UAC Whitelist Hole In Windows 7
David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"
I had my try with UAC and came to the conclusion that it's just a lose/lose situation for Microsoft.
Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.
Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides
The only upside is that they insulate themselves legally by having the user do the "not recommended" thing whenever they use the OS. Then again, they've never been much to accept responsibility for security problems anyways, it's kind of a moot point.
Microsoft went an interesting way with UAC and security in Vista. If you are running as a normal user, then if you attempt to do an operation that requires elevated privileges, you get prompted for an admin user id and password. Which is what you want.
Where it goes weird is if you are running as administrator: then it prompts you with the allow or deny box. This is silly for power users, but for people who have only used the older versions of Windows and don't know much about the user rights model in other OSes, at least it does provide some information that some software is trying to do something significant.
I always thought the point of UAC was to push people to run as a normal user for their day to day operations. However, I don't believe Microsoft attempted to do even a little bit of education and the UAC prompt itself is not very informative.
However, I don't think Microsoft should be blasted for UAC: They tried something new and interesting to attempt to make their OS more secure.
As for the story, as long as the behavior when running as a normal user is not affected, then I don't really think it matters.
I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.
This shows the benefit of Microsoft's development model. They have an (effectively) open beta so everyone interested will have downloaded the beta and tested it. Closed source, signed binaries and software that phones home (or DRM as slashdot inaccurately calls it) means that they can give away the beta and be confident that most (note: not all) people will stop using it when it expires and buy the full version.
In the meantime the software is going to be widely used and people will check for exploits like this. Many eyeballs make all bugs shallow, as ESR pointed out. There are more eyeballs on Windows 7 than Linux, and more programmers working to fix the bugs the eyeballs find, because Windows is a multibillion dollar product. Even more profoundly, it's not just bugs that are getting fixed. Any features in Vista that irritate people, like UAC, are getting changed as well. That can only happen with commercial software. If it was FOSS the developers would just tell us that security was important and we mere users were idiots for not understanding this. With Windows they were forced to change things to improve security in Vista and user-friendliness in 7.
Windows isn't even a monopoly either. Vista's flaws have seen the OS X market share increase. In response to that they are working hard to fix those flaws for 7.
This is the closed source empire, striking back. Don't expect Windows' market share to drop by much if they keep behaving like this.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
...is to re-configure the UAC to make it as strict as Vista.
Hell, UAC is good. It's better than sudo. With sudo I will be tempted to use "sudo -s".
The most common scenario to meet a UAC dialog for me is when installing new apps or drivers. Other than that, you shouldn't really see a UAC dialog...
Most of the apps I came across have been adapted to require no admin privileges. After all, it's the app's fault for requiring UAC in the first place when it doesn't really need admin privileges.
BTW, I think in Win 7, AFAIK all Microsoft signed EXEs are exempt from the UAC prompt by default. There isn't a whitelist but simply all MS signed binaries are exempted.
No. People piled on Microsoft because UAC was a nuisance and did little to improve security because even experienced users became conditioned to click on continue whenever they heard "bing".
It was the world's largest exercise in Pavlovian conditioning. The Unix sudo model tends to work much better, and there are far fewer points where root access is required to get a particular task done.
-- $G
You are so right. I hate to be one of those "I am awesome because of X" but I have not run virus or malware software on Windows in many, many years and I have not had ANY problems. Other than the reg getting full of crap and having to re-install, about once a year. My system doesn't slow and things are great. Now, how do you teach a user to think about what they are doing before they do it and to have enough knowledge to make an informed decision? You don't, I guess. I try with my friends and family to keep them educated and to use NoScript, Firefox and to stay away from IE. It works but I still wind up cleaning their PCs of badware.
My point is that if I never get in the habit of "holding the handle" then in the long run I will be better off. Be aware of what you are doing and use that damn melon in your head.
Nice car analogy!
I had a car that required you to close the driver's door with the key. Worked very well.
It was much more like sudo/gksudo/kdesudo. Only those with the key can make big mistakes.
That's fine, I hear a lot of valid criticisms of UAC.
What bothers me is nobody seems to answer the question: "What *should* they be doing?" in a reasonable manner.
If you ask that on Slashdot, you get either "switch to Linux hur hur" or "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option. The second is (slightly) more realistic, but it would be a decade of work even assuming MS started this minute.
To make things worse, when Microsoft makes UAC comprehensive (like in Vista) people whine that it's too annoying. When they make it looser (like in Windows 7) people whine that the protection on rundll isn't sufficient. I almost feel sorry for Microsoft, because there's literally no way they could make everybody happy.
So what should Microsoft be doing?
Comment of the year
Before Vista came out, during its beta phase, I already thought of a way to get around UAC using a form of social engineering. First, two background facts:
1. When you run a signed program as Administrator, the UAC dialog box you get is colored differently, such that it looks more legitimate.
2. Explorer runs as an unprivileged account, and as such can be injected into (same as TFA).
The idea is rather simple. Have your malware inject into Explorer and wait. When the user finally does something that requires elevation, intercept the request.
Instead of running the application the user intended, elevate a Microsoft program that can easily be told to run another program; simple examples are cmd.exe and rundll32.exe. The UAC dialog box will come up, as the user expected. The program name will say "Windows Command Processor" instead of whatever Control Panel feature the user was actually trying to use.
But how many non-expert users know the difference? They were expecting to have to elevate and will click Yes. "Windows Command Processor" sounds legitimate enough.
After your malware takes control, run the original program the user wanted to run, keeping the illusion that everything is normal.
By the way, Administrator access is overrated. You can be a botnet node, steal bank account passwords, and steal WoW passwords all without needing to ever access the Administrator account in Windows. Those passwords are the items of real value now, and they're in unprivileged processes within the reach of unprivileged malware.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
They should be doing this:
https://bugs.launchpad.net/ubuntu/+bug/156693
http://slashdot.org/comments.pl?sid=1152645&cid=27105713
Summary:
UAC is like getting users to solve the "halting problem", e.g. figure out whether the program will halt or not (aka screw up your PC or not) without having the program's source code, or knowing all the inputs. Google the "halting problem" to see how hard it is.
My suggestion is analogous to:
Program: "Hi, I'm a flash demo, I want 30 seconds of real time"
User: "Sounds reasonable. OK",
The O/S then runs the program, and if the program is still running 30 seconds later, the O/S kills it.
So no need to figure out whether it will halt or not. The program will halt - the O/S ensures it.
If the program says "Hi, I'm a flash demo, I want infinite time", it should be far easier to train the user to go: "No" or "Too bad, you only get two minutes to do your stuff, that's all I'm willing to give you".
AFAIK, Microsoft has lots of very very smart people working for them. I'm sure they have already figured out something far better than my idea, after spending 6 billion dollars and thousands of man-years on Vista.
So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).
The problem with the doors on my house is I have to unlock them whenever I want to enter my house after I come home from work. I just want to enter my house, I don't want to mess with door locks. Locks do not work for humans.
For one, I don't believe Windows was originally designed to be a multi-user OS, was it? Everything it does that pretends to be has been an afterthought kludge. I honestly don't know if this is the case with NT-based systems so feel free to correct me.
But let's not pretend that it's the "exact same", either. In 2000 and XP none of it mattered because everyone ran as Administrator and did whatever the hell they wanted, which resulted in just about every Windows machine you'd ever come across being infested with malware and trash. In Vista, UAC hassles people to the point where they either get trained to just click "yes" to everything, or turn it off completely -- and it almost never tells you exactly what it's whining about either. I usually just see some vague message about how "Windows needs your permission to continue! If you started this action, continue. 'File Operation, Microsoft Windows." What the hell does that mean? I know what I'm doing and even I just blindly click "continue" to that because I have no idea what it actually means and I don't really have a choice.
And that's just one of Microsoft's many problems with security. Here's another. The expected method of installing new software on a Microsoft system is to download an untrusted executable and run it. You have no way of knowing where it's coming from, no means of defeating MITM compromises, and no way of knowing what the installer is really going to do. Windows then happily lets the installer vomit anywhere it wants, make registry changes, dump files into important system folders, and so on.
In any modern distro, the Linux method is to pull applications from the repositories of whatever package management system that distro uses. MD5 checksums prevent MITM attacks. The code has been examined and vetted by people who know what they're doing, and used by thousands more, so if there was some problem -- and there can be -- it quickly gets noticed, fixed, and pushed out as an update.
(Yes, yes, on a Unix system you can go get source code and compile and install it yourself, potentially compromising your system, but that takes some know-how and isn't something the average yob is ever going to do. And doing this isn't the expected way of doing things anymore except in very specific, rare circumstances. Anyone doing this is also presumably a bit more knowledgeable about what they're doing, as well. The average dope isn't opening a terminal any more than they're using the command shell in Windows; most people don't even know it's there.)
Meanwhile we're all still waiting around for Microsoft to deal with known security holes; there was an article here on Slashdot yesterday mentioning the zero-day Excel problem, but it also talked about how two other crucial Excel holes, known since last April, are still open and it doesn't look like Microsoft intends to do anything about those. And no one else can do anything about it either since it's a closed-source system. That's just one recent example -- we see articles about major security problems all the time around here.
This kind of garbage is what I mean by "Microsoft security is flawed from the ground up." Virtually everything it does, or expects a user to do, leaves gaping security holes, and the only way anyone can ever find out about them is by becoming a victim. Then, when enough noise gets made about the problem, Microsoft might, possibly, get off its ass and do something about it, but maybe not, and almost certainly never within a reasonable timeframe.
UAC was a poorly-implemented band-aid to just one of Microsoft's many, many security problems, all of which are, as I said, from the ground up. Given that I think that using a different OS is a completely realistic and reasonable option. Maybe someday Microsoft will get their act together and release an OS that isn't poisoned by this kind of stupidity, but in the meantime, why stick with them?
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
Let's not forget WHY UAC was created: normal users (with little or no computer experience) used Windows with an admin account (thank you legacy DOS and Microsoft's reluctance to break the pattern). So any rogue program could install itself for ALL users.
MS, instead of enforcing limited accounts, created UAC.
My opinion: DO NOT USE UAC. EVER. For a computer with only 1 user, CREATE 2 ACCOUNTS, 1 admin and 1 limited. Their reasons (probably): not breaking applications which were created badly in the 1st place (which required admin rights for everyday use).
I work for a big company (multi-national, 100.000+ employees) and I can tell you: LIMITED ACCOUNTS WORK. You want to install something, either do it only for you (if the installer does not complain), or ASK AN ADMIN. Someone who really knows what he is doing.
I have used the 2-account setup at home for over 3 years, and it's great. My only problem is that some installers refuse to run without admin rights.
I tried Vista a long time ago and I don't remember what I thought about UAC then. But now I've tried Windows 7 and I ended up disabling UAC (I started with the 2-account setup from the beginning). My only problem: an explorer window can no longer be started as a different user (run as). Although I do get the user/password prompt, it still starts as the logged-on user (defeating the run-as concept). Too bad because almost all control panel items are based on explorer.
> MS is in the learning stages in designing security. I wonder how long they will take
> to require an administrator login to perform administrator tasks.
Better question. Will Linux have forgotten by then? The current trend is to have 'admin' users on Linux able to do things with their password instead of root, many even ban root from logging in. The 'sudo for everything' mental disease all in the name of making Linux look like Windows/Mac.
Sudo is a wonderful tool when used to give occasional and controlled access to normal users. Replacing root with it is misusing an otherwise good tool.
Democrat delenda est
It does appear that an "administrator" has the file system privileges to modify the /Applications directory, and thus commands typed at the shell will work (so will the system calls to mess with those files, so any program can mess it up, but running programs in /bin from the shell is the easiest way to do it).
For some reason they decided to instead have the Finder do a "is this guy Administrator?" test before doing things that the Finder decided were illegal.
I agree this sounds stupid. The user should not be able to do those things without sudo! And the Finder should simply get those permission-denied errors from the system and use them to decide if sudo is needed, rather than having to keep its own model of how system permissions are laid out.
Almost certainly they did this so that applications could be installed/removed, but it does seem like there are better ways. Perhaps if you tried to drag an application to /Applications, the Finder could not do it, but it could recognize the attempt and run a setuid program that refuses to allow overwrite but will add the file.
Of course, the problem in some ways is not even MS's fault. The reality is most Windows programs are doing things that trigger UAC prompts for no good reason. In the Linux world, if a text editor or card game or whatever app required you to su every time you ran it, even when it didn't perform any functions that actually needed su level privileges, people would be pissed.
5 years ago I implemented a Windows system for a gov't agency which was required to have the typical auditing capabilities of the OS turned on. So I turned on success and failure auditing for object access. I quickly found out that this generated way too much (useless) information. I turned off success audits but still got a ton of audit data. The problem was that many applications (even Microsoft apps) were trying to access registry keys and files with privileges higher than they really needed and were generating failure audits, but the ACLs were still allowing the operations to succeed. Up until a few months ago I thought this was the nature of the Windows environment but found out while deploying some RHEL blades that even Linux applications do the same thing of trying to access files with more privileges than needed. Simple auditing provided me that information.
Point being that even in the Linux world there are apps that try to do more than they should. Luckily this is still hidden from the user but if something like UAC was ever implemented (incorrectly?) in Linux then users would see the same thing as what is happening in Windows. As it stands, in audit records both OSes have the same problem of generating too many false positives. UAC just makes it worse for users of Windows.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
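As an added example that is not part of the thread (and not anyone's production tooling): a small Python script that parses constructed Linux auditd SYSCALL records for open(2), counts per executable how often the open was denied versus allowed, and flags the pattern the poster above describes, a program asking for write access it is denied and then carrying on read-only. The sample records, executable paths and the `object-access` audit key are made up for this example.

```python
"""Spot programs that request more file access than they need, from audit records."""
import re
from collections import defaultdict

# Constructed sample records in auditd SYSCALL format; not real log data.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1236100000.001:101): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=2 uid=1000 comm="texteditor" exe="/usr/bin/texteditor" key="object-access"
type=SYSCALL msg=audit(1236100000.002:102): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 uid=1000 comm="texteditor" exe="/usr/bin/texteditor" key="object-access"
type=SYSCALL msg=audit(1236100000.003:103): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=2 uid=1000 comm="cardgame" exe="/opt/cardgame/bin/cardgame" key="object-access"
type=SYSCALL msg=audit(1236100000.004:104): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=1 uid=1000 comm="cardgame" exe="/opt/cardgame/bin/cardgame" key="object-access"
type=SYSCALL msg=audit(1236100000.005:105): arch=c000003e syscall=2 success=no exit=-2 a0=7ffd a1=0 uid=1000 comm="cardgame" exe="/opt/cardgame/bin/cardgame" key="object-access"
type=SYSCALL msg=audit(1236100000.006:106): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd a1=2 uid=0 comm="updater" exe="/usr/sbin/updater" key="object-access"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_SYSCALL = "2"             # open(2) on x86_64 (arch=c000003e)
DENIED_ERRNOS = {"-13", "-1"}  # EACCES, EPERM: real permission problems
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}


def parse_record(line):
    """Return the key=value fields of one audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def requested_mode(fields):
    """Decode the open(2) flags argument (a1, hex) to the access mode asked for."""
    return ACCESS_MODES[int(fields.get("a1", "0"), 16) & 3]


def summarise(audit_text):
    """Per executable: denied and allowed open counts plus the modes that were denied.

    Only open(2) SYSCALL records count. Failures other than EACCES/EPERM
    (e.g. ENOENT) are not permission problems and are ignored so they do
    not inflate the report.
    """
    summary = defaultdict(lambda: {"denied": 0, "allowed": 0, "denied_modes": set()})
    for line in audit_text.splitlines():
        f = parse_record(line)
        if f.get("type") != "SYSCALL" or f.get("syscall") != OPEN_SYSCALL:
            continue
        entry = summary[f["exe"]]
        if f["success"] == "yes":
            entry["allowed"] += 1
        elif f["exit"] in DENIED_ERRNOS:
            entry["denied"] += 1
            entry["denied_modes"].add(requested_mode(f))
    return dict(summary)


def fallback_pattern(summary):
    """Executables denied write access that nevertheless got an open through:
    the 'ask for more than you need, then fall back' behaviour auditing exposes."""
    return sorted(exe for exe, e in summary.items()
                  if e["denied"] and e["allowed"]
                  and e["denied_modes"] & {"O_WRONLY", "O_RDWR"})


if __name__ == "__main__":
    report = summarise(SAMPLE_AUDIT)
    for exe, e in report.items():
        print(f"{exe}: denied={e['denied']} allowed={e['allowed']} "
              f"denied_modes={sorted(e['denied_modes'])}")
    print("over-asking then falling back:", fallback_pattern(report))
```

Feeding it a real `ausearch -k <key> --raw` dump would need the PATH records joined in to name the files, which this version leaves out to stay short.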
Microsoft has published application guidelines since 1993 that state these very things. In order for a software application to become Windows Logo certified it has to demonstrate that it can run appropriately under a standard User account which has no ability to write to either location and that it can degrade gracefully (or, in the case of Vista, elevate appropriately) if the application has a genuine reason to perform an administrative task.