Slashdot Mirror


UAC Whitelist Hole In Windows 7

David Gerard writes "Microsoft tried to make Vista secure with User Account Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"

7 of 496 comments

  1. Just rip off the band-aid by dgr73 · · Score: 4, Interesting

    I had my try with UAC and came to the conclusion that it's just a lose/lose situation for Microsoft.

    Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.

    Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides.

    The only upside is that they insulate themselves legally by having the user do the "not recommended" thing whenever they use the OS. Then again, they've never been much to accept responsibility for security problems anyways, it's kind of a moot point.

  2. Re:If it was easy-- by spyrochaete · · Score: 4, Interesting

    I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

  3. The first thing I will do after getting Win 7... by sam0737 · · Score: 3, Interesting

    ...is to re-configure the UAC to make it as strict as Vista.

    Hell, UAC is good. It's better than sudo. With sudo I will be tempted to use "sudo -s".

    The most common scenario in which I meet a UAC dialog is when installing new apps or drivers. Other than that, you shouldn't really see a UAC dialog...
    Most of the apps I came across have been adapted to require no admin privileges. After all, it's the app's fault for requiring UAC in the first place when it doesn't really need admin privileges.

    BTW, I think in Win 7, AFAIK, all Microsoft-signed EXEs are exempted from the UAC prompt by default. There isn't a whitelist; simply all MS-signed binaries are exempted.
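The comment above talks about putting Windows 7 UAC back to Vista strictness and about which Microsoft binaries are exempted from the prompt. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the registry policy values that set the UAC prompt level, sets the Vista-equivalent "Always notify" level, and checks a given executable for the auto-elevation marker. The claim that Windows 7 auto-elevation is granted to signed Microsoft binaries whose embedded manifest carries `<autoElevate>true</autoElevate>` is an assumption of the example, not something the thread states; the function names are made up for this example.

```powershell
# Added example, not from the Slashdot thread or from Microsoft.
# Run from an elevated PowerShell on Windows 7 (PowerShell 2.0 syntax).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # ConsentPromptBehaviorAdmin: 2 = prompt for every elevation (Vista behaviour),
    # 5 = prompt only for non-Windows binaries (Windows 7 default).
    # EnableLUA = 0 means UAC is switched off entirely.
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacAlwaysNotify {
    # Vista-equivalent strictness: prompt for every elevation, on the secure desktop.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    # A change to EnableLUA only takes effect after a reboot.
}

function Test-AutoElevate {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Assumption (not stated in the thread): auto-elevation requires a Microsoft
    # signature plus <autoElevate>true</autoElevate> in the embedded manifest.
    # The manifest is a plain-text resource, so a byte scan finds it without mt.exe.
    $text = [System.IO.File]::ReadAllText($Path, [System.Text.Encoding]::ASCII)
    $auto = $text -match '<autoElevate>\s*true\s*</autoElevate>'
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path        = $Path
        AutoElevate = $auto
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage: show the current level, then check the binary the story names.
Get-UacLevel
Test-AutoElevate -Path "$env:SystemRoot\System32\rundll32.exe"

# List every auto-elevating executable in System32 (reads each file once, so it is slow).
Get-ChildItem "$env:SystemRoot\System32\*.exe" |
    ForEach-Object { Test-AutoElevate -Path $_.FullName } |
    Where-Object { $_.AutoElevate }
```

Test-AutoElevate reports what the file on disk says rather than assuming the story's claim, so running it against rundll32.exe is a way to check that claim on a given build; a binary with the manifest flag but a non-Microsoft or invalid signature would not be auto-elevated under the assumed rule, which is why the signature status is shown alongside the flag.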

  4. Re:If it was easy-- by Anonymous Coward · · Score: 3, Interesting

    You are so right. I hate to be one of those "I am awesome because of X" but I have not run virus or malware software on Windows in many, many years and I have not had ANY problems. Other than the reg getting full of crap and having to re-install, about once a year. My system doesn't slow and things are great. Now, how do you teach a user to think about what they are doing before they do it and to have enough knowledge to make an informed decision? You don't I guess. I try with my friends and family to keep them educated and to use NoScript, Firefox and to stay away from IE. It works but I still wind up cleaning their PCs of badware.

    My point is that if I never get in the habit of "holding the handle" then in the long run I will be better off. Be aware of what you are doing and use that damn melon in your head.

  5. Re:If it was easy-- by dna_(c)(tm)(r) · · Score: 3, Interesting

    Nice car analogy!

    I had a car that required you to close the driver's door with the key. Worked very well.

    It was much more like sudo/gksudo/kdesudo. Only those with the key can make big mistakes.

  6. Re:If it was easy-- by Blakey+Rat · · Score: 4, Interesting

    That's fine, I hear a lot of valid criticisms of UAC.

    What bothers me is nobody seems to answer the question: "What *should* they be doing?" in a reasonable manner.

    If you ask that on Slashdot, you get either "switch to Linux hur hur" or "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option. The second is (slightly) more realistic, but it would be a decade of work even assuming MS started this minute.

    To make things worse, when Microsoft makes UAC comprehensive (like in Vista) people whine that it's too annoying. When they make it looser (like in Windows 7) people whine that the protection on rundll isn't sufficient. I almost feel sorry for Microsoft, because there's literally no way they could make everybody happy.

    So what should Microsoft be doing?

  7. What Microsoft should do by TheLink · · Score: 3, Interesting

    They should be doing this:

    https://bugs.launchpad.net/ubuntu/+bug/156693

    http://slashdot.org/comments.pl?sid=1152645&cid=27105713

    Summary:
    UAC is like getting users to solve the "halting problem", i.e. figure out whether the program will halt or not (aka screw up your PC or not) without having the program's source code, or knowing all the inputs. Google the "halting problem" to see how hard it is.

    My suggestion is analogous to:

    Program: "Hi, I'm a flash demo, I want 30 seconds of real time"
    User: "Sounds reasonable. OK."

    The O/S then runs the program, and if the program is still running 30 seconds later, the O/S kills it.
    So no need to figure out whether it will halt or not. The program will halt - the O/S ensures it.

    If the program says "Hi, I'm a flash demo, I want infinite time", it should be far easier to train the user to go: "No" or "Too bad, you only get two minutes to do your stuff, that's all I'm willing to give you".

    AFAIK, Microsoft has lots of very very smart people working for them. I'm sure they have already figured out something far better than my idea, after spending 6 billion dollars and thousands of man-years on Vista.

    So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).
