Linked by Thom Holwerda on Fri 30th Jan 2009 19:13 UTC
Privacy, Security, Encryption At OSNews, we usually do not report on individual security breaches, because there are websites specifically tailored to that sort of thing. Still, every now and then, an interesting security issue pops up that deserves some attention. How about this one: through a simple VBScript, you can completely disable UAC in Windows 7. The reason for this might surprise you. Update: Microsoft's response.
Appreciate the heads up
by WorknMan on Fri 30th Jan 2009 19:54 UTC
WorknMan
Member since:
2005-11-13

I personally don't mind when you guys post security-related stuff on here, especially if it's particularly nasty. And this one seems to be one of those ;) Even if it's aimed at a product still in beta.

Reply Score: 3

Hmm
by linumax on Fri 30th Jan 2009 20:10 UTC
linumax
Member since:
2007-02-07

"We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

What if I'm not running as an Admin account? Because that's always what I do, whether on Leopard or Vista.

Reply Score: 3

microsoft just doesn't get it
by TechGeek on Fri 30th Jan 2009 20:35 UTC
TechGeek
Member since:
2006-01-14

Microsoft just doesn't get it and apparently never will. The reason why this is dangerous is because most people run as Admin. Why? Well, because it's the default Microsoft account and because they never pushed their "developers developers developers" to write their software to only need user-level permissions. This is the same thing as allowing your email program to execute code from emails. Who in their right mind thinks that is a good idea or a useful feature? And that is responsible for most of the viruses that propagate by email. Microsoft needs to be put down like the rabid dog it is.

Reply Score: 3

RE: microsoft just doesn't get it
by jbauer on Fri 30th Jan 2009 22:07 UTC in reply to "microsoft just doesn't get it"
jbauer Member since:
2005-07-06

There's nothing wrong with using an admin account in Vista, that's one of the goals of UAC.

I might be wrong, but the problem seems to be that in 7 changing the UAC level does not cause a UAC prompt. I don't know why this couldn't be fixed by MS by simply forcing a UAC prompt in this particular case while keeping it as it is in the rest of them, thus staying less annoying than it is in Vista now.

Reply Score: 1

TechGeek Member since:
2006-01-14

There is EVERYTHING wrong with running as Admin. It is a better security design to run with the least privileges possible and have UAC elevate them only as needed. UAC gets shut down, then the end result is your user can't get admin and you have to fix it. As it is now, no UAC, full admin access by whatever you run.

Edited 2009-01-30 23:54 UTC

Reply Score: 5

kaiwai Member since:
2005-07-06

There is EVERYTHING wrong with running as Admin. It is a better security design to run with the least privileges possible and have UAC elevate them only as needed. UAC gets shut down, then the end result is your user can't get admin and you have to fix it. As it is now, no UAC, full admin access by whatever you run.


Unfortunately what we see now is a by-product of Microsoft's own business model - perpetual backwards compatibility and all the crap that ensues from it. When you make unrealistic promises to your customers, you are going to find that in the future that it limits what you can and can't do with your product.

What Microsoft needs to do first and foremost is plant a stake in the sand and say, "from this day forward, we're going to pull all the backwards compatibility out of the operating system, we're going to enforce proper security so that there are no longer nasty hacks like UAC. All backwards compatibility will be provided through a virtualisation session", then leave it at that.

The moment when Microsoft puts correctness above rushing a product to market and maintaining compatibility for 'Joey Spit Waters' and his 20-year-old DOS application will be the day when you'll see Windows make a giant leap forward and make the changes engineers at Microsoft have always wanted to make, but due to this stupid doctrine of perpetual backwards compatibility there have been limits on what they can do to improve the operating system overall.

Reply Score: 3

jbauer Member since:
2005-07-06

There is EVERYTHING wrong with running as Admin. It is a better security design to run with the least privileges possible and have UAC elevate them only as needed.


Err... that is precisely what UAC does when you're running as admin. What do you think the UAC prompt is for?

Reply Score: 2

wrocic Member since:
2008-07-10

Err... that is precisely what UAC does when you're running as admin. What do you think the UAC prompt is for?



UAC is for elevating processes or applications up from a user account to the level needed to run under administrator privileges.
Much like sudo under Linux.

Reply Score: 3

jbauer Member since:
2005-07-06

UAC is for elevating processes or applications up from a user account to the level needed to run under administrator privileges.
Much like sudo under Linux.


Inaccurate. Once again: admin accounts in Vista do not run with elevated privileges until a UAC prompt has been accepted. In Vista it does not matter if you are using an admin account or not, you're getting a UAC prompt anyway. The only difference is that if you are using a standard user account, you have to enter an admin's password and can't get away with only clicking the OK button.

2 years later and people still can't get it?

Edited 2009-01-31 18:19 UTC

Reply Score: 3

TechGeek Member since:
2006-01-14

If that were true, then when UAC is shut off, you would no longer have Admin rights. But that isn't the case if you are running as the administrator. They need to model this like Linux. I run as a normal user, not root. But if I need root privileges, I get a password prompt to start the application.

EDIT: to clarify, the difference is in what the user account type is normally. In Windows, you run as Admin and UAC, if it's running, prompts you when you do something that requires admin rights. Problem is, no UAC, no prompting, you can do everything as an Admin. On Linux, you run as a user, and get prompted when you need Admin rights. On Linux, no prompt, and you get no Admin rights. It's just a safer route to the same goal.

Edited 2009-01-31 17:56 UTC

Reply Score: 2

darknexus Member since:
2008-07-15

Personally, I like what Mac OS X does--it uses sudo underneath, but adds a bit on top of it. If you're running under an admin account, you get prompted for your password. If you're running under a non-admin account, you get prompted for an admin account and the password associated with that account.
I'm not so sure about the default settings in distros like Ubuntu. It seems to me that entering my own password to perform administrative tasks isn't very secure, if the idea is to have the account restricted. If someone did hack in under that account, the entire system would be open to them as they would have already obtained my password. Further, the password is cached. So, if I use an admin program, walk away, and someone else quickly uses my computer, they are elevated without needing to know my password. They would not be able to do this if they were able to get into my restricted account on my Macbook--and further, even having physical access to the keyboard wouldn't allow them to elevate even if they knew my account password. My admin account name is not obvious, and my admin password is not even remotely related to my restricted account's password. Further, the OS X GUI doesn't cache my admin credentials. Other distros, such as OpenSUSE, demand the root password for administrative tasks, which also makes sense. I just don't see how Ubuntu's defaults are secure in any way, and I see a lot of people here touting them as being the right way to go, which I cannot understand.
Edit: I'm referring, above, to the administration commands that are executed via sudo in Ubuntu. There are other commands, such as the user/groups and services manager, that require you to unlock them with both an admin username and password, similar to OS X's system preference panes. This unlock approach makes sense to me from a security standpoint, whereas the sudo approach does not.

Edited 2009-01-31 22:55 UTC

Reply Score: 2

benhonghu Member since:
2008-08-24

I'm not so sure about the default settings in distros like Ubuntu. It seems to me that entering my own password to perform administrative tasks isn't very secure, if the idea is to have the account restricted. If someone did hack in under that account, the entire system would be open to them as they would have already obtained my password.

From my understanding the sudo command is basically the good old "su" on steroids.

So instead of doing
$su
#sys-config
#exit

you would just do
$sudo sys-config

Makes perfect sense to me.

Further, the password is cached. So, if I use an admin program, walk away, and someone else quickly uses my computer, they are elevated without needing to know my password.


I guess it's a simple matter of locking the account whenever you leave your console unattended. While you're leaving your Mac book unattended, I could, say, set up a malicious program, rename it to "ls", change your $PATH too so that next time you ls with admin privilege it'll spoil your day.

Reply Score: 1

Delgarde Member since:
2008-08-19

From my understanding the sudo command is basically the good old "su" on steroids.


Not entirely. It *can* be configured that way, running any program as root if you provide the right password. But it can also provide more fine-grained security which 'su' cannot.

With 'su', to allow a user to run one command as another user, you would have to give them that user's password, allowing them to run *any* command as that user.

With 'sudo', you can authorise one specific user to run a specific command as another specific user - using their own password to identify themselves, not that of the target user.

That said, be *very* careful when configuring sudo in this way. If you want to be secure, you need to think through all the ways someone could use the privileges they're given to get more. For example, if you're letting them run a specific shell script as root, set and export the PATH at the top of the script - otherwise the user can use their own PATH to make commands behave differently than intended (e.g 'cp' is actually /tmp/cp, which is actually a symlink to /bin/bash - instant root shell).

Reply Score: 1
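The PATH trick that benhonghu and Delgarde describe, as an added example that is not part of the thread: a privileged script that trusts the caller's PATH is run beside one that pins PATH first, entirely as the current user in a temporary directory, so no sudo or root is needed to see the difference. The script names (backup_vuln.sh, backup_safe.sh) and the trojan 'cp' are constructed for the demo; Delgarde's variant makes the trojan a symlink to a shell, here it just announces itself so the run is non-interactive.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows a privileged script resolving
# 'cp' through an attacker-controlled PATH, and the fix: set and export PATH
# before any command is looked up. Hypothetical file names throughout.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Attacker-controlled directory holding a trojan 'cp'. A real attacker would
# make this a symlink to a shell (instant root shell under sudo); the demo
# version only prints a marker so it can run unattended.
mkdir -p "$DEMO_DIR/evil"
cat > "$DEMO_DIR/evil/cp" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$DEMO_DIR/evil/cp"

# Vulnerable script: 'cp' is whatever the inherited PATH says it is.
cat > "$DEMO_DIR/backup_vuln.sh" <<'EOF'
#!/bin/sh
cp "$1" "$2"
EOF

# Hardened script: PATH is pinned to system directories before 'cp' is called.
cat > "$DEMO_DIR/backup_safe.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
cp "$1" "$2"
EOF
chmod +x "$DEMO_DIR/backup_vuln.sh" "$DEMO_DIR/backup_safe.sh"

# Run one of the two scripts the way an attacker would invoke it: with their
# own directory prepended to PATH. Prints whatever the script prints.
run_with_hijacked_path() {
    rm -f "$DEMO_DIR/dst"
    printf 'secret\n' > "$DEMO_DIR/src"
    PATH="$DEMO_DIR/evil:$PATH" "$DEMO_DIR/$1" "$DEMO_DIR/src" "$DEMO_DIR/dst"
}

# Classify the result: "hijacked" if the trojan ran, "copied" if the real cp
# copied src to dst, "unknown" otherwise.
outcome_of() {
    out=$(run_with_hijacked_path "$1")
    if [ "$out" = "HIJACKED" ]; then
        echo hijacked
    elif [ -f "$DEMO_DIR/dst" ] && [ "$(cat "$DEMO_DIR/dst")" = "secret" ]; then
        echo copied
    else
        echo unknown
    fi
}

echo "backup_vuln.sh: $(outcome_of backup_vuln.sh)"
echo "backup_safe.sh: $(outcome_of backup_safe.sh)"
```

The same applies to any relative command name in a script that sudo lets a user run as root, not just cp. Current sudo versions default to env_reset and some distributions also set secure_path in sudoers, which blunts this particular trick, but a script that runs with elevated privileges should not depend on the caller's sudo configuration being sane; pinning PATH (and not sourcing user-writable files) is the part the script author controls.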

darknexus Member since:
2008-07-15

I guess it's a simple matter of locking the account whenever you leave your console unattended. While you're leaving your Mac book unattended, I could, say, set up a malicious program, rename it to "ls", change your $PATH too so that next time you ls with admin privilege it'll spoil your day.

No, you couldn't. Because, as I run in a restricted account, I cannot sudo to admin from that account. I must first su to my admin account, then sudo if I need to use a root command, and as I always su with the - parameter that would block your little tactic. ;) To be clear, I don't have a problem with sudo. I have a problem with its default configuration in some distros.

Reply Score: 2

3rdalbum Member since:
2008-05-26

I like what Mac OS X does as well - it silently gives anyone root access if you type in a short Applescript command (no prompting) and when you move files from one disk to another, it deletes the source file before the destination file is complete.

Took Apple 4 years to fix the first one, and they had the attitude of "smart people don't use the 'move' function" that is similar to how Microsoft is reacting.

Reply Score: 1

Does Apple "get it"?
by MollyC on Mon 2nd Feb 2009 02:29 UTC in reply to "microsoft just doesn't get it"
MollyC Member since:
2006-07-04

Last I checked, Mac OS X's default account level is admin as well. Does Apple "just doesn't get it" either? Or is it you that doesn't get it? Let's see, two billion-dollar companies vs one random poster on a message board? I'd wager the former put more thought into this than the latter.

BTW, in Vista, processes launched from either "admin" or "standard" accounts do not have actual "admin" privileges without going through UAC to elevate the privileges. The only difference between "admin" and "standard" accounts is that the latter's UAC prompts require a password. Your rant indicates that you think that the processes launched via "admin" accounts in Vista have actual admin privileges without going through UAC. That's not the case.

For Windows 7, my understanding is that this behavior's been modified such that apps that come with the system and are signed by Microsoft can elevate privileges without going through UAC. I think this is stupid. Microsoft caved into the howls of those claiming that they ran into UAC prompts every 2 minutes; these claims were shameless hyperbole meant to badmouth Vista, and it even got to the point that Apple had ads lying about how often UAC prompts came up. I think Microsoft should've left UAC as it is in Vista. The "power users" that change the system's settings every 15 minutes already know how to disable and then re-enable UAC, so what's the point of changing the behavior other than pandering to the likes of Dvorak?

Reply Score: 3

Natural order has returned
by Verenkeitin on Fri 30th Jan 2009 22:06 UTC
Verenkeitin
Member since:
2007-07-01

Seems that one sign of end of times is fading.

First we heard that Windows 7 would come in hordes of different versions and now that it might have sucking security.

Now it just needs to get Intel core i7 to its knees and eternal recurrence of Windows is complete.

Reply Score: 0

Good catch, easy fix
by google_ninja on Fri 30th Jan 2009 22:23 UTC
google_ninja
Member since:
2006-02-05

This is the reason that people release betas, so the community can respond. This particular thing is very easily fixed, just make changing UAC settings something you always prompt for.

Reply Score: 1

RE: Good catch, easy fix, really?
by Earl Colby pottinger on Fri 30th Jan 2009 23:31 UTC in reply to "Good catch, easy fix"
Earl Colby pottinger Member since:
2005-07-06

But while the fix is simple, will Microsoft have the brains to fix it before shipping out its release version? The original UAC in Vista does not seem to indicate that they listened that well to the beta testers then.

Yes, beta testing is good, but it is no good if you don't pay attention to the testers.

Reply Score: 6

RE: Good catch, easy fix
by Brendan on Sat 31st Jan 2009 02:42 UTC in reply to "Good catch, easy fix"
Brendan Member since:
2005-11-16

Hi,

This is the reason that people release betas, so the community can respond. This particular thing is very easily fixed, just make changing UAC settings something you always prompt for.


If Microsoft weren't smart enough to realize this problem existed when they were writing the code, then how many other security holes do you think there are that beta testers haven't found yet?

- Brendan

Reply Score: 5

Vista will be the new XP
by Googol on Sat 31st Jan 2009 01:20 UTC
Googol
Member since:
2006-11-24

that's my feeling. Now where everyone has at least 2 GB + Dual-CPU, plus all the fixes added, it is actually ok. Better than jumping into the next experiment at.

Reply Score: 0

RE: Vista will be the new XP
by wrocic on Sat 31st Jan 2009 17:48 UTC in reply to "Vista will be the new XP"
wrocic Member since:
2008-07-10

that's my feeling. Now where everyone has at least 2 GB + Dual-CPU, plus all the fixes added, it is actually ok. Better than jumping into the next experiment at.



Maybe where you live, but in the rest of the world, that is classed as a major PC.

Reply Score: 2

Why UAC really sucks
by IndigoJo on Sat 31st Jan 2009 09:10 UTC
IndigoJo
Member since:
2005-07-06

I've used Linux, Mac OS X and various Linux distros and the reason UAC sucks is because it frequently offers more than one dialog and blanks the screen so that it can give you that darkened effect for one of them, and the machine hangs during the process, sometimes for several seconds. Of course, to do admin jobs on Unix you need a password, but I have never found that half as annoying as Vista's UAC because it's better implemented and it only asks you once per job.

Reply Score: 3

Vista, XP, Linux does not matter
by pcunite on Sat 31st Jan 2009 19:22 UTC
pcunite
Member since:
2008-08-26

Run with Software Restriction Policies for Windows and SELinux for Linux if you care about security! Everything else is for bloggers to chat about!

It is a real pain to configure SELinux, but SRP for Windows XP or Vista/Win7 is easy to set up. A virus can't even execute on my box.

Reply Score: 0