http://www.osnews.com/story/21653/Microsoft_Won_t_Fix_Windows_7_s_UAC

Well, at least it's over. Symantec employees cry of joy, their jobs are safe for at least five more years.

https://bugs.launchpad.net/ubuntu/+bug/127116

2 years, marked invalid 

You people suck at teh hax0r if you think UAC or root/user separation makes much a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

RoyalSchrubber said:

If it is any consolation to you, most linux distributions that use bash as default scripting language are vulnerable too..

https://bugs.launchpad.net/ubuntu/+bug/127116

2 years, marked invalid 

Not really, that bash "vulnerability" is dubious at best....

It's dissapointing to see Microsoft backing down on UAC, I think the majority of people aren't actually as bothered about the prompts as a handful of whiny bloggers would suggest, and whether they are prepared to admit it or not it certainly reduces the effectiveness of UAC (a quick scan of the MSDN forums reveals swathes of programmers trying to circumvent UAC, not because they're malicious, but because they don't see the need to fix LUA issues).

Naturally, I'll be running UAC at it's full setting and I'll just have to deal with the broken apps, because they will be inevitable. And Standard User Accounts will continue to be a pain in Windows because Microsoft continue to miss the point on this issue, albeit probably quite deliberatly in the face of yet another swathe of Vista-esque bad publicity.

Bass said:

Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured then some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensistive information, nor to open sockets, or access the keyboard and mouse.

You people suck at teh hax0r if you think UAC or root/user separation makes much a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

++

Bass said:

Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured then some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensistive information, nor to open sockets, or access the keyboard and mouse.

You people suck at teh hax0r if you think UAC or root/user separation makes much a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

Because those types of issues can be removed. A rooted system is a reinstall.

ManipUni said:

Bass said:

*snip*

Because those types of issues can be removed. A rooted system is a reinstall.

Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

PaoloM said:

ManipUni said:

*snip*

Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

So why bother with UAC at all? Why don't we just go back to a crappy single-user version of Windows and be done with it?

Yes, a user's data is the most valuable thing on the machine (to that user) but allowing the OS to be deeply compromised enables malware to do things other than just compromise the data on the machine and the end result may be far more harmful.

PaoloM said:

ManipUni said:

*snip*

Once the most important thing on your system has been compromised, reinstalling is the last of your problems.

Because people write spyware to destroy those pictures of your family trip? Give me a break...

By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

ManipUni said:

PaoloM said:

*snip*

Because people write spyware to destroy those pictures of your family trip? Give me a break...

By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

 

No, but people write spyware to lift "My Documents" and the internet cache.

ManipUni said:

PaoloM said:

*snip*

Because people write spyware to destroy those pictures of your family trip? Give me a break...

By your logic we should just draw a line under Windows' security right now and assume that the second anything nasty is executed the entire show is over. Maybe in the next version Microsoft can work on faster format/reinstalls?

The Windows architecture needs a major update. Things running as a user should have significantly less access than they do today. But until UAC is in place it is pointless.

No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc).

 

"No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc)."

Did you mean to say that Manip ... I'll give you a moment to think about this statement, you can go ahead and change it because I would if I was you! Because strong UAC is sure as heck not going to stop a whole load of other vulnerabilities that AV also protects against. 

The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

Sabot said:

ManipUni said:

*snip*

"No computer should NEED anti-virus. And UAC prompts should become the exception and not the rule, to such an extent that I can put my mom on a user account and she can use her computer happily without getting spyware (*updates auto applied etc)."

Did you mean to say that Manip ... I'll give you a moment to think about this statement, you can go ahead and change it because I would if I was you! Because strong UAC is sure as heck not going to stop a whole load of other vulnerabilities that AV also protects against. 

Well I am going too far. Anti-Virus will always have a place. But what I mean is that when something nasty is run as a user that is almost harmless to the safety of the system as a whole. If the user doesn't accept that UAC prompt they're safe. In an environment like that, some users could live without AV.

So for example on a system with no personal data (web-access slave system) without an admin account could very much live without AV. I'd still recommend it though

Ray7 said:

I've suddenly realised what Microsoft is talking about! We've been looking at it from the wrong side.

The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

 

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

Ray7 said:

I've suddenly realised what Microsoft is talking about! We've been looking at it from the wrong side.

The UAC is not there to help keep users secure. If you think about it, it is there to allow developers to keep writing the same security-busting code they have done since Windows95.

Take a leaf out of Apple's play-book. If you don't keep your code up to date, then you don't get to play.

 

Please watch and understand this: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

Learn.

C

http://blogs.msdn.com/uac/

"User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn."

Actually Within Windows has just written about this...

http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/

UAC in its "annoying" origional state was great. At this point I am not even sure Microsoft knows what they want to define UAC to be. I am pretty sure it is meant to be a security feature...

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

 Maybe that's Microsoft's problem right there.

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

"And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away."

---------------------------

Exploits with quotes around them? So, being able to break a boundary (for whatever reason it's there) with ease is *not* an exploit?

"The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration."

--------------

Hey, exactly! Let me quote Leo Davidson (the guy who discovered the UAC mess):

---

"Microsoft clearly realise that even the button-click prompts were too annoying for many users as that’s why they removed them for admin users (for their badly-written software which prompts too much only).

You cannot honestly thing that standard user accounts, as they stand today, are a solution that people will actually use after the reaction to Vista’s UAC.

Additionally, standard user accounts are not the default. You have to go out of your way to use them. Almost nobody will, except in businesses where they were already running locked-down accounts since the days of NT4 and where UAC elevation will barely be used at all.

Standard user accounts are a distraction and an excuse as far as Windows 7 goes. You might as well say “People should use Linux to be more secure” as it’s about as relevant and likely to happen. If Windows 8 (or whatever) actually makes standard user the default, and makes improves the user experience to one that people might actually put up with, then the argument will hold water.

The thing is, we’re only arguing about the stupidity (and unfairness on 3rd party developers) of Windows 7’s UAC because of the default settings. People can change to Always Prompt and make it like Vista… Unless we explain why Windows 7’s defaults are the worst of both worlds — annoying prompts for some applications combined with almost zero difficulty in bypassing the prompts for anything that really wants to — and inform people that they can either set UAC to always prompt or to silently elevate (for all apps), people are just going to use the defaults.

The one thing most people are not going to use in Windows 7 is standard user accounts. It’s more painful than what everyone complained about on Vista, not less."

----

http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/#comment-3851

He is basicaly saying the same thing as you, and THAT IS A BAD THING! Where do you go from here? UAC is now holey as cheese on the default setting, and, as you said, almost no one will run as standard user, because that's more annoying than the old Vista UAC behaviour.

What now? What is the future of Windows security? Will it be now "forever" that users will work as administrators with a broken UAC? Or will you force in Windows 8 that the default user will be a standard account user? But if you do that, people will be extremely annoyed! After  Windows 7, with its reduced UAC dialogs, people WON'T ACCEPT a standard user account in Windows 8 - because on a standard account there will be much more UAC prompts than on the default administrator account on win7 with its broken UAC.

UAC was a good tool to prepare people for the "standard account future", but now.. it's less likely that normal users will accept that future, after they use win7.

It seems that you guys maneuvered yourselves into a pretty naster corner, just to please the blogosphere.

