Slashdot Mirror


UAC Whitelist Hole In Windows 7

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"

77 of 496 comments

  1. If it was easy-- by Geoffrey.landis · · Score: 5, Insightful

    Hey, if security was easy, everybody would do it.

    --
    http://www.geoffreylandis.com
    1. Re:If it was easy-- by spyrochaete · · Score: 4, Interesting

      I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

    2. Re:If it was easy-- by schon · · Score: 5, Insightful

      It sounds like what you're saying is that UAC is only useful for people who know what they're doing. You are savvy enough to recognize when it's protecting you from mistakes, but the average user won't.

      UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

      My first car was made by Isuzu. Like many (all?) imports, in order to lock the door from the outside of the car, you had to hold the handle up as you closed the door. I asked why this was, and was told that it was a mechanism to prevent you from locking your keys in the car. You couldn't just carelessly close the door, you had to actively hold the handle up.

      One hot summer day, I got out of the car, took off my coat, and put it inside. Out of habit (because I needed to do it every time) I held the handle up as I closed the door. A few minutes later I realized that the keys were in my coat pocket. And the door was locked.

      The designers of this car thought they were making it harder to lock your keys in the car, but in reality they were simply training people to hold the handle up when they closed the door.

      UAC reminds me of the exact same thinking. It doesn't really prevent you from making mistakes, it just conditions you to click "OK".

    3. Re:If it was easy-- by thetoadwarrior · · Score: 2, Funny

      I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

      Your comment reminds me of a shirt sold by T-shirt Hell which said on it "What about the good things Hitler did?".

    4. Re:If it was easy-- by Anonymous Coward · · Score: 3, Interesting

      You are so right. I hate to be one of those "I am awesome because of X" types, but I have not run virus or malware software on Windows in many, many years and I have not had ANY problems, other than the registry getting full of crap and having to re-install about once a year. My system doesn't slow and things are great. Now, how do you teach a user to think about what they are doing before they do it and to have enough knowledge to make an informed decision? You don't, I guess. I try with my friends and family to keep them educated and to use NoScript and Firefox and to stay away from IE. It works, but I still wind up cleaning their PCs of badware.

      My point is that if I never get in the habit of "holding the handle" then in the long run I will be better off. Be aware of what you are doing and use that damn melon in your head.

    5. Re:If it was easy-- by Kaboom13 · · Score: 4, Insightful

      That's really the problem with UAC. It comes up so often for no good reason, and gives no information to the user why it even came up. The only people with the technical skill to make intelligent choices about it don't need it. Of course, the problem in some ways is not even MS's fault. The reality is most Windows programs are doing things that trigger UAC prompts for no good reason. In the Linux world, if a text editor or card game or whatever app required you to su every time you ran it, even when it didn't perform any functions that actually needed su-level privileges, people would be pissed. But there's a lot of Windows apps that need to run as admin, even when their primary function has no need for admin-level privileges. Their coders were just lazy, and instead of doing things following MS's guidelines, they take shortcuts that lead to big headaches for everyone down the line.
      Most apps don't handle a deny in UAC gracefully either; they either completely crash or have wildly unpredictable behavior. When they should be telling the user why they need a UAC OK, and giving an option to gracefully quit or retry, they seem to prefer to pretend it doesn't exist.

      I think everyone agrees, UAC as it stands is a clusterfuck. But I think MS deserves a little slack. They are fighting a major battle, trying to rein in the thousands of terrible Windows coders and get them to finally play nice not being admin all the time. Granted, it would not be as big a problem if they had not ignored it for so long, but 2000 and XP both prove that simply offering and recommending that users don't run as admin, and programs not require it, is not enough.
      Hopefully MS will keep working and improving it, and app designers will get tired of their users complaining about UAC prompts and design their apps to only need admin (and thus a UAC prompt) at install.

    6. Re:If it was easy-- by dna_(c)(tm)(r) · · Score: 3, Interesting

      Nice car analogy!

      I had a car that required you to close the driver's door with the key. Worked very well.

      It was much more like sudo/gksudo/kdesudo. Only those with the key can make big mistakes.

    7. Re:If it was easy-- by dna_(c)(tm)(r) · · Score: 2, Funny

      Your comment reminds me of a shirt sold by T-shirt Hell which said on it "What about the good things Hitler did?".

      I want one with "Remember Godwin's Law" on it.

    8. Re:If it was easy-- by Blakey+Rat · · Score: 4, Interesting

      That's fine, I hear a lot of valid criticisms of UAC.

      What bothers me is nobody seems to answer the question: "What *should* they be doing?" in a reasonable manner.

      If you ask that on Slashdot, you get either "switch to Linux hur hur" or "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option. The second is (slightly) more realistic, but it would be a decade of work even assuming MS started this minute.

      To make things worse, when Microsoft makes UAC comprehensive (like in Vista) people whine that it's too annoying. When they make it looser (like in Windows 7) people whine that the protection on rundll isn't sufficient. I almost feel sorry for Microsoft, because there's literally no way they could make everybody happy.

      So what should Microsoft be doing?

    9. Re:If it was easy-- by Blakey+Rat · · Score: 4, Insightful

      It was an analogy. You don't have to respond to the analogy whether or not you've heard of it. Respond instead to the *point* of the post. You're missing the forest for the trees: this topic isn't about locking keys in the car, it's about UAC in Windows 7. (For what it's worth, my Mitsubishi Cordia-L had that "feature.")

      Now someone mod this off-topic.

    10. Re:If it was easy-- by aaronbeekay · · Score: 2, Insightful

      I thought the same thing you did, until I thought a little bit more about why those door locks work the way they do.

      No car company can really stop people from locking their keys in their cars without fancy solutions like RFID fingers or Bluetooth or some-such. I don't think the people at Isuzu who designed your car door thought that they could. Instead, they were trying to solve the problem of unintentionally closing the locked door. It seems like something that doesn't happen often, but what if you had locked the door, then went for something you had tossed on the roof, etc., then bumped the door shut? Maybe the wind blew? Holding the door handle isn't supposed to make you think about your keys, it's only supposed to confirm that it's a human performing the action. Wind doesn't hold door handles open.

      Of course, this doesn't really relate to your UAC analogy. Sorry.

    11. Re:If it was easy-- by funkatron · · Score: 5, Funny

      So what should Microsoft be doing?

      The one thing that's always worked before. Design a new colour scheme and let the marketing department do the rest.

      --
      "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    12. Re:If it was easy-- by schon · · Score: 3, Insightful

      "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option.

      Why not? Apple did it, and people adjusted pretty well.

      Apple realized what MS didn't - that they had a single-user OS, and it was flat-out impossible to turn it into a true multi-user OS without changing everything about it, so they started over from scratch (well, with the help of Darwin) and ran legacy apps in a VM. It worked very well.

      Security is a necessary feature of any multi-user OS, and security isn't something that can be bolted onto something after the fact - you have to design software with security in mind. Windows (however much it tries to be multi-user) is still, at its core, a single-user OS. No amount of add-ons will change that. If they want security, they need to start over from scratch.

      Just like Apple did.

    13. Re:If it was easy-- by Blakey+Rat · · Score: 2, Insightful

      I definitely agree with you. It's a systemic problem, though... Lotus Notes took until version 6.5 to install correctly on multi-user systems. (And their first version was designed for NT3!)

      World of Warcraft, the most popular video game, not only doesn't work correctly in a multi-user setup, they've done half-assed "fixes" to make it kind of work in Vista. (Instead of storing the Plug-Ins folder in a sensible location, they've actually moved *the entire WOW install* to the Users folder. It's ridiculous!)

      So you have a big problem: the second-biggest corporate email system and the biggest video game simply do not get it.

    14. Re:If it was easy-- by rantingkitten · · Score: 5, Insightful

      If you ask that on Slashdot, you get either "switch to Linux hur hur" or "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option.

      How are these not realistic options? If you had a car that simply broke down every couple of days for no discernible reason, "get a different car" is a perfectly valid and realistic option -- a hell of a lot more reasonable than "continue with the car you have and make mostly random, incremental repairs hoping it'll get better."

      To make things worse, when Microsoft makes UAC comprehensive (like in Vista) people whine that it's too annoying. When they make it looser (like in Windows 7) people whine that the protection on rundll isn't sufficient.

      That's because Windows security is fundamentally flawed from the ground up and bolting on garbage like UAC isn't the answer, nor was it ever. If Microsoft can't get their stuff together, using a different OS is a perfectly reasonable answer.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    15. Re:If it was easy-- by rantingkitten · · Score: 2, Interesting

      For one, I don't believe Windows was originally designed to be a multi-user OS, was it? Everything it does that pretends to be has been an afterthought kludge. I honestly don't know if this is the case with NT-based systems so feel free to correct me.

      But let's not pretend that it's the "exact same", either. In 2000 and XP none of it mattered because everyone ran as Administrator and did whatever the hell they wanted, which resulted in just about every Windows machine you'd ever come across being infested with malware and trash. In Vista, UAC hassles people to the point where they either get trained to just click "yes" to everything, or turn it off completely -- and it almost never tells you exactly what it's whining about either. I usually just see some vague message about how "Windows needs your permission to continue! If you started this action, continue. 'File Operation, Microsoft Windows." What the hell does that mean? I know what I'm doing and even I just blindly click "continue" to that because I have no idea what it actually means and I don't really have a choice.

      And that's just one of Microsoft's many problems with security. Here's another. The expected method of installing new software on a Microsoft system is to download an untrusted executable and run it. You have no way of knowing where it's coming from, no means of defeating MITM compromises, and no way of knowing what the installer is really going to do. Windows then happily lets the installer vomit anywhere it wants, make registry changes, dump files into important system folders, and so on.

      In any modern distro, the Linux method is to pull applications from the repositories of whatever package management system that distro uses. MD5 checksums prevent MITM attacks. The code has been examined and vetted by people who know what they're doing, and used by thousands more, so if there was some problem -- and there can be -- it quickly gets noticed, fixed, and pushed out as an update.

      (Yes, yes, on a Unix system you can go get source code and compile and install it yourself, potentially compromising your system, but that takes some know-how and isn't something the average yob is ever going to do. And doing this isn't the expected way of doing things anymore except in very specific, rare circumstances. Anyone doing this is also presumably a bit more knowledgeable about what they're doing, as well. The average dope isn't opening a terminal any more than they're using the command shell in Windows; most people don't even know it's there.)

      Meanwhile we're all still waiting around for Microsoft to deal with known security holes; there was an article here on Slashdot yesterday mentioning the zero-day Excel problem, but it also talked about how two other crucial Excel holes, known since last April, are still open and it doesn't look like Microsoft intends to do anything about those. And no one else can do anything about it either since it's a closed-source system. That's just one recent example -- we see articles about major security problems all the time around here.

      This kind of garbage is what I mean by "Microsoft security is flawed from the ground up." Virtually everything it does, or expects a user to do, leaves gaping security holes, and the only way anyone can ever find out about them is by becoming a victim. Then, when enough noise gets made about the problem, Microsoft might, possibly, get off its ass and do something about it, but maybe not, and almost certainly never within a reasonable timeframe.

      UAC was a poorly-implemented band-aid to just one of Microsoft's many, many security problems, all of which are, as I said, from the ground up. Given that I think that using a different OS is a completely realistic and reasonable option. Maybe someday Microsoft will get their act together and release an OS that isn't poisoned by this kind of stupidity, but in the meantime, why stick with them?

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    16. Re:If it was easy-- by mathew7 · · Score: 2, Interesting

      Let's not forget WHY UAC was created: normal users (with little or no computer experience) used Windows with an admin account (thank you, legacy DOS and Microsoft's reluctance to break the pattern). So any rogue program could install itself for ALL users.
      MS, instead of enforcing limited accounts, created UAC.
      My opinion: DO NOT USE UAC. EVER. For a computer with only 1 user, CREATE 2 ACCOUNTS, 1 admin and 1 limited. Their reasons (probably): not breaking applications which were created badly in the 1st place (which required admin rights for everyday use).
      I work for a big company (multi-national, 100.000+ employees) and I can tell you: LIMITED ACCOUNTS WORK. You want to install something, either do it only for you (if the installer does not complain), or ASK AN ADMIN. Someone who really knows what he is doing.
      I have used the 2-account setup at home for over 3 years, and it's great. My only problem is that some installers refuse to run without admin rights.

      I tried Vista a long time ago and I don't remember what I thought about UAC then. But now I've tried Windows 7 and I ended up disabling UAC (I started with the 2-account setup from the beginning). My only problem: an Explorer window can no longer be started as a different user (run as). Although I do get the user/password prompt, it still starts as the logged-on user (defeating the run-as concept). Too bad, because almost all Control Panel items are based on Explorer.

    17. Re:If it was easy-- by vux984 · · Score: 3, Insightful

      That's really the problem with UAC. It comes up so often for no good reason, and gives no information to the user why it even came up.

      Really? I almost never get a UAC prompt I don't expect. I do agree it should explain more about what it is trying to do.

      The only people with the technical skill to make intelligent choices about it don't need it.

      Yes and no. It's true only people with technical skill will know whether the UAC prompt is expected or not. However, when a technical person gets one he doesn't expect, that's a sign of, well, UN-expected activity going on. And yes, technical people do need that. If I run something and I don't expect a UAC prompt, and I get one, that's a real red flag.

      Of course, the problem in some ways is not even MS's fault. The reality is most Windows programs are doing things that trigger UAC prompts for no good reason. In the Linux world, if a text editor or card game or whatever app required you to su every time you ran it, even when it didn't perform any functions that actually needed su-level privileges, people would be pissed.

      Precisely. Once the software ecosystem catches up, the only time you will see a Vista UAC prompt is when you are installing software, installing hardware, or performing genuine system admin stuff. Even today, as long as you stick to new "Vista aware" software you really don't see Vista UAC prompts for no reason. None of the software I use requires needless UAC prompts.

      And the majority of UAC prompts I see are the result of auto-updates. MS should start building a Windows Update site for 3rd parties and encourage companies to integrate with it, so I can authorize Firefox, Adobe Reader and Java updates all with one UAC prompt, instead of a separate one for each application.

      I think everyone agrees, UAC as it stands is a clusterfuck.

      I don't think it's a clusterfuck. It's not perfect... I'd like to be able to see Device Manager without a UAC prompt (and only require one to make a change). I'd like more information on what exactly a program is doing that needs an elevation. But overall, it's a very good first effort. MS had a much harder problem to solve than Linux... on Linux if an app tries to do something it's not supposed to, the OS just disallows it outright. That's ideal, but it's just not an option on Windows... too much legacy stuff would just silently break... UAC's prompt is an acceptable transitional workaround. Longer term, I think Windows will be able to move towards a *nix-like system, but clearly that's not a jump they could just do all at once.

    18. Re:If it was easy-- by jmorris42 · · Score: 2, Interesting

      > MS is in the learning stages in designing security. I wonder how long they will take
      > to require an administrator login to perform administrator tasks.

      Better question. Will Linux have forgotten by then? The current trend is to have 'admin' users on Linux able to do things with their password instead of root, many even ban root from logging in. The 'sudo for everything' mental disease all in the name of making Linux look like Windows/Mac.

      Sudo is a wonderful tool when used to give occasional and controlled access to normal users. Replacing root with it is misusing an otherwise good tool.

      --
      Democrat delenda est
    19. Re:If it was easy-- by TheNetAvenger · · Score: 2, Insightful

      Ok, let's get this one out of the way...

      For one, I don't believe Windows was originally designed to be a multi-user OS, was it? Everything it does that pretends to be has been an afterthought kludge. I honestly don't know if this is the case with NT-based systems so feel free to correct me.

      Wrong. NT was very much designed around a multi-user model, they just did not enable any multi-user interfaces beyond telnet. The same multi-user NT level separation and code running today was in the first NT release.

      3rd parties were providing multi-user on NT back in 1992-1993 when it first shipped.

      NT 4.0 added in RDP, but the multi-user model and concurrent multi-user access was already there, it was just the GUI protocol added.

      But let's not pretend that it's the "exact same", either. In 2000 and XP none of it mattered because everyone ran as Administrator and did whatever the hell they wanted, which resulted in just about every Windows machine you'd ever come across being infested with malware and trash. In Vista, UAC hassles people to the point where they either get trained to just click "yes" to everything

      Not exactly... MS screwed up with XP, as NT users (including Win2K users) were usually business or professional users in a work environment, and people didn't run as Administrator any more than they ran as root on a *nix.

      Along comes XP that is a replacement to the Win9X line of OS that had NO CONCEPT of security as they were a closed consumer level OS as most home users were not part of a network, let alone the Internet when Win9X was designed.

      XP is where MS made a fatal mistake. They had two choices - break Win9X Win32 applications, or relax NT security and also run standard users as Administrator by default.

      This was bad for several reasons.

      1) Developers that had no concept of security were not forced to update their software to do Security API checks, so even more years of bad software.

      2) Users got 'used' to everything running at admin level, and running as a 'power user' and elevating with "Run As..." was never needed, so users were never shoved down the path to understanding security.

      3) It left holes open in XP that caused a lot of the security backlash XP took up until around SP2. And is why people today think Windows or NT are poor at security.

      Expanding on #3, this is where it gets interesting. NT itself and even the Win32 subsystem running on NT have a lot of security. In fact NT's security model was and probably still is more advanced than most *nix OSes.

      When you see NT security at work, you see even low-level kernel calls obtaining a security token and having a full object-based security model for every process, message, call, etc.

      At kernel level NT does more security control than people realize, and then when you add in NTFS and ACLs and the 'object' nature of the NT messaging system, it is quite an expansive security model and there is NOTHING wrong with it.

      This is why when people yell for MS to re-write NT, they have no idea what they are talking about. Even Win32 is not bad when it comes to security and it is not even the final say on security on NT, as it is just an OS client subsystem running on the NT kernel.

      So move ahead from XP to Vista. Users are NOT used to dealing with elevating, have no concept of it, and developers still aren't writing software properly with security API checks or even keeping their hands off of OS-level areas.

      This makes the UAC in Vista a bitch for Microsoft, as they have to now balance several more years of poorly written applications that have no idea of NT security, and they also have to deal with users that never had to use "Run As..." or be forced to elevate no matter what they were doing.

      This pissed off stupid developers, as they now think Vista is breaking their horrid software; it is also pissing off the users of that software.

      And the UAC is pissing off users because they are not used to dealing with security themselves. And strangely, even t

    20. Re:If it was easy-- by glitch23 · · Score: 2, Interesting

      Of course, the problem in some ways is not even MS's fault. The reality is most Windows programs are doing things that trigger UAC prompts for no good reason. In the Linux world, if a text editor or card game or whatever app required you to su every time you ran it, even when it didn't perform any functions that actually needed su-level privileges, people would be pissed.

      5 years ago I implemented a Windows system for a gov't agency which was required to have the typical auditing capabilities of the OS turned on. So I turned on success and failure auditing for object access. I quickly found out that this generated way too much (useless) information. I turned off success audits but still got a ton of audit data. The problem was that many applications (even Microsoft apps) were trying to access registry keys and files with privileges higher than they really needed and were generating failure audits, but the ACLs were still allowing the operations to succeed. Up until a few months ago I thought this was the nature of the Windows environment, but found out while deploying some RHEL blades that even Linux applications do the same thing of trying to access files with more privileges than needed. Simple auditing provided me that information.

      Point being that even in the Linux world there are apps that try to do more than they should. Luckily this is still hidden from the user but if something like UAC was ever implemented (incorrectly?) in Linux then users would see the same thing as what is happening in Windows. As it stands, in audit records both OSes have the same problem of generating too many false positives. UAC just makes it worse for users of Windows.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
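      The over-privileged-access noise glitch23 describes can be separated from genuine access failures mechanically. The Python below is an added example for this thread, not code from any poster or from Microsoft. It takes a handful of constructed object-access audit records, modelled on the fields of Security event 4656 (a handle to an object was requested) with its Success/Failure keyword and requested access mask, and marks a failure as an over-privileged request when the same process later opens the same object successfully with a strictly narrower mask; failures with no such fallback are the ones worth an analyst's time. The record field names, process names and object paths are assumptions; the access-mask constants are the documented Win32 values.

```python
from collections import defaultdict

# Access-mask bits (documented Win32 values) used in the constructed sample.
KEY_READ = 0x20019
KEY_ALL_ACCESS = 0xF003F
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002

# Constructed sample modelled on the fields of Security event 4656 ("A handle
# to an object was requested"): outcome keyword, requesting process, object
# name and requested access mask. These records are an assumption for the
# example, not real log data.
SAMPLE_AUDIT = [
    {"seq": 1, "outcome": "Failure", "process": r"C:\Apps\legacy.exe",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Legacy", "mask": KEY_ALL_ACCESS},
    {"seq": 2, "outcome": "Success", "process": r"C:\Apps\legacy.exe",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Legacy", "mask": KEY_READ},
    {"seq": 3, "outcome": "Failure", "process": r"C:\Apps\legacy.exe",
     "object": r"C:\Windows\System32\drivers\etc\hosts", "mask": FILE_WRITE_DATA},
    {"seq": 4, "outcome": "Failure", "process": r"C:\Apps\editor.exe",
     "object": r"C:\Users\alice\notes.txt", "mask": FILE_READ_DATA | FILE_WRITE_DATA},
    {"seq": 5, "outcome": "Success", "process": r"C:\Apps\editor.exe",
     "object": r"C:\Users\alice\notes.txt", "mask": FILE_READ_DATA},
]


def is_narrower(later, earlier):
    """True when `later` asks for a strict subset of the bits in `earlier`."""
    return later != earlier and (later & ~earlier) == 0


def triage(records):
    """Classify every failure audit in `records`.

    'overprivileged-request': the same process later opened the same object
    successfully with a narrower mask. The application asked for more than it
    needed and fell back, so the denial is noise (a bug for the vendor, not
    an incident).
    'real-denial': no narrower success followed, so the operation actually
    failed and the record deserves a look.
    """
    by_key = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["seq"]):
        by_key[(rec["process"], rec["object"])].append(rec)

    findings = []
    for (proc, obj), events in by_key.items():
        for i, ev in enumerate(events):
            if ev["outcome"] != "Failure":
                continue
            fallback = next(
                (e for e in events[i + 1:]
                 if e["outcome"] == "Success" and is_narrower(e["mask"], ev["mask"])),
                None,
            )
            findings.append({
                "seq": ev["seq"],
                "process": proc,
                "object": obj,
                "requested": ev["mask"],
                "granted": fallback["mask"] if fallback else None,
                "verdict": "overprivileged-request" if fallback else "real-denial",
            })
    return sorted(findings, key=lambda f: f["seq"])


def summarize(findings):
    """Count verdicts so the noise ratio is visible at a glance."""
    counts = {"overprivileged-request": 0, "real-denial": 0}
    for f in findings:
        counts[f["verdict"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT)
    for f in results:
        got = "none" if f["granted"] is None else "0x%X" % f["granted"]
        print("#%d %-22s %s -> %s (asked 0x%X, got %s)"
              % (f["seq"], f["verdict"], f["process"], f["object"], f["requested"], got))
    print(summarize(results))
```

      Run on the sample, the legacy registry open and the editor's read-write open are classified as over-privileged requests that fell back to read access, while the write attempt on the hosts file has no later success and stays a real denial. On a live system the same pairing logic would be fed from the Security log rather than from the constructed list.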
    21. Re:If it was easy-- by nog_lorp · · Score: 2, Informative

      Microsoft's behavior with Excel reflects their general behavior. They have taken YEARS to patch bugs like the CSRSS backspace exploit (unprivileged bug causing complete crash of system).

    22. Re:If it was easy-- by Vainglorious+Coward · · Score: 2, Informative

      The current trend is to have 'admin' users on Linux able to do things with their password instead of root, many even ban root from logging in. The 'sudo for everything' mental disease all in the name of making Linux look like Windows/Mac

      The main reason for requiring admins to use sudo is accountability - all actions can be properly logged and audited. That's not possible if you allow admins to su to root or login as root. In any environment of any consequence that has multiple admins with (possibly individually varying levels of) root privileges, using sudo is the sensible and secure way to do it.

      --
      My next sig will be ready soon, but subscribers can beat the rush
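      The accountability argument above can be seen directly in what the two tools log. The Python below is an added example, not code from the thread or from the sudo project. It parses a constructed auth-log excerpt written in the line formats sudo and pam_unix's su session message produce, and builds a per-admin audit trail: a sudo line records the actor, the target user and the exact command (and sudo also logs refusals), while an su session records only that a root shell was opened, so nothing done inside it can be attributed to a command. Hostnames, user names and commands are made up.

```python
import re

# Constructed auth-log excerpt (not real log data). The sudo and pam_unix su
# line shapes follow what those tools log on a typical Linux system; the
# host, users and commands are invented for the example.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:41 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:02 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=postgres ; COMMAND=/usr/bin/psql -c SELECT 1
Mar  3 09:20:17 web01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Mar  3 09:31:55 web01 su: pam_unix(su:session): session opened for user root by dave(uid=1002)
Mar  3 09:40:10 web01 su: pam_unix(su:session): session closed for user root
"""

# sudo logs one line per decision: actor, optional refusal marker, tty, cwd,
# target user and the full command line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# pam_unix only records that a session to the target user was opened by the actor.
SU_RE = re.compile(
    r"su: pam_unix\(su:session\): session opened for user (?P<target>\S+) by (?P<actor>[^( ]+)"
)


def parse_auth_log(text):
    """Turn log lines into uniform entries; lines that match neither tool are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            entries.append({"tool": "sudo", "actor": m["actor"], "target": m["target"],
                            "command": m["command"], "allowed": m["denied"] is None})
            continue
        m = SU_RE.search(line)
        if m:
            # No command is ever recorded for an su session, only that it opened.
            entries.append({"tool": "su", "actor": m["actor"], "target": m["target"],
                            "command": None, "allowed": True})
    return entries


def accountability_report(entries):
    """Per actor: commands attributable to them, refusals, and su sessions
    whose contents cannot be attributed to any command."""
    report = {}
    for e in entries:
        bucket = report.setdefault(
            e["actor"], {"attributed": [], "denied": [], "unattributed_sessions": 0})
        if e["tool"] == "su":
            bucket["unattributed_sessions"] += 1
        elif e["allowed"]:
            bucket["attributed"].append((e["target"], e["command"]))
        else:
            bucket["denied"].append((e["target"], e["command"]))
    return report


if __name__ == "__main__":
    for actor, info in accountability_report(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(actor, info)
```

      For the sample, alice and bob each end up with an exact (target user, command) pair, carol's refused attempt is recorded as a denial with the command she tried, and dave shows one root session with nothing attributable inside it, which is precisely the gap the poster is pointing at.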
  2. ..bungle, bungle.... by gadget+junkie · · Score: 5, Insightful

    I still think that Microsoft will have a very hard time prying customers away from the fiercest of its competitors: WIN XP.

    In all the financial institutions I work with, or know, WIN XP is the validated standard, and as far as I know no one takes the XP "expiry date" seriously, so no plan B is in place.

    This is still in Microsoft's favour, since no one is actively pursuing things like Ubuntu/OpenOffice or such, but it's anyone's guess how long this state of grace will go on; after all, many applications work in terminal emulation, which is an ancient technology by any standard; why use Vista or Windows 7 for that?

    --
    "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
    1. Re:..bungle, bungle.... by myxiplx · · Score: 3, Insightful

      Yup, Microsoft have a real fight on their hands retiring XP. I think Windows 7 is a huge improvement over Vista, I really like the thought that's gone into the new task bar (and can name probably a dozen users at our company who will benefit as they never did grasp the difference between a button to launch a program, and one to switch to the existing copy).

      The new drive encryption stuff sounds promising too, as does AppLocker (provided you don't look too hard at it...).

      But then I found that we don't get drive encryption without the full blown enterprise product, and associated subscription costs. AppLocker sounds painfully hard to implement, and while the task bar is nice, it's not really £50+ per user nice. So even though I think they're finally getting things right with Windows 7, I still can't see any good reason for us to upgrade. So far there's absolutely nothing that we can't achieve with XP.

      And that's the crux of the problem: This is a business decision, it's straightforward cost/benefit analysis. Right now I can't see any benefit that even comes close to justifying the cost of the upgrade.

    2. Re:..bungle, bungle.... by Anonymous Coward · · Score: 3, Informative

      He's talking about use in a business. They're not going to have a different OS on every desktop. They either keep buying XP with each new PC or they upgrade all existing PCs.

    3. Re:..bungle, bungle.... by myxiplx · · Score: 3, Insightful

      Go google Winternals Protection Manager sometime. That *was* UAC (and then some) for Windows XP.

      Strangely enough, a couple of months after it launched, Microsoft bought the company producing it, and promptly buried the product. After all, you can't have good security getting in the way of Vista sales.

      That's yet another example of Microsoft making my life harder, and putting marketing ahead of good tech. I might be a Windows admin, and I've been running, supporting and recommending Microsoft products for a while, but I am *not* impressed with Microsoft these days.

  3. Futurama Analogy by nurhussein · · Score: 3, Funny

    Microsoft's approach to security is like putting too much air into a balloon! And when exploiters find a way around their measures, it's like.. a balloon, and... something bad happens!

  4. Good thing it's a beta by Nimey · · Score: 4, Insightful

    Aren't you glad this was caught in testing? Yeah, I am too.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Good thing it's a beta by rsmith-mac · · Score: 5, Insightful

      Unfortunately it's not a bug, or even a design flaw. Microsoft's in the position of trying to placate as many customers as they can. They tried doing security the "correct" way with Vista, only for the loudmouths of the world to run around telling everyone else that Vista sucked because they kept getting "those damned prompts." Hell, Apple even got in on the action and made TV advertisements about it lambasting Microsoft for doing security right*. So Microsoft does something about it: they scale back the security and scale up the convenience.

      Now Peter makes a good point in the article that Microsoft should have stuck to their guns, and I agree with him. Users won't do the right thing unless it's also the easy thing, so now and then you're going to have to club them over the head and make them do the right thing anyhow. But if Microsoft isn't going to do this, then they're in effect (back to) designing an insecure OS, because that's what people want. At some point you have to trade some convenience for some security, it turns out most people (or at least the loudest of them) will trade away every bit of security for every bit of convenience they can get.

      This isn't something that's going to be fixed. It's a design choice. It's what the people - in all their infinite stupidity - want.

      * OS X has a pretty big hole: any admin user account can write to the Applications directory willy-nilly. Just like with Windows, people tend to use admin accounts for day-to-day work. From a high-level perspective, Vista does more things right than OS X does

    2. Re:Good thing it's a beta by rsmith-mac · · Score: 3, Insightful

      The only correct way is the secure way. Anything that allows code to run with admin privileges without user confirmation is a problem.

    3. Re:Good thing it's a beta by Anonymous Coward · · Score: 3, Informative

      Bull-Shit

      People do not tend to use "admin accounts" for day to day tasks on OSX. You have no idea what you are even talking about. OSX uses a sudo mechanism to elevate privileges (after authentication) for processes.

      It is not annoying, and fairly secure. The design is possible since they are based on a proper multi-user OS (BSD) and multi user and privilege separation is not an afterthought.

    4. Re:Good thing it's a beta by Hal_Porter · · Score: 2, Interesting

      This shows the benefit of Microsoft's development model. They have an (effectively) open beta so everyone interested will have downloaded the beta and tested it. Closed source, signed binaries and software that phones home (or DRM as slashdot inaccurately calls it) means that they can give away the beta and be confident that most (note: not all) people will stop using it when it expires and buy the full version.

      In the meantime the software is going to be widely used and people will check for exploits like this. Many eyeballs make all bugs shallow, as ESR pointed out. There are more eyeballs on Windows 7 than Linux, and more programmers working to fix the bugs the eyeballs find, because Windows is a multibillion dollar product. Even more profoundly, it's not just bugs that are getting fixed. Any features in Vista that irritate people, like UAC, are getting changed as well. That can only happen with commercial software. If it was FOSS the developers would just tell us that security was important and we mere users were idiots for not understanding this. With Windows they were forced to change things: improve security in Vista and user-friendliness in 7.

      Windows isn't even a monopoly either. Vista's flaws have seen the OS X market share increase. In response to that they are working hard to fix those flaws for 7.

      This is the closed source empire, striking back. Don't expect Windows' market share to drop by much if they keep behaving like this.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re:Good thing it's a beta by Anonymous Coward · · Score: 5, Insightful

      The problem is that when the UAC box pops up 4 times for the same file copy, people will naturally start ignoring it / not paying attention to it / turning it off. They habitually start clicking yes to everything because clicking yes means they get to do what they want, whereas clicking no stops them from doing what they want.

      This doesn't mean users want to trade "all security for convenience". It means users, shock and horror, actually want to use their computers to do what they want to do. If Microsoft cannot find a better way than to shove multiple nag boxes in your face every time you try and do one little thing, then they should immediately give up, because they are lost.

      I remember a study done ages ago that said that most people don't even read the text in a message box. They choose the option that allows them to do what they want to do. Nobody wants to pick the option that prevents them from doing the action they initiated - why else would they have initiated it?

      So why even pay attention to the box at all? After you've seen 50 of them, they are completely ignored. Users are not in the wrong here. It is not stupid to want to use your computer for something you want to do without being annoyed to death by idiocy.

      Regardless of intent, UAC does not work for humans. The human mind actively circumvents it as noise, just as it does with thousands of other distractions we deal with every day. Since Vista is presumably being marketed exclusively to humans at this point, it must either fit with the way human minds work, or perish entirely.

      The idea that UAC is great because of all those popups is ridiculous. The idea that users should enjoy those popups and actually be thankful of them is ignorant in the extreme. Microsoft has never made a worse UI decision in their entire history.

      You can claim the users are 'infinitely stupid' if you want, but from where I sit, the only stupid person is you.

    6. Re:Good thing it's a beta by salesgeek · · Score: 2, Interesting

      No. People piled on Microsoft because UAC was a nuisance and did little to improve security because even experienced users became conditioned to click on continue whenever they heard "bing".

      It was the world's largest exercise in Pavlovian conditioning. The Unix sudo model tends to work much better, and there are far fewer points where root access is required to get a particular task done.

      --
      -- $G
    7. Re:Good thing it's a beta by MadAhab · · Score: 2, Insightful

      Wow, I had better throw away my BSD and Linux boxes then. They have suid programs that run code with admin privileges without user confirmation!

      --
      Expanding a vast wasteland since 1996.
    8. Re:Good thing it's a beta by goombah99 · · Score: 2, Insightful

      * OS X has a pretty big hole: any admin user account can write to the Applications directory willy-nilly. Just like with Windows, people tend to use admin accounts for day-to-day work. From a high-level perspective, Vista does more things right than OS X does

      It's true admin users can write to the app folder and even some worse stuff. Which is why people should not run as admin users all the time.

      The difference in my experience is that running as a non-admin user on a Mac is pleasant. If you have both an admin and non-admin account then life is good when you run as non-admin. Anytime you need privileges it asks you for the admin user id and password. It's not disruptive.

      I have not tried Win 7 so I don't know if things have gotten better, but it used to be that on Windows doing simple things (like changing the clock time) often required admin access. Worse, many install applications would simply go belly up and die unless you were running as admin.

      In other words, being non-admin was the exception to the rule on Windows, to the point where it was painful to even try.

      Now *nix folks have a bit of this problem as well. I've had many a makefile that would not run correctly unless you were root (and many of those fail on NFS because of root squashing!).

      On macs people tend to frequently run as admins by default not because they need to but because that's how an out of the box mac sets up the first account. The nice thing is that it's well worked out for the non-admin user.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    9. Re:Good thing it's a beta by drsmithy · · Score: 2, Insightful

      UNIX, Linux, BSD, and Apple got the security model right; Microsoft didn't. That's why in Windows, security and usability is a zero sum game. Had Microsoft gotten the security model right in the first place, UAC wouldn't be an issue.

      From a low-level perspective, the security model in Windows is far superior to classic UNIX.

      From a high-level perspective, the security model in Windows is the same.

      What's your problem, again ?

    10. Re:Good thing it's a beta by Darkness404 · · Score: 4, Insightful

      When I do day-to-day tasks on Linux, the only time I ever have to type in my password is when I am updating my software. On Windows I needed to use UAC for all kinds of daily things, some programs just *HAD* to be run as admin, certain non-critical settings HAD to be clicked through a UAC prompt. Oh, and the fact that all UAC did was annoy me. The entire OS stopped until you clicked OK, the dialogue didn't even say why you had to be an admin, nor did the program documentation; for most Linux programs a quick search in the man page would tell you why you need to be root, for Windows, nothing did.

      The fact that UAC pops up out of nowhere, doesn't give you any intelligent advice on whether you should click it or not, and basically if you don't, the program just fails, just conditions people to click OK to everything, everything from day-to-day programs to the latest worm or malware.

      --
      Taxation is legalized theft, no more, no less.
    11. Re:Good thing it's a beta by Stormwatch · · Score: 2, Insightful

      There are more eyeballs on Windows 7 than Linux, and more programmers working to fix the bugs the eyeballs find, because Windows is a multibillion dollar product.

      No, because the "eyeballs" law does not refer only to testers, but also developers.

      Microsoft has a legion of unpaid beta-testers, sure. But those people are not allowed to read the code. They can't fix stuff by themselves. To use a popular car metaphor: even those with mechanical skills can't fix the "Windows car" because the hood is welded shut. They can say: "it won't start if I turn the key and the radio at the same time", or something like that, but they can't really say why. The "Linux car" is the opposite: everyone so inclined can look under the hood and find just why something is not working right.

    12. Re:Good thing it's a beta by int69h · · Score: 2, Interesting

      The problem with the doors on my house is I have to unlock them whenever I want to enter my house after I come home from work. I just want to enter my house, I don't want to mess with door locks. Locks do not work for humans.

    13. Re:Good thing it's a beta by Simetrical · · Score: 2, Insightful

      On windows doing simple things (like changing the clock time) often required admin access.

      I never got why everyone always complains about this. Every multiuser operating system I know of requires you to be admin to set the system time:

      $ date 02071828
      date: cannot set date: Operation not permitted

      Using the Ubuntu GUI requires you to enter your password too. An unprivileged user with the right to set the system time arbitrarily could completely mess up the system, such as stopping critical system cron/at jobs from running or throwing log analyzers into a state of continuous bafflement. That's exactly what ordinary users are not supposed to be able to do.

      Besides, how often do you need to set the time? Most people's timezone doesn't change too often, and the rest should be handled by NTP.

      --
      MediaWiki developer, Total War Center sysadmin
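      The refusal Simetrical's `date` transcript shows is enforced by the kernel at the system-call level, not by the `date` tool or the GUI applet. As an added illustration (not code from the thread or from any poster), the probe below asks Linux to set the real-time clock and reports the result; a user without `CAP_SYS_TIME` gets `EPERM` whichever front end issued the call. It writes back the instant it just read, so a privileged run moves the clock by at most the few microseconds between the two calls. The function names `probe_set_system_time` and `is_privilege_result` are my own.

      ```c
      /* Added example: is this process allowed to set the system clock?
       * Linux gates clock_settime(CLOCK_REALTIME) behind CAP_SYS_TIME, so an
       * unprivileged user gets EPERM no matter which tool (date, a GUI
       * applet, this program) makes the request. */
      #ifndef _POSIX_C_SOURCE
      #define _POSIX_C_SOURCE 200809L
      #endif
      #include <errno.h>
      #include <stdio.h>
      #include <string.h>
      #include <time.h>
      #include <unistd.h>

      /* Returns 0 if the clock could be set, otherwise the errno of the call
       * that failed (EPERM for a caller without CAP_SYS_TIME). The value
       * written back is the one just read, so a successful run changes the
       * clock only by the latency between the two calls. */
      int probe_set_system_time(void)
      {
          struct timespec now;
          if (clock_gettime(CLOCK_REALTIME, &now) != 0)
              return errno;
          if (clock_settime(CLOCK_REALTIME, &now) != 0)
              return errno;
          return 0;
      }

      /* True when rc is one of the two outcomes the privilege check can give:
       * allowed, or refused on privilege grounds. Anything else means the
       * call failed for a reason unrelated to who the caller is. */
      int is_privilege_result(int rc)
      {
          return rc == 0 || rc == EPERM;
      }

      int main(void)
      {
          int rc = probe_set_system_time();
          if (rc == 0)
              printf("uid %u may set the system clock\n", (unsigned)getuid());
          else
              printf("uid %u may not set the system clock: %s\n",
                     (unsigned)getuid(), strerror(rc));
          return 0;
      }
      ```

      Run as an ordinary user it prints the EPERM line; inside a default Docker container it does so even for root, because the container's capability set omits CAP_SYS_TIME. That is the same separation the post argues for: the ability to move the clock is a distinct privilege, not something any interactive user gets for free.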
  5. Just rip off the band-aid by dgr73 · · Score: 4, Interesting

    I had my try with UAC and came to the conclusion that it's just a lose/lose situation for Microsoft.

    Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.

    Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides.

    The only upside is that they insulate themselves legally by having the user do the "not recommended" thing whenever they use the OS. Then again, they've never been much to accept responsibility for security problems anyways, it's kind of a moot point.

    1. Re:Just rip off the band-aid by Shados · · Score: 5, Insightful

      It's not a band-aid, since it's basically a copy of what every other OS does and is considered critical: run as a least privileged user and elevate only when necessary. The only real differences are:

      1. If you have an account that's not administrator, but is part of the administrator group, you still need to elevate.
      2. It's awkward and sometimes not possible to elevate an Explorer window or the control panel (so you would only need to elevate once for multiple operations).
      3. You need to elevate an installer even if you only want to install a program for yourself, not computer-wide.

      If those 3 main things were fixed, it wouldn't be much different from sudo, and even has some advantages over it. But people spoiled by running constantly as administrator, or worse, being so arrogant that they think UAC is just "for noobs", would still disable it.

    2. Re:Just rip off the band-aid by similar_name · · Score: 4, Insightful

      But people spoiled by running constantly as administrator

      I don't know if users are more spoiled or programmers are. Most users don't know the difference until a program requests it. I find it interesting that you can install Mozilla as a user into a user folder but then you can't install Adobe Flash for it unless you're an Admin.

  6. Mend it or end it? by Igarden2 · · Score: 3, Insightful

    Let's see, how long did it take for M$ to realize many users weren't thrilled with IE and its so-called security? I'm betting UAC is here to stay for a loooooong time. They will just keep trying to patch it and in the process further irritate users.

    --
    Normally I ascribe all life to intelligent design, but in your case I'll make an exception.
  7. I don't understand the fuss over UAC by rjmx · · Score: 5, Insightful

    First, let me say where I'm coming from. I've been using Linux for over twelve years; I have two full-time Linux servers at home, and a desktop and a laptop that both dual-boot Linux and Vista. I have an XP box and a Linux box at work, where I'm a Linux/Windows sysadmin and programmer, and I do most of my serious stuff there on the Linux box. At home, I stay in Linux most of the time, and I just boot into Vista when I want to run iTunes, or a game, or something else that only runs on Windows.

    That said, I actually like Vista. As I see it, its main problem is that it needs a fairly hefty machine to run it. If you're trying to run it with less than 1G of memory, or a not-very-fast processor, forget it. It certainly works for me.

    And I don't mind UAC at all. When it comes up, it's usually trying to tell me that I'm about to do something that may have serious consequences, and that I need to think about what I want Vista to do before I press OK. It just takes a moment, really.

    So why is everybody complaining about it? Have I missed something?

    1. Re:I don't understand the fuss over UAC by Sycraft-fu · · Score: 5, Insightful

      People are bitching because they want to, as the saying goes, have their cake and eat it too. They want their OS to keep them safe. When something bad could happen, they want the OS to jump in and say "Hey there, this could have serious consequences, you sure?" However, they don't want to be bothered to think. They want this all automatic. They want the OS to magically know if things are bad, and thus only bother them in that case. They want security, but without any responsibility.

      Also some bitch because it is Microsoft. There are more than a couple MS haters out there that will hate on any and every thing MS does. If someone else does it, it is good, if MS does it, it's bad.

      So there isn't going to be any shutting up either group, unfortunately. You can't have magic security that keeps you safe, but never asks you questions. Personally, I was hoping MS would stick to the real security route: Have UAC a true privilege separation, with no exceptions. Yes this means you have to click a button when you want to do something as admin. Deal with it, it isn't as though it is that often in normal use, and it isn't as though it's a big deal. However, they are apparently caving in and making it less frequent by making things that don't have to obey the rules. Well guess what? When something can go around the rules, something else can use that hole to sneak through.

      It would be like having a security checkpoint for weapons. Everyone gets scanned and searched. However you decide "Well, little old ladies aren't a threat, they wouldn't bring a weapon, so let's not inconvenience them, we'll let them go through." Then someone uses a little old lady to sneak a gun in. Maybe it is even done without said lady's knowledge. They are able to circumvent your system because of your exception.

  8. No Script Bragging -- please stop by blahbooboo · · Score: 4, Insightful

    It has great documentation and with NoScript I feel safe everywhere on the Internets.

    You "no script" people are so funny with your need to Slashdot brag about using the internet without scripts. Yes, we get it, you're so amazing! The internet without scripts, wow that's so neat!

    1. Re:No Script Bragging -- please stop by meist3r · · Score: 4, Insightful

      The internet without scripts, wow that's so neat!

      You're doing it wrong. It's not about "No"Script it's about "Only those that are actually useful for the experience" Script but that would make a terrible extension name.

    2. Re:No Script Bragging -- please stop by mysticgoat · · Score: 5, Informative

      You don't know anything of what you speak.

      No Script is about MY having the choice of whether to run an arbitrary program on MY computer. I set up the whitelist, and I decide whether to make an exception.

      My ruff & reddy rules of usage:

      1. On first visit to any trustworthy site, add all its javascript sources that I also think are trustworthy to my white list. A one-time overhead of maybe 3 seconds.
      2. When following a /. lead to a site that I don't know anything about, assess whether any useful content is being hidden by a NoScript block
        • If so, unblock the bolded item in NoScript's list of javascript sources being used on the page. If the page smells worthy of it, I'll add this source to the whitelist, otherwise I'll do the unblock as a one-time thing. Reassess whether useful content is still being hidden, and if so repeat until good.
        • Else, leave all script sources blocked since I can get what I came for without them, and I'm unlikely to come back.
      3. When mucking about in the web's darker corners, do as above, except never permanently add a javascript source to the whitelist. Do it all as one-time only.

      Web pages that are using scripts from three different sources are not uncommon any more. Web pages that are using scripts from 5 or 6 sources are not rare. There are web pages that are using sources that in turn draw on other sources. When running NoScript, I decide not only whether I trust the developer of this web page, but whether I trust his judgment about the scripts that he is importing from elsewhere. I decide how wide I will let the circle of trust get.

      It's really a no-brainer. If you recognize the possibility that you might do something of value with the computer you are using, then use NoScript or something like that as a low cost method of protecting that potential. Otherwise, I would appreciate it if you would disconnect your virus infected, zombied machine from the internet, because your negligence is diminishing the common good.

    3. Re:No Script Bragging -- please stop by jawtheshark · · Score: 5, Insightful

      NOscript is like wearing a condom when you're married..no real point

      Contraception is quite a nice side effect of condoms, even when married.... Some women don't support the pill well.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    4. Re:No Script Bragging -- please stop by Anonymous Coward · · Score: 5, Informative

      No Script is about MY having the choice of whether to run an arbitrary program on MY computer.

      Yeah, an "arbitrary program" that is already sandboxed by the browser anyway. The worst it could do is use up some system resources [...]. Those people need to learn to chill and trust their browser sandbox.

      [ ] You know that most security holes needing little to no user interaction require JavaScript to function properly.
      [ ] You know that NoScript can also block other techniques (Flash, Java) that are posing security risks.

      No?

    5. Re:No Script Bragging -- please stop by Lennie · · Score: 2, Insightful

      It's not uncommon for people to get an STD because their spouse sleeps around.

      --
      New things are always on the horizon
    6. Re:No Script Bragging -- please stop by tkinnun0 · · Score: 3, Insightful

      You know that most security holes needing little to no user interaction require JavaScript to function properly.

      Yes, and even more security holes need HTTP to function properly. I hear you can surf the web using daemons and email; I'd rather use Firefox.

  9. The problem by Sycraft-fu · · Score: 5, Insightful

    Is that whiny users want something that magically protects them, but doesn't bother them. That's a nice idea and all, but you can't have that. You can't have it both ways with something like this: Either it is a real separation of privileges like it is in Vista, or there's going to be holes.

    Well, they gave people the real security that they'd been crying about with Vista. When UAC is on it is a no bullshit, you have to escalate to do things as admin. There aren't exceptions or the like, you escalate when you need admin. This does mean it asks in a lot of situations. Well, there's no avoiding that. Like I said, no exceptions. It is also very granular. It isn't one of these "Oh just click it once and we'll escalate everything for the next few minutes," things. That again would be insecure. No, it is per item. That thing and that thing only gets the elevated privilege.

    But people whined and bitched, including many of the same people who whined and bitched in the first place, so now they are backing off. Well, as part of that, you open up some potential holes. Sorry, but that's just life. If there are exceptions to the rules, then something can make use of those exceptions.

    You can't have a system that magically knows what the bad apps are, and only asks permission on those, well at least you can't without some sort of draconian trusted computing BS. That's what users want, but they can't have it, it isn't possible. Thus you've got three choices:

    1) Allow everything for administrators. Assume the admin knows what they are doing, and let them do whatever they want. Don't ask for permission for any action. This is the Windows XP method. It's very convenient, but also means that you'd better be careful.

    2) Have truly separate permissions, and require escalation. Everything has to go through the procedure, no exceptions. This is the Vista method. Means you get asked a lot (though personally I don't find it bad at all) but it is secure. Nothing gets to slide through because there aren't special cases.

    3) Have separate permissions, but allow exceptions to make things easier. Ask only in certain situations, or only so often. Just let everything else go by. This is the Windows 7 method (and also several variants of Linux I've seen). Fairly convenient, and more secure than #1, but only superficially so. Because there are exceptions, there are back doors for things to sneak through.

    So really, users have to come to terms with what they really want. The "I want it to protect me from bad things, but not bother me," doesn't work. That is akin to saying "I want security to make sure nobody sneaks a weapon on a plane but I don't want to go through a security checkpoint." No, sorry, doesn't work that way. If it is really going to work, then it has to be consistently applied to everyone or everything.

  10. UAC was an interesting experiment by Eric+Desrosiers · · Score: 2, Interesting

    Microsoft went an interesting way with UAC and security in Vista. If you are running as a normal user, then if you attempt to do an operation that requires elevated privileges, you get prompted for an admin user id and password. Which is what you want.

    Where it goes weird is if you are running as administrator then it prompts you with the allow or deny box. This is silly for power users, but for people who only used the older versions of windows and don't know much about the other user rights model in other OSes, then at least it does provide some information that some software is trying to do something significant.

    I always thought the point of UAC was to push people to run as a normal user for their day to day operations. However, I don't believe Microsoft attempted to do even a little bit of education and the UAC prompt itself is not very informative.

    However, I don't think Microsoft should be blasted for UAC: They tried something new and interesting to attempt to make their OS more secure.

    As for the story, as long as the behavior when running as a normal user is not affected, then I don't really think it matters.

  11. Mend it or end it. by ciderVisor · · Score: 3, Funny

    "Ending is better than mending. The more stitches, the less riches; the more stitches ..."

    --
    Squirrel!
  12. Human error by mc1138 · · Score: 2, Insightful

    Microsoft's problem is that they tried to fix human stupidity with a technical solution. The problem with UAC is that people would either just click OK without reading, or turn it off entirely. Then they complain that Windows was insecure. What Microsoft failed to really come to terms with is that there are a lot of dumb users out there that will circumvent everything, go to all the nasty porn sites they can, and get viruses that they will then blame on something other than their own user error.

  13. The end of the empire? by Trip6 · · Score: 2, Insightful

    I'm mostly an office user and switched to Mac - there's no way I'll run Vista or, at this point, W7 (which looks like a Vista retread). I'm not at all alone. How fast will MS OS share decline if W7 doesn't stop the bleeding?

    --
    I hate being bipolar; it's awesome!
  14. It's all a workaround by AnalPerfume · · Score: 2, Insightful

    Windows was designed as a single user system with the user sitting at the box. As soon as you connect it to other boxes via a network it's dead. All of Microsoft's plans for Windows security are based around trying to get a level of multi-user protection into a system not designed for it. They are desperately trying to apply a band aid to a broken leg with solutions like UAC; some of the damage may be limited but it's not a great solution and will never be, no matter how much they work on it.

    The only solution is to scrap Windows altogether and build a new multi-user OS from scratch.....or do what Apple did; take the BSD kernel, add a few bells and whistles with a fancy skin and pretend they invented it. The two areas they have a problem with if they go that route are that they are hemorrhaging money on the products they do have on the market, since more and more people are deciding that they don't want what Microsoft are offering them, and that they have the world convinced that the Microsoft way is king, that any change is bad because it's confusing and means relearning.....which would be an issue if they replaced Windows with another OS.

    Companies only put work into a product if that somehow feeds results back into the profits. Like any company, they want to do as little for the most gain. Constantly tinkering with the security applications is much easier and cheaper than a complete rewrite. It also helps when you have a software sector which relies solely on your incompetence. The anti-malware companies wouldn't exist if you did your job right; they also have to compete with each other as to who can cover your ass the best, which also lets you cut back on spending money to really make it secure.

    As the internet evolves, as people find new ways to use and abuse it, Windows gets more and more obsolete. The more FOSS improves, evolves and continues to offer users flexibility, freedom, security and stability, Windows gets more and more obsolete. It's only a matter of when, not if it becomes a minority player.

    1. Re:It's all a workaround by ettlz · · Score: 2, Funny

      The only solution is to scrap Windows altogether and build a new multi-user OS from scratch....

      And what might they call this... this New Technology?

      OWAIT

    2. Re:It's all a workaround by drsmithy · · Score: 2, Insightful

      That depends on how you define "multi user".

      Indeed. If you define it the same way as computer scientists and OS developers, then Windows NT is multiuser.

      If you define it like an anti-Windows troll, then it isn't.

      A multiuser OS is one that can run processes in different user contexts. Everything above that is userspace gravy. An OS doesn't even need to be capable of supporting interactive logins *at all* to qualify as multiuser.

      If you mean it can have multiple user accounts but only one can be logged on at any one time on the same box then it is. This is what Microsoft define as "multi user".

      No, they don't.

      In the non-Windows world "multi user" means that multiple users can be logged on at the same time; Windows has never been able to do this. This is vintage Microsoft problem solving at work; just redefine the terms rather than fixing the real problem.

      Firstly, NT has always been able to handle, say, multiple users telnetted in - if you want to use that definition of "logged in". If you want to use another definition, "Run As" has always existed and when you "Run As" a program as another user, that user account is logged in. If you want to use the "GUI login" definition, then multiple GUI logins have been around since NT 4.0.

      Secondly, by your wrong definition, the only thing you need to turn a single user OS into a multiuser OS is a telnet server (or something similar). Do you seriously want to try and argue that Windows 95 running a telnet server is a multiuser OS ?

      Thirdly, by your wrong definition, running Linux on embedded hardware that has no ability to facilitate interactive logins, makes it a single user OS. Do you really want to argue that when you can't login to it, Linux is a single user OS ?

      This means that even if you do try to modify your Windows box to something resembling a more secure *nix like model, every app will be fighting you on it, demanding admin rights for the simplest, most menial things.

      Actually it's nowhere near that bad. I've been running Windows NT as a regular user since early 1996, and even back then it was unusual to find something "Run As" (or some judicious filesystem permissions mangling) couldn't make work.

      UAC is an attempt to glue in a kinda *nix sudo function which is long overdue, but it's never going to work that well.

      UAC is basically an attempt to put a prettier and more automated face on "Run As". The underlying technology to facilitate it has been there since the first version of NT, back in 1992.

      This is the reason why *nix boxes would never have the same malware problem if they had Windows market share.

      Yes, they would (especially if they'd had that marketshare through the same time period - do you have any idea how common UNIX exploits were in the 90s ?). User privilege separation is almost completely irrelevant to malware. A piece of malware can do basically anything it needs to from a regular user account.

  15. Full Featured Windows API by Sponge+Bath · · Score: 3, Funny

    ...APIs such as WriteProcessMemory and CreateRemoteThread.

    At first glance I was wondering why Microsoft would supply an API function CreateRemoteThreat().
    Even for Windows, that would be a little out there.

  16. The first thing I will do after getting Win 7... by sam0737 · · Score: 3, Interesting

    ...is to re-configure the UAC to make it as strict as Vista.

    Hell, UAC is good. It's better than sudo. With sudo I will be tempted to use "sudo -s".

    The most common scenario to meet an UAC dialog for me is when installing new apps or drivers. Other than that, you shouldn't really see an UAC dialog...
    Most of the apps I came across have adopted to require no admin privileges. After all, it's the app's fault to require UAC in the first place for those that don't really need admin privileges.

    BTW, I think in Win 7, AFAIK all Microsoft signed EXE are exempted for UAC prompt by default. There isn't a whitelist but simply all MS signed binaries are exempted.

  17. OSX UAC by goombah99 · · Score: 2, Insightful

    OSX has both the unix permissions and something like the UAC.

    I find the UAC so mind boggling I don't use it. Some applications seem to respect it and some don't. e.g. if you can't do something in a Finder window, sometimes you can do it in a terminal window. I have not figured out what the pattern is or if the UAC are there to allow actual secure protection or just guard railings to keep the riff raff from doing stupid things.

    I suspect the Windows folks would say the UAC is just guard railings not actual security.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:OSX UAC by e4g4 · · Score: 4, Informative

      As best I can tell from what this guy is saying, there are some places (like, for example, deleting a file in the /System or /Library directory) where the Finder would prompt you for a password. As OS X matures, there are still some times where the Finder simply doesn't do it right - and simply refuses permission, when it should prompt you for permission. This happens less frequently in Leopard than it did in Tiger. There is nothing separate from the POSIX permissions in OS X, there is nothing like UAC that can be turned on and off. If you have permissions, you can do something, if you don't, you can't, or you are prompted for a password (the gui equivalent of 'sudo').

      --
      The secret to creativity is knowing how to hide your sources. - Albert Einstein
    2. Re:OSX UAC by blueg3 · · Score: 2, Informative

      Actually, what it has is essentially like sudo but with a graphical authentication system. (The authentication controls allow a fairly large amount of flexibility, but one of its major purposes is a gateway to setuid.)

      If you've ever written these sorts of programs, it's not "mind-boggling" at all. The Terminal will let you sudo-run any command you want; of course you can do it through the Terminal. They haven't covered in the Finder every possible situation you might need privilege escalation -- they have to call the authentication and escalation themselves.

    3. Re:OSX UAC by that+this+is+not+und · · Score: 2, Funny

      Maybe he's talking about MacOS 7.5.3 and the command prompt you can get in classic MacOS if you install Gnu Emacs and do a ' X shell' to get the command prompt.

      (yes- a command prompt reachable on MacOS 7)

      I have a mind that flips to the opposite automatically. I hear 'finder' and automatically think 'loser' for some reason....

    4. Re:OSX UAC by spitzak · · Score: 2, Interesting

      It does appear that an "administrator" has the file system privileges to modify the /Applications directory, and thus commands typed at the shell will work (so will the system calls to mess with those files so any program can mess it up, but running programs in /bin from the shell is the easiest way to do it).

      For some reason they decided to instead have the Finder do a "is this guy Administrator?" test before doing things that the Finder decided were illegal.

      I agree this sounds stupid. The user should not be able to do these things without sudo! And the Finder should simply get those permission-denied errors from the system and use them to decide if sudo is needed, rather than having to keep its own model of how system permissions are laid out.

      Almost certainly they did this so that applications could be installed/removed, but it does seem like there are better ways. Perhaps if you tried to drag an application to /Applications, the Finder could not do it, but it could recognize the attempt and run a setuid program that refuses to allow overwrite but will add the file.

  18. Yes... but... by TerranFury · · Score: 5, Insightful

    I agree in spirit, but the implementation is bad.

    I once tried to write a "sudo for Cygwin" that would bring up the UAC confirmation box and run a program with associated elevated permissions in Vista. (Other people have written programs that they call "sudo for Vista," but none of them do what I want. In particular, they don't run programs in the same console.) In the process of poking through the security APIs, I learned a little about what a mess UAC is under the hood.

    Windows NT/XP has a perfectly good security model, if only people would use it. In some ways it's more sophisticated than Linux's: For instance, file permissions are more fine-grained on NT. The problem really hasn't been with XP/NT; it's been "social:" it was the culture of software development on Windows to too often require, unnecessarily, that users have administrative rights.

    Microsoft's solution in Vista was to restrict the rights of administrators and add GUI confirmation boxes. This was the wrong solution, I think. In my (admittedly armchair-quarterback's) judgment, the right one would have been to,

    1 - Keep traditional XP-style administrator and user accounts, with roughly the same privileges as they'd always had.

    2 - Require OEMs to ship computers with user, rather than admin accounts, enabled. Randomly-generated default admin passwords should be written on a sticker on the front of the PC's case.

    3 - Add a "sudo" mechanism, perhaps with the following modifications from 'nix sudo to make it easier for novices:

    ... a - The sudo prompt pops up automatically when a program attempts to do certain classes of things for which it does not have privileges. This differs from Linux, in which a program will simply fail with an "Insufficient permissions" error; this would be pretty opaque to novice users I think.

    ... b - "sudo" could be configured (and perhaps should be by default) so that it is sufficient to click a "confirm" button in lieu of typing in a password.

    This is almost what UAC is. But the devil is in the details. What Microsoft actually did was make "Administrator" accounts into something more like "user" accounts, and add a level of privilege yet higher than administrator. But it feels tacked-on, and not really "at home" in the NT security model, which in fact provides plenty of control on its own over what rights different users and groups have, if only it were used correctly.

    In other words, Microsoft shouldn't have restricted Admin accounts in this poorly-documented way; it should have instead added a sudo mechanism to make it more feasible to run as a User, and kept the nicely-documented and well-designed security model that NT has always had but people have simply never used.

  19. Summary of the stupidity by v1 · · Score: 4, Insightful

    In the original Vista release, this activity would cause an annoying back-to-back double elevation: once to create the folder, and again to rename it to its intended name. Service Pack 1 streamlined this a little, reducing it to only a single elevation, but Microsoft clearly wanted to get this down to zero.

    NO! Bad monkey, no cookie! There is NO reason to allow ANYTHING to write to my /Program Files (or /Applications if you prefer) folder without my permission. None. Zero. I want a prompt. Yes, just one, but I want a prompt!

    And that passes right into the hands of an almost unbelievable standard method in windows:

    Unfortunately, the "Microsoft-signed application" restriction is easily bypassed using a standard Windows trick that allows one process to insert code into a second process, as long as both processes are being run by the same user. The limitations of the file management component are probably unavoidable (it can only do the things it has been programmed to do, after all), but it turns out it doesn't really matter. The file management component can place files into various locations on the system that an unelevated user cannot; an auto-elevate program can then be tricked into loading those files and executing code from them.

    The result is, just as with the rundll32 problem, silent and automatic elevation, able to do anything.

    WHY ON EARTH would you arbitrarily allow any random program a user is running to pass commands to a signed application that by its signature can walk right through locked doors?? I'll admit there probably are instances where you would like to pass commands (requests) to another app to handle something, but then you either (1) have to severely restrict the scope of the requests it will process, or (2) don't sign it to give it rights to do whatever it pleases. This is like a mall security guard being given the keys to the maintenance halls, and the guard letting any joe public in that asks him. Either give him some common sense or take away his keys. A filemanager that has the power to do anything you ask it to, and will do so blindly and willingly, is just a jaw-dropper.

    Sometimes the scope of Windows security stupidity astounds me. And yet they consistently keep finding ways to top themselves.

    --
    I work for the Department of Redundancy Department.
  20. Another way to mess with UAC by Myria · · Score: 2, Interesting

    Before Vista came out, during its beta phase, I already thought of a way to get around UAC using a form of social engineering. First, two background facts:

    1. When you run a signed program as Administrator, the UAC dialog box you get is colored differently, such that it looks more legitimate.

    2. Explorer runs as an unprivileged account, and as such can be injected into (same as TFA).

    The idea is rather simple. Have your malware inject into Explorer and wait. When the user finally does something that requires elevation, intercept the request.

    Instead of running the application the user intended, elevate a Microsoft program that can easily be told to run another program; simple examples are cmd.exe and rundll32.exe. The UAC dialog box will come up, as the user expected. The program name will say "Windows Command Processor" instead of whatever Control Panel feature the user was actually trying to use.

    But how many non-expert users know the difference? They were expecting to have to elevate and will click Yes. "Windows Command Processor" sounds legitimate enough.

    After your malware takes control, run the original program the user wanted to run, keeping the illusion that everything is normal.

    By the way, Administrator access is overrated. You can be a botnet node, steal bank account passwords, and steal WoW passwords all without needing to ever access the Administrator account in Windows. Those passwords are the items of real value now, and they're in unprivileged processes within the reach of unprivileged malware.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:Another way to mess with UAC by mysidia · · Score: 2, Interesting

      The authentication process to run a debugger should be different.

      When a user logs in, they should be unable to run debuggers, they should have to perform another authentication, before they can do things like that.

      If they're SSH'd in or in a text-based terminal, they have to run a command like 'sudebug gdb' which authenticates much like 'su' does, and runs the 'gdb' process with ptrace bits enabled.

      Also, 90% of the population aren't computer programmers. Debugging should simply be disabled, by default, and require installation of additional userland tools and root/Administrator privileges to ENABLE the capability (not necessarily Administrator privileges to exercise the capability once it's enabled on a system).

      Keeping it off by default is enough to reduce the incentive of malware developers to attempt to use the debugging facilities, since they will normally be worthless.

  21. Why security sucks in Windows by 140Mandak262Jamuna · · Score: 4, Insightful
    The main problem is that most app developers in the Windows world hard wire stuff and assume the users will have admin privileges. On the unix side, because it was used in a multi user env from the get go, and it was a real pain to get the sysadmin to install something for you, most unix apps are designed to run without admin privileges. If a unix app asks for extra privilege it immediately sets off alarm bells and people ask "why do you need root access?" and the app developer has to convince the user that the process really needs root privilege. It is easier for the app developer to work around the problem by not requiring root privilege. And the system has been poked and probed for years on college campuses and almost all the privilege escalation holes have been found and patched.

    On the Windows side, people rarely ask the question "Why do you need admin privilege?" Till the app developers learn to write code that lives comfortably in user space with user privilege, you will have problems.

    The problem is not users blindly clicking UAC dialogs or that MS's auto privilege elevation is not perfect. The problem is users not asking the question, "why the hell do you want to be root?".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  22. What Microsoft should do by TheLink · · Score: 3, Interesting

    They should be doing this:

    https://bugs.launchpad.net/ubuntu/+bug/156693

    http://slashdot.org/comments.pl?sid=1152645&cid=27105713

    Summary:
    UAC is like getting users to solve the "halting problem", e.g. figure out whether the program will halt or not (aka screw up your PC or not) without having the program's source code, or knowing all the inputs. Google the "halting problem" to see how hard it is.

    My suggestion is analogous to:

    Program: "Hi, I'm a flash demo, I want 30 seconds of real time"
    User: "Sounds reasonable. OK."

    The O/S then runs the program, and if the program is still running 30 seconds later, the O/S kills it.
    So no need to figure out whether it will halt or not. The program will halt - the O/S ensures it.

    If the program says "Hi, I'm a flash demo, I want infinite time", it should be far easier to train the user to go: "No" or "Too bad, you only get two minutes to do your stuff, that's all I'm willing to give you".

    AFAIK, Microsoft has lots of very very smart people working for them. I'm sure they have already figured out something far better than my idea, after spending 6 billion dollars and thousands of man-years on Vista.

    So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).

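    The time-budget idea in the post above, as an added example that is not part of the comment, of Ubuntu, or of any Microsoft code: a small Python launcher that grants a program the run time it asks for and kills it when the budget expires, so the user never has to decide whether the program will halt. The two sample programs are constructed stand-ins for the "flash demo"; the negotiate_budget cap (the "you only get two minutes" answer to an infinite request) is an assumption about policy, not anything the post specifies.

```python
import math
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunResult:
    killed: bool                 # True if the watchdog had to terminate the program
    returncode: Optional[int]    # exit status when the program halted on its own
    budget_seconds: float        # the budget that was actually enforced


def negotiate_budget(requested: float, cap_seconds: float) -> Optional[float]:
    """Decide how much time a program gets (assumed policy, not from the post).

    A negative or NaN request is refused (None).  An infinite request is not
    refused outright; it is cut down to the cap, the "too bad, you only get
    two minutes" answer.  Anything else is granted up to the cap.
    """
    if math.isnan(requested) or requested <= 0:
        return None
    return min(requested, cap_seconds)


def run_with_budget(argv: List[str], budget_seconds: float) -> RunResult:
    """Run argv and enforce the budget: the program halts whether it means to or not.

    subprocess.run raises TimeoutExpired after killing the child, so a
    program that never returns is still guaranteed to stop.
    """
    if not math.isfinite(budget_seconds) or budget_seconds <= 0:
        raise ValueError("an unbounded budget defeats the point; negotiate one first")
    try:
        completed = subprocess.run(
            argv,
            timeout=budget_seconds,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        return RunResult(killed=True, returncode=None, budget_seconds=budget_seconds)
    return RunResult(killed=False, returncode=completed.returncode,
                     budget_seconds=budget_seconds)


def demo() -> tuple:
    """Constructed stand-ins for the "flash demo": one halts promptly, one never does."""
    cap = 120.0  # assumed: the most the user is willing to grant anyone
    quick_budget = negotiate_budget(30.0, cap)            # "30 seconds" -> 30.0
    runaway_budget = negotiate_budget(float("inf"), cap)  # "infinite" -> cut to 120.0
    quick = run_with_budget([sys.executable, "-c", "print('done')"], quick_budget)
    # Use a 1-second budget for the runaway program so the demo finishes quickly;
    # the point is that the OS, not the program, decides when it stops.
    runaway = run_with_budget([sys.executable, "-c", "while True: pass"], 1.0)
    return quick, runaway, quick_budget, runaway_budget


if __name__ == "__main__":
    q, r, qb, rb = demo()
    print(f"quick program: killed={q.killed} rc={q.returncode} budget={qb}")
    print(f"runaway program: killed={r.killed} rc={r.returncode} (granted {rb}s, ran 1s)")
```

    The watchdog is the operating system's process timeout, not anything inside the untrusted program, which is what makes the guarantee hold for code the user cannot inspect.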
    1. Re:What Microsoft should do by Blakey+Rat · · Score: 4, Insightful

      It looks like you're suggesting sandboxing applications, like Vista and Windows 7 already do with IE. The problem is that sandboxed applications are terrible for backwards-compatibility, there are hundreds or thousands of applications that expect to be able to do things outside their "sandbox." It's potentially possible for Microsoft to create custom sandbox parameters for every piece of software on Windows, but again, that's not a realistic solution.

      And anybody who's used the sandboxed IE will tell you that the user experience suffers. Even simple tasks like dragging an image file from a webpage to the desktop require you to give permission for IE to break outside the sandbox. Imagine how hard it would be to drag an image from one sandboxed application to another, and that's a basic task that millions of people do every day.

      (I'm assuming your time-based solution is just an example, since 99.99% of applications on Windows are interactive and a time limit would make no sense.)

      So UAC is either institutional incompetence, or malice (they just want to shift blame to the users, or they don't actually want increased security).

      Yes, it's impossible that the problem is more complex than you've thought about. It must just mean incompetency, eh? Or maybe a paranoid conspiracy!!! (This is why I hate having these discussions on Slashdot.)

      Yes, Microsoft has smart people. But this is a HUGE problem, probably a uniquely huge problem in the industry. It's not like "smartness" is some superpower that instantly solves the problem, it takes years of work, research, etc.