LG Split Screen Software Compromises System Security

jones_supa writes: The Korean electronics company LG ships a split screen tool with their ultra wide displays. It allows users to slice the Windows desktop into multiple segments. However, installing the software seriously compromises security of the particular workstation. The developers required administrator access for the software, but apparently they hacked their way out. The installer silently disables User Account Control, and enables a policy to start all applications as Administrator. In the article there is also a video presentation of the setup procedure. It is safe to say that no one should be running this software in its current form.

UAC - A Double Edged Sword

[some1001]

I realize that the software probably shouldn't have disabled UAC out of the box without at least informing the user, but having worked on some out-of-process COM applications (yes, legacy) in Windows Vista/7/8/10, UAC can be extremely frustrating. The biggest issue is that having UAC on creates a different user context between user and admin. If I execute a program as myself with admin privileges, it is not exactly the same as executing the program as myself without admin privileges.

For example, if your user with admin priveleges creates a COM component, that component may not be able to be accessed by a non-admin context even though your user may be in the local administrators group, DCOM Users group, etc.

I wouldn't be surprised if LG ran into a COM issue with Windows and decided to make the program for reliable for the user by disabling UAC instead of resolving the problem in a different way.

Re:UAC - A Double Edged Sword

[thegarbz]

since most Windows programs are written incorrectly

What a load of garbage. I rarely if ever see UAC prompts other than installing software. This goes for programming tools both well written and poorly hacked together, all manner of internet related things (reads browsers, Acrobat, flash, etc) remote administration tools, games, office productivity applications, even my explorer replacement program doesn't bug me with a UAC prompt.

In fact the only program I've ever used that needed UAC prompts was a custom VPN tool, and it only needed UAC because it had the ability to tie into windows settings and modify the system's own L2TP VPNs on top of providing an OpenVPN client, something that requires elevated privileges to do.

What you're saying I haven't experienced since maybe 2-3 months after Vista was released. So please share some more details on what exactly you are doing that makes a UAC prompt appear every time you move the mouse, and which of the many millions of programs on the PC actually require administrator to run?

Re:UAC - A Double Edged Sword

[dAzED1]

As others have said...the "problem" you're describing is *exactly the farking point of UAC* - it's *intentional*. of course the context is different - that is almost completely the entire design concept of UAC, and as an infosec and 20+ year UNIX guy, I personally appreciate UAC in windows when I'm forced to use that OS (which is all too often). UAC isn't a bad thing, it's a *good* thing. And if you can't get your program to work with UAC, either you're bad at design, or your program shouldn't exist.

Reminds me of Sony's rootkit

The installer silently disables User Account Control, and enables a policy to start all applications as Administrator.

Holy fucking incompetence, Batman. This reminds me of Sony's rootkit, the one that tried to hide itself from AV software, but in doing so, opened up a huge hole that any malicious program could exploit. How does shit like this make it past any kind of review? What CIO/CTO says "hmm OK, gutting security on every customer's PC sounds like a great idea!" This approaches criminal levels of negligence.

UAC is for idiots

[duke_cheetah2003]

As what I'd consider a 'power user', one of the first things I do is turn that obnoxious thing off. I understand it's purpose for being there, it's to protect idiots. Though if you've been reading the studies related to 'security popups', they're pretty ineffective anyway.

A program that magically turns it off for you is definitely a bad thing. However, from a power user perspective, its like.. 'um i don't care, it was already off.'

Windows simply wasn't built from the ground up to insulate the user space from the root space, and frankly I don't know if it ever can properly do that. The fact some program that can change the UAC settings is pretty huge example of why Windows has issues separating userspace from root space. It just simply can't do it right. Who's brilliant idea at Microsoft was it to provide any sort of API that can let any program (besides the control panel widget that lets you adjust UAC settings) adjust UAC settings? Some majorly FUD there. I think this is more Windows' fault than this stupid dual monitor program. No program should be permitted, regardless of it's permissions, to touch things like UAC settings.

Re:UAC is for idiots

[whoever57]

As what I'd consider a 'power user', one of the first things I do is turn that obnoxious thing off. I understand it's purpose for being there, it's to protect idiots.