But I get the feeling they are in a corner a bit, they would probably want to fix it purely to avoid the confusion, but its likely that they can't fix it because stopping 'dll injection' would damage 'legit scenarios'.. this or its far too late in the dev cycle to make this kinda change given the amount of app testing that would need to be done.

stevo_ said:

Don't know what I think about this scenario anymore, to me if MS could fix this without dumping the entire auto elevated signed apps thing then they should do it, purely on the basis that it would calm the panic (regardless if the panic is legit or not).. and would avoid the usual zillion articles of how 7 sucks more than xp now because of the this one thing..

But I get the feeling they are in a corner a bit, they would probably want to fix it purely to avoid the confusion, but its likely that they can't fix it because stopping 'dll injection' would damage 'legit scenarios'.. this or its far too late in the dev cycle to make this kinda change given the amount of app testing that would need to be done.

It doesn't suck more than XP. It sucks in the same way as XP.

I think Microsoft (and some people on here) are playing a short game. While the people calling BS are playing the long game.

In Microsoft's short game they know full well that an admin-user account with UAC enabled fully has holes and they cannot fix them in Windows 7, so what is the point in UAC? They're thus turning it off, presenting even more holes.

The long game is to leave UAC on, have users getting used to it, have programs getting used to it and look at removing admin-user accounts entirely in the future. They also need to look at what rights user-user processes have in order to avoid some common hyjack escalations scenarios.

wastingtimewithforums said:

Larry Osterman said:

*snip*

"And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away."

---------------------------

Exploits with quotes around them? So, being able to break a boundary (for whatever reason it's there) with ease is *not* an exploit?

 

"The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration."

--------------

Hey, exactly! Let me quote Leo Davidson (the guy who discovered the UAC mess):

---

"Microsoft clearly realise that even the button-click prompts were too annoying for many users as that’s why they removed them for admin users (for their badly-written software which prompts too much only).

You cannot honestly thing that standard user accounts, as they stand today, are a solution that people will actually use after the reaction to Vista’s UAC.

Additionally, standard user accounts are not the default. You have to go out of your way to use them. Almost nobody will, except in businesses where they were already running locked-down accounts since the days of NT4 and where UAC elevation will barely be used at all.

Standard user accounts are a distraction and an excuse as far as Windows 7 goes. You might as well say “People should use Linux to be more secure” as it’s about as relevant and likely to happen. If Windows 8 (or whatever) actually makes standard user the default, and makes improves the user experience to one that people might actually put up with, then the argument will hold water.

The thing is, we’re only arguing about the stupidity (and unfairness on 3rd party developers) of Windows 7’s UAC because of the default settings. People can change to Always Prompt and make it like Vista… Unless we explain why Windows 7’s defaults are the worst of both worlds — annoying prompts for some applications combined with almost zero difficulty in bypassing the prompts for anything that really wants to — and inform people that they can either set UAC to always prompt or to silently elevate (for all apps), people are just going to use the defaults.

The one thing most people are not going to use in Windows 7 is standard user accounts. It’s more painful than what everyone complained about on Vista, not less."

----

http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/#comment-3851

He is basicaly saying the same thing as you, and THAT IS A BAD THING! Where do you go from here? UAC is now holey as cheese on the default setting, and, as you said, almost no one will run as standard user, because that's more annoying than the old Vista UAC behaviour.

What now? What is the future of Windows security? Will it be now "forever" that users will work as administrators with a broken UAC? Or will you force in Windows 8 that the default user will be a standard account user? But if you do that, people will be extremely annoyed! After  Windows 7, with its reduced UAC dialogs, people WON'T ACCEPT a standard user account in Windows 8 - because on a standard account there will be much more UAC prompts than on the default administrator account on win7 with its broken UAC.

UAC was a good tool to prepare people for the "standard account future", but now.. it's less likely that normal users will accept that future, after they use win7.

It seems that you guys maneuvered yourselves into a pretty naster corner, just to please the blogosphere.

http://www.codeproject.com/Messages/3045414/Setting-System-Clock-in-Vista-7-UAC-problem.aspx

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

Ah now come on that's not true. MS has touted UAC as a security feature.

UAC blog "User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn."

MSDN "In this webcast, we explore Windows User Account Control (UAC), a new security feature in the Windows Vista operating system."

MSDN "User Account Control (UAC), introduced in Windows Vista, is a security feature"

But of course strictly speaking it's not, but that's a technical definition. That's like saying that SQL server isn't a relation database because it doesn't meet all of the strict relational criteria that Codd set out (it's not, not all views are updatable)

Until Windows installs force the creation of an admin and a least privilege user it's the best there is.

blowdart said:

Larry Osterman said:

*snip*

Ah now come on that's not true. MS has touted UAC as a security feature.

UAC blog "User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn."

MSDN "In this webcast, we explore Windows User Account Control (UAC), a new security feature in the Windows Vista operating system."

MSDN "User Account Control (UAC), introduced in Windows Vista, is a security feature"

But of course strictly speaking it's not, but that's a technical definition. That's like saying that SQL server isn't a relation database because it doesn't meet all of the strict relational criteria that Codd set out (it's not, not all views are updatable)

Until Windows installs force the creation of an admin and a least privilege user it's the best there is.

True. They were calling it a security feature right up to the point when Windows 7's UAC vulnerabilities were discovered, and then suddenly it wasn't about security anymore. We've had this discussion before. There's a lot of bull about UAC and Windows security in general, let's not add to it with this "when we called it security we actually meant not security at all" stuff.

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

Larry Osterman said:

that acts as a forcing function to convince software developers to get their act together.

Except now it doesn't. We're back to the bad old days where the path of least resistance is to assume users have Administrator rights. Sure you have to hack around UAC, but that's relatively trivial compared to properly architecting your application. Sure, your app will then break horrendously if someone runs as a Standard User or changes the default settings, but that's their own fault right? Nobody bothered worrying about that with XP, so why should they with 7?

And the amazingly dumb thing is that all Microsoft have to do is follow their own guidelines[1] and change the default UAC setting to the highest level. They can leave the slider in place, they can even leave the dubious "Microsoft signed code elevates silently" as long as it isn't the default behaviour and we'll all be a lot better off for it.

Sure UAC has never been a security boundary and shouldn't be thought of as one, but it is still a security feature (it even appears under the Security options in Action Center FFS!) so it ought to be set at the most restrictive level by default. That's what Trustworthy Computing was supposed to be all about and it's disturbing to see that thrown out of the window so quickly in response to a minority of whingers who are going to make noise whatever you do.

I really hope the voice of reason hits home at the eleventh hour, I honestly do. I don't think it'll happen though and that's bad for everyone. Windows 7 will ship with a dumb UAC default and nothing seems likely to change that now.

[1] The Trustworthy Computing Security Development Lifecycle

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

Yeah, okay Larry. UAC is marketed as a security feature on various Microsoft sites. The fact that no one really knows what UAC is anymore is your problem, not ours. There's a lack of consistency across the board and you guys should be embarassed.

One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).

UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.

C

Larry Osterman said:

Ray7 said:

*snip*

***DING*** ***DING***  Give the man a ceegar.

UAC has never been a security feature.  Microsoft has NEVER claimed that UAC was a security feature.  It's a convenience feature that acts as a forcing function to convince software developers to get their act together. 

And if you don't like the default settings, you can make a trivial change to increase your prompting level back to where it was in Vista and all these "exploits" go away.

