. Definitely very single user.
Registry.
I'm guessing the distinction between HKLM (Local Machine) and HKCU (Current User) is lost on you? Current User, by the way, is a registry hive specific to the logged on user that is unique to their user profile.
Once again, this all stems from the OS supporting a feature, and the feature not being utilised. Windows NT didn't become a multi-user OS with Windows 2000, or NT 4.0, it was a multi-user OS from the very beginning, the first release being NT 3.1. In fact, that's in part why NT was developed, Microsoft realised that 9x was completely stuffed from a security perspective, and had no hope of ever becoming a serious multi-user OS, so, they started NT (along with various other objectives).
The mass migration of 9x applications designed for a single user environment to the multi-user NT of course resulted in many of these programs having very poor support for multi-user configurations, and were never really updated to support it. Then, there's just simple developer laziness, not caring to develop their application with a multi-user design in mind. Or theirs ignorance, resulting in poor implementation (this is one of the key reasons why so many programs "require" administrator priveleges. Not because they need them, but they use API's that are administrator only to achieve their goals, when there are other API's that can do what they want that have no administrator requirement.)
My point is, it's not Windows that's broken, it's several applications that run on it. It's important to lay the blame correctly, and when the OS has been a multi-user system since its original release in 1993, it's fairly clear to me that Microsoft hasn't been slow to adopt such a design principle.
As well as that, how about setting the default admin account so you have no sounds, no desktop wallpaper, no animated cursors - none of the flashy crap that users seem intent on encumbering themselves with. You want the bling == run as a limited user.
However this would require limiting the capabilities of the Admin account, and this is something I'm not entirely happy with (as, admin *should* be equivalent to god mode).
Our user population is split about 50/50 between desktops and laptops. Most laptop users have blagged admin rights at some point because they need to add printers, sometimes change LAN settings, install applications to hide their porn surfing, that sort of thing. Our desktop users are in a fully managed environment, and do not have admin rights.
We need to spend virtually zero time with malware problems on desktop machines. Any infections are generally minor and easy to fix. Laptops.. well, they are a complete nightmare of rootkits and stuff buried so deeply that we have to nuke the machine from orbit to clean it up.
The REALLY fun part is logging onto an infected machine with DOMAIN ADMIN rights... if it's a sophisticated bit of malware.. well.. Armageddon basically..
Never email donotemail@WeAreSpammers.com
Microsoft's biggest market advantage is the amount of legacy software that supports their platform.
Microsoft's biggest problem, which I noted before Vista was even released, is that we're well invested in third party software and we've figured out how to play well with their previous platform over six long years. Our nest is well feathered. It's comfy and we don't want to leave it. Especially for a cold new future where we have to buy everything and figure everything out all over again. If we have to do that, why stick with the vendor that guarantees we'll feel this pain again in a little while?
The problem, two years later is even deeper because nobody in their right mind bought into this dog, and so they've been burrowing deeper into their XP cave this whole time.
It's probably too late now to save the Microsoft platform. It's been eight years since the 25 October 2001 release of XP. They have before them the task of creating something that's sufficiently similar to save their "Microsoft brand", sufficiently different from their "Vista debacle", and competitive against a swelling sea of free options. It's a lost cause. "If we have to change to something that radically different, and buy/engineer all our software over again, why not get Macs, or try this 'free' thing?"
Help stamp out iliturcy.
I never thought of that. Windows is such a pain to use at all without the admin access that most people just shrug, set themselves up as a Power User just so they can use the damn thing.
But when you think about it, in the *nix community running as standard users is a staple...the norm if you will of computer operation. If you're logged on as "Bob" and you need the Admin-level access (install something, access a file that is not owned by your account, etc) you fire up "sudo" or a terminal window and SU it for a while.
If it's a nice graphical interface in either usage or installation...it'll even pop up and say "I'm sorry, you need admin access. Do you have the password?" And if you do then it'll just shrug and bloody well go and do it.
This is something that needs to be put in future versions of Windows. That and stop requiring The Sims 2 to have administrator access just so you can play paper dolls.
Phoenix
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
Did you setup the "MOM" account FIRST, before installing software as admin?
Eh???? Why would you have to install software second? At some point, you will want to add other users. Will they not be able to access the software?
I prefer the "u" in honour as it seems to be missing these days.
The reason why Windows is such a pain in the ass is because Windows was never designed for this.
Let's say I install OSX. The OSX app is self-contained, which means that it does not need anything outside of its circle.
Let's say that I install on Linux. The Linux app can either be installed locally per the user or for everybody. But it is a clear cut case.
Windows? WTF... I need to access the registry, the windows system directory, the program files directory, and the local user directory. It is a bleeding mess!
Microsoft to this day does not understand that the issue is the fact that they have not revamped the complete installation process. There is absolutely no need for Office, or any other application to need anything other the system files if it is running in "install to user" mode.
This is the problem, and until Microsoft understands that nothing will change.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Alright, I've read enough of your comments. The reason you won't get many (if ANY) downloads off of your cheap plugins is because as stated above it is "closed source" (really... plugging in closed source software on Slashdot?) and you're an untrusted source. Put the source code up or shut up... why do you want us to download 'YOUR' software so bad in the first place? Exactly... untrusted source with an untrusted answer. I have a hint: STOP ADVERTISING YOURSELF.
"The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
The problem with your post is your assumption that the design of Windows makes sense, versus being organically tacked-on after the initial mistakes. Don't worry, it's a common misconception.
My blog. Good stuff (when I remember to update it). Read it.
I can't really think of anything to say, so I'm going to do the green thing.
This comment is made of approximately 80% recycled material(s?).
From TFA:
In other words, it's a dup of the recent disussion about the Security Hole In Windows 7 UAC.
Recycle your old comments here.
Random Thoughts From A Diseased Mind (Not For Dummies)