Hacker, Microsoft duke it out over Vista design flaw

Summary: Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out -- from Microsoft officials -- that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust a given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Russinovich, a technical fellow at Redmond, writes:

As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can.
This potentially includes a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory.
That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data.
That kind of escape, called a squatting attack, is sophisticated and requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.

Russinovich pegged it as a tradeoff between application compatibility and ease of use, explaining the weakness as a "design choice."

Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.
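As an added illustration, not from the article or from Microsoft, the following PowerShell reads the UAC policy values behind the two behaviours described above (forced elevation of detected installers, and how consent is prompted) and reports the integrity level the current process runs at. The registry path and value names are the documented UAC policy settings; which values the script flags as risky, and the reading of EnableInstallerDetection, are this script's own assumptions.

```powershell
# Added example, not code from the article. Audits the UAC policy values that
# govern installer detection and elevation prompting, then reports the current
# process's integrity level (the "IL" in Russinovich's explanation).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $props = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $props.EnableLUA
        ConsentPromptBehaviorAdmin = $props.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $props.ConsentPromptBehaviorUser
        EnableInstallerDetection   = $props.EnableInstallerDetection
        PromptOnSecureDesktop      = $props.PromptOnSecureDesktop
    }
}

function Test-UacPolicy {
    param([Parameter(Mandatory)] $Policy)
    # Which values count as risky is this script's assumption, not a Microsoft baseline.
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA=0: UAC is off; admin-group processes run fully elevated.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, no prompt.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop=0: consent prompt is drawn on the user desktop, not the secure desktop.'
    }
    if ($Policy.EnableInstallerDetection -eq 1) {
        # Assumed reading: with this on, heuristically detected setup programs can only
        # run elevated (the behaviour Rutkowska objects to); with it off, an installer
        # runs as the standard user unless its manifest asks for elevation.
        $findings += 'EnableInstallerDetection=1: detected installers are forced to elevate.'
    }
    $findings
}

# Integrity level of the current process, read from the token's mandatory label
# as printed by whoami /groups (e.g. "Mandatory Label\High Mandatory Level").
function Get-CurrentIntegrityLevel {
    $line = (& whoami.exe /groups) | Where-Object { $_ -match 'Mandatory Label' } | Select-Object -First 1
    if ($line -match 'Mandatory Label\\(\S+) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

$policy = Get-UacPolicy
$policy | Format-List
Test-UacPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }
"Current process integrity level: $(Get-CurrentIntegrityLevel)"
```

Run it once from a plain prompt and once from an elevated one to see the integrity level change from Medium to High while the policy values stay the same.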

That explanation isn't sitting well with Rutkowska. In an e-mail interview, the Polish malware researcher said she was "pissed off" by what she perceived as Russinovich's flippant attitude to the potential risk.

"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.

"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen new attacks against UAC)," she added.

Rutkowska also took issue with this line from Russinovich's argument:

"[H]aving your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account's code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code..."

"This is not valid," Rutkowska declared. "If we followed this reasoning, then we would not be able to talk about security in our email clients nor web browsers, because they all also access data and code which are not trusted."

Her final thought: "I believe that the Vista security model is a good thing and that users can benefit from it, but Microsoft must change their attitude and start treating them as security mechanisms."

[UPDATE: February 13, 2007] Rutkowska wrote in to clarify a few things that appear confusing in the article above:

There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, such as the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was "pissed off" not because of #1, I was "pissed off" because a Microsoft employee -- Mark Russinovich -- declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don't like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow-up titled "Vista Security Model - A Big Joke".

  • Vista is all about DRM

    This Polish hacker is p*ssed off, huh? Seems they have only just cottoned on to the fact that Vista is a system for extracting revenue from end-users, and anything else - security, stability, usability etc - is completely irrelevant. As long as every PC can be sold with a copy of Hollywood Vista already welded to it, Microsoft don't give a rat's ass whether it's secure or not. Flippant? Of course they are flippant, they are a global monopoly!
    • no matter how cynical you get it's impossible to keep up

      shhhhhh, don't make too much noise. Microsoft is still trying to get its stock over 30
      a share. Without this software it's a house of cards about to collapse along with a
      huge bunch of stock portfolios that the baby boomers are depending on for their
      retirement income.
      Right now if you convince Monkey Boy there's a big profit in donuts they will go out
      and buy a bunch of donut shops. And as far as Gates not imitating Jobs the latest is
      that Gates thinks DRM should be thrown out. But like he says, they only copy the
      best. Copying is one thing, a sincere form of flattery, but making it work as well is
      something else.
      broadway al
    • Same song, millionth verse...

      How can MS be a "global monopoly" when they don't own every single computer operating system, and all means to creation of an operating system?

      The biggest problem with Leftist rhetoric is, that it's so friggin' ignorant.
      • Leftists are ignorant?

        A monopoly doesn't mean EVERY computer operating system (or barrel of oil, or
        mile of railroad track) it just means MOST of the market, and acquired in a way
        that inhibits competition. That does describe MS. (For example, if you as a
        hardware manufacturer opt not to include XP on your machine but an alternative
        system instead you have to pay MS a fee. That's the kind of thing we lefties - read
        "smart and educated as opposed to right wing idiots" - understand as a trade
        violation that fits into the definition of a monopoly.)

        Now, what was leftist about the post you objected to? From this I suspect you see
        yourself on the right. And like all other right-wingers you don't even understand
        a simple definition.
        • Fees??

          What is the amount of Fees that say HP would have to pay to MS if they chose to sell desktops loaded with Linux instead of Windows? I've never heard of the fee. I thought it was the other way around, that they pay a licensing fee to HAVE the software, not to not have it.
          • Per machine, not per Windows license

            As I understand it, companies buying OEM versions of Windows are required by MS to purchase it for *every* machine they sell, whether or not it will have Windows installed. That means that if I want a Dell (yeah, right!) without an OS, Dell still has to pay for a license. Which means I have to pay for a license, since at some point all of Dell's costs are factored into the purchase price. I know that this was true in the past, but not whether it's still true now.

            That definitely qualifies as monopolistic behavior on MS's part. Imagine if a computer manufacturer had to pay Intel for every system they built, even if it had an AMD processor. Or to Seagate, even if a Maxtor drive was used. For that matter, outside the computer industry, Ford having to pay Firestone even if they use Pirellis. So why should MS get a cut of every PC sale?
          • Correction

            Sorry, I meant to say that larger OEMs that have entered into particular licensing deals with MS have to pay for a license for each machine. It's still wrong, given that this often prevents people from having the option to buy a computer with another OS, since the manufacturer isn't going to be inclined to offer anything but Windows. Regardless of what the customers want. Unless demand is overwhelming, but how is demand supposed to grow, with almost everyone under MS's thumb?
          • Proof?

            Again, I'd like to see the proof of Microsoft charging a licensing fee for every computer that leaves Dell, whether or not it has an operating system. The fact is, Dell pays Microsoft for every key code sticker that they put on a machine.

            It's pure economics for Dell and sour grapes for you. Dell recognizes the fact that people like you are very much the minority. Most people that go to Dell to buy a computer, want Windows installed. If there was a market for systems without an installed operating system, trust me, Dell would be selling them.

            Dell is not disinclined to sell systems with other operating systems because of fear of Microsoft, they don't offer it because for the most part, there is no market for it.

            Look, if you go to the grocery store to buy Mac and Cheese, don't be upset with Kraft and the store because all they carry is Kraft brand. Be mad at the masses who demand Kraft brand and make it unfeasible for the store to waste shelf space for a product that only a small minority of consumers want. That is what you effectively have Dell do.

            If you don't like it, go to a specialty store that carries what you want (where do you find a pc preloaded with Linux?) or build it yourself.

            The fact is, no one is under MS's thumb. Consumers have made their choice and for the vast majority of consumers, their choice is Windows. I have the means with which to buy competitors' products. I bought a Powerbook a couple months before Vista came out to help me decide if I should upgrade or go with another brand altogether. Plain and simple fact? I'm comfortable with MS and the Apple felt like being in a foreign country; it was a neat, new perspective, but in the end, I went home to what I was familiar with. And not because I'm under anyone's thumb.
          • Why they agreed to that.

            They did that so the cost of a Windows install *per machine* would be 10 dollars, rather than a full license. It's a trade off. Microsoft takes a huge hit they really don't have to on profits, and HP occasionally has to shell out 10 dollars (actually, currently 5.62 USD) on a system that doesn't run Windows, which is an absurdly small percentage of machines.

            Also, please note that agreement only applies to consumer machines, corporate workstations and servers are exempt.
        • You've proven his point

          >>(For example, if you as a hardware manufacturer opt not to include XP on your machine but an alternative system instead you have to pay MS a fee.<<

          Where did you come up with that gem? ROTFLMAO! Only certain manufacturers that signed special "sweetheart" deals with MS have that clause. Typical leftist. Look at the hype instead of the facts.
        • Monopoly - definition

          mo·nop·o·ly /məˈnɒpəli/ [muh-nop-uh-lee]
          noun, plural -lies.
          1. exclusive control of a commodity or service in a particular market, or a control that makes possible the manipulation of prices. Compare duopoly, oligopoly.
          2. an exclusive privilege to carry on a business, traffic, or service, granted by a government.
          3. the exclusive possession or control of something.
          4. something that is the subject of such control, as a commodity or service.
          5. a company or group that has such control.
          6. the market condition that exists when there is only one seller.
          7. (initial capital letter) a board game in which a player attempts to gain a monopoly of real estate by advancing around the board and purchasing property, acquiring capital by collecting rent from other players whose pieces land on that property.
          Dr. John
        • Odd...

          "For example, if you as a hardware manufacturer opt not to include XP on your machine but an alternative system instead you have to pay MS a fee."

          Odd. I've been an OEM for going on 14 years now, and not once have I had to pay MS for NOT using their products.
          Dr. John
          • It's not an agreement everyone has

            Nor is it in their TOS, or EULA. It's available to large scale manufacturers who want to save money by reducing the cost of an OEM license of Windows to a mere pittance. Generally, they do, and Microsoft collects a smaller portion of profits for each copy of Windows installed, and occasionally a company has to pay out on a system that isn't using Windows because they've agreed to include a license to Windows with every system, even if the customer doesn't order it.

            And as stated above, this doesn't apply to all classes of systems for large-scale OEMs; there are also different agreements depending on which company it is.

            In no way shape or form does this amount to a vendor lockout.
        • wow...where is rod serling... cuz we must be in the twilight zone

          or MS has started to pay an awful lot of people to troll these boards and reply.

          I don't know if it's true anymore, but in the '90s large OEMs most certainly did have to pay MS per PC and not per license. That is, consumers paid for Windows on their PC whether or not the PC was going to use it. It was dubbed the "MS tax" and what started the anti-trust hoopla.

          For or against MS has nothing to do with it. I myself am about as neutral as they come, I use whatever works best for a particular situation and don't give a rat's @$$ about ANY SW vendor (I detest them all, equally). But facts are facts, and denying them doesn't change history.

          where have all you people been working the last 15+ years?
      • Re: same song, millionth verse

        I just can't figure it out. Is this satire, or are you just ignorant of basic economics?
  • Typical MSFT Attitude

    If it's not directly related to a code execution problem, blame the user.

    Just keep up that snobby, arrogant attitude and keep sticking your remaining customers with higher and higher bills. It's more money in the bank for those of us working both sides of the software fence. Those two sides being MSFT and everyone else.
  • There are plenty of programs that don't need installation

    I just copied 10 GB of Counter-Strike and played it without an install or ever triggering UAC. I downloaded uTorrent (the best BitTorrent client) and it ran without needing a UAC elevation. I just downloaded a PuTTY client that doesn't require an install. Plenty more examples of applications that don't require installers that can run in standard user space. I'm not sure why it's Vista UAC's fault if people write installers that invoke system level privileges.
    • Just a question...

      Is Microsoft Office 2007 an application (suite) that does not happen to require administrator privileges?
      • Installer needs admin, runtime does not

        This has been a design requirement since Windows XP and 2000: that programs NOT require administrative privileges. This is why something like QuickBooks is so messed up when some recent version of it isn't Vista compatible, because it never tried to get official XP logo compliance.
    • That's the problem: stupid installers

      That is the problem in the first place. No installers, save for antivirus installers and firewall installers, as well as other security software, should need to run under administrator rights.

      The problem is that the people making the installers haven't realized that yet, so Microsoft has to go with "We will allow all installers to run under Admin privileges, because the idiots are making Admin-level installers even for games, file-sharing programs, and other things that shouldn't need Admin-level access."