Larry Osterman said:
longzheng said:
*snip*

Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is possible for an RCE vuln to gain administrative privileges on your desktop without your approving it.

UAC was not a security boundary in Vista, it's not a security boundary in Win7.  This is an unpleasant truth but it's one that MSFT has been making for 3 years.  Our messaging on this issue hasn't changed over all this time.

I was incorrect in my comment above about UAC btw - it is a security feature.  It's just not a security boundary.  It's a convenience feature only, there simply are too many ways for malware to bypass it for it to be considered a defendable security boundary.

The only difference between Win7 and Vista is that on Win7 it is marginally easier for malware to auto-elevate.  But that any malware that exploits that "marginally easier" mechanism is trivial to defeat - just set your UAC defaults to be the same as they are for Vista.

The internet->local machine IS a defended security boundary both by Microsoft and 3rd parties.  And Microsoft actively defends that boundary - you know that because of the monthly security fixes that are issued by both Microsoft AND 3rd parties (think Adobe, Mozilla, Google and Apple) - these are all examples of those vendors patching holes in their applications to defend this boundary. 

The goal is that there be no way for malware to get on your machine without your permission, we're not there yet and we may never get there. 

The internet->local machine boundary IS a defendable boundary because the internet is (hopefully) sandboxed in a web browser thus there's a controllable interface between the two that can be defended (although it is VERY hard to defend this boundary due to the amount of code that runs in the browser). 

On the other hand, UAC/IL is NOT a defendable boundary (UAC as a feature is useless without IL) - there's simply too much shared state between applications running in the same session to defend the boundary.  This is true for ALL graphical operating systems, btw - the instant you run an application at a higher level of privilege malware running in the lower privilege level can take over the higher level process.

As I've said before, there's only one safe configuration for both Windows AND *nix - run as a standard user and switch to an administrative user running in a different session whenever you need to perform an elevated operation.  Most users (of both *nix AND Windows) aren't willing to put up with that level of inconvenience.
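The mitigation Larry mentions ("set your UAC defaults to be the same as they are for Vista") is controlled by a few registry policy values. The following PowerShell script is an added illustration, not code from either commenter: it audits those values and can restore the Vista-style "always prompt on the secure desktop" behaviour. It assumes the documented meanings of `ConsentPromptBehaviorAdmin` (2 = always prompt for consent on the secure desktop, the Vista default; 5 = prompt only for non-Windows binaries, the Windows 7 default) and `PromptOnSecureDesktop`.

```powershell
# Added example (not from the original thread): audit the UAC policy values
# behind the Windows 7 slider and optionally restore the Vista-equivalent setting.
# Reading works as a standard user; -Restore needs an elevated prompt.
param([switch]$Restore)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Documented value meanings (assumption stated in the lead-in):
#   ConsentPromptBehaviorAdmin  2 = always prompt for consent on secure desktop (Vista default)
#                               5 = prompt only for non-Windows binaries (Windows 7 default)
#   PromptOnSecureDesktop       1 = prompts are shown on the dimmed secure desktop
#   EnableLUA                   1 = UAC on; 0 = UAC off, everything runs as full admin
$behavior      = $p.ConsentPromptBehaviorAdmin
$secureDesktop = $p.PromptOnSecureDesktop
$luaEnabled    = $p.EnableLUA

"EnableLUA                  = $luaEnabled"
"ConsentPromptBehaviorAdmin = $behavior"
"PromptOnSecureDesktop      = $secureDesktop"

if ($luaEnabled -ne 1) {
    Write-Warning 'UAC is disabled: every process in the session already holds full admin rights.'
}
elseif ($behavior -eq 5) {
    Write-Warning 'Windows 7 default: whitelisted Windows binaries auto-elevate without a prompt, so any medium-integrity process that is compromised can ride that path to admin.'
}
elseif ($behavior -eq 2 -and $secureDesktop -eq 1) {
    'Vista-equivalent setting: every elevation prompts on the secure desktop.'
}
else {
    Write-Warning "Non-default combination; review against the value table above."
}

if ($Restore) {
    # Writes require administrative rights; new elevation requests pick the values up immediately.
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1
    'Restored Vista-style prompting (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1).'
}
```

On a domain-joined machine, Group Policy can overwrite these values at the next refresh, so check the effective policy rather than only the local registry.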


"Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is possible for an RCE vuln to gain administrative privileges on your desktop without your approving it."

The situation has changed. Talking about the default settings in both cases:

- In Vista an RCE vuln had to successfully attack a process with admin rights, or wait for / trick the user into clicking a particular UAC prompt. There are far fewer processes with admin rights, and those processes tend to have a lot more attention paid to them w.r.t. vulnerability testing than your average piece of software.

- In Windows 7 an RCE / buffer-overflow vuln has to successfully attack any process (except for low-integrity ones, i.e. IE) and can then immediately and silently gain full admin rights. As soon as the RCE is on the machine it can hide itself as a rootkit and potentially never be discovered.

In the first case the attack surface is smaller and the user (or their anti-virus if it is updated in time) may be alerted to suspicious / unusual activity. It can still succeed, of course, and once it has admin it can also install a rootkit, but are you honestly trying to claim that those two situations are equivalent?

To claim they are equivalent seems no different to saying that "all operating systems have security flaws, and you can trick most users anyway, so there is no point fixing any more security flaws ever." If that is Microsoft's policy then it's disappointing.

Given that the Win 7 defaults make the prompts so easy to bypass why do we have them at all? And why can't third-party code be added to the whitelist? MS simultaneously claim it's a non-issue that the prompts can be bypassed and that it would be too dangerous to allow users to choose to whitelist third-party apps (at least for COM elevation). How does that work? Isn't that anti-competitive?

The argument that it's to force developers to change their code does not wash when Microsoft have done such an awful job of changing their own code. The only reason this silent-elevation hack had to be put into Windows 7 is that Explorer and the Control Panels spam people with so many prompts (and the utterly braindead prompts-about-prompts!).

Speaking of prompts which irritate users too much, that fact has not really changed in the standard user case. That brings into question the commitment that MS have to getting everyone to run as a standard user. It also exemplifies the hypocrisy of MS inflicting UAC prompts on third-party software to force developers to do what MS themselves cannot be bothered to do properly while MS give themselves a backdoor to make the prompts go away at the cost of reducing the default robustness of UAC.

You can't really say that third-party code cannot be trusted with whitelisting when MS's own code used whitelisting in a way which blew UAC wide open to immediate, silent bypasses.

(And standard users are still vulnerable to RCEs which spoof elevation requests. Does that mean that standard user is no more secure than running as admin with UAC turned off, by your logic?)