Slashdot Mirror


UAC Whitelist Hole In Windows 7

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"

15 of 496 comments

  1. If it was easy-- by Geoffrey.landis · Score: 5, Insightful

    Hey, if security was easy, everybody would do it.

    --
    http://www.geoffreylandis.com
    1. Re:If it was easy-- by schon · Score: 5, Insightful

      It sounds like what you're saying is that UAC is only useful for people who know what they're doing. You are savvy enough to recognize when it's protecting you from mistakes, but the average user won't.

      UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

      My first car was made by Isuzu. Like many (all?) imports, in order to lock the door from the outside of the car, you had to hold the handle up as you closed the door. I asked why this was, and was told that it was a mechanism to prevent you from locking your keys in the car. You couldn't just carelessly close the door, you had to actively hold the handle up.

      One hot summer day, I got out of the car, took off my coat, and put it inside. Out of habit (because I needed to do it every time) I held the handle up as I closed the door. A few minutes later I realized that the keys were in my coat pocket. And the door was locked.

      The designers of this car thought they were making it harder to lock your keys in the car, but in reality they were simply training people to hold the handle up when they closed the door.

      UAC reminds me of the exact same thinking. It doesn't really prevent you from making mistakes, it just conditions you to click "OK".

    2. Re:If it was easy-- by funkatron · Score: 5, Funny

      So what should Microsoft be doing?

      The one thing that's always worked before. Design a new colour scheme and let the marketing department do the rest.

      --
      "Welcome to our world. We are the wasted youth. And we are the future too." Yes, I know these are stupid lyrics.
    3. Re:If it was easy-- by rantingkitten · Score: 5, Insightful

      If you ask that on Slashdot, you get either "switch to Linux hur hur" or "they should write a new OS from scratch and run NT in a VM." Neither of those is a realistic option.

      How are these not realistic options? If you had a car that simply broke down every couple of days for no discernible reason, "get a different car" is a perfectly valid and realistic option -- a hell of a lot more reasonable than "continue with the car you have and make mostly random, incremental repairs hoping it'll get better."

      To make things worse, when Microsoft makes UAC comprehensive (like in Vista) people whine that it's too annoying. When they make it looser (like in Windows 7) people whine that the protection on rundll isn't sufficient.

      That's because Windows security is fundamentally flawed from the ground up and bolting on garbage like UAC isn't the answer, nor was it ever. If Microsoft can't get their stuff together, using a different OS is a perfectly reasonable answer.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
  2. ..bungle, bungle.... by gadget+junkie · Score: 5, Insightful

    I still think that Microsoft will have a very hard time prying customers away from the fiercer of its competitors: WIN XP.

    In all the financial institutions I work with, or know, WIN XP is the validated standard, and as far as I know no one takes the XP "expiry date" seriously, so no plan B is in place.

    This is still in Microsoft's favour, since no one is actively pursuing things like ubuntu/open office or such, but it's anyone's guess how long this state of grace will go on; after all, many applications work in terminal emulation, which is an ancient technology by any standard; why use Vista or Windows 7 for that?

    --
    "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
  3. Re:Just rip off the band-aid by Shados · Score: 5, Insightful

    It's not a band-aid, since it's basically a copy of what every other OS does and is considered critical. Run as a least privileged user and elevate only when necessary. The only real differences are:

    If you have an account that's not administrator, but is part of the administrator group, you still need to elevate.
    It's awkward and sometimes not possible to elevate an explorer window or the control panel (so you would only need to elevate once for multiple operations)
    You need to elevate an installer even if you only want to install a program for yourself, not computer wide.

    If those 3 main things were fixed, it wouldn't be much different from sudo, and even has some advantages over it. But people spoiled by running constantly as administrator, or worse, being so arrogant that they think UAC is just "for noobs", would still disable it.

