UAC Whitelist Hole In Windows 7
David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"
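The practical check behind this story is "which binaries on my box are allowed to skip the prompt?" On Windows 7 a program auto-elevates at the default slider setting only when it is Microsoft-signed, sits in a secure location such as %SystemRoot%\System32, and carries an `<autoElevate>true</autoElevate>` element in its embedded manifest. The script below is an added example, not code from the Slashdot thread or the Ars Technica article: it scans PE files for that manifest element so you can enumerate the auto-elevate set yourself (rundll32.exe is among them on Windows 7). The sample bytes at the bottom are constructed to mimic a real manifest; signature and location still have to be checked separately, for example with sigcheck or Get-AuthenticodeSignature.

```python
"""Enumerate executables whose embedded manifest requests autoElevate.

Added example (not from the thread or Ars). Manifests are embedded in the PE
resource section as plain XML, normally UTF-8, so a byte-level regex over the
whole file is enough to find the elements that matter. Run against
C:\\Windows\\System32 to list auto-elevate candidates on a Windows 7 host.
"""
import re
import sys
from pathlib import Path

MANIFEST_RE = re.compile(rb"<assembly[^>]*>.*?</assembly>", re.DOTALL)
AUTO_ELEVATE_RE = re.compile(rb"<autoElevate>\s*(true|false)\s*</autoElevate>", re.IGNORECASE)
EXEC_LEVEL_RE = re.compile(rb'<requestedExecutionLevel[^>]*level\s*=\s*"([^"]+)"', re.IGNORECASE)


def inspect_manifest(data: bytes) -> dict:
    """Report what the first embedded manifest in `data` says about elevation.

    Keys: 'has_manifest'; 'auto_elevate' (True/False, or None when the element
    is absent); 'execution_level' (e.g. 'asInvoker', 'requireAdministrator', or None).
    A UTF-16 manifest (rare) will not be matched by these byte patterns.
    """
    m = MANIFEST_RE.search(data)
    if not m:
        return {"has_manifest": False, "auto_elevate": None, "execution_level": None}
    manifest = m.group(0)
    ae = AUTO_ELEVATE_RE.search(manifest)
    lvl = EXEC_LEVEL_RE.search(manifest)
    return {
        "has_manifest": True,
        "auto_elevate": (ae.group(1).lower() == b"true") if ae else None,
        "execution_level": lvl.group(1).decode("ascii", "replace") if lvl else None,
    }


def find_auto_elevate(directory, patterns=("*.exe",)):
    """Yield (path, execution_level) for each file under `directory` whose manifest sets autoElevate=true."""
    root = Path(directory)
    for pattern in patterns:
        for path in root.glob(pattern):
            try:
                info = inspect_manifest(path.read_bytes())
            except OSError:
                continue  # unreadable file (permissions, in use); skip rather than abort the scan
            if info["auto_elevate"]:
                yield path, info["execution_level"]


# Constructed sample data: the manifest shape Windows binaries embed, padded
# with filler bytes standing in for the rest of the PE image.
SAMPLE_AUTO_ELEVATE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo>"
    b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    b'<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    b"<autoElevate>true</autoElevate></asmv3:windowsSettings></asmv3:application>"
    b"</assembly>" + b"\x00" * 64
)
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 128  # no manifest at all

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for path, level in find_auto_elevate(target):
        print(f"{path}\tlevel={level}")
```

Anything this lists is a binary whose behaviour you should read closely: if it will load a DLL or run a command line handed to it by an unprivileged caller, it is exactly the kind of proxy the summary describes.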
Hey, if security was easy, everybody would do it.
http://www.geoffreylandis.com
I still think that Microsoft will have a very hard time prying customers away from the fiercer of its competitors: WIN XP.
In all the financial institutions I work with, or know, WIN XP is the validated standard, and as far as I know no one takes the XP "expiry date" seriously, so no plan B is in place.
This is still in Microsoft's favour, since no one is actively pursuing things like Ubuntu/OpenOffice or such, but it's anyone's guess how long this state of grace will go on; after all, many applications work in terminal emulation, which is an ancient technology by any standard; why use Vista or Windows 7 for that?
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
Microsoft's approach to security is like putting too much air into a balloon! And when exploiters find a way around their measures, it's like.. a balloon, and... something bad happens!
Aren't you glad this was caught in testing? Yeah, I am too.
Hail Eris, full of mischief...
E pluribus sanguinem
Isn't Windows 7 still unreleased as a final product? One would think they could, idk, fix it possibly? I think all this doom and gloom about it being worthless is a little early.
It has great documentation and with NoScript I feel safe everywhere on the Internets.
I had my try with UAC and came to the conclusion that it's just a lose/lose situation for Microsoft.
Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.
Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides
The only upside is that they insulate themselves legally by having the user do the "not recommended" thing whenever they use the OS. Then again, they've never been much to accept responsibility for security problems anyways, it's kind of a moot point.
Let's see, how long did it take for M$ to realize many users weren't thrilled with IE and its so-called security? I'm betting UAC is here to stay for a loooooong time. They will just keep trying to patch it and in the process further irritate users.
Normally I ascribe all life to intelligent design, but in your case I'll make an exception.
1. Set UAC to full
2. ???
3. Profit
First, let me say where I'm coming from. I've been using Linux for over twelve years; I have two full-time Linux servers at home, and a desktop and a laptop that both dual-boot Linux and Vista. I have an XP box and a Linux box at work, where I'm a Linux/Windows sysadmin and programmer, and I do most of my serious stuff there on the Linux box. At home, I stay in Linux most of the time, and I just boot into Vista when I want to run iTunes, or a game, or something else that only runs on Windows.
That said, I actually like Vista. As I see it, its main problem is that it needs a fairly hefty machine to run it. If you're trying to run it with less than 1G of memory, or a not-very-fast processor, forget it. It certainly works for me.
And I don't mind UAC at all. When it comes up, it's usually trying to tell me that I'm about to do something that may have serious consequences, and that I need to think about what I want Vista to do before I press OK. It just takes a moment, really.
So why is everybody complaining about it? Have I missed something?
Is this a bug? I mean, with Microsoft's track record and unwillingness to learn from mistakes, I can only theorise that this is actually a feature.
74.117.115.116 32.97.110.111 116.104.101.114 32.80.101.114 108.32.104.97 99.107.101.114
It has great documentation and with NoScript I feel safe everywhere on the Internets.
You "no script" people are so funny with your need to Slashdot brag about using the internet without scripts. Yes, we get it, you're so amazing! The internet without scripts, wow that's so neat!
Is that whiny users want something that magically protects them, but doesn't bother them. That's a nice idea and all, but you can't have that. You can't have it both ways with something like this: Either it is a real separation of privileges like it is in Vista, or there's going to be holes.
Well, they gave people the real security that they'd been crying about with Vista. When UAC is on it is a no bullshit, you have to escalate to do things as admin. There aren't exceptions or the like, you escalate when you need admin. This does mean it asks in a lot of situations. Well, there's no avoiding that. Like I said, no exceptions. It is also very granular. It isn't one of these "Oh just click it once and we'll escalate everything for the next few minutes," things. That again would be insecure. No, it is per item. That thing and that thing only gets the elevated privilege.
But people whined and bitched, including many of the same people who whined and bitched in the first place, so now they are backing off. Well, as part of that, you open up some potential holes. Sorry, but that's just life. If there are exceptions to the rules, then something can make use of those exceptions.
You can't have a system that magically knows what the bad apps are, and only asks permission on those, well at least you can't without some sort of draconian trusted computing BS. That's what users want, but they can't have it, it isn't possible. Thus you've got three choices:
1) Allow everything for administrators. Assume the admin knows what they are doing, and let them do whatever they want. Don't ask for permission for any action. This is the Windows XP method. It's very convenient, but also means that you'd better be careful.
2) Have truly separate permissions, and require escalation. Everything has to go through the procedure, no exceptions. This is the Vista method. Means you get asked a lot (though personally I don't find it bad at all) but it is secure. Nothing gets to slide through because there aren't special cases.
3) Have separate permissions, but allow exceptions to make things easier. Ask only in certain situation, or only so often. Just let everything else go by. This is the Windows 7 method (and also several variants of Linux I've seen). Fairly convenient, and more secure than #1, but only superficially so. Because there are exceptions, there are back doors for things to sneak through.
So really, users have to come to terms with what they really want. The "I want it to protect me from bad things, but not bother me," doesn't work. That is akin to saying "I want security to make sure nobody sneaks a weapon on a plane but I don't want to go through a security checkpoint." No, sorry, doesn't work that way. If it is really going to work, then it has to be consistently applied to everyone or everything.
Microsoft went an interesting way with UAC and security in Vista. If you are running as a normal user, then if you attempt to do an operation that requires elevated privileges, you get prompted for an admin user id and password. Which is what you want.
Where it goes weird is if you are running as administrator then it prompts you with the allow or deny box. This is silly for power users, but for people who only used the older versions of windows and don't know much about the other user rights model in other OSes, then at least it does provide some information that some software is trying to do something significant.
I always thought the point of UAC was to push people to run as a normal user for their day to day operations. However, I don't believe Microsoft attempted to do even a little bit of education and the UAC prompt itself is not very informative.
However, I don't think Microsoft should be blasted for UAC: They tried something new and interesting to attempt to make their OS more secure.
As for the story, as long as the behavior when running as a normal user is not affected, then I don't really think it matters.
"Ending is better than mending. The more stitches, the less riches; the more stitches ..."
Squirrel!
Microsoft's problem is that they tried to fix human stupidity with a technical solution. The problem with UAC is that people would either just click ok without reading, or turn it off entirely. Then, complain that windows was insecure. What Microsoft failed to really come to terms with, is that there are a lot of dumb users out there that will circumvent everything, go to all the nasty porn sites they can, and get viruses that they will then blame on something other than their own user error.
The musings of just another geek and his junk.
I'm mostly an office user and switched to Mac - there's no way I'll run Vista or, at this point, W7 (which looks like a Vista retread). I'm not at all alone. How fast will MS OS share decline if W7 doesn't stop the bleeding?
I hate being bipolar; it's awesome!
Windows was designed as a single user system with the user sitting at the box. As soon as you connect it to other boxes via a network it's dead. All of Microsoft's plans for Windows security are based around trying to get a level of multi-user protection into a system not designed for it. They are desperately trying to apply a band aid to a broken leg with solutions like UAC; some of the damage may be limited but it's not a great solution and will never be, no matter how much they work on it.
The only solution is to scrap Windows altogether and build a new multi-user OS from scratch.....or do what Apple did; take the BSD kernel, add a few bells and whistles with a fancy skin and pretend they invented it. The two areas they have a problem if they go that route, is that they are hemorrhaging money on the products they do have on the market since more and more people are deciding that they don't want what Microsoft are offering them, and that they have the world convinced that the Microsoft way is king, that any change is bad because it's confusing and means relearning.....which would be an issue if they changed Windows with another OS.
Companies only put work into a product if that somehow feeds results back into the profits. Like any company, they want to do as little for the most gain. Constantly tinkering with the security applications is much easier and cheaper than a complete rewrite. It also helps when you have a software sector which relies solely on your incompetence. The anti-malware companies wouldn't exist if you did your job right; they also have to compete with each other as to who can cover your ass the best, which also lets you cut back on spending money to really make it secure.
As the internet evolves, as people find new ways to use and abuse it, Windows gets more and more obsolete. The more FOSS improves, evolves and continues to offer users flexibility, freedom, security and stability, Windows gets more and more obsolete. It's only a matter of when, not if it becomes a minority player.
At first glance I was wondering why Microsoft would supply an API function CreateRemoteThreat().
Even for Windows, that would be a little out there.
...is to re-configure the UAC to make it as strict as Vista.
Hell, UAC is good. It's better than sudo. With sudo I will be tempted to use "sudo -s".
The most common scenario to meet a UAC dialog for me is when installing new apps or drivers. Other than that, you shouldn't really see a UAC dialog...
Most of the apps I came across have been adapted to require no admin privileges. After all, it's the app's fault for requiring UAC in the first place when it doesn't really need admin privileges.
BTW, I think in Win 7, AFAIK all Microsoft-signed EXEs are exempt from the UAC prompt by default. There isn't a whitelist; simply all MS-signed binaries are exempt.
OSX has both the unix permissions and something like the UAC.
I find the UAC so mind boggling I don't use it. Some applications seem to respect it and some don't. e.g. if you can't do something in a Finder window, sometimes you can do it in a terminal window. I have not figured out what the pattern is or if the UAC are there to allow actual secure protection or just guard railings to keep the riff raff from doing stupid things.
I suspect the Windows folks would say the UAC is just guard railings not actual security.
Some drink at the fountain of knowledge. Others just gargle.
The flaw is fundamental to the design, this is NOT a coding error, the entire idea is flawed. It should have died at the drawing board. For it to have made it to the beta shows just what is wrong with software development, especially at Microsoft.
For the famous car analogy, a brake that malfunctions under stress is something you find during a driving test. A brake that is only attached to one wheel, that being the spare, should have been caught a bit earlier. But of course the car industry isn't that stupid; that is because car makers are liable for any damages. Software makers aren't.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I agree in spirit, but the implementation is bad.
I once tried to write a "sudo for Cygwin" that would bring up the UAC confirmation box and run a program with associated elevated permissions in Vista. (Other people have written programs that they call "sudo for Vista," but none of them do what I want. In particular, they don't run programs in the same console.) In the process of poking through the security APIs, I learned a little about what a mess UAC is under the hood.
Windows NT/XP has a perfectly good security model, if only people would use it. In some ways it's more sophisticated than Linux's: For instance, file permissions are more fine-grained on NT. The problem really hasn't been with XP/NT; it's been "social:" it was the culture of software development on Windows to too often require, unnecessarily, that users have administrative rights.
Microsoft's solution in Vista was to restrict the rights of administrators and add GUI confirmation boxes. This was the wrong solution, I think. In my (admittedly armchair-quarterback's) judgment, the right one would have been to,
1 - Keep traditional XP-style administrator and user accounts, with roughly the same privileges as they'd always had.
2 - Require OEMs to ship computers with user, rather than admin accounts, enabled. Randomly-generated default admin passwords should be written on a sticker on the front of the PC's case.
3 - Add a "sudo" mechanism, perhaps with the following modifications from 'nix sudo to make it easier for novices:
... a - The sudo prompt pops up automatically when a program attempts to do certain classes of things for which it does not have privileges. This differs from Linux, in which a program will simply fail with an "Insufficient permissions" error; this would be pretty opaque to novice users I think.
... b - "sudo" could be configured (and perhaps should be by default) so that it is sufficient to click a "confirm" button in lieu of typing in a password.
This is almost what UAC is. But the devil is in the details. What Microsoft actually did was make "Administrator" accounts into something more like "user" accounts, and add a level of privilege yet higher than administrator. But it feels tacked-on, and not really "at home" in the NT security model, which in fact provides plenty of control on its own over what rights different users and groups have, if only it were used correctly.
In other words, Microsoft shouldn't have restricted Admin accounts in this poorly-documented way; it should have instead added a sudo mechanism to make it more feasible to run as a User, and kept the nicely-documented and well-designed security model that NT has always had but people have simply never used.
In the original Vista release, this activity would cause an annoying back-to-back double elevation: once to create the folder, and again to rename it to its intended name. Service Pack 1 streamlined this a little, reducing it to only a single elevation, but Microsoft clearly wanted to get this down to zero.
NO! Bad monkey, no cookie! There is NO reason to allow ANYTHING to write to my /Program Files (or /Applications if you prefer) folder without my permission. None. Zero. I want a prompt. Yes, just one, but I want a prompt!
And that passes right into the hands of an almost unbelievable standard method in windows:
Unfortunately, the "Microsoft-signed application" restriction is easily bypassed using a standard Windows trick that allows one process to insert code into a second process, as long as both processes are being run by the same user. The limitations of the file management component are probably unavoidable (it can only do the things it has been programmed to do, after all), but it turns out it doesn't really matter. The file management component can place files into various locations on the system that an unelevated user cannot; an auto-elevate program can then be tricked into loading those files and executing code from them.
The result is, just as with the rundll32 problem, silent and automatic elevation, able to do anything.
WHY ON EARTH would you arbitrarily allow any random program a user is running to pass commands to a signed application that by its signature can walk right through locked doors?? I'll admit there probably are instances where you would like to pass commands (requests) to another app to handle something, you either (1) have to severely restrict the scope of the requests it will process, or don't sign it to give it rights to do whatever it pleases. This is like a mall security guard being given the keys to the maintenance halls, and the guard letting any joe public in that asks him. Either give him some common sense or take away his keys. A filemanager that has the power to do anything you ask it to, and will do so blindly and willingly, is just a jaw-dropper.
Sometimes the scope of Windows security stupidity astounds me. And yet they consistently keep finding ways to top themselves.
I work for the Department of Redundancy Department.
Hell, UAC is good. It's better than sudo.
I'm not quite sure I'm convinced. I saw a documentary on this a few months ago that made it quite clear that the UAC doesn't really offer much value and is very annoying at best. I don't remember what it was called but it ended with the following quote (maybe you can use it to track it down online?)
"You are coming to a sad realization. Cancel or allow?"
Back out the huge mistake introduced in 1997 with Active Desktop... the ability of the HTML control to grant untrusted code full local user privileges. Building layers of soft internal sandboxes between local user processes is fine and dandy, but it won't provide a fraction of the benefit of reducing the surface area to initial infection.
Remove the ability of the HTML control to grant local user access. Make ANY privilege escalation from a hard sandbox (via ActiveX, .NET, or active scripting, or even passing off a URL or downloaded object to a helper application) require an explicit operation (either ahead of time, as in KHTML's 'IO Slaves', or through a callback) from the process that launched that instance of the HTML control.
Then, provide a wrapper that implements the old API, but require the user to explicitly launch this legacy mode and run any application that uses the legacy API inside a hard sandbox (either a virtual machine, or if the Windows APIs can be sufficiently firewalled something like a FreeBSD Jail) that provides no long-term storage visible outside that sandbox.
Nothing less is going to solve Microsoft's security nightmare.
The internet is now critical infrastructure, becoming more so with every passing day.
Microsoft is profiting by selling software.
Because that software is broken by design, it makes it easy for unskilled kids to deploy networks of computers that can deny service on that critical infrastructure. Microsoft apparently understands how to prevent this, because posts here say Windows 7 security is a step back from Vista security.
I honestly don't understand why this isn't considered criminal behavior or, at the very least, a source of dangerous civil liability for Microsoft.
I honestly believe the internet needs some mechanism to prevent connections from machines running easily compromised software.
Perhaps the solution is for a standards body to announce that starting n years from today, it will deploy software that will actively hunt out compromisable machines and run programs on them that will disconnect them from public networks.
It's better than sudo. With sudo I will be tempted to use "sudo -s".
Why don't you configure your sudo to not allow running shells directly and remove the temptation?
That may be the default in your Linux distro (?), but not from the actual coders of sudo itself.
The thing is, the MS developers should have read the sudo man page before they implemented UAC. They were too proud to do that. It seems like they forgot that many years ago, MS had their own Unix distribution (Xenix), so they had a clue back then.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Union Aerospace Corporation did it again...
Before Vista came out, during its beta phase, I already thought of a way to get around UAC using a form of social engineering. First, two background facts:
1. When you run a signed program as Administrator, the UAC dialog box you get is colored differently, such that it looks more legitimate.
2. Explorer runs as an unprivileged account, and as such can be injected into (same as TFA).
The idea is rather simple. Have your malware inject into Explorer and wait. When the user finally does something that requires elevation, intercept the request.
Instead of running the application the user intended, elevate a Microsoft program that can easily be told to run another program; simple examples are cmd.exe and rundll32.exe. The UAC dialog box will come up, as the user expected. The program name will say "Windows Command Processor" instead of whatever Control Panel feature the user was actually trying to use.
But how many non-expert users know the difference? They were expecting to have to elevate and will click Yes. "Windows Command Processor" sounds legitimate enough.
After your malware takes control, run the original program the user wanted to run, keeping the illusion that everything is normal.
By the way, Administrator access is overrated. You can be a botnet node, steal bank account passwords, and steal WoW passwords all without needing to ever access the Administrator account in Windows. Those passwords are the items of real value now, and they're in unprivileged processes within the reach of unprivileged malware.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
UAC is not the only way, nor is it the correct way.
After all, what good is user confirmation in that case?
How does the user know what the code is REALLY going to do after it gets admin privileges?
Figuring it out is worse than trying to solve the "halting problem".
Unlike the Halting Problem, the users don't even get a true description of the program ( unless you count having access to the binary object code), nor do they know what all the inputs are going to be.
Their options are:
a) Make a guess, hopefully a correct guess (education helps, but even the educated can only solve specific halting problems).
b) not run any new/nonbundled programs
c) only getting code from a "trusted repository" ala Debian/etc. Forgive me if I consider that dismal. Also, if Microsoft did that people would cry "Monopoly!".
After so many decades, we're stuck with these crappy options because of crappy primitive operating systems.
Crappy Unix style security (omnipotent root vs "everyone else"), or the usually impractical SELinux (who really thinks that's Desktop ready?), or Vista UAC. There's a glimmer of hope with AppArmor but it's still far from "Desktop Ready".
If people think that's as good as it can get, I say they're not thinking or trying hard enough.
For example here's what I came up with just a bit of thinking:
https://bugs.launchpad.net/ubuntu/+bug/156693
An analogy:
With the Halting Problem, the user has to figure out whether the program will halt or not.
With my approach, the program says "I want at most 30 seconds of CPU time", the user says "sounds reasonable. So, OK", the O/S then runs the program, and if the program is still running 30 seconds of CPU later, the O/S kills it. So no need to figure out whether it will halt or not. It will halt - the O/S ensures it.
Whereas if the program says "I want infinite CPU time", it should be easier to train the user to click "No" or click "Too bad, you only get 30 seconds (you don't get to turn my machine into a zombie)".
Detail: the program says which privilege template it wants, and if it matches the user's expectations, the user says "OK" (and possibly checks the "remember this decision for this program"), then the O/S _enforces_ the privileges - so the program only gets what it asked for.
For example, if a program claims to be a "guest flash/shockwave applet", it is unlikely to need access to your microphone or your personal Documents and email. All it needs is the ability to draw graphics, get keyboard and mouse input when in foreground, play sounds, write and read from its temporary scratchpad directory. If it wants network access it better ask for "guest flash/shockwave applet (with network access)", otherwise the O/S should not allow it network access.
Whereas if a program initially claimed it was a "flash game", but when the user attempts to launch it the O/S says it is asking for "Full System Privileges" (with all the scary red warnings), I think it's a lot easier to train users not to click "OK" (or at least call for help when they see "red").
Yes, UAC is better than nothing and the sandboxing in Vista is better than what you get in XP and default Ubuntu, but I thought Microsoft hired all those super smart people who can pass all those fancy interviews.
Maybe they did think of something better, but UAC is just Microsoft's way of shifting the blame to the users "aha - you disabled UAC, so it's YOUR FAULT, not Microsoft's". Cheaper and simpler to do that? But they still said it took them 6 billion dollars and many years to develop it!
Maybe a lot of it went into DRM and getting it to kinda work...
My suggestion isn't fantastic, but it's definitely better than UAC.
I'm just showing how things can be better. I'll be happy if people come up with something far better than my suggestion.
p.s. if anyone says it doesn't work just because I left out all the pages of details that
"Sometimes the scope of Windows security stupidity astounds me. And yet they consistently keep finding ways to top themselves." - by v1 (525388) on Saturday March 07, @11:01AM (#27104913) Homepage
Then it appears to be up to end users to help them out, by doing a little bit of work (1-2 hours or so) to secure themselves vs. the threats present today online, thus:
----
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do" using CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=09533d0df9933344bb7e42d05acb5cec&showtopic=2662
----
It works, and has been working for myself since around 1997...
(When I began writing up guides (I was doing it on forums like 3dfiles.com before 1998 though) to submit as articles for websites that were Windows NT-based, to improve the security &/or performance of a Windows NT-based OS, such as the one from NTCompatible.com's former 1998-2003 "Article #1", where it was later featured @ Neowin forums, circa 2001 -> http://www.neowin.net/news/main/01/11/29/apk-a-to-z-internet-speedup--security-text & rated very well)
Currently?
The guide is featured now on 20++ forums online, & has yielded some very good results (see my p.s. as an example) for people using its points on many levels!
E.G,-> It has crossed 200,000++ views in the relatively short timeframe of the 1 yr. this latest iteration of it has been online, & it was made an "ESSENTIAL GUIDE/Sticky-Pinned Thread" on 15/20 of those forums, as well as being the most viewed in a short timeframe (considering it has only been online in THIS form for a yr. now, & some of those sites it is on have been around a decade++), &/or being rated 5/5 stars, etc. et al... )
HOWEVER, AN IMPORTANT POINT (illustrated by "hard concrete evidence" in test scores):
The tips/tricks/techniques in that older model still shown @ Neowin forums would yield between 60-72/100 on the CIS Tool test - the new model of said guide, by way of comparison? 99/100 possible & doable scores result (examples thereof are shown in said thread URL above in fact)).
It just works, for both superior speed online AND security. From my own usage of it? 3++ yrs. now on this machine, no "bugs" or other hassles, & running as ADMINISTRATOR the entire time (& the system I had before this, 4++ yrs. same result).
APK
P.S.=> And, as to that guide's efficacy? The BEST testimonial I can provide, is the results of folks (others, not just myself) using it, such as those like THRONKA here, who have applied it to not only his own personal systems, but those of his clients, and NO VIRUS/TROJAN/ROOTKIT/SPYWARE/MALWARE-IN-GENERAL INFESTATIONS or other screwups, for more than 1++ yr. now, see here:
http://www.xtremepccentral.com/forums/showthread.php?s=4e5e02a13dff9594f890b9f5c7d4ae75&t=28430&page=3
----
SALIENT QUOTE/EXCERPT:
"Its 2009 - still trouble free!
I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.
Great stuff!
My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. S
In the windows side, people rarely ask the question "Why do you need admin privilege?" Till the app developers learn to write code that lives comfortably in user space with user privilege, you will have problems.
The problem is not users blindly clicking UAC dialogs, or that MS's auto privilege elevation is not perfect. The problem is users not asking the question, "why the hell do you want to be root?".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Well of course, since they trust their own.
---- Booth was a patriot ----
The sudo 'implementation' has nothing to do with it.
The /Applications directory has rwx for owner and (admin) group. The subdirectories belonging to applications (e.g./Applications/OpenOffice.org.app) belong to the admin user that installed them. A normal user has only rx, and can not delete/move apps. Every admin can without using sudo.
In Ubuntu the /usr/bin directory belongs to root:root and in order to move/remove apps you have to elevate your privileges. Most Linux distributions come with a software management application (apt-get, yast, ...) that requires you to sudo. I think it's more a question about how well thought through the software management is. It's better in Debian/Ubuntu than in OSX, which in turn is far better than XP/Vista/Win7.
Of course, that's just an opinion.
They should be doing this:
https://bugs.launchpad.net/ubuntu/+bug/156693
http://slashdot.org/comments.pl?sid=1152645&cid=27105713
Summary:
UAC is like getting users to solve the "halting problem", e.g. figure out whether the program will halt or not (aka screw up your PC or not) without having the program's source code, or knowing all the inputs. Google the "halting problem" to see how hard it is.
My suggestion is analogous to:
Program: "Hi, I'm a flash demo, I want 30 seconds of real time"
User: "Sounds reasonable. OK."
The O/S then runs the program, and if the program is still running 30 seconds later, the O/S kills it.
So no need to figure out whether it will halt or not. The program will halt - the O/S ensures it.
If the program says "Hi, I'm a flash demo, I want infinite time", it should be far easier to train the user to go: "No" or "Too bad, you only get two minutes to do your stuff, that's all I'm willing to give you".
AFAIK, Microsoft has lots of very very smart people working for them. I'm sure they have already figured out something far better than my idea, after spending 6 billion dollars and thousands of man-years on Vista.
So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).
... "rundll32.exe". So many malicious programs already use this instead of their own, more easily-detectable executables, that I no longer trust ANY instance of this when I see it in the process list. I'm an ignorant fool that didn't read the article, but just the summary is enough to make me irritated. I can't believe they'd whitelist THAT. :S
-- NeilO
The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code
Sounds like a Rootkit to me.
UAC as a normal (non-admin) user does provide a lot of value. It will prompt for a password, so it's not just a one-button-click prompt. UAC as admin isn't as good, but it does a lot of things under the hood, such as making symlinks to reroute certain calls to privileged areas to "compatibility" sections in the user directory, as it should be if the application was programmed well. It does similar things with the registry, sandboxes IE (if you need to use it...), etc.
They've got part of the right idea in that it shouldn't be possible to "work" (or play) as the real Administrator, but the way they've completely fucked up the NT security model is really the pits.
To see what to do they only have to look at the unix world. Firstly it's pretty common that X (or rather common login programs for X) will refuse root. Then any program that has to be security conscious and doesn't need root will also refuse to run under root. Many programs that need root to start with will discard root privs when they have done the tiny bit of setup that they need root for.
The point is there are two distinct classes here and users need to know it.
We wouldn't want a Windows that has to be administered from the command line but you can do almost as well. If the Administrator account could only be used from what looks like an 800x600 local loopback RDP connection I think the social pressure would slam the admin requiring developers full force. If to this you add some simple things like IE, Winword and Outlook refuse to run in that little admin window it becomes quite obvious that there are two classes of program, system and user. You can actually SEE them, programs that run on the blue desktop are user programs, the ones on the burgundy desktop are system.
It neatly sidesteps the need to log off to do admin jobs as you just start the 'Administration client'. Also, if the 'client' program takes over the desktop when it's given focus, it has the security of a private desktop against things like a 'shatter attack'.
The best part, it's simple, nearly all the code exists already and you just need a couple of minor tweaks to the default winlogon and the user applications. Sure it would be easy to override but that's not a problem, in fact I think there should be a downloadable winlogon/IE update to do it.
The point is to clearly divide user programs from administration programs and to continually show the users the difference but without making "the right way" a complete PITA.
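The "discard root privs after the tiny bit of setup" pattern mentioned above, as an added example that is not code from this thread: a Linux program that drops root permanently and then verifies the drop rather than trusting it. The function name, the "nobody" ids and the setup step are my own assumptions; setresuid/setresgid are Linux/BSD extensions, not POSIX.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Irreversibly drop to uid/gid; 0 on success, -1 (errno set) on failure.
 * Order matters: supplementary groups, then gid, then uid, because once
 * the uid is unprivileged the earlier steps are no longer permitted.
 * Setting real, effective AND saved ids is what makes the drop permanent:
 * a saved uid of 0 would let the process call setuid(0) again later. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may rewrite the supplementary group list; leaving
     * root's groups behind is a classic incomplete drop. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify rather than trust: regaining root must now fail, and every
     * id must be the one requested. */
    if (uid != 0 && setresuid(0, 0, 0) != -1) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* The root-only setup (bind a port below 1024, open /var/log/...)
     * goes here, before the drop. Target ids are a constructed example;
     * a real daemon would look up a service account with getpwnam(). */
    uid_t uid = getuid() == 0 ? 65534 : getuid(); /* 65534: nobody */
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges failed; refusing to continue as root");
        return 1;
    }
    printf("now uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root it lands in the unprivileged "nobody" account; run as a normal user it is a no-op that still exercises the verification path.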
I installed Vista the other day and UAC isn't a pain at all; it's certainly no worse than having to do a sudo in Linux. I think people hate it because it works so well - it warns you when a privilege escalation is required.
If Windows 7 has improved and runs faster (not that there was much of a speed difference compared to XP SP3), I'll be loading it for sure.
If you mod me down, I will become more powerful than you can imagine....
``The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then telling that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread.''
Doesn't that sound like a huge security hole right there? I don't think the problem is really with UAC...
Please correct me if I got my facts wrong.
"What bothers me is nobody seems to answer the question: "What *should* they be doing?" in a reasonable manner."
Require users to create a separate admin account from the limited user account. Require decent credentials on the admin account (e.g., non-trivial password, or biometric, or whatever). If the user also wants credentials on their limited account, require those credentials to be different from the admin account's. Require regular, day-to-day operations to be performed under the limited account. Elevate operations which can affect system stability or security to the administrator account from the limited account, without requiring a log off, user switch, command prompt, special right-click menu option, or anything else cumbersome. Require the user to present credentials before elevating.
In other words, implement security best practices that have existed in the computer industry since the 1960s.
The real killer is that UAC can be configured to do this. You can have two accounts, and have it prompt for an admin password when needed. It's just not the default configuration.
Microsoft claims they didn't go this route because they thought people were too used to running as admin all the time and wouldn't give it up. But that seems like bullshit, because Microsoft forced plenty of other unwanted changes down people's throats with Vista. Why is security somehow different?
Per-process capabilities and sandboxing are also a good idea, for things like MSIE. From what I've seen, though, either the design or the implementation is poor, because they haven't been as effective as they should at stopping things like trojans (adware/spyware disguised as legit software to get the user to install it).
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"Except Vista and Windows 7 *don't* make Admin accounts by default."
I don't know about Win 7, but Vista prompts the user to create a new account during install. That account is assigned admin privileges. It's not even required to have a password.
As I believe is required at this point: *BZZT*, wrong, but thanks for playing!
security is a public relations problem
Examples
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: admin inherited allow delete
5: backup inherited deny read
6: admin inherited allow write-security
# chmod +ai "others allow read" file1
# ls -le
-rw-r--r--+ 1 juser wheel 0 Apr 28 14:06 file1
owner: juser
1: guest deny read
2: admin allow write,delete
3: juser inherited deny delete
4: others inherited allow read
5: admin inherited allow delete
6: backup inherited deny read
7: admin inherited allow write-security
Some drink at the fountain of knowledge. Others just gargle.
Repeat after me:
UAC is NOT a security feature!
It was added to make software developers do the right thing, i.e. not require administrative privileges unless absolutely needed.
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
> Also, 90% of the population aren't computer programmers. Debugging should simply be
> disabled, by default, and require installation of additional userland tools and
> root/Administrator privileges to ENABLE the capability (not necessarily Administrator
> privileges to exercise the capability once it's enabled on a system).
Excellent idea. Programmers shouldn't mind doing a one-time configuration change to enable debugging. The change could even be made by the debugger postinst script. /home should also be mounted noexec. Yes, I know there are ways to work around that, but it adds a significant barrier to many attacks.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I think maybe if I was pulling in their kind of money, I could afford to hire somebody who knew the answer to this question. Maybe even two guys.
Help stamp out iliturcy.
That's what beta software is for.
Truth, Just Us, And Hatred For All Mankind!
I'm not quite sure I'm convinced. I saw a documentary on this a few months ago that made it quite clear that the UAC doesn't really offer much value and is very annoying at best.
As far as end user is concerned, UAC is really no different than Ubuntu Gtk sudo. Same benefits, same annoyances.
"You are coming to a sad realization. Cancel or allow?"
Oh, I see. That sort of thing usually comes way deep from the Reality Distortion Field.
If you really believe that, then the correct way to handle a process trying to access something they don't have permissions to is to deny it but be clear why. Instead what we got is something else...
Although Mac and Linux have applications and applets that prompt for elevation in privileges this is different than what is going on in UAC: In Linux, the Network Manager applet knows it needs elevated privileges to modify wireless settings. In Vista, UAC doesn't necessarily know "why" any process wants access to anything so it asks the user instead. Why would the user know any better to be qualified to make the decision? UAC would have been a better diagnostic tool than a security measure.
I heard Microsoft is gonna make a complete new operating system after the version after windows 7. This wouldn't even be called Windows.
Not sure if this is true though..
Windows started as a single-user O/S, didn't it? well, it should remain so.
Let me explain:
The O/S should provide a unique view for each of its users, including system files. The user should be able to modify *anything* on the system, from registry settings to the Windows folder. Each user should modify its own copy of the system!
The benefits of this approach are huge:
It's because if enough people do something stupid it's not stupid, it's culture. Like religion. Or buying outside your means (banks or people).
If he (the anti-NSer) can't convince you to blindly trust JS then he has to deal with the uncomfortable fact that there IS a solution to not getting viruses - one that he is not doing adequately.
On the other hand, if he convinces you then you reinforce his "It's too big to handle so close your eyes" delusion. One day he'd wake up in bot-net of the week, shrug, and go back to sleep - warm with the knowledge that there was nothing he could do.
You spoil his blissful ignorance.
He finds your unwillingness to sell your safety for a few cheesy JS gimmicks threatening.
You ever get stuck behind a huge RV with a drunk driver on a narrow road?
What Microsoft should do is really simple: Get their huge, unsafe-at-any-speed public nuisance out of the market and off the 'net and let people willing to do it right get past.
A guy who blogs as joudanzuki described one ideal solution -- split Microsoft into several different companies, one that maintains their current offerings as actively patched legacy software, another that focuses on re-implementing the current stuff on a stable foundation, again as a way to support legacy software.
I'd say it this way -- Microsoft should re-release XP as Wine on a BSD system. (Linux would be impossible because of all the cross-licensing junk they've done now.)
And quit depending, in the System itself, on the band-aid that is UAC.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
It's funny how Microsoft tries to re-create the best aspects of open-source in an OS, so they could sell it when the best aspects can already be gotten for free. This whole thing with security on Microsoft system is a joke. They should stop making new OS's and keep coming out with new XP patches. It's more cost effective - why try to make a 'secure' operating system, if you have an OS battlefield where that you and your enemies know well. Microsoft should realize that before they need to save their company and let it grow again, it needs to die a horrible death first.
Microsoft doesn't deserve slack on this. Maybe the UAC or Windows 7 teams deserve slack, but that development ecosystem is Microsoft's fault - because it's difficult to install a useful, nontrivial Windows program without being an Administrator.
In Vista they made this WORSE, to my understanding, by adding a UAC prompt for anything that looked like an installer. So a worm installing in less-privileged locations might not trigger UAC, but any normal installer is going to.
That IS the problem, right there. Userland programs should be installable not as root, and the ecosystem encouraged to make them that way. Maybe W7 is better, but in Vista they went _backwards_ on this issue. Linux has always done this. OS X has always done this (since there's been OS X, which isn't as long).
I get that pulling that off with a registry and DLLs is going to be a bit messy, but that's the real problem, in my opinion.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
For now, I run Linux.... and just don't worry about viruses. Stay away from the dominant platform of users and you're ok. I sure do hope when Linux gets the majority, as I think it will, that we can keep the operating system up to date as fast as I see virus programs update their data.