The ONLY secure scenario is to run as a standard user (with no admin privileges) and use fast user switching to switch to an admin account when you need to make configuration changes to the machine.  But most users won't put up with that level of security.  Heck, look at how much people complained about the UAC prompts.  Imagine how annoyed they'd be if MSFT forced them to log into another account to change their system configuration.

 

 

If UAC is not a security feature, you need to let the people writing about it on Technet know (because, last time I checked, Technet was the definitive source for technical information about Windows):

http://technet.microsoft.com/en-us/library/cc709691.aspx

Technet said:

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

[...]

To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.

Uxtheme Rafael said:

Larry Osterman said:

*snip*

Yeah, okay Larry. UAC is marketed as a security feature on various Microsoft sites. The fact that no one really knows what UAC is anymore is your problem, not ours. There's a lack of consistency across the board and you guys should be embarassed.

Everyone that has responded in this thread thus far ought to know what UAC is and does by now. This has been debated on countless occasions.

Yes they got the messaging to us wrong, I blame marketing and over zealous security PM's.

The fact of the matter is that most computers needs an expert to maintain them, that is fine if you are a developer or computer enthusiast, but a general user finds it difficult. Foisting this upon billions of users is not commercially adriot - look at XP!

 If you were in charge of a multi-billion product, and one of the chief complaints was security prompts what would you do? Obviously that complainant is a fool, but it is better to sell the product (like XP sold in droves), and leave that individual under the control of AV companies. It is less complicated that way, and you have less complaints - far less by the way.

If users get a virus or their security is compromised, Microsoft's response will be elevate UAC, you complained when we had it high, now see what happened.

This is an economical descicion, and totally, wholly incontrovertibly the correct one!

vesuvius said:

Uxtheme Rafael said:

*snip*

Everyone that has responded in this thread thus far ought to know what UAC is and does by now. This has been debated on countless occasions.

Yes they got the messaging to us wrong, I blame marketing and over zealous security PM's.

The fact of the matter is that most computers needs an expert to maintain them, that is fine if you are a developer or computer enthusiast, but a general user finds it difficult. Foisting this upon billions of users is not commercially adriot - look at XP!

 If you were in charge of a multi-billion product, and one of the chief complaints was security prompts what would you do? Obviously that complainant is a fool, but it is better to sell the product (like XP sold in droves), and leave that individual under the control of AV companies. It is less complicated that way, and you have less complaints - far less by the way.

If users get a virus or their security is compromised, Microsoft's response will be elevate UAC, you complained when we had it high, now see what happened.

This is an economical descicion, and totally, wholly incontrovertibly the correct one!

 

vesuvius said:

this is an economical descicion, and totally, wholly incontrovertibly the correct one!

It's undoubtedly a marketing decision, but even then I don't think it's the right one. UAC got complaints because it was seen as annoying AND switching it off (the only choice exposed in the UI) caused Windows to nag you to switch it back on. Having the default remain as Vista but providing the UI to tone it down, if you wanted to, would have kept the security without making individuals feel they didn't have control over there computer any more.

vesuvius said:

Uxtheme Rafael said:

*snip*

Everyone that has responded in this thread thus far ought to know what UAC is and does by now. This has been debated on countless occasions.

Yes they got the messaging to us wrong, I blame marketing and over zealous security PM's.

The fact of the matter is that most computers needs an expert to maintain them, that is fine if you are a developer or computer enthusiast, but a general user finds it difficult. Foisting this upon billions of users is not commercially adriot - look at XP!

 If you were in charge of a multi-billion product, and one of the chief complaints was security prompts what would you do? Obviously that complainant is a fool, but it is better to sell the product (like XP sold in droves), and leave that individual under the control of AV companies. It is less complicated that way, and you have less complaints - far less by the way.

If users get a virus or their security is compromised, Microsoft's response will be elevate UAC, you complained when we had it high, now see what happened.

This is an economical descicion, and totally, wholly incontrovertibly the correct one!

 

Everyone that has responded in this thread thus far ought to know what UAC is and does by now. This has been debated on countless occasions.

I ought to know what? Who's right here? As previous posters have clearly mentioned, there is not one de facto standard definition on UAC. Am I to take your definition? Technet's? Mark's? Windows Help? MSDN?

Microsoft marketed it as a security feature, which means the general consensus amongst consumers -- you know, whom Windows is built for -- is that it's a security feature. Period. These other bloggers can claim otherwise, but it's too late. Their focus should now be huddling up internally to figure out how, in Windows 8, they'll present UAC as merely the "convienence feature" it was originally designed to be.

EDITS: Purely for display purposes.

Uxtheme Rafael said:

vesuvius said:

*snip*

I ought to know what? Who's right here? As previous posters have clearly mentioned, there is not one de facto standard definition on UAC. Am I to take your definition? Technet's? Mark's? Windows Help? MSDN?

Microsoft marketed it as a security feature, which means the general consensus amongst consumers -- you know, whom Windows is built for -- is that it's a security feature. Period. These other bloggers can claim otherwise, but it's too late. Their focus should now be huddling up internally to figure out how, in Windows 8, they'll present UAC as merely the "convienence feature" it was originally designed to be.

 

EDITS: Purely for display purposes.

 

Well to be fair WinFS was marketed as the next generation file system, so it's not like MS hasn't changed its mind before

Uxtheme Rafael said:

vesuvius said:

*snip*

I ought to know what? Who's right here? As previous posters have clearly mentioned, there is not one de facto standard definition on UAC. Am I to take your definition? Technet's? Mark's? Windows Help? MSDN?

Microsoft marketed it as a security feature, which means the general consensus amongst consumers -- you know, whom Windows is built for -- is that it's a security feature. Period. These other bloggers can claim otherwise, but it's too late. Their focus should now be huddling up internally to figure out how, in Windows 8, they'll present UAC as merely the "convienence feature" it was originally designed to be.

 

EDITS: Purely for display purposes.

 

Your average user couldn't care less that Microsoft got it's UAC knickers-in-a-twist. If you work in a software environment, one of the prime areas of concern are complaints. If people are complaining a lot about UAC (its a case of the lowset common denominator here), then you placate them.

 That is a prime function and responsibility as a software vendor. There are far more general users than Windows developers and enthusiasts like you. Think of it as having to listen to you local commercial radio station. If they play NIN or even the Beatles nowadays, people will say it's not Katie Perry.

That is this thread in a nutshell!

Rather than complain, teach people to elevate their UAC, and that is is good for them. This descicion will not ruin Windows Se7en, as XP and running as admin ostensibly demonstrates.

blowdart said:

Uxtheme Rafael said:

*snip*

Well to be fair WinFS was marketed as the next generation file system, so it's not like MS hasn't changed its mind before

True, but I'd appreciate it if they didn't pretend that they never really presented it as a security feature.

Charles said:

From Jon DeVaan (source = E7 blog):

One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed. This part of UAC is in full force when the “Notify me only when…” setting is used. UAC also prompts for other system wide changes that require administrator privileges which, considered in the abstract, would seem to be an effective counter-measure to malware after it is running, but the practical experience is that its effect is limited. For example, clever malware will avoid operations that require elevation. There are other human behavior factors which were discussed in our earlier blog posts (post #1 and post #2).