  4. I don't understand the fuss over UAC by rjmx · Score: 5, Insightful

    First, let me say where I'm coming from. I've been using Linux for over twelve years; I have two full-time Linux servers at home, and a desktop and a laptop that both dual-boot Linux and Vista. I have an XP box and a Linux box at work, where I'm a Linux/Windows sysadmin and programmer, and I do most of my serious stuff there on the Linux box. At home, I stay in Linux most of the time, and I just boot into Vista when I want to run iTunes, or a game, or something else that only runs on Windows.

    That said, I actually like Vista. As I see it, its main problem is that it needs a fairly hefty machine to run it. If you're trying to run it with less than 1G of memory, or a not-very-fast processor, forget it. It certainly works for me.

    And I don't mind UAC at all. When it comes up, it's usually trying to tell me that I'm about to do something that may have serious consequences, and that I need to think about what I want Vista to do before I press OK. It just takes a moment, really.

    So why is everybody complaining about it? Have I missed something?

    1. Re:I don't understand the fuss over UAC by Sycraft-fu · Score: 5, Insightful

      People are bitching because they want to, as the saying goes, have their cake and eat it too. They want their OS to keep them safe. When something bad could happen, they want the OS to jump in and say "Hey there, this could have serious consequences, you sure?" However, they don't want to be bothered to think. They want this all automatic. They want the OS to magically know if things are bad, and thus only bother them in that case. They want security, but without any responsibility.

      Also some bitch because it is Microsoft. There are more than a couple MS haters out there that will hate on any and every thing MS does. If someone else does it, it is good, if MS does it, it's bad.

      So there isn't going to be any shutting up either group, unfortunately. You can't have magic security that keeps you safe, but never asks you questions. Personally, I was hoping MS would stick to the real security route: Have UAC a true privilege separation, with no exceptions. Yes this means you have to click a button when you want to do something as admin. Deal with it, it isn't as though it is that often in normal use, and it isn't as though it's a big deal. However, they are apparently caving in and making it less frequent by making things that don't have to obey the rules. Well guess what? When something can go around the rules, something else can use that hole to sneak through.

      It would be like having a security checkpoint for weapons. Everyone gets scanned and searched. However you decide "Well little old ladies aren't a threat, they wouldn't bring a weapon, so let's not inconvenience them, we'll let them go through." Then someone uses a little old lady to sneak a gun in. Maybe it is even done without said lady's knowledge. They are able to circumvent your system because of your exception.

  5. The problem by Sycraft-fu · Score: 5, Insightful

    Is that whiny users want something that magically protects them, but doesn't bother them. That's a nice idea and all, but you can't have that. You can't have it both ways with something like this: Either it is a real separation of privileges like it is in Vista, or there's going to be holes.

    Well, they gave people the real security that they'd been crying about with Vista. When UAC is on it is a no bullshit, you have to escalate to do things as admin. There aren't exceptions or the like, you escalate when you need admin. This does mean it asks in a lot of situations. Well, there's no avoiding that. Like I said, no exceptions. It is also very granular. It isn't one of these "Oh just click it once and we'll escalate everything for the next few minutes," things. That again would be insecure. No, it is per item. That thing and that thing only gets the elevated privilege.

    But people whined and bitched, including many of the same people who whined and bitched in the first place, so now they are backing off. Well, as part of that, you open up some potential holes. Sorry, but that's just life. If there are exceptions to the rules, then something can make use of those exceptions.

    You can't have a system that magically knows what the bad apps are, and only asks permission on those, well at least you can't without some sort of draconian trusted computing BS. That's what users want, but they can't have it, it isn't possible. Thus you've got three choices:

    1) Allow everything for administrators. Assume the admin knows what they are doing, and let them do whatever they want. Don't ask for permission for any action. This is the Windows XP method. It's very convenient, but also means that you'd better be careful.

    2) Have truly separate permissions, and require escalation. Everything has to go through the procedure, no exceptions. This is the Vista method. Means you get asked a lot (though personally I don't find it bad at all) but it is secure. Nothing gets to slide through because there aren't special cases.