You never heard of "drive-by installs"? And don't reply with "but I don't go to that type of website", because we have often seen that both ordinary websites and ad networks can be compromised to install malware.

Re:UAC is for idiots

[spire3661]

I dont mind UAC. Its just like sudo warning you 'think before you type'. Its a clear sign you are initiating a system level action.

Re:UAC is for idiots

[DigitAl56K]

The fact some program that can change the UAC settings is pretty huge example of why Windows has issues separating userspace from root space. It just simply can't do it right. Who's brilliant idea at Microsoft was it to provide any sort of API that can let any program (besides the control panel widget that lets you adjust UAC settings) adjust UAC settings?

I hope you realize what you are saying here is the equivalent of a Linux user saying "The fact that some program can change permissions after I launched it as root is an example of a huge security hole. Whose brilliant idea was it to provide any sort of mechanism that can let any program I run as root do things a user who is root can do?".

This is an example of why UAC exists, in fact: A program that is not UAC elevated could not change your UAC settings (if you hadn't turned them off already).

Re:UAC is for idiots

[reikae]

A dialog that pretty much only appears when (un)installing software is hardly obnoxious in my opinion. Security popups may well be ineffective for most people, but as a power user I know when UAC prompts should and shouldn't appear; getting a prompt when one shouldn't pop up is a useful warning sign.

Re:UAC is for idiots

[Rhywden]

Anyone who still insists in writing Microsoft as "M$" just shows that you can't take him seriously.

Re:I'll run it if I want, thanks

[holostarr]

You must be thick in the head, that statement isn't ordering you to comply, it is simply advising users against running it. So by all means go ahead and run it and stop looking for reasons to complain!

Re:Brian Fox is a Black Man

[hcs_$reboot]

What is informative, that he is a Black man, or that he wrote Bash? I'm happy to know that Brian Fox is the author of bash, a nice addition to sh that I'm using every day, but why the need to specify he is a Black man? Is it an American thing?

Re:Chinese or Indian Devs?

[fisted]

No, I have seen some utterly substandard garbage code written by Ameriancs, so according to my anecdote it's probably from there.

Re:Brian Fox is a Black Man

[wbr1]

It's in response to the trolling,racist, parent comment. That is why his race is mentioned. It to s not obvious the comment has a parent since the author removed the re and changed the title. Click parent on that post and see for yourself the anus of society.

Re:s/split/slit/

There are no nigger programmers.
If a black person is a programmer, than they are most likely educated and decent human.

Nigger is a state of the mind.
Unfortunately 90% of black people have it (and 10%-20% of white people as well).
Hence the stereotypes for black and white people (which are not racist, they are just statistics).

So, Linux has no security thought?

[cbhacking]

Uh, no offense, but you don't know much about Linux, I take it?

There's a bunch of options, ranging from "mark everything setuid and owned by root" (the least efficient, but you could do it in a few lines of shell script) to simply making each user be UID 0 (which is a trivial edit to /etc/users).

Frankly, you kin of sound like you're mouthing off without knowing anything of what you're talking about (Windows or Linux. Windows NT (which everything since XP has been, in kernel and core components) was very much designed from the beginning with security options in mind. The fact that everybody then ran as Admin instead of running as a normal user unless a program needed admin is unfortunate, and is partially Microsoft's fault, but only somebody utterly ignorant would think that Windows security is an afterthought.

To be the kind of person who would be utterly ignorant and then open your damn fool mouth is... well, I'm sorry. Nobody wants to be that person. You do deserve to be modded down, but what you say is not true at all. I have mod points, as it happens, but chose to reply instead. Maybe somebody else will take care of you and your unfortunate attitude...

For what it's worth, here's some more info: It's true that mandatory integrity control (MIC), which has security impacts, is relatively new (Vista) to Windows, but at least Windows uses it at least slightly; a typical Linux distro doesn't use it at all (though it is available). Speaking of afterthoughts, though, Windows (NT family) has supported ACLs since its initial release, while Linux only supported basic Unix permissions (which are a small subset of the control that ACLs give you unless your group count balloons absurdly) until 2002.