UAC also helps software developers improve their programs to run without requiring administrator privileges. The most effective way to secure a system against malware is to run with standard user privileges. As more software works well without administrator privileges, more people will run as standard user. We expect that anyone responsible for a set of Windows 7 machines (such as IT Administrators or the family helpdesk worker (like me!)) will administer them to use standard user accounts. The recent feedback has noted explicitly that running as standard user works well. Administrators also have Group Policy at their disposal to enforce the UAC setting to “Always Notify” if they choose to manage their machines with administrator accounts instead of standard user accounts.

 

C

I say again, from the UAC Blog.

http://blogs.msdn.com/uac/

User Account Control (UAC) is a core security feature..

vesuvius said:

Uxtheme Rafael said:

*snip*

Everyone that has responded in this thread thus far ought to know what UAC is and does by now. This has been debated on countless occasions.

Yes they got the messaging to us wrong, I blame marketing and over zealous security PM's.

The fact of the matter is that most computers needs an expert to maintain them, that is fine if you are a developer or computer enthusiast, but a general user finds it difficult. Foisting this upon billions of users is not commercially adriot - look at XP!

 If you were in charge of a multi-billion product, and one of the chief complaints was security prompts what would you do? Obviously that complainant is a fool, but it is better to sell the product (like XP sold in droves), and leave that individual under the control of AV companies. It is less complicated that way, and you have less complaints - far less by the way.

If users get a virus or their security is compromised, Microsoft's response will be elevate UAC, you complained when we had it high, now see what happened.

This is an economical descicion, and totally, wholly incontrovertibly the correct one!

 

"XP sold in droves"

-------------

Not that much.

Google stats from 2003:

http://web.archive.org/web/20030401082712/http://www.google.com/press/zeitgeist.html">http://www.google.com/press/zeitgeist.html">http://web.archive.org/web/20030401082712/http://www.google.com/press/zeitgeist.html

Windows 98 - 36%
Windows XP - 28%
Windows 2000 - 21%

XP became dominant only in 2004 or so.  Three years after release. What made XP such a success is the fact that it had more than five years to spread. No other windows had that long no successor.

Vista has now 24.35% market share:

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10

After around two and half years of market availability (since january 2007) that's not that bad, considering how entrenched XP is, and the negative image that Vista has. The reason Microsoft destroyed UAC is because of the whiney blogosphere, and the statistics show me, that the blogosphere has much less influence on the market than they think they have.

wastingtimewithforums said:

vesuvius said:

*snip*

"XP sold in droves"

-------------

Not that much.

Google stats from 2003:

http://web.archive.org/web/20030401082712/http://www.google.com/press/zeitgeist.html">http://www.google.com/press/zeitgeist.html">http://web.archive.org/web/20030401082712/http://www.google.com/press/zeitgeist.html

Windows 98 - 36%
Windows XP - 28%
Windows 2000 - 21%

XP became dominant only in 2004 or so.  Three years after release. What made XP such a success is the fact that it had more than five years to spread. No other windows had that long no successor.

Vista has now 24.35% market share:

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=10

After around two and half years of market availability (since january 2007) that's not that bad, considering how entrenched XP is, and the negative image that Vista has. The reason Microsoft destroyed UAC is because of the whiney blogosphere, and the statistics show me, that the blogosphere has much less influence on the market than they think they have.

The reason Microsoft destroyed UAC is because of the whiney blogosphere, and the statistics show me, that the blogosphere has much less influence on the market than they think they have.

Ignoring the fact your statement contradicts itself, I just wanted to make note that Microsoft made changes to UAC -- whether you view them as good or bad -- based on user feedback from various channels, including their Customer Experience Improvement Program. To blame UAC's changes, and their perception, on us bloggers is just wrong.

Uxtheme Rafael said:

wastingtimewithforums said:

*snip*

Ignoring the fact your statement contradicts itself, I just wanted to make note that Microsoft made changes to UAC -- whether you view them as good or bad -- based on user feedback from various channels, including their Customer Experience Improvement Program. To blame UAC's changes, and their perception, on us bloggers is just wrong.

 

"Ignoring the fact your statement contradicts itself"

----

How so? Okay: the blogosphere has much less influence on the market than they (and Microsoft!) think they have

Now it makes more sense.

"including their Customer Experience Improvement Program"

How so? That thing is automatic:

http://www.microsoft.com/products/ceip/EN-US/default.mspx

---

Can I review the information before it is sent to Microsoft?
Unfortunately the information can't be reviewed for a couple of reasons:

----------------

How does it measure how much the user is annoyed by UAC?

intelman said:

Charles said:

*snip*

I say again, from the UAC Blog.

http://blogs.msdn.com/uac/

User Account Control (UAC) is a core security feature..

Well, as you can see that is a defunct blog... Is this debate about how Microsoft misrepresented UAC in the Vista timeframe or is it about UAC and the distinction between running as a standard user by default and core security boundaries of the underlying system? This is an argument about the past, right? Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7. I've lost track of the problem, exactly. What's the issue again?

C

Charles said:

intelman said:

*snip*

Well, as you can see that is a defunct blog... Is this debate about how Microsoft misrepresented UAC in the Vista timeframe or is it about UAC and the distinction between running as a standard user by default and core security boundaries of the underlying system? This is an argument about the past, right? Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7. I've lost track of the problem, exactly. What's the issue again?

C

Charles said:

Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along?

Not really. Either UAC is a security feature and the default setting is wrong or this dialog is broken:

AndyC said:

Charles said:

*snip*

Not really. Either UAC is a security feature and the default setting is wrong or this dialog is broken:

UAC is not a security boundary. I'm sorry I used the term "feature". UAC is not a security boundary.

C

Charles said:

intelman said:

*snip*

Well, as you can see that is a defunct blog... Is this debate about how Microsoft misrepresented UAC in the Vista timeframe or is it about UAC and the distinction between running as a standard user by default and core security boundaries of the underlying system? This is an argument about the past, right? Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7. I've lost track of the problem, exactly. What's the issue again?

C

If the application that does the code injection needs to pass a UAC prompt before it can be installed, the users agrees the application is trust wordy so it does not need to prompt when it is doing admin stuff?

Am I right? Or doens't the applcation doing the injection need a UAC prompt to install? It doens't need one to boot in any UAC mode i guess because otherwise we would not have this discussion.

Charles said:

intelman said:

*snip*

Well, as you can see that is a defunct blog... Is this debate about how Microsoft misrepresented UAC in the Vista timeframe or is it about UAC and the distinction between running as a standard user by default and core security boundaries of the underlying system? This is an argument about the past, right? Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7. I've lost track of the problem, exactly. What's the issue again?

C

So you mean that it's now a "convenience feature" - in what way is it more CONVENIANT to have an extra 1 - 4 clicks along the way? You can argue that it helps to limit admin functionality access which makes the machine more secure (which is not true as users ignore the dialogs and just click through) but it certainly doesn't make your use of the machine more convenient.

Charles said:

AndyC said:

*snip*

UAC is not a security boundary. I'm sorry I used the term "feature". UAC is not a security boundary.

C

Agreed. UAC is not a security boundary. It is a security feature. The whole Trustworthy Computing/SDL thing is supposed to mean you ship security features in the most secure setting - Secure by Design, Secure by Default, Secure by Deployment+Communication. That appears to have been forgotten.

Charles said:

intelman said:

*snip*

Well, as you can see that is a defunct blog... Is this debate about how Microsoft misrepresented UAC in the Vista timeframe or is it about UAC and the distinction between running as a standard user by default and core security boundaries of the underlying system? This is an argument about the past, right? Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7. I've lost track of the problem, exactly. What's the issue again?