    3) Have separate permissions, but allow exceptions to make things easier. Ask only in certain situations, or only so often. Just let everything else go by. This is the Windows 7 method (and also several variants of Linux I've seen). Fairly convenient, and more secure than #1, but only superficially so. Because there are exceptions, there are back doors for things to sneak through.

    So really, users have to come to terms with what they really want. The "I want it to protect me from bad things, but not bother me," doesn't work. That is akin to saying "I want security to make sure nobody sneaks a weapon on a plane but I don't want to go through a security checkpoint." No, sorry, doesn't work that way. If it is really going to work, then it has to be consistently applied to everyone or everything.

  6. Re:Good thing it's a beta by rsmith-mac · Score: 5, Insightful

    Unfortunately it's not a bug, or even a design flaw. Microsoft's in the position of trying to placate as many customers as they can. They tried doing security the "correct" way with Vista, only for the loudmouths of the world to run around telling everyone else that Vista sucked because they kept getting "those damned prompts." Hell, Apple even got in on the action and made TV advertisements about it lambasting Microsoft for doing security right*. So Microsoft does something about it: they scale back the security and scale up the convenience.

    Now Peter makes a good point in the article that Microsoft should have stuck to their guns, and I agree with him. Users won't do the right thing unless it's also the easy thing, so now and then you're going to have to club them over the head and make them do the right thing anyhow. But if Microsoft isn't going to do this, then they're in effect (back to) designing an insecure OS, because that's what people want. At some point you have to trade some convenience for some security; it turns out most people (or at least the loudest of them) will trade away every bit of security for every bit of convenience they can get.

    This isn't something that's going to be fixed. It's a design choice. It's what the people - in all their infinite stupidity - want.

    * OS X has a pretty big hole: any admin user account can write to the Applications directory willy-nilly. Just like with Windows, people tend to use admin accounts for day-to-day work. From a high-level perspective, Vista does more things right than OS X does.

  7. Re:Good thing it's a beta by Anonymous Coward · Score: 5, Insightful

    The problem is that when the UAC box pops up 4 times for the same file copy, people will naturally start ignoring it / not paying attention to it / turning it off. They habitually start clicking yes to everything because clicking yes means they get to do what they want, whereas clicking no stops them from doing what they want.

    This doesn't mean users want to trade "all security for convenience". It means users, shock and horror, actually want to use their computers to do what they want to do. If Microsoft cannot find a better way than to shove multiple nag boxes in your face every time you try and do one little thing, then they should immediately give up, because they are lost.

    I remember a study done ages ago that said that most people don't even read the text in a message box. They choose the option that allows them to do what they want to do. Nobody wants to pick the option that prevents them from doing the action they initiated - why else would they have initiated it?

    So why even pay attention to the box at all? After you've seen 50 of them, they are completely ignored. Users are not in the wrong here. It is not stupid to want to use your computer for something you want to do without being annoyed to death by idiocy.

    Regardless of intent, UAC does not work for humans. The human mind actively circumvents it as noise, just as it does with thousands of other distractions we deal with every day. Since Vista is presumably being marketed exclusively to humans at this point, it must either fit with the way human minds work, or perish entirely.

    The idea that UAC is great because of all those popups is ridiculous. The idea that users should enjoy those popups and actually be thankful of them is ignorant in the extreme. Microsoft has never made a worse UI decision in their entire history.

    You can claim the users are 'infinitely stupid' if you want, but from where I sit, the only stupid person is you.

  8. Yes... but... by TerranFury · Score: 5, Insightful

    I agree in spirit, but the implementation is bad.

    I once tried to write a "sudo for Cygwin" that would bring up the UAC confirmation box and run a program with associated elevated permissions in Vista. (Other people have written programs that they call "sudo for Vista," but none of them do what I want. In particular, they don't run programs in the same console.) In the process of poking through the security APIs, I learned a little about what a mess UAC is under the hood.

    Windows NT/XP has a perfectly good security model, if only people would use it. In some ways it's more sophisticated than Linux's: For instance, file permissions are more fine-grained on NT. The problem really hasn't been with XP/NT; it's been "social:" it was the culture of software development on Windows to too often require, unnecessarily, that users have administrative rights.

