Symantec: Vista's UAC prompts can't always be trusted

Microsoft's implementation of the UAC (user account control) mechanism in Windows Vista continues to take a beating from security researchers.

Less than a week after Polish hacker Joanna Rutkowska raised an alert for design -- and implementation -- bugs in the default no-admin component, a member of Symantec's Advanced Threats Research team says the UAC prompts cannot be trusted to provide the end user with reliable warnings.

Ollie Whitehouse, a well-known researcher who joined Symantec with the @Stake acquisition, has discovered a scenario where a UAC prompt can look like it's coming from Microsoft Windows -- when in fact the user is being asked to authorize admin rights for malicious code.

Whitehouse's discovery, detailed in an entry on Symantec's security response blog, effectively identifies a "chicken and egg situation" where the end user is making a decision based on a false sense of trust.

"The problem with this is that the arbitrary CPL files can be written to areas of the disk that non-administrative users can write to," Whitehouse explained.

He describes the following attack scenario:

  • The user gets infected by malicious code running as a restricted user – Trojan or exploit are two likely vectors
  • This malicious code drops a malicious CPL file to disk in a location that the restricted user can write to
  • The malicious code then calls RunLegacyCPLElevated.exe with the malicious CPL as a parameter
  • The user is presented with a UAC prompt that claims that Microsoft Windows needs to elevate permissions and not a third party application
  • The user authorizes and the malicious code obtains administrative privileges
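
A defender can watch for the third step of that scenario in process-creation logs. The following is an added example, not code from Whitehouse or Symantec: it flags runs of RunLegacyCPLElevated.exe whose CPL argument lies outside directories that only administrators can write to. The event fields, the trusted-directory list and the command-line layout are assumptions, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

LAUNCHER = "runlegacycplelevated.exe"
# Assumption: directories that only administrators can write to by default.
TRUSTED_DIRS = [PureWindowsPath(d) for d in (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)")]
# A quoted or unquoted command-line token ending in .cpl
CPL_TOKEN = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)\b', re.IGNORECASE)

def cpl_argument(command_line):
    """Return the .cpl path found on the command line, or None."""
    m = CPL_TOKEN.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def is_trusted(path):
    """True only for an absolute, traversal-free path under a trusted dir."""
    p = PureWindowsPath(path.lower())
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(d in p.parents for d in TRUSTED_DIRS)

def suspicious_elevations(events):
    """Return (user, cpl) for launcher runs handed a CPL from an untrusted path."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != LAUNCHER:
            continue
        cpl = cpl_argument(ev["command_line"])
        if cpl is not None and not is_trusted(cpl):
            hits.append((ev["user"], cpl))
    return hits

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe "C:\Windows\System32\main.cpl"'},
    {"user": "alice", "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe "C:\Users\alice\AppData\Local\Temp\display.cpl"'},
    {"user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\bob\notes.cpl"},
]

if __name__ == "__main__":
    for user, cpl in suspicious_elevations(SAMPLE_EVENTS):
        print(f"ALERT user={user} elevated CPL from writable path: {cpl}")
```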

When Whitehouse approached Microsoft with this issue, he said the company pointed him to a best-practices document (.doc) that makes it clear that UAC prompts should not be viewed as a security boundary because they don't offer direct protection.

This, in Whitehouse's mind, is not an acceptable response. "I believe Microsoft needs to start to take these a little more seriously than just pointing at best practice guidelines that have the same likelihood (not much) of being implemented or followed as telling people not to open arbitrary executables attached to e-mails," he argued.

[NOTE: Symantec plans to create technology that replaces UAC in Windows Vista so it's fair to say that these Symantec warnings may be tied to the fierce rivalry between the two companies.]

At this year's Black Hat Federal conference in Washington, DC, Whitehouse is on tap to give a two-part presentation on Microsoft's GS implementation and usage and the way ASLR (address space layout randomization) is implemented in Windows Vista.

Talkback

  • How is this a problem?

    So I'm writing a document in Word and up pops this UAC asking me to enter the admin password to install something. Well if I didn't initiate anything that was supposed to install the first thing I do is cancel it. How's that a problem.

    Also say I open an attachment in an email from some unknown user that claims the video attached is funny and suddenly I get UAC pop-up. I'd hit cancel again. In reality I wouldn't open the attachment in the first place.

    I don't see how this is a security problem.
    voska
    • The problem

      Is that you can make it a bit more clever than that by using a honeypot. Something
      that installs a legitimate program, and includes the virus as part of it.

      Most virus infections come from people visiting porn, gambling and warez sites. It's
      trivial to get someone to hit UAC so they can view their downloaded porn.
      frgough
      • Again how is this a problem?

        "Is that you can make it a bit more clever than that by using a honeypot. Something that installs a legitimate program, and includes the virus as part of it."

        These are called trojans and there's nothing an OS can do to prevent the user from installing them.
        ye
        • Again how is this a problem ....

          Simple, Have you ever seen some of the Email Malware that appears to come from Microsoft, someone clicks on the link and they think they are downloading something from Microsoft and UAC prompt appears to confirm it.
          So I don't see the UAC prompt fixing anything in this case.
          Now you may be smart enough to realize the email is fake but not everyone else is.
          mrlinux
          • Again how is this a problem?

            You're describing a weakness in the user, not the OS. The same "problem" exists in every OS. If the user is fooled into installing something then there's not much an OS can do to prevent it. IOW this is not a problem with Vista.
            ye
          • Re: Again how is this a problem?

            [i]If the user is fooled into installing something then there's not much as OS can do to prevent it. IOW this is not a problem with Vista. [/i]

            No. The UAC dialog states "Windows needs your permission to continue," implying that Windows opened the dialog. If the trojan can launch a dialog that misleads the user to thinking Windows launched the dialog then that's a problem with Vista.


            :)
            none none
          • And how is this different than OS X?

            .
            ye
          • UAC dialog is not being faked

            The UAC dialog is not being faked in Symantec's example. it is a genuine UAC dialog, purposely being triggered by malware to try and get elevated privileges.

            UAC in Windows has no way of knowing bad code from good code, it's just the gatekeeper for admin access.

            Welcome to the world of social engineering - something no operating system can defend against.
            toadlife
          • So then I guess what you're saying is

            If a criminal dressed as a water service employee knocks on someone's front door, and they open it and let him in without verifying who he actually was and he then robs the place, I guess it was an issue with the front door?

            So replacing the front door with something stronger would make people safer from this kind of attack?
            John Zern
          • Response to water company employee scenario...

            "If a criminal dressed as a water service employee knocks on someone's front door, and they open it and let him in without verifying who he actually was and he then robs the place, I guess it was an issue with the front door?"

            First off, we'd have to assume that the water company built the house (MS built the OS). We'd also have to assume that they gave the robber the uniform used to perpetrate the fraud (MS is responsible for the security holes that most trojans and worms have used to gain illicit entry into their OS). Finally, we'd have to assume that the water company told the owner of the house that they were sending someone over to fix a problem on their behalf (The warning clearly states that Windows is requesting the escalation, not a third party application). Given these assumptions, it would be fairly easy to say that the water company facilitated the robbery and should be held responsible. The only thing that protects MS from this kind of logic being used in a court of law is their EULA which basically insulates them from any liability if their OS is compromised. While there are a few states where this overly protective EULA doesn't stand up in court, the vast majority still view software as "buyer beware". There are almost no consumer protections available.
            jasonp9
          • Re: And how is this different than OS X?

            I never said it was different than OSX.


            :)
            none none
          • Re: UAC dialog is not being faked

            [i]Welcome to the world of social engineering - something no operating system can defend against. [/i]

            So UAC is more of a mechanism to put the blame on the user than to secure the computer?


            :)
            none none
          • re: none none

            No, it's to annoy users and in turn, to get ISVs to write their software properly.
            toadlife
          • Re: So then I guess what you're saying is

            [i]If a criminal dressed as a water service employee knocks on someone's front door, and they open it and let him in without verifying who he actually was and he then robs the place, I guess it was an issue with the front door?[/i]

            Yes, if the company I bought the front door from sold it on the basis of its security and ability to resist trojans, which is what the water company guy would be.

            I'm not faulting MS for making UAC the way it is. But I am saying MS has made its bed and now must lay therein.

            Yes, users ultimately are responsible for their computing safety. But no, none of them are going to blame themselves when their vendor says this is the most secure OS ever. The claim is meaningless and MS deserves the wrath it will get for misleading people.


            :)
            none none
          • Windows did launch it

            That's what it does. I don't see the problem here. I suppose Vista could not warn you but what does that gain you? I'd prefer the choice be given to me and I'll click cancel. Others who don't care will supply the admin password. Not much you can do about people that don't care about security. You know the type that leave the keys in the car ignition while going into a store.
            voska
          • I agree but...

            ...is such a distinction really that important:

            ""Windows needs your permission to continue," implying that Windows opened the
            dialog."

            Does it really matter if it says "Windows" or "An Application"? In the end the UAC
            prompt was displayed by the user taking a specific action and thus probably doesn't
            care if it's Windows or an application that needs the elevated privileges. Or am I
            missing something?
            ye
          • But Vista DID open the dialog box...

            The UAC dialog box will pop up whenever an app requests something. That's what it's there for, and Vista did open it. Just like your firewall alerts you about network activity on your system - even though the firewall itself did not [i]trigger[/i] the alert.

            Cleverly designed trojans can always pose as normal Vista apps and services. These can fool a firewall, the UAC, live anti-spyware software... anything. On any platform. So I refute your claim that the problem lies with Vista. The problem lies with the user who clicks "yes" (or indeed, "no") without checking if Rtvscann.exe is a real program or not first.

            These days, computing is a risky business and users need to be informed. They need as many safety nets as possible and the UAC is just another small layer of protection (and for many, another annoyance, but who said computing was fun!!?).
            A_Selby
          • It is the issue

            That the UAC Prompt may as well not be there since it doesn't accurately describe who is requesting the access
            mrlinux
          • Sure it does

            The Malware is first installed by the user into an area that the user can write to. The Malware is set to autorun which a basic user can do with their account. Then when Vista, the OS, runs this it tries to escalate the privileges. So Windows is trying to run Malicious CODE X. The third party app that didn't need privs already ran and put this in place for Vista to run.

            So me as a user. I find I accidentally ran something I shouldn't have. No immediate effect and I don't notice but the next time I logon the UAC warning pops up. Well I know I didn't install something or at least I don't think I did and in both those cases the automatic best practice is to deny the install. Then one should think about updating their AV software and scanning their PC because this behavior could mean a virus or possibly some malware.

            Now where this is going to get really annoying is when spyware which is detected by the likes of Symantec loads and asks to escalate privileges every time you log on. Get a couple dozen UAC warnings for the boat loads of spyware you get every time you logon and what is the user going to do? I'm betting they supply the Admin password to get rid of it or turn off the security entirely.
            voska
          • Response to asonp@ (On picking nits)

            Then I will rephrase that: How is this the Home Builder's Issue?

            Like anything in life, I can nitpick anything I want to the point where I am not to blame in any way, shape, or form for damage or injury from the item, it'll always be the item's fault and never mine.

            To blame everything on the OS when it should be the user's ignorance or foolishness that should be called into question is wrong as nothing will measure up to perfection, the End user MUST take responsibility for their actions sometime. If I run a trojan on a Mac (in the form of an executable, is it the OS's fault for not catching it, or mine?) If you aren't installing something and the box comes up, "Think: Hit cancel!"

            When a program is downloaded and run on Linux, does the OS tell you if the program will purposely do damage to the system?

            With the thinking of shifting the blame away from the user to the OS, let's take it one step further and say that the OS should be fine the way it is as it's the hackers and malware writers who are at fault.
            John Zern