C

"Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7."

------------------

So you had it wrong all these years and now you guys saw the light? Just when the UAC issues with Win7 appeared?

fortunate coincidence! Seriously, I am disappointed. I've read all the anti-MS hate posts on slashdot and various other internet holes and was never impressed by their stupid arguments, but, reading this inane responses from you guys... I've lost a substantial amount of respect for MS. This move could be the biggest negative advertising in the tech community for Microsoft EVER.

Look how much noise it generates:

http://www.google.com/search?hl=en&q=%22windows+7%22%2Buac&aq=f&oq=&aqi=g10

This could turn into something huge.

Of course I understand you guys. You wanted to please the blogger and slashdot crowds with that move, but the approach was obviously shortsighted. You know it now of course - but what do to? It's too late in the product cycle to over-engineer UAC to such extend that it will detect code injections and such (if it is even possible), and setting the UAC default behaviour back to Vista levels.. well, I still think it would be the right choice, but you guys advertised so much with the claim that Windows 7 is "less annoying than Vista" so that that move will generate negative press. But seriously, isn't it better to fix it now, get some bad press for one month, than not fixing it, and getting bad press about it for the next several years?

I  can imagine that the guy who came up with the bright idea to make UAC "less annoying" got, when the flaws started to come up, an facial expression found on infants who have just crapped into their pants. He propably sat stupidly in an oozing euphoria, grinning from ear to ear, subcounsciously knowing he made a serious error, but not really understanding it.

wastingtimewithforums said:

Charles said:

*snip*

"Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7."

------------------

So you had it wrong all these years and now you guys saw the light? Just when the UAC issues with Win7 appeared?

fortunate coincidence! Seriously, I am disappointed. I've read all the anti-MS hate posts on slashdot and various other internet holes and was never impressed by their stupid arguments, but, reading this inane responses from you guys... I've lost a substantial amount of respect for MS. This move could be the biggest negative advertising in the tech community for Microsoft EVER.

Look how much noise it generates:

http://www.google.com/search?hl=en&q=%22windows+7%22%2Buac&aq=f&oq=&aqi=g10

This could turn into something huge.

Of course I understand you guys. You wanted to please the blogger and slashdot crowds with that move, but the approach was obviously shortsighted. You know it now of course - but what do to? It's too late in the product cycle to over-engineer UAC to such extend that it will detect code injections and such (if it is even possible), and setting the UAC default behaviour back to Vista levels.. well, I still think it would be the right choice, but you guys advertised so much with the claim that Windows 7 is "less annoying than Vista" so that that move will generate negative press. But seriously, isn't it better to fix it now, get some bad press for one month, than not fixing it, and getting bad press about it for the next several years?

I  can imagine that the guy who came up with the bright idea to make UAC "less annoying" got, when the flaws started to come up, an facial expression found on infants who have just crapped into their pants. He propably sat stupidly in an oozing euphoria, grinning from ear to ear, subcounsciously knowing he made a serious error, but not really understanding it.

What the hell is with all the whining in this thread? They made a decision to sacrifice some security for usability. If you want to do it differently make your own damn OS.

Bass said:

wastingtimewithforums said:

*snip*

What the hell is with all the whining in this thread? They made a decision to sacrifice some security for usability. If you want to do it differently make your own damn OS.

"They made a decision to sacrifice some security for usability"

---------------------------------

The problem is, that in the long term this decision is pretty negative for the windows plattform as a whole. The implications of this decision could haunt the plattform for years and years to come.

To quote myself:

-----------
What now? What is the future of Windows security? Will it be now "forever" that users will work as administrators with a broken UAC? Or will you force in Windows 8 that the default user will be a standard account user? But if you do that, people will be extremely annoyed! After  Windows 7, with its reduced UAC dialogs, people WON'T ACCEPT a standard user account in Windows 8 - because on a standard account there will be much more UAC prompts than on the default administrator account on win7 with its broken UAC.

UAC was a good tool to prepare people for the "standard account future", but now.. it's less likely that normal users will accept that future, after they use win7.

It seems that you guys maneuvered yourselves into a pretty naster corner, just to please the blogosphere

-----------

http://channel9.msdn.com/forums/Coffeehouse/473037-UAC-controversy-the-last-episode/?CommentID=473105

I repeat myself: What now? What is the future of Windows security wise? This shows me that MS doesn't has the balls to enforce security. If they are freaked out so easily by the negativity towards UAC (which is pretty mild - it just wants a click, not password [if you're an administrator]) - Just how in hell do they want to make the standard account as the default account in the future?

Bass said:

wastingtimewithforums said:

*snip*

What the hell is with all the whining in this thread? They made a decision to sacrifice some security for usability. If you want to do it differently make your own damn OS.

That's actually a good idea, I was wondering what I should do with those spare 40 bil. dollars lying around in my pocket...

wastingtimewithforums said:

Charles said:

*snip*

"Sure, OK, the UAC blog, Windows blogs, media outlets, even Channel 9, misrepresented UAC as a security feature during the Vista daze. Can we move along? Can we focus on the here and now? DeVaan's post is from 2009. The context is Windows 7."

------------------

So you had it wrong all these years and now you guys saw the light? Just when the UAC issues with Win7 appeared?

fortunate coincidence! Seriously, I am disappointed. I've read all the anti-MS hate posts on slashdot and various other internet holes and was never impressed by their stupid arguments, but, reading this inane responses from you guys... I've lost a substantial amount of respect for MS. This move could be the biggest negative advertising in the tech community for Microsoft EVER.

Look how much noise it generates:

http://www.google.com/search?hl=en&q=%22windows+7%22%2Buac&aq=f&oq=&aqi=g10

This could turn into something huge.

Of course I understand you guys. You wanted to please the blogger and slashdot crowds with that move, but the approach was obviously shortsighted. You know it now of course - but what do to? It's too late in the product cycle to over-engineer UAC to such extend that it will detect code injections and such (if it is even possible), and setting the UAC default behaviour back to Vista levels.. well, I still think it would be the right choice, but you guys advertised so much with the claim that Windows 7 is "less annoying than Vista" so that that move will generate negative press. But seriously, isn't it better to fix it now, get some bad press for one month, than not fixing it, and getting bad press about it for the next several years?

I  can imagine that the guy who came up with the bright idea to make UAC "less annoying" got, when the flaws started to come up, an facial expression found on infants who have just crapped into their pants. He propably sat stupidly in an oozing euphoria, grinning from ear to ear, subcounsciously knowing he made a serious error, but not really understanding it.

I provided a link to Jon's post on E7. Why don't ask these questions/provide this feedback there? What are you trying to accomplish here? We are not the Windows team. The Windows team doesn't spend time here going through threads. They want this conversation to happen on E7. So, make it happen there.

C

RoyalSchrubber said:

Bass said:

*snip*

That's actually a good idea, I was wondering what I should do with those spare 40 bil. dollars lying around in my pocket...

You don't need 40 billion to make an OS. Even Microsoft doesn't spend that much on Windows.

Charles said:

wastingtimewithforums said:

*snip*

I provided a link to Jon's post on E7. Why don't ask these questions/provide this feedback there? What are you trying to accomplish here? We are not the Windows team. The Windows team doesn't spend time here going through threads. They want this conversation to happen on E7. So, make it happen there.

