What the UAC 'hole' is really about
Fellow blogger Ryan Naraine had a blog post, "Hacker, Microsoft duke it out over Vista design flaw", in which he reported on a disagreement between elite researcher Joanna Rutkowska (Singapore-based Coseinc) and elite programmer Mark Russinovich (formerly of Sysinternals, which was acquired by Microsoft). I've spoken with both of these people and I have a lot of respect for both of them. Rutkowska did some groundbreaking research on hypervisor-based rootkits that hijack an operating system by placing it inside a hardware-based virtual "Matrix" prison. Russinovich is one of the elite programmers at Sysinternals, which cranked out a lot of really powerful and well-coded utilities for managing and maintaining Windows.
I had a hard time believing some of the characterizations of Rutkowska's positions, and that prompted me to contact Rutkowska first hand. It turned out she had already contacted Ryan Naraine to correct the characterization of her positions, and you'll see her clarifications at the end of Naraine's blog post. What Rutkowska was upset over was Russinovich's position that UAC implementation issues were not to be considered security bugs.
From where I stand, I don't see either party as wrong. Rutkowska sees a design weakness in Vista UAC that could be made much better with a little more granularity of control, and Russinovich doesn't want to see this characterized as a bug in the software when it is clearly a design issue. Plenty of these types of design issues have been inaccurately played up as if Microsoft screwed up the code again, and I can understand Russinovich's and Microsoft's defensiveness on the issue. Rutkowska actually goes as far as saying that she understands the design decision as a compromise between security and usability. David Maynor also joined in on the debate and added that if you are prompted for an admin password to install an app on a Mac, or you use sudo to elevate privileges in Linux to install something, then it's no different from what Vista UAC is doing. So it seems to me that all parties involved here pretty much agree.
[Update] - Joanna adds this clarification.
Please note that Russinovich's post referred to *implementation* bugs in UAC and that they should not be treated as "security bugs" (and this is what shocked me!). I don't see how his post says anything about the "elevated-installs" issue - which has nothing to do with *implementation* bugs in UAC.
UAC has taken a lot of bashing from the blogosphere and the media, and that criticism hasn't been even-handed, considering that UAC is no different from the Mac or Linux privilege escalation mechanisms. In Rutkowska's blog, she writes:
Many people complain about UAC, saying that it’s very annoying for them to see the UAC consent dialog box appear every few minutes or so, and claim that this will discourage users from using this mechanism at all (and yes, there’s an option to disable UAC). I strongly disagree with such an opinion - I’ve been running Vista for more than a month now and, besides the first few days when I was installing various applications, I now do not see the UAC prompt more than 1-2 times per day. So, I really wonder what those people are doing that they see UAC constantly appearing every other minute...
While it's true that Vista UAC is no different from Mac or Linux privilege escalation, we must remember that the old argument that "everyone else is doing it" just doesn't cut it when you're the most dominant desktop operating system in the world and the biggest target for malware. While Vista's security record in its first three months in public (referring to the enterprise and MSDN rollout) has been stellar by any standard on any operating system, we have to expect that malware pushers will be using a lot more social engineering as their weapon of choice against Vista once it inevitably becomes the dominant operating system, led by the retail sector. There are simply too many people downloading "warez" (pirated software), applications and games that people think will be cool to try out, and "free" adult videos that require one of those "special" root-me codecs in order to "play", and your average Joe or Jane won't know any better. While one might be tempted to say "it's their problem", it eventually becomes everyone's problem, because those suckers become a massive army of zombies that can spew spam and launch DDoS (Distributed Denial of Service) attacks.
What Rutkowska suggests is that UAC should have more than just a yes/no option on privilege escalation: a yes, a limited yes, and a no option. Under Windows XP, Rutkowska is able to run as a limited user with add-only privileges to the "Program Files" directory and the HKLM Software registry hive, but Vista takes this choice away from her because of the way UAC works. I would add the "Public Desktop" to that add-only permissions list so that launch icons can at least be installed for everyone. The vast majority of applications shouldn't need any more privileges than what's listed here, and they certainly shouldn't ever have the ability to modify the OS kernel unless they're signed by a trusted Certificate Authority. If Microsoft would adopt this as the standard permission model for the vast majority of applications, it would vastly improve the Trojan malware situation. People would essentially be able to more safely "taste" applications without the risk of nuking their entire OS. As for the "disagreement" among the parties involved here, no one's really wrong, and I think we may be talking past each other when everyone's positions are a lot closer than we think.
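To make the "add-only" permission model concrete, here is an added PowerShell illustration (not code from the post, from Rutkowska or from Microsoft) that builds such an NTFS ACL on a throwaway directory under %TEMP% rather than on Program Files; the group name and test path are assumptions. Members of the group can create files and subfolders and read what is there, but get no Write or Delete rights on existing items.

```powershell
# Added illustration of an "add-only" NTFS ACL, applied to a constructed
# test directory. The group and path are assumptions for the demo.
using namespace System.Security.AccessControl

$Group = 'BUILTIN\Users'                      # assumed limited group
$Dir   = Join-Path $env:TEMP 'AddOnlyDemo'    # constructed test location
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# "Add-only" = read/execute plus the two directory-add bits:
# CreateFiles is FILE_ADD_FILE, CreateDirectories is FILE_ADD_SUBDIRECTORY.
# No Write, Delete, or attribute-modification rights are granted.
$AddOnly = [FileSystemRights]::ReadAndExecute -bor
           [FileSystemRights]::CreateFiles    -bor
           [FileSystemRights]::CreateDirectories

$Inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'

$Acl = Get-Acl -Path $Dir
$Acl.SetAccessRuleProtection($true, $false)   # drop looser inherited rules
$Acl.AddAccessRule([FileSystemAccessRule]::new(
    $Group, $AddOnly, $Inherit, [PropagationFlags]::None,
    [AccessControlType]::Allow))
# Administrators keep full control so the tree stays manageable.
$Acl.AddAccessRule([FileSystemAccessRule]::new(
    'BUILTIN\Administrators', [FileSystemRights]::FullControl, $Inherit,
    [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -Path $Dir -AclObject $Acl

# Check: the group's entry must carry none of the modify/delete bits.
# Note that whoever creates a file still owns it and can change that
# file's own ACL; the rule limits what can be done to items others added.
function Test-AddOnlyAcl {
    param([string]$Path, [string]$Identity)
    $entry = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object -First 1
    $forbidden = [FileSystemRights]::Delete -bor
                 [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [FileSystemRights]::WriteAttributes -bor
                 [FileSystemRights]::WriteExtendedAttributes
    return ($null -ne $entry) -and
           (($entry.FileSystemRights -band $forbidden) -eq 0)
}
Test-AddOnlyAcl -Path $Dir -Identity $Group   # True once the rule is in place
```

The same idea applied to the HKLM Software hive would use RegistryRights (CreateSubKey without SetValue or Delete) instead of FileSystemRights.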
[Update 2/16/2007]: Microsoft blogger Stephen Toulouse's response on this issue
Talkback
I disagree...
I cannot agree with a "limited yes" option. The only account that should have permission to write to system-wide locations (the Program Files directory, HKLM, and the shared desktop) is the administrator (through UAC elevation). If you're worried about trashing the whole system, then install the application in user-writeable locations (the user's home directory, HKCU, and the user's desktop). Providing a "limited yes" would allow application developers to continue poor programming habits.
What you're describing would effectively eliminate the benefit of limited privileges. One of the key aspects of malware is to write to the HKLM|run key so that it starts up when the system boots. A "limited yes" would provide the end user a false sense of security.
OS X has a similar "feature" by allowing administrators to write to the /Applications folder without so much as a peep. Malware could add, modify, or delete files in this directory and the user would be none the wiser.
Plain and simple this would be a bad idea.
Good steps from MS
The problem is that this is new to Microsoft
What treatment?
My question is, how do OSX and Linux handle this? If an installation asks for privilege escalation, do they give full privileges also? If not, what level of privilege do they give? If so, how is what MS is doing any different, and why is MS being criticized for it?
Carl Rapson
Re: What treatment?
I don't know about OSX, and I don't know about the so-called easy to use (Windowsesque) Linux distros. But I suppose that if the user is only using point and click to configure their Linux computer then probably they have as fine control over it as does a Windows user: ham-handed.
In Linux there are 2 privilege levels. All and none. (None being you are only allowed the privileges you are given.) There are ways to give some users more privileges than other users but it's kind of not important to the home user who usually is the only user.
It's relevant though because /opt is the standard directory to add local system resources and you certainly can install to there without root privileges.
I haven't come across a Linux "installer" per se but I believe they are out there for the Windowsesque distros. On my computer I'm the installer! :)
:)
It's all or none on Linux and OS X too.
Not necessarily
Most Linux variants have an all or nothing...
I agree
All too true
Real complaint was about "boundaries"
It is a classic symptom ...
It also explains the high rate of MS vapourware.
That's not what they're saying
Not at all. The security is still there, it's just not as granular as some would like. What they're saying is that the decision to give full administrative privileges, as opposed to a more limited set of privileges, upon escalation was a design choice. The choice being, if a more granular privilege escalation were implemented, it is likely the number of UAC prompts would become prohibitive, causing many users to simply turn off UAC. How would that help anyone?
It's interesting how so many who first chided MS for bothering users with so many popup security prompts are now complaining that it isn't giving enough of them.
Carl Rapson
Re: That's not what they're saying
Are you sure it wasn't the beta testers who were chiding them? The hardcore Windows users?
What I find interesting is how some want to compare it to Linux, as if this isn't an entirely intramural issue.
I've been running Linux since Windows users were typing "win" at the command prompt to get into the GUI shell and I've never been prompted by an application for my root password. Ever.
You will never hear anybody saying this about Linux:
"What they're saying is that the decision to give full administrative privileges, as opposed to a more limited set of privileges, upon escalation was a design choice."
In Linux the user makes those decisions. There's no way to compare this with the Linux experience.
:)
Still same number of prompts, just 1 more choice
There will still be the same number of UAC prompts, just 1 more choice of Yes, Partial yes, No instead of yes/no. Partial means I'm not so sure I trust this application. Joanna's point which I fully agree with is that 99% of plain old applications out there really only need partial privileges.
Not about UAC prompts
From one of her blog entries:
"Interestingly, UIPI implementation is a bit 'unfinished', I would say... For example, in contrast to the design assumption, on my system at least, it is possible for a Low integrity process to send e.g. WM_KEYDOWN to e.g. an open Administrative shell (cmd.exe) running at High IL and get arbitrary commands executed.
One simple scenario of the attack is that a malicious program, running at Low IL, can wait for the user to open an elevated command prompt - it can e.g. poll the open window handles e.g. every second or so (window enumeration is allowed even at Low IL). Once it finds the window, it can send commands to execute... Probably not as cool as the recent 'Vista Speech Exploit', but still something to play with ;)"
Just code name the UAC hole "Shimmer"
Linux
I may be wrong but it sounds to me like the UAC won't let you install anything without you agreeing to escalate user privs.
That's not how Linux works. Yes, you do have to su to root if you want to install into system directories. But Linux doesn't make you su to root to install in any directories where you have write privileges like $HOME. I do it all the time. I install in my $HOME to "taste" some app because deleting it from $HOME is much easier than deleting it from system directories.
:)
An interesting point
Or, I guess more to the point, would your average computer user know not to? Would they understand when to allow this, or would it simply confuse them?
I watch the Mac users at work type their credentials into just about anything that asks. Apple updates, shareware trials, stuff they download off the net.
Users understand that if they don't allow the installer (or whatever software) whatever it wants, it won't install or work. They have that figured out pretty well.
Re: An interesting point
I may be wrong but I don't believe that would happen. I believe the installer would only ask for privileges if it received a privileges error message.
But no, I would not. I would know I wouldn't need root privileges to install to my $HOME. Your average computer user would not be using Linux. You can't just walk into a store and come out with a Linux computer, which is how the average user gets his or hers.
BTW if your coworkers are installing stuff they got off the Internet then your employer has a worse problem than promiscuous users.
:)