    Microsoft's solution in Vista was to restrict the rights of administrators and add GUI confirmation boxes. This was the wrong solution, I think. In my (admittedly armchair-quarterback's) judgment, the right one would have been to:

    1 - Keep traditional XP-style administrator and user accounts, with roughly the same privileges as they'd always had.

    2 - Require OEMs to ship computers with user, rather than admin accounts, enabled. Randomly-generated default admin passwords should be written on a sticker on the front of the PC's case.

    3 - Add a "sudo" mechanism, perhaps with the following modifications from 'nix sudo to make it easier for novices:

      a - The sudo prompt pops up automatically when a program attempts to do certain classes of things for which it does not have privileges. This differs from Linux, in which a program will simply fail with an "Insufficient permissions" error; this would be pretty opaque to novice users I think.

      b - "sudo" could be configured (and perhaps should be by default) so that it is sufficient to click a "confirm" button in lieu of typing in a password.

    This is almost what UAC is. But the devil is in the details. What Microsoft actually did was make "Administrator" accounts into something more like "user" accounts, and add a level of privilege yet higher than administrator. But it feels tacked-on, and not really "at home" in the NT security model, which in fact provides plenty of control on its own over what rights different users and groups have, if only it were used correctly.

    In other words, Microsoft shouldn't have restricted Admin accounts in this poorly-documented way; it should have instead added a sudo mechanism to make it more feasible to run as a User, and kept the nicely-documented and well-designed security model that NT has always had but people have simply never used.

  9. Re:No Script Bragging -- please stop by mysticgoat · Score: 5, Informative

    You don't know anything of what you speak.

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer. I set up the whitelist, and I decide whether to make an exception.

    My ruff & reddy rules of usage:

    1. On first visit to any trustworthy site, add all its javascript sources that I also think are trustworthy to my white list. A one-time overhead of maybe 3 seconds.
    2. When following a /. lead to a site that I don't know anything about, assess whether any useful content is being hidden by a NoScript block.
      • If so, unblock the bolded item in NoScript's list of javascript sources being used on the page. If the page smells worthy of it, I'll add this source to the whitelist, otherwise I'll do the unblock as a one-time thing. Reassess whether useful content is still being hidden, and if so repeat until good.
      • Else, leave all script sources blocked since I can get what I came for without them, and I'm unlikely to come back.
    3. When mucking about in the web's darker corners, do as above, except never permanently add a javascript source to the whitelist. Do it all as one-time only.

    Web pages that are using scripts from three different sources are not uncommon any more. Web pages that are using scripts from 5 or 6 sources are not rare. There are web pages that are using sources that in turn draw on other sources. When running NoScript, I decide not only whether I trust the developer of this web page, but whether I trust his judgment about the scripts that he is importing from elsewhere. I decide how wide I will let the circle of trust get.

    It's really a no-brainer. If you recognize the possibility that you might do something of value with the computer you are using, then use NoScript or something like that as a low cost method of protecting that potential. Otherwise, I would appreciate it if you would disconnect your virus infected, zombied machine from the internet, because your negligence is diminishing the common good.

  10. Re:No Script Bragging -- please stop by jawtheshark · Score: 5, Insightful

    NoScript is like wearing a condom when you're married.. no real point

    Contraception is quite a nice side effect of condoms, even when married.... Some women don't support the pill well.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  11. Re:No Script Bragging -- please stop by Anonymous Coward · Score: 5, Informative

    No Script is about MY having the choice of whether to run an arbitrary program on MY computer.

    Yeah, an "arbitrary program" that is already sandboxed by the browser anyway. The worst it could do is use up some system resources [...]. Those people need to learn to chill and trust their browser sandbox.

    [ ] You know that most security holes needing little to no user interaction require JavaScript to function properly.
    [ ] You know that NoScript can also block other techniques (Flash, Java) that are posing security risks.

    No?