Linked by Thom Holwerda on Fri 15th May 2009 07:11 UTC, submitted by Georgi Petrov
Windows Whenever we talk about Windows 7 on OSNews, you'll always hear me advise you to change the UAC settings by setting it to its highest level, since Windows 7's default simply isn't secure. You might wonder why you should deal with additional prompts - what is the security risk actually like? Well, it's pretty big.
Comment by Kroc
by Kroc on Fri 15th May 2009 07:43 UTC
Kroc
Member since:
2005-11-10

The linked video is incredible. The ease with which UAC is bypassed is impressive. What is more impressive is the outright incompetence of Microsoft to not update freaking Calc and Notepad to work with privileges correctly. Why does Notepad need to auto-elevate? If I was trying to save a text file to a system location, a UAC prompt wouldn’t be shocking to see.

This only confirms factually what I understood philosophically already: that UAC is just a 'patch' trying to add security on top of a system that—for backwards-compatibility’s sake—is totally insecure by design. The Windows user-space is one giant insecure mess. The NT kernel has all the features to implement a really, really tight and secure user-space, and Microsoft are still waving the Windows 95 flag.

Until Microsoft ditch all backwards-compatibility and move it into a VM, Windows security is never going to be properly secure, and we will always see inane, short-sighted and ineffective security systems tacked on top like UAC.

P.S. Also love how Flash can auto-install itself in IE8/Win7. You get a UAC-prompt, but none of the normal Active-X warnings. Cute. What’s your normal reaction when a web-page upon loading suddenly, out of nowhere, fires off a UAC-prompt??

Edited 2009-05-15 07:45 UTC

Reply Score: 3

RE: Comment by Kroc
by adkilla on Fri 15th May 2009 07:47 UTC in reply to "Comment by Kroc"
adkilla Member since:
2005-07-07

I never had Notepad asking for elevation when UAC was set as high. Some configuration problem maybe?

-Ad

Reply Score: 2

RE[2]: Comment by Kroc
by Thom_Holwerda on Fri 15th May 2009 07:49 UTC in reply to "RE: Comment by Kroc"
Thom_Holwerda Member since:
2005-06-29

I never had Notepad asking for elevation when UAC was set as high. Some configuration problem maybe?


I'd say it's related to saving and opening files in Notepad. Not sure though. It doesn't matter anyway - what matters is that it can auto-elevate itself, and that you can trivially abuse that.

Remember, the author of the proof-of-concept is just a programmer, not even a security researcher!

Reply Score: 1

RE: Comment by Kroc
by flanque on Fri 15th May 2009 09:13 UTC in reply to "Comment by Kroc"
flanque Member since:
2005-12-15

After learning of this a while ago I turned the UAC up to the maximum and I barely get irritated by prompts. It should be up to the max by default, I agree, because it causes very little problems if any.. at least so far for me.

I'm running the RC as well.

Reply Score: 4

RE: Comment by Kroc
by gedmurphy on Fri 15th May 2009 19:45 UTC in reply to "Comment by Kroc"

RE[2]: Comment by Kroc
by renhoek on Sat 16th May 2009 10:26 UTC in reply to "RE: Comment by Kroc"
renhoek Member since:
2007-04-29

You clearly have little understanding of windows internals.

Could you please point out the mistakes kroc made? Because i agree with him. And so seems everybody else.

Reply Score: 3

RE[3]: Comment by Kroc
by gedmurphy on Mon 18th May 2009 07:37 UTC in reply to "RE[2]: Comment by Kroc"
gedmurphy Member since:
2005-12-23

Instead of me going into depth explaining the internals of UAC and why it isn't a 'patch' which is 'totally insecure by design', why usermode isn't a giant insecure mess and why Windows won't always be insecure until they move historical stuff into a VM, maybe Kroc would care to explain where he gets these ideas from.

Quite frankly, it's absolute rubbish, and someone writing about this stuff should really know better.

As the article states, if you move the slider to the top then it becomes secure again. This is a case of Microsoft making a bad decision on default security (again), not a case of Windows being insecure and flawed.
If Windows is so insecure and flawed, let's see Kroc move the slider to the top and compromise the security. Surely it can't be hard if his claims are true.

It sounded like an uninformed Microsoft hater comment. Something Thom avoids which is why I expected him to comment.

Edited 2009-05-18 07:42 UTC

Reply Score: 1

RE: Comment by Kroc
by abraxas on Sat 16th May 2009 16:00 UTC in reply to "Comment by Kroc"
abraxas Member since:
2005-07-07

This only confirms factually what I understood philosophically already: that UAC is just a 'patch' trying to add security on top of a system that—for backwards-compatibility’s sake—is totally insecure by design.


I disagree. The default policies of Microsoft's MIC and some applications are insecure. This does not make it insecure by design. It just means that Microsoft yet again decided that compatibility is more important than security. It is even more frustrating considering the tools are in place to secure it.

Reply Score: 2

RE: Comment by Kroc
by sgtarky on Mon 18th May 2009 11:48 UTC in reply to "Comment by Kroc"
sgtarky Member since:
2006-01-02

I knew something had to be wrong when I didn't have to disable it. For me the fact UAC doesn't work is a good thing, but it needs to be there for the morons.

Reply Score: 1

RE: Comment by Kroc
by brandonlive on Wed 20th May 2009 17:27 UTC in reply to "Comment by Kroc"
brandonlive Member since:
2008-05-31

You misunderstand the system, and your ignorance leads you to incorrect conclusions. It's not like calc.exe is on some list saying it can auto-elevate. Calc.exe has no use for administrator privileges, which is why it does not request them. If you force it to run with them, you won't get prompted in the default UAC level ("Notify me only when programs try to make changes to my computer") assuming that a series of requirements are met (it is the original, Windows-signed binary, it is in a trusted location, etc).

The system makes sense. Yes, the "always notify" setting has some small security benefit for some users, which is why it exists. But for most users the default setting is a better trade-off of usability versus security, and it keeps the most important mitigations provided by UAC intact. It is MUCH safer than turning it off.

Reply Score: 1

Another problem with UAC prompts
by adkilla on Fri 15th May 2009 07:44 UTC
adkilla
Member since:
2005-07-07

The UAC prompts should also be easy to configure to request for the admin password to proceed with a 'yes'. Similar to what is done in OS X and Ubuntu.

This would give people with a common family PC a way to ensure that installed apps work as they are supposed to but grandma/kids don't accidentally install stuff.

I have found that anti-viruses and PC optimization tools don't work well when the active user isn't an Admin. So a standard user for everyone is not practical in every case.

-Ad

Reply Score: 2

Thom_Holwerda Member since:
2005-06-29

The UAC prompts should also be easy to configure to request for the admin password to proceed with a 'yes'. Similar to what is done in OS X and Ubuntu.


Run as a normal user, then you get the password dialogs. Run as administrator, and you get the clickthrough dialogs.

Reply Score: 4
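The blurb advises moving the UAC slider to its highest level, brandonlive describes the default level under which signed Windows binaries elevate without a prompt, and Thom notes that standard users get password dialogs while administrators get click-through consent. The script below is an added example, not code from the OSNews article, the linked proof-of-concept, or any commenter: it reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), maps them back to the Windows 7 slider positions, and reports which kind of prompt the current account would see. The `-SetAlwaysNotify` switch is an assumed name for this script; applying it requires an elevated console.

```powershell
# Added example (not from the OSNews thread): report the UAC slider position and
# the prompt type the current account gets, optionally setting "Always notify".
param(
    # Assumed switch for this script: write the "Always notify" policy values.
    [switch]$SetAlwaysNotify
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

$enableLua     = [int]$policy.EnableLUA                  # 0 = UAC switched off
$adminPrompt   = [int]$policy.ConsentPromptBehaviorAdmin # 2 = consent always, 5 = consent for non-Windows binaries only
$secureDesktop = [int]$policy.PromptOnSecureDesktop      # 1 = prompt on the dimmed, isolated desktop

# Map the three values back to the slider positions of the Windows 7 UAC dialog.
if ($enableLua -eq 0 -or $adminPrompt -eq 0) {
    $level = 'Never notify'
} elseif ($adminPrompt -eq 2 -and $secureDesktop -eq 1) {
    $level = 'Always notify (highest)'
} elseif ($adminPrompt -eq 5 -and $secureDesktop -eq 1) {
    $level = 'Notify me only when programs try to make changes (Windows 7 default)'
} elseif ($adminPrompt -eq 5 -and $secureDesktop -eq 0) {
    $level = 'Notify me only when programs try to make changes (do not dim my desktop)'
} else {
    $level = "Custom policy (ConsentPromptBehaviorAdmin=$adminPrompt, PromptOnSecureDesktop=$secureDesktop)"
}

# Under ConsentPromptBehaviorAdmin=5, signed Windows binaries in trusted locations
# elevate with no prompt; only 2 ("Always notify") prompts for every elevation.
$windowsBinariesAutoElevate = ($enableLua -eq 1 -and $adminPrompt -eq 5)

# Members of Administrators run with a filtered token and get a consent prompt;
# standard users get a credential (password) prompt instead.
$identity      = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal     = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevatedNow = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$groupSids     = $identity.Groups | ForEach-Object { $_.Value }
$isAdminMember = $groupSids -contains 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

if (-not $isAdminMember) {
    $accountType = 'standard user'
    $promptKind  = 'credential (password) prompt'
} elseif ($isElevatedNow) {
    $accountType = 'Administrators member (running elevated)'
    $promptKind  = 'none: this console is already elevated'
} else {
    $accountType = 'Administrators member (filtered token)'
    $promptKind  = 'consent (Continue/Cancel) prompt'
}

[pscustomobject]@{
    SliderLevel                = $level
    WindowsBinariesAutoElevate = $windowsBinariesAutoElevate
    AccountType                = $accountType
    ElevationPromptForThisUser = $promptKind
}

if ($SetAlwaysNotify) {
    if (-not $isElevatedNow) { throw 'Run from an elevated console to change the UAC policy.' }
    Set-ItemProperty -Path $policyKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Output 'UAC policy set to "Always notify"; reboot if EnableLUA was previously 0.'
}
```

Run it without arguments from any console to see where the machine sits; `WindowsBinariesAutoElevate = True` is the condition the article warns about, and the output on a fresh Windows 7 install should show the default slider level with that flag set.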

adkilla Member since:
2005-07-07

The problem I am having is, when run as Admin the dialogs appear, but when run as user the dialogs don't appear at all and the app fails to run altogether.

I have had this problem with CCleaner, AVG, Kaspersky and F-Secure.

-Ad

Reply Score: 1

casuto Member since:
2007-02-27

I have had this problem with CCleaner, AVG, Kaspersky and F-Secure. -Ad


Because these applications are poorly written and don't use the right UAC API.

Edited 2009-05-15 09:50 UTC

Reply Score: 4

jabbotts Member since:
2007-09-06

- Why is Administrator allowed to log in directly?
- Can I still have a blank password for Administrator?
- Is the "home" version's admin account still crippled?

I'm still open to win7 being all it's supposed to be but the UAC bug being in place still is the first stumble it's hit.

Reply Score: 1

Windows: Insecure by default(tm)
by kragil on Fri 15th May 2009 07:56 UTC

Skepticism
by Moredhas on Fri 15th May 2009 08:31 UTC
Moredhas
Member since:
2008-04-10

Microsoft must be getting a huge kickback fund from the security industry. Nobody can screw up security this badly on accident.

Reply Score: 4

RE: Skepticism - they've had practice
by jabbotts on Fri 15th May 2009 13:23 UTC in reply to "Skepticism"
jabbotts Member since:
2007-09-06

Like anything done well; you have to practice, all day, every day.

Reply Score: 1

Competition
by 3rdalbum on Fri 15th May 2009 09:59 UTC
3rdalbum
Member since:
2008-05-26

Mac OS X has had its really *dumbass* local security flaw:

tell application "ARDAgent" to run shell script "whoami"

And now Windows 7 has had a similar one involving rundll32.exe. Both allow the box to be rooted without waiting for any additional user input, or modifying memory or files.

The people who claimed that Linux was no more secure than Windows should be eating hats right now.

Reply Score: 3

RE: Competition
by Thom_Holwerda on Fri 15th May 2009 10:02 UTC in reply to "Competition"
Thom_Holwerda Member since:
2005-06-29

And now Windows 7 has had a similar one involving rundll32.exe. Both allow the box to be rooted without waiting for any additional user input, or modifying memory or files.


Do note, though, that THIS article is NOT about the rundll32.exe flaw. This is a DIFFERENT case.

Just to clarify.

Reply Score: 1

RE[2]: Competition
by WereCatf on Fri 15th May 2009 11:05 UTC in reply to "RE: Competition"
WereCatf Member since:
2006-02-15

Do note, though, that THIS article is NOT about the rundll32.exe flaw. This is a DIFFERENT case.

Just to clarify.


I was planning to try Win7 RC myself, but it's kinda off-putting that there's these absolutely ridiculous security issues there. I mean, I can't for the life of me understand why the f*ck would a calculator need admin rights? O_o The programmers themselves probably know how idiotic that is, but some drooling monkey higher-above in the salary chain thought that it was a good idea..

Anyhow.. I understood these issues can be at least partially worked around by using UAC at max, but does that also work for the rundll32 flaw?

Reply Score: 2

RE[3]: Competition
by Thom_Holwerda on Fri 15th May 2009 11:07 UTC in reply to "RE[2]: Competition"
Thom_Holwerda Member since:
2005-06-29

The rundll flaw is already fixed separately from this case.

Reply Score: 1

RE[3]: Competition - I know why
by jabbotts on Fri 15th May 2009 13:28 UTC in reply to "RE[2]: Competition"
jabbotts Member since:
2007-09-06

It's Microsoft generating good will with the infosec industry. After all, having higher privileges in calc.exe and notepad.exe helps when you're looking for a process to hide meterpreter behind. ;)

Reply Score: 2

RE[3]: Competition
by wjscott on Sat 16th May 2009 08:29 UTC in reply to "RE[2]: Competition"
wjscott Member since:
2009-05-16

I can't for the life of me understand why the f*ck would a calculator need admin rights? O_o The programmers themselves probably know how idiotic that is, but some drooling monkey higher-above in the salary chain thought that it was a good idea..


So the incompetent manager driven programmer renegades can calculate complicated formulas for their own exploits(?) As Windows 7 calc comes with extra modes.

Reply Score: 1

Couldn't edit this, sorry
by wjscott on Sat 16th May 2009 09:12 UTC in reply to "RE[3]: Competition"
wjscott Member since:
2009-05-16

Never mind the unit conversion and mortgage calculator, calc has always allowed easy cut and paste, like any application.
MS always focused on automating this, ie. the IBM/MS DDE/OLE/Active X/COM+.

Is there anyway to forgo this programming style while making it easy to convert old Active X code.

Some of these security risks which UAC is supposed to manage (read some of the IE 8 blog and comments) need to be redeveloped and revolutionised.

Reply Score: 1

RE: Competition
by kaiwai on Fri 15th May 2009 15:07 UTC in reply to "Competition"
kaiwai Member since:
2005-07-06

Mac OS X has had its really *dumbass* local security flaw:

tell application "ARDAgent" to run shell script "whoami"

And now Windows 7 has had a similar one involving rundll32.exe. Both allow the box to be rooted without waiting for any additional user input, or modifying memory or files.

The people who claimed that Linux was no more secure than Windows should be eating hats right now.


What on earth has that got to do with the UAC issues? The ARDAgent vulnerability was NEVER a structural flaw but a flaw primarily the result of social engineering and/or the code itself.

This UAC flaw within the article shows that Microsoft do not take security seriously because of the fundamental design flaw of UAC itself - instead they use a band-aid solution instead of facing the reality that win32 is long in the tooth and designed in an era where security was never considered from the perspective of computers being connected to a massive network.

Microsoft could do something about it but it would require them to take a tough line, it would require them to look long term, and it would require them to stand with some conviction with the decisions they make - they could chuck out large portions of code that they know are unsafe, they could force VM down the collective throats of end users (both using software and built-in virtualisation) and force Intel/AMD's hand to expand VM support beyond a small niche of their product line-up. Again, it would require Microsoft to stand up and with a strong, sturdy voice announce a new course - the problem is that there isn't a single manager within Microsoft willing to locate that wonderful thing called a backbone and put it to some good use.

Edited 2009-05-15 15:25 UTC

Reply Score: 3

RE[2]: Competition
by Thom_Holwerda on Fri 15th May 2009 15:11 UTC in reply to "RE: Competition"
Thom_Holwerda Member since:
2005-06-29

Microsoft could do something about it but it would require them to take a tough line, it would require them to look long term, and it would require them to stand with some conviction with the decisions they make


It's important to make clear that Microsoft took that approach in Windows Vista. And held on to it strictly.

The world cried foul. Including all the anti-MS people.

The changes applied in Windows 7 are the DIRECT CONSEQUENCE of whiners - people who had no idea what they were talking about but threw hissy fit after hissy fit because they saw a few dialogs while setting up their computer. Well, boo-friggin' hoo.

Microsoft listened to their customers. Too bad most of those customers are stupid.

Doesn't make this decision any less braindead, though.

Edited 2009-05-15 15:11 UTC

Reply Score: 2

RE[3]: Competition
by kaiwai on Fri 15th May 2009 15:32 UTC in reply to "RE[2]: Competition"
kaiwai Member since:
2005-07-06

It's important to make clear that Microsoft took that approach in Windows Vista. And held on to it strictly.

The world cried foul. Including all the anti-MS people.

They cried foul because it was crap; GDI was moved to unaccelerated when it should have been ripped out, torn up and burnt. UAC should never have been implemented; instead all users should be put in limited user mode and all applications that fail to work in that mode - simply fail. They moved to a new printing system - no attempt should have been made to accommodate the old drivers or way of interacting.

Microsoft did a half assed, half baked attempt to fix the problem. I might have the slightest bit of 'pride' in their decision if they removed the old garbage and did what they said they were going to do. The simple fact is that they never did anything radical; Windows Vista was a half baked operating system whose legion of apologists latch onto anything to legitimise the poor quality of it.

Reply Score: 2

RE[3]: Competition
by StephenBeDoper on Fri 15th May 2009 20:15 UTC in reply to "RE[2]: Competition"
StephenBeDoper Member since:
2005-07-06

It's important to make clear that Microsoft took that approach in Windows Vista. And held on to it strictly.

The world cried foul. Including all the anti-MS people.


I'm as cynical of the "Anything But Microsoft" crowd as anyone - but UAC is one of the (several) reasons I've avoided Vista like the plague.

IMO, the sensible approach would have been:

- keep the existing XP/2k/NT4 security model (permissions based on account type/ACLs)
- make the default user non-Admin on new installations
- add the ability to prompt for elevation when a user tries to do something without sufficient permissions (E.g., when a normal user tries to change network settings)

And voila - no need for UAC.

Reply Score: 4

RE[4]: Competition
by brandonlive on Fri 15th May 2009 21:43 UTC in reply to "RE[3]: Competition"
brandonlive Member since:
2008-05-31

That results in a whole mess of compatibility and usability problems. When you run as a standard user and then launch a single program as an administrator account, the program running as an admin will have the admin user's profile, settings, permissions, etc. That's problematic for many scenarios.

The UAC model offers many advantages, both in usability/compatibility and in security. It allows Windows to securely prompt for *consent* (i.e. Continue / Cancel) versus asking for a password. Asking for a password for elevations is risky, as it will always be susceptible to spoofing and logging (unless you require a Secure Attention Sequence, i.e. a Ctrl+Alt+Del press for every password entry).

UAC also provides the ability to easily *reduce* the privileges of a process, like Protected Mode IE (just one example) running on the same desktop, and to track objects/files created by those "low integrity" processes.

Lots of people think they know better than the Windows engineering team, but 99% of the time they are looking at a very small piece of the puzzle.

Reply Score: 3

RE[4]: Competition
by Drumhellar on Sat 16th May 2009 06:49 UTC in reply to "RE[3]: Competition"
Drumhellar Member since:
2005-07-12

IMO, the sensible approach would have been:
- keep the existing XP/2k/NT4 security model (permissions based on account type/ACLs)

UAC is basically based on the old security model. Only now, it's actually enforced. For nearly 10 years Microsoft has been telling developers to write programs the new way. Some didn't, and now their programs break. UAC is meant to lessen the impact of that, while providing a new way for developers to keep the old, antiquated mind-set and allow things to run (mostly) smoothly.

make the default user non-Admin on new installations

Good idea. Users also need to be taught to be more security minded, not just the developers.

Reply Score: 2

RE[5]: Competition
by abraxas on Sat 16th May 2009 16:14 UTC in reply to "RE[4]: Competition"
abraxas Member since:
2005-07-07

UAC is basically based on the old security model. Only now, it's actually enforced. For nearly 10 years Microsoft has been telling developers to write programs the new way. Some didn't, and now their programs break. UAC is meant to lessen the impact of that, while providing a new way for developers to keep the old, antiquated mind-set and allow things to run (mostly) smoothly.


UAC elevates privileges based on a new access control system introduced with Vista called MIC. UAC requests privileges based on the integrity level of an object. If the integrity level required to access an object is higher than your current integrity level UAC is invoked.

Reply Score: 2

RE[3]: Competition
by wjscott on Sat 16th May 2009 09:22 UTC in reply to "RE[2]: Competition"

RE: Competition
by DavidSan on Sat 16th May 2009 16:37 UTC in reply to "Competition"
DavidSan Member since:
2008-11-18

Mac OS X has had its really *dumbass* local security flaw:

tell application "ARDAgent" to run shell script "whoami"

And now Windows 7 has had a similar one involving rundll32.exe. Both allow the box to be rooted without waiting for any additional user input, or modifying memory or files.

The people who claimed that Linux was no more secure than Windows should be eating hats right now.


That is completely different. Mac OS X had a bug, that was resolved:
http://support.apple.com/kb/HT2647

This is not a bug, it seems like a design decision. A feature... I do not know what to call it.

It is beyond a bug. A bug is the result of bad implementation. But this is a failure in the whole idea of security. It seems more like a business decision: Make all legacy code work and do not touch Norton and "security" firms' necessity and revenue, this is a whole ecosystem we have to maintain here, boys. If Microsoft loses the installed base of legacy apps, it opens the door for Mac and Linux.

Reply Score: 1

Comment by darknexus
by darknexus on Fri 15th May 2009 11:14 UTC
darknexus
Member since:
2008-07-15

Please tell me this is some kind of late April Fools joke. Please tell me Microsoft didn't screw up security again...
I don't know why I'm surprised. MS has never been one for eating their own dogfood. It's the classic "do as I say, not as I do" philosophy for them. Their products don't have to conform to the standards they set out for everyone else... well, why not? They're hypocritical everywhere else, why not in their software too?
Leaving aside the complete stupidity of this flaw in the first place... why, exactly, would calc.exe need to be elevated? I just can't think of anything that would require elevated privileges in a *calculator*. Notepad I can understand needing elevation sometimes if you're editing a system file...
I guess it's typical MS: great kernel, braindead userland. Move along folks, there's nothing to see here... yet. I can't wait to see what's going to happen if they don't fix this by release time, it will certainly be one hell of a show to watch.
These stupid (deliberate?) flaws are the reason I will never use Windows as my primary os again, no matter how well it runs or how good it looks.

Reply Score: 2

RE: Comment by darknexus - you can relax..
by jabbotts on Fri 15th May 2009 13:29 UTC in reply to "Comment by darknexus"
jabbotts Member since:
2007-09-06

They haven't screwed up security again.. they'd need to get it correct first before it can be screwed up. ;)

Reply Score: 3

darknexus Member since:
2008-07-15

They haven't screwed up security again.. they'd need to get it correct first before it can be screwed up. ;)


Lol, good point there. ;)

Reply Score: 3

My solution
by John.Gustafsson on Fri 15th May 2009 12:27 UTC
John.Gustafsson
Member since:
2005-08-08

My solution is simply to turn everything off, never have anything actually important in Windows and simply don't care if it goes *poff* as I will just reinstall when it happens. Stuff like Valve's Steam really is a <deity>send in this case as it is so easy to reinstall. Just wish they could save my saved games as well.

Then I just do everything actually important, such as files I want to save, online banking, etc on a computer with a less screwed up system. One can dual boot or better yet have two computers. Which better OS to run I will not go into, those flamewars only add to global warming.

The sad thing is that if Microsoft had actual leadership and far less internal fighting, they could make a version of Windows that would shine.

Reply Score: 2

RE: My solution - Unison and a flashdrive
by jabbotts on Fri 15th May 2009 13:32 UTC in reply to "My solution"
jabbotts Member since:
2007-09-06

Get yourself a flashdrive and PortableUnison (you may have to search if it's not listed on portableapps). Install Unison on the flashdrive and create a root folder for your save game archive.

\ProgramFiles\PortableUnison\
\GameFiles\gameA
\GameFiles\gameb

Then your Unison will sync changes to the flashdrive and after you restore your system and games, it should sync the game save files back to the desktop. No need to involve an untrusted third party for more than the software dump.

Reply Score: 3

Comment by FealDorf
by FealDorf on Fri 15th May 2009 13:27 UTC
FealDorf
Member since:
2008-01-07

I'm not surprised that MS does something like this.. It's not uncommon for them to be too lazy to redesign their software. I'm sure the reason Win32 still exists is that MS developers are the ones too stubborn to try learning a new API.
On a sidenote, I'm happy that OSNews is posting articles on technology nowadays. The lack of in-depth tech related feature articles on Ars Technica made my spirits low..

Reply Score: 1

jabbotts Member since:
2007-09-06

I suspect the developers are more encumbered by the company culture. Even if they want to put out good design work and code, they have budgets, delivery dates and marketing/management mandates like continuing to support everything back to Dos virus code.

Reply Score: 3

license_2_blather Member since:
2006-02-05

Maybe, but this looks like they went out of their way to mess this up. I know Microsoft has some security-minded people working for them, and they are probably screaming about this. But, incredibly, they are ignored. Let's just hope that security by public outcry prevails and once again convinces Microsoft's management to pull their heads from their a**es.

Reply Score: 1

kaiwai Member since:
2005-07-06

I suspect the developers are more encumbered by the company culture. Even if they want to put out good design work and code, they have budgets, delivery dates and marketing/management mandates like continuing to support everything back to Dos virus code.


You're right; when I hear managers within Microsoft say that 'legacy code is an asset' - I know they've lost touch with reality. An asset, as anyone knows, can eventually turn into a liability. This idiotic idea of code being an asset forever simply ignores the reality of the situation - it helps no one to promise backwards compatibility indefinitely because it results in castrating any possible future improvements to the operating system itself. Windows in its current half-baked state is a by-product of this policy - it has nothing to do with a lack of smart people within Microsoft and everything to do with management placing unrealistic limitations on programmers on what they can do by virtue of this backwards compatibility fixation of theirs.

Edited 2009-05-15 15:21 UTC

Reply Score: 3

bousozoku Member since:
2006-01-23

I suspect the developers are more encumbered by the company culture. Even if they want to put out good design work and code, they have budgets, delivery dates and marketing/management mandates like continuing to support everything back to Dos virus code.


It's more likely that they're too busy shooting rubber bands at each other than designing and coding good software. It takes too much effort to do things correctly.

Not directed to you, but why should the operating system bother the user to death to avoid disaster? Why shouldn't the UAC require a password even when the Administrator is using the machine to do certain things? The company seems to have a skewed view of how things should work to be correct and effective.

Reply Score: 2

brandonlive Member since:
2008-05-31

Requesting a password for OTS elevations is dangerous. Such things are VERY easily spoofed.

Edited 2009-05-15 21:55 UTC

Reply Score: 1

UAC is NOT a security boundary
by po134 on Fri 15th May 2009 14:30 UTC
po134
Member since:
2009-05-15

I'd like you all to watch the Windows Security Boundaries talk by Mark Russinovich (from Sysinternals). UAC has never been defined as a security boundary (if it was it would receive critical security updates and such). It is a nice feature but it was never designed to be unbeatable (see Mark's demo at the end).

Here is the description:
In this session, learn what constitutes a security boundary; get a tour through core Windows technologies, including user sessions, Code Integrity, PatchGuard, Service Security Hardening, and User Account Control, to learn where Windows currently defines such boundaries; and gain insight into why application compatibility and user experience make defining boundaries much more difficult than it might seem.

And the link for the TechNet Spotlight video (I highly recommend all videos from Mark!): http://www.microsoft.com.nsatc.net/spain/technet/spotlight/sessionh...

Reply Score: 2

A question
by license_2_blather on Fri 15th May 2009 14:57 UTC
license_2_blather
Member since:
2006-02-05

Since I don't program Windows at a very low level, can someone explain why code injection into a running process is a required feature in Windows? A good OS is supposed to protect processes from each other, after all.

Reply Score: 2

Sadly typical
by StephenBeDoper on Fri 15th May 2009 16:00 UTC
StephenBeDoper
Member since:
2005-07-06

From TFA:

As the writer of the proof-of-concept code explains, the UAC API is a good API, but code does require refactoring to provide a good user experience; to not flood users with prompts. Microsoft did not do this right in Vista, and instead of addressing this issue properly in Windows 7, they took the easy way out by creating UAC backdoors for their own code and programs (the UAC whitelist) as to reduce the number of prompts. This list isn't configurable by the user.


I think that sort of "easy way out" approach characterizes UAC from conception to implementation.

They had a more-than-sufficient security model as far back as Win2k (and probably back further). Anecdotally, I was able to keep a lab of a dozen Win2k PCs malware-free (in a middle school, no less) by configuring them to use a non-admin account.

There were only two real problems with that security model: it was braindead in some areas (didn't prompt you to elevate when you tried to perform a task without the necessary permissions) and it was effectively off by default.

And rather than addressing those two issues, they give us a security model that errs to the opposite extreme and asks for elevation whether it's needed or not. I have an idle suspicion that UAC is not so much a security model, but a research project to provide real-world proof of the concept of "authentication fatigue."

Reply Score: 3

RE: Sadly typical
by license_2_blather on Fri 15th May 2009 19:10 UTC in reply to "Sadly typical"
license_2_blather Member since:
2006-02-05

They had a more-than-sufficient security model as far back as Win2k (and probably back further). Anecdotally, I was able to keep a lab of a dozen Win2k PCs malware-free (in a middle school, no less) by configuring them to use a non-admin account.

There were only two real problems with that security model: it was braindead in some areas (didn't prompt you to elevate when you tried to perform a task without the necessary permissions) and it was effectively off by default.


Agreed (it came about in NT I think), though I'd argue that if you don't have a general idea when you need elevated privileges, you shouldn't be mucking around with those privileges. But I guess I understand the UAC approach for the unwashed public.

I just got through cleaning a pretty nasty virus from a friend's PC. "Cleaning" is a rather loose term; it actually meant reformatting and reinstalling Windows. I decided he needed to run as a limited user (the virus got by his scanner), so I set him up that way and sat him down and gave him a 15-minute class on the how and why. He's an intelligent guy, and pretty savvy with the applications he uses, but he lacks knowledge of (and interest in) system admin in general. Yet he seemed quite comfortable with the concept.

I find it disturbing that Microsoft and some of its supporters blame the security issues in Windows on 3rd-party applications, and then Microsoft turns around and makes Calculator and Notepad, their own apps, run with the same admin privileges they decry the ISVs for wanting -- and not telling users. What utter hypocrisy.

After half a day of trying to find out why my Workstation service takes 2 minutes to start up (and hangs the machine the entire time), because there is nothing in the system logs, I was thinking of running Windows only in a VM from now on (I'm not a gamer). That way I could restore it to a pristine state with ease by copying over the VM image or rolling back the disk snapshots. But this latest bit of news has cemented that decision. Now I just need a laptop that will take 4GB of RAM.

Reply Score: 2

RE: Sadly typical
by Drumhellar on Sat 16th May 2009 06:55 UTC in reply to "Sadly typical"
Drumhellar Member since:
2005-07-12

They had a more-than-sufficient security model as far back as Win2k


UAC is a means to try to enforce that security model without breaking software that, for nearly 10 years, ignored that model.

Reply Score: 2

Eh, the real fix is more "simple"...
by looncraz on Fri 15th May 2009 16:31 UTC
looncraz
Member since:
2005-07-24

I, too, find it incredibly awkward that simple text editor and basic calculator programs somehow need elevated privileges - at any point.

The text editor makes a bit more sense - edit an .ini file in the system folder - UAC comes up. BUT, that shouldn't have anything to do with the editor - but with the file access, regardless of program.

I also believe permissions should be highly granular - never elevate a program, simply create a virtual copy of a secured object ( file, registry hive, whatever ) upon modification - once permission is granted. At that point a versioning system ( like SVN ) should be employed in order to permit back-pedaling in a fine-grained manner. Takes less room to track the changes from the original state than it does to make blind copies of everything, as System Restore currently does.

A really secure system would employ the versioning system on every object on the system full-time, either not have a registry or limit registry access to specific hives - and write exclusively to an automatic set of locations per application. It would also control all disk writes such that any application's disk commits were fully reversible - allowing for perfect uninstalls.

There is more in my mind that words fail to convey, but I believe applications and all data written from that application should be treated as a single entity - almost like .dmg files in OS X, except more extreme.

There should be NO reason for virtually any application to require elevated privileges to accomplish something - especially something as simple as a calculator. If there is, it is the OS's fault more often than the developer's. The easy way should always be the right way, these features should not require application rewrites - though new applications will be written differently.

Fine grained security is generally just fine grained control with intelligent defaults. I should be able to open a security panel for any program and disable its access to the clip-board, or to any given folder or registry hive. I should even be able to sand-box some portions and provide false inputs & false write-paths. Granted that is a lot of work - but it isn't hard work... just a LOT of grunt work - Microsoft has the manpower.

--The loon

Reply Score: 4

well
by Nex6 on Fri 15th May 2009 19:45 UTC
Nex6
Member since:
2005-07-06

Well, one of the posters above said that the loosening of UAC was because of the whiners. Well, that poster was dead-on right.

Microsoft tried to go into a more secure mode. People, you all complained. So, they loosened it up.

So, you can all pat yourselves on the back now.

-Nex6

Reply Score: 3

Very misleading article
by brandonlive on Fri 15th May 2009 21:37 UTC
brandonlive
Member since:
2008-05-31

This article bugs me a lot. It's very misleading to users to claim that the default UAC level is "insecure" or that you "might as well turn it off."

This is COMPLETELY false.

The most useful boundary provided by UAC is the Low Integrity Level isolation feature, used by Protected Mode IE, the shell, and other apps, to create a sandbox around a process working with untrusted data.

This functionality works EXACTLY the same as Vista even in the default setting, and none of the "problems" referenced in this article affect it. However, if you turn UAC off, you lose this important defense.

Please do more research before posting sensational stories like this one and giving users dangerous / misleading advice.

Reply Score: 1

I cranked it up
by Phloptical on Fri 15th May 2009 22:17 UTC
Phloptical
Member since:
2006-10-10

No big deal. So I have to click to allow a few more message boxes......life's a b**tch. Guess I should try the whole logging-in-as-normal-user thing, and putting in the admin password when needed. Probably would be better.

Reply Score: 2

I would turn it up all the way
by deathshadow on Sun 17th May 2009 03:20 UTC
deathshadow
Member since:
2005-07-12

If it didn't ask me time and time again on applications I know are completely safe and unlikely to be hijacked - like say... pspad, notepad++, crimson editor.

It needs a box 'do not ask again for this application' before I'll consider turning it on. If it's a legitimate application I've installed and don't want it to ask me about every freaking time I start it - an application as simple as a god **** text editor...

Reply Score: 2

Ufff... said that long ago...
by TBPrince on Sun 17th May 2009 12:08 UTC
TBPrince
Member since:
2005-07-06

When news about a "relaxed" UAC on Windows 7 first came out, I wrote a post here saying that I would prefer the Vista way and there was no need to relax UAC.

UAC saved me a couple of times on my Vista notebook by signaling that something "administrative" was about to happen and allowing me to cancel that. Those 2 times were the only problems I had on Vista since its launch. It's a pretty good damn thing.

So why should we relax it? UAC is perfect: when something elevated is about to run, you will be notified and, if you expected that, you can just click on Continue. Easy, simple AND effective.

After years of complaining about security, now we have something which is quite effective AND practical (a lot more practical than SUDOing, for example, since you don't need to type anything) and we're going to "relax" it? Nonsense!

I hope MS will keep UAC the way it works in Vista. Plain and simple.

If they want to improve, they just need to set up a way to stop installers from requiring Administrative rights to execute if they don't really need them. They could also work on developers requiring Administrative rights to run their programs when it's not really needed.

P.S. And this bug proves that "relaxing" is not the way to go... hope they will fix it soon!

Reply Score: 2
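Two points in this thread are checkable on a machine: brandonlive's claim that only turning UAC fully off loses the Low Integrity Level isolation used by Protected Mode IE, and TBPrince's (and the article's) preference for the Vista-style "Always notify" level. The following is an added example, not code from any poster: it reads the policy values the Control Panel UAC slider writes and maps them back to a slider position. It assumes an unmanaged, non-domain Windows 7/Vista box, and that the four slider levels correspond to the value triples listed in the comments; the -SetAlwaysNotify switch is an optional remediation that needs an elevated shell.

```powershell
# Added example (not from the thread): audit the UAC slider level on Vista/7
# by reading the values the Control Panel slider writes. Auditing works as any
# user; -SetAlwaysNotify needs an elevated shell. Written for PowerShell 2.0
# (the version shipped with Windows 7), hence New-Object instead of [PSCustomObject].
param([switch]$SetAlwaysNotify)

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $Key

# Missing values fall back to the OS defaults (assumption: no domain policy).
$enableLua = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
$consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
$secure    = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }

# Map EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop to the
# four slider positions; anything else is a custom or policy-managed setting.
$level = switch ("$enableLua/$consent/$secure") {
    '1/2/1' { 'Always notify (Vista-style: prompts for Windows binaries too)' }
    '1/5/1' { 'Default: notify only when non-Windows programs make changes' }
    '1/5/0' { 'Notify without the secure desktop (no dimming)' }
    '0/0/0' { 'Never notify (UAC off)' }
    default { "Custom/policy-managed ($enableLua/$consent/$secure)" }
}

# Integrity-level isolation (Protected Mode IE, Low IL sandboxing) depends on
# EnableLUA, not on the prompt level, which is the point brandonlive makes.
$lowIlIsolation = ($enableLua -eq 1)

$report = New-Object PSObject -Property @{
    UacLevel                = $level
    LowIntegrityIsolation   = $lowIlIsolation
    AutoElevationPossible   = ($enableLua -eq 1 -and $consent -ne 2)
}
$report | Format-List

if ($SetAlwaysNotify) {
    # Move the slider to the top position; EnableLUA changes need a reboot.
    Set-ItemProperty -Path $Key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $Key -Name EnableLUA                  -Value 1 -Type DWord
    Write-Output 'UAC set to Always notify; reboot if EnableLUA was previously 0.'
}
```

On a default Windows 7 install the report shows the Default level with LowIntegrityIsolation true and AutoElevationPossible true; after -SetAlwaysNotify the last field becomes false.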