C

"The Windows team doesn't spend time here going through threads."

Why not? No, seriously. What's the point of channel9?

http://channel9.msdn.com/About/

"Channel 9 is all about the conversation. Channel 9 should inspire Microsoft and our customers to talk in an honest and human voice."

I thought this place is a central hub to "talk" to Microsoft. If it's not, make it! There is a need for such a hub. Or is the prefered way for communication for MS really all those scattered msdn blogs?

And by the way - we both know the UAC behaviour won't be changed. The guy who discovered it never got an answer from the windows team, despite contacting Microsoft several times:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

So what's the point in posting on that blog? Well, of course you could ask the question why I am posting here, since it's pointless to post here about that too. I am posting here because it seems to make some noise, (externally) much more people read this forum than the e7 blog. I noticed some people who posted about that issue there and their comments were quickly buried by other comments and no one noticed it.

At the end of the day, it's you who is working at Microsoft, and if the Windows plattform will be in trouble, you guys will have trouble too. So, since it's in your interest, why don't you send a link to this thread to the windows 7 team, and ask them to comment on this issue again? The chances are better if a fellow Softie asks them than some faceless commenter. I think the posters here made good points, why not counter them one by one by the windows team?

Especially:

1. All the talk about UAC not a security feature/boundary/whatever EVEN THOUGH Microsoft touted the complete opposite just 6-8 months ago! There are plenty of links in this thread that prove this. How do they explain that? Either Microsoft didn't know what UAC was when it developed and advertised it, or they knew it back then and don't know it now.

2. What about the future of Windows plattform? How does it fare with the decision to cripple UAC? I wrote about it here:http://channel9.msdn.com/forums/Coffeehouse/473037-UAC-controversy-the-last-episode/?CommentID=473261

wastingtimewithforums said:

Charles said:

*snip*

"The Windows team doesn't spend time here going through threads."

Why not? No, seriously. What's the point of channel9?

http://channel9.msdn.com/About/

"Channel 9 is all about the conversation. Channel 9 should inspire Microsoft and our customers to talk in an honest and human voice."

I thought this place is a central hub to "talk" to Microsoft. If it's not, make it! There is a need for such a hub. Or is the prefered way for communication for MS really all those scattered msdn blogs?

And by the way - we both know the UAC behaviour won't be changed. The guy who discovered it never got an answer from the windows team, despite contacting Microsoft several times:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

So what's the point in posting on that blog? Well, of course you could ask the question why I am posting here, since it's pointless to post here about that too. I am posting here because it seems to make some noise, (externally) much more people read this forum than the e7 blog. I noticed some people who posted about that issue there and their comments were quickly buried by other comments and no one noticed it.

At the end of the day, it's you who is working at Microsoft, and if the Windows plattform will be in trouble, you guys will have trouble too. So, since it's in your interest, why don't you send a link to this thread to the windows 7 team, and ask them to comment on this issue again? The chances are better if a fellow Softie asks them than some faceless commenter. I think the posters here made good points, why not counter them one by one by the windows team?

Especially:

1. All the talk about UAC not a security feature/boundary/whatever EVEN THOUGH Microsoft touted the complete opposite just 6-8 months ago! There are plenty of links in this thread that prove this. How do they explain that? Either Microsoft didn't know what UAC was when it developed and advertised it, or they knew it back then and don't know it now.

2. What about the future of Windows plattform? How does it fare with the decision to cripple UAC? I wrote about it here:http://channel9.msdn.com/forums/Coffeehouse/473037-UAC-controversy-the-last-episode/?CommentID=473261

 

I didn't say don't talk here.... I was trying to make the point that if you post these concerns on a blog that is frequented by the Windows team, well, maybe you'd get some answers that will help you understand. In the meantime, again, please take the time to watch this:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

C

CKurt said:

Charles said:

*snip*

If the application that does the code injection needs to pass a UAC prompt before it can be installed, the users agrees the application is trust wordy so it does not need to prompt when it is doing admin stuff?

Am I right? Or doens't the applcation doing the injection need a UAC prompt to install? It doens't need one to boot in any UAC mode i guess because otherwise we would not have this discussion.

 

The application that does the code injection does not ever need to show a UAC prompt. It does not need to be installed, nor does it need to be elevated to run the code injection.

Furthermore, this risk is increased even more if you take into account remote code vulnerabilities in other unelevated applications. (Not low-privileged applications like IE though)

Charles said:

wastingtimewithforums said:

*snip*

I didn't say don't talk here.... I was trying to make the point that if you post these concerns on a blog that is frequented by the Windows team, well, maybe you'd get some answers that will help you understand. In the meantime, again, please take the time to watch this:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

C

Charles, security boundaries and security features aside, do you agree with this definition of a vulnerabillity from Wikipedia?

"vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

If not, how would you define vulnerabilities?

longzheng said:

CKurt said:

*snip*

The application that does the code injection does not ever need to show a UAC prompt. It does not need to be installed, nor does it need to be elevated to run the code injection.

Furthermore, this risk is increased even more if you take into account remote code vulnerabilities in other unelevated applications. (Not low-privileged applications like IE though)

That's the crux of the argument, in my opinion. My primary argument in favour of UAC that I've always used is that if there's a remote code execution vulnerability in e.g. Outlook, any exploit code cannot exceed Outlook's privilege level, it cannot elevate without the user's consent. Now, with Windows 7's default settings, it can.

I do not understand why MS is pretending this isn't a bad thing.

longzheng said:

Charles said:

*snip*

Charles, security boundaries and security features aside, do you agree with this definition of a vulnerabillity from Wikipedia?

"vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

If not, how would you define vulnerabilities?

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have their been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

C

Charles said:

longzheng said:

*snip*

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have their been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

C

Well I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet, there are relatively few users and they're rather technical - an unfavourable target. Because this only works on 7, it would be wise to wait after 7 is adopted in the mass market.

Whilst the most obvious method this vulnerability can be exploited is via a (unsigned) binary that a user executes, there is no restriction on it being implemented in just malware. Besides the remote code execution I mentioned above, legitmate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

"As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.

longzheng said:

Charles said:

*snip*

Well I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet, there are relatively few users and they're rather technical - an unfavourable target. Because this only works on 7, it would be wise to wait after 7 is adopted in the mass market.

Whilst the most obvious method this vulnerability can be exploited is via a (unsigned) binary that a user executes, there is no restriction on it being implemented in just malware. Besides the remote code execution I mentioned above, legitmate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

"As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.

See my argument about remote code execution vulnerabilities. I don't decide to run the code that comes in through an exploit, yet with Win 7's UAC it can silently elevate.

As for there having been no attacks yet, that's a stupid argument. It advocates a purely reactionary approach to security, which is the exact opposite of "secure by default". In addition, 7's market penetration is still too low to make it a large target for attacks, and because it is still pre-release software, most people who are running it are technically proficient and therefore not likely to be prone to common attack strategies.

Charles said:

longzheng said:

*snip*

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have their been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

C

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision.

How do I, as a consumer, determine if what I'm executing is unsigned when zero prompts appear? The malware I ran, as far as I'm concerned, was a fancy mortage calculator. Oops, my machine is screwed now. "Mondo for Windows 7" just bit me.

Sven Groot said:

longzheng said:

*snip*

See my argument about remote code execution vulnerabilities. I don't decide to run the code that comes in through an exploit, yet with Win 7's UAC it can silently elevate.

As for there having been no attacks yet, that's a stupid argument. It advocates a purely reactionary approach to security, which is the exact opposite of "secure by default". In addition, 7's market penetration is still too low to make it a large target for attacks, and because it is still pre-release software, most people who are running it are technically proficient and therefore not likely to be prone to common attack strategies.

Charles said:

Sven Groot said:

*snip*

Look. I want to be clear. I do not represent Microsoft's official position. I had nothing to do with the advent and evolution of UAC. Though my position represents stupity, it is most likely due to the fact that I don't think about this problem. I have nothing to to with UAC design and development. I have experienced 0 issues with UAC on Win 7. It prompts me when I install applications, change certain system settings. You know, the things I expect it to do. If it is vulnerable to attack, then I'd imagine the WIndows team will fix the exploit. If it's vulnerable by attack only if you have a currently executing process that can silently elevate, well, you have a currently executing malicious binary. How did it get on your machine? Silently? How does that work, exactly?

I'm fine with being stupid. Please do increase my understanding.

C

I don't find any of this a big deal personally because in my experience its pretty easy to avoid getting viruses, UAC or not. But one of the the aspects of UAC I appreciate is that it lets you know if a program that you didn't intend to run is trying to get permission, such as something that may have been added to your Windows startup process.

 Am I wrong to say that the exploit circumvents this feature of UAC?

brian.shapiro said:

Charles said:

*snip*

I don't find any of this a big deal personally because in my experience its pretty easy to avoid getting viruses, UAC or not. But one of the the aspects of UAC I appreciate is that it lets you know if a program that you didn't intend to run is trying to get permission, such as something that may have been added to your Windows startup process.

 Am I wrong to say that the exploit circumvents this feature of UAC?

No, you're not wrong to question behavior. But how did the exploiting code get on your system?

C

Charles said:

brian.shapiro said:

*snip*

No, you're not wrong to question behavior. But how did the exploiting code get on your system?

C

Exactly, which is why I don't really care about UAC that much to begin with. But I see UAC as pretty useless with the exploit.

brian.shapiro said:

Charles said:

*snip*

Exactly, which is why I don't really care about UAC that much to begin with. But I see UAC as pretty useless with the exploit.

If Charles is to be believed it is pretty useless with or without this exploit.

C

Charles said:

Suppose one creates an algoritm that diables the ability of the OS to connect to the Internet (well, for maliciously naughty reasons, it can connect to the hacker's devious representation of the Internet, anyway...). If you attempt to download this exploit, then you will be warned. If you try and execute the binary, then UAC will prompt you. Or are you saying you can get around this UAC behavior as part of the very UAC exploit that is the basis of this argument?

C

Take my scenario:
You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launched calculator escalates Adobe Reader and roots the entire system.

What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject its self into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

ManipUni said:

Charles said:

*snip*

Take my scenario:
You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launched calculator escalates Adobe Reader and roots the entire system.

What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject its self into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

Interesting. So, it uses Calculator to escalate. Of course, it got on to the system to execute in context (I believe you used an exploit in an installed application as the doorway fo the exploit package). But, forget that for now. Can you elaborate on the UAC exploit pattern?

C

ManipUni said:

Charles said:

*snip*

Take my scenario:
You're browsing a website, Adobe Reader has yet another bug in it, an advert on the site injects code into that process and starts executing as the current user. It then launched calculator escalates Adobe Reader and roots the entire system.

What would happen with UAC on full? While Adobe Reader could cause issues and attempt to inject its self into processes IN CASE they get escalated later, a more realistic scenario is that it would be greatly limited within its scope to cause damage. Simply because luck is required (the user escalates something) and it is a lot harder to write.

You're making this harder than it needs to be. It's easier to just say... Mom downloads SuperCalculator.exe onto her desktop. She executes this program. While the calculator UI appears, it silently injects itself into Explorer, gains elevated abilities, and sets up all sorts of nastyness.

No prompts. Nothing.

Charles said:

ManipUni said:

*snip*

Interesting. So, it uses Calculator to escalate. Of course, it got on to the system to execute in context (I believe you used an exploit in an installed application as the doorway fo the exploit package). But, forget that for now. Can you elaborate on the UAC exploit pattern?

C

Launch Calculator. Find Calculator's process. Use WriteProcessMemory to inject instructions into the process. Have calculator escalate either Adobe Reader or any other process of your choice.

Why wouldn't this work with full UAC?
Because Calculator isn't running with the rights to escalate Adobe Reader or anything else.

Uxtheme Rafael said:

ManipUni said:

*snip*

You're making this harder than it needs to be. It's easier to just say... Mom downloads SuperCalculator.exe onto her desktop. She executes this program. While the calculator UI appears, it silently injects itself into Explorer, gains elevated abilities, and sets up all sorts of nastyness.

No prompts. Nothing.

Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior.

C

Charles said:

Uxtheme Rafael said:

*snip*

Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior.

C

Right, and it should be.

But without leaving it turned all the way on Microsoft will never be able to make it one because application developers and users will never update to the new system. Leave it turned up for now, roll out a better UAC in Windows 8 along with removing the ability to login to Administrator accounts on workstations.

Administrator accounts have no place anymore. But people are FORCED to use them because too many applications haven't adapated and will never adapt with UAC off.

Charles said:

Uxtheme Rafael said:

*snip*

Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior.

C

Charles, please realise the machine does not have to be infected. That is the simplest method of attack. But as we all know, malware/rootkits thrive on stealth, and remote code execution vulnerabilities on applications you already trust like Microsoft Office, Mozilla Firefox, Adobe Reader will also be suspectible.

That of course is just looking at at the dark side of the moon. On the bright side, legitamite application developers can (and intends to) use this vulnerability to also silently elevate themselves.If it comes to that, there will be no separation between medium-level and adminstrative-level applications because one can switch between the two silently.

Charles said:

Uxtheme Rafael said:

*snip*

Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior.

C

True or false? There are ways to run arbitrary code on your machine without you agreeing to it.

http://www.google.com.au/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=gA0&q=remote+code+execution+site%3Amicrosoft.com%2Ftechnet%2Fsecurity&btnG=Search&meta=

longzheng said:

Charles said:

*snip*

Charles, please realise the machine does not have to be infected. That is the simplest method of attack. But as we all know, malware/rootkits thrive on stealth, and remote code execution vulnerabilities on applications you already trust like Microsoft Office, Mozilla Firefox, Adobe Reader will also be suspectible.

That of course is just looking at at the dark side of the moon. On the bright side, legitamite application developers can (and intends to) use this vulnerability to also silently elevate themselves.If it comes to that, there will be no separation between medium-level and adminstrative-level applications because one can switch between the two silently.

Yes. By infection, I mean vulnerability already on board (like a trusted installed application with, say, a buffer overrun hole). Other applications that you install or run can also self-elevate using this UAC default behavior. This is understood.

Is UAC supposed to solve the user-initiated-installation-or-download-and-execution-of-malicious-code problem? If Outlook is vulnerable to attack through a memory hole, well, patch Outlook Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

C

Charles said:

longzheng said:

*snip*

Yes. By infection, I mean vulnerability already on board (like a trusted installed application with, say, a buffer overrun hole). Other applications that you install or run can also self-elevate using this UAC default behavior. This is understood.

Is UAC supposed to solve the user-initiated-installation-or-download-and-execution-of-malicious-code problem? If Outlook is vulnerable to attack through a memory hole, well, patch Outlook Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

C

We're asking for UAC to limit the scope of damage that can be caused by either route.

longzheng said:

Charles said:

*snip*

True or false? There are ways to run arbitrary code on your machine without you agreeing to it.

http://www.google.com.au/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=gA0&q=remote+code+execution+site%3Amicrosoft.com%2Ftechnet%2Fsecurity&btnG=Search&meta=

Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is posible for an RCE vuln to gain administrative privileges on your desktop without your approving it.

UAC was not a security boundary in Vista, it's not a security boundary in Win7.  This is an unpleasant truth but it's one that MSFT has been making for 3 years.  Our messaging on this issue hasn't changed over all this time.

I was incorrect in my comment above about UAC btw - it is a security feature.  It's just not a security boundary.  It's a convenience feature only, there simply are too many ways for malware to bypass it for it to be considered a defendable security boundary.

The only difference between Win7 and Vista is that on Win7 it is marginally easier for malware to auto-elevate.  But that any malware that exploits that "marginally easier" mechanism is trivial to defeat - just set your UAC defaults to be the same as they are for Vista.

The internet->local machine IS a defended security boundary both by Microsoft and 3rd parties.  And Microsoft actively defends that boundary - you know that because of the monthly security fixes that are issued by both Microsoft AND 3rd parties (think Adobe, Mozilla, Google and Apple) - these are all examples of those vendors patching holes in their applications to defend this boundary. 

The goal is that there be no way for malware to get on your machine without your permission, we're not there yet and we may never get there. 

The internet->local machine boundary IS a defendable boundary because the internet is (hopefully) sandboxed in a web browser thus there's a controllable interface between the two that can be defended (although it is VERY hard to defend this boundary due to the amount of code that runs in the browser). 

On the other hand, UAC/IL is NOT a defendable boundary (UAC as a feature is useless without IL) - there's simply too much shared state between applications running in the  same session to defend the boundary.  This is true for ALL graphical operating systems, btw - the instant you run an application at a higher level of privilege malware running in the lower privilege level can take over the higher level process.

As I've said before, there's only one safe configuration for both Windows AND *nix - run as a standard user and switch to an administrative user running in a different session whenever you need to perform an elevated operation.  Most users (of both *nix AND Windows) aren't willing to put up with that level of inconvenience.

ManipUni said:

Charles said:

*snip*

We're asking for UAC to limit the scope of damage that can be caused by either route.

Manip, you can't have what you want.  It's unfortunate but it's true.  UAC cannot limit the scope of damage.

Actually UAC alone is a totally worthless security technology.  It's trivially defeatable.  UAC as a technology only has value when you combine it with the integrity level (IL) technology.

And even with UAC and IL, it cannot limit the scope of damage.   Not on Vista, not on Windows 7.

And Microsoft has never said anything otherwise.  People just didn't listen carefully enough.

longzheng said:

Charles said:

*snip*

Charles, security boundaries and security features aside, do you agree with this definition of a vulnerabillity from Wikipedia?

"vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

If not, how would you define vulnerabilities?

Let's be very clear on this, it is not a vulnerability. A vulnerabilty exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels -  low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

longzheng said:

Charles said:

*snip*

True or false? There are ways to run arbitrary code on your machine without you agreeing to it.

http://www.google.com.au/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=gA0&q=remote+code+execution+site%3Amicrosoft.com%2Ftechnet%2Fsecurity&btnG=Search&meta=

True. Memory attacks from remote sources is a typical vector of attack. The point is that your scenario requires that the target system is vulnerable. It's infected with a bug that will cause painful itching when exploited.

If I run vulnerable software on my machine, independent of my realizing it, then I have a vulnerability, by definition. Most people do not realize that there is a poorly designed data structure currently residing at some memory location, for example, primed for overflow...

I understand your positions, Long, Sven, Manip. I am not advocating that some level of extra protection is a bad idea. My position in this discussion is that UAC is not a security boundary. Seems to me that most of you are advocating that it become one or that it behaves exactly as the Vista iteration of the technology. Correct?

C

Larry Osterman said:

ManipUni said:

*snip*

Manip, you can't have what you want.  It's unfortunate but it's true.  UAC cannot limit the scope of damage.

Actually UAC alone is a totally worthless security technology.  It's trivially defeatable.  UAC as a technology only has value when you combine it with the integrity level (IL) technology.

And even with UAC and IL, it cannot limit the scope of damage.   Not on Vista, not on Windows 7.

And Microsoft has never said anything otherwise.  People just didn't listen carefully enough.

Charles said:

Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

I'd be happy if they left that behaviour in, it just shouldn't be the default behavior.

Larry Osterman said:

UAC as a technology only has value when you combine it with the integrity level (IL) technology.

I'm not sure I understand you. UAC is the Integrity Levels technology.

AndyC said:

longzheng said:

*snip*

Let's be very clear on this, it is not a vulnerability. A vulnerabilty exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels -  low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

 

But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the inital launch it would be impossible for an application within another session to poison them.

My point is, that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the mean time in order to get application developers used to writing code that either runs in User or Admin scopes.

AndyC said:

longzheng said:

*snip*

Let's be very clear on this, it is not a vulnerability. A vulnerabilty exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels -  low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

 

I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

I draw upon Wikipedia's definition of an vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

ManipUni said:

AndyC said:

*snip*

But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the inital launch it would be impossible for an application within another session to poison them.

My point is, that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the mean time in order to get application developers used to writing code that either runs in User or Admin scopes.

ManipUni said:

But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

I'm not suggesting you couldn't build a system where everyone is a user and elevation presents a security boundary that does something a bit like fast-user switching but in a more seemless fashion. Of course there'd be lots of additional protection needed to ensure such apps remained truly isolated (it would need to go beyond, for example, UIPI).

However that is not what UAC does. It's not trivial to reach that point, especially when too many apps still don't truly understand Standard User behavior. That would be a long term goal perhaps. Right now we need UAC to do the best it possibly can and to continue pushing application developers into having to do things "the right way"

longzheng said:

AndyC said:

*snip*

I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

I draw upon Wikipedia's definition of an vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

Long, I know where you're coming from. However if you say "X has a vulnerabilty" to a security architect and your "vulnerabilty" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict technical definition and focuses more on what is or isn't the right behaviour.

longzheng said:

AndyC said:

*snip*

I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

I draw upon Wikipedia's definition of an vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

With this logic in mind, one could also very easily construct a sound argument that UAC enabling users to choose "Yes, elevate" when prompted is a vulnerability inherent to UAC. Or do you think human user behavior plays no role in maintaining the integrity of the system?

So, you can get around UAC if you run malicious code. This is understood.

I need to get some sleep now. Keep on caring. Keep on keeping us real.

Thank you, Niners!!

C

AndyC said:

longzheng said:

*snip*

Long, I know where you're coming from. However if you say "X has a vulnerabilty" to a security architect and your "vulnerabilty" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict technical definition and focuses more on what is or isn't the right behaviour.

AndyC, are process privileges security boundaries?

Charles said:

longzheng said:

*snip*

With this logic in mind, one could also very easily construct a sound argument that UAC enabling users to choose "Yes, elevate" when prompted is a vulnerability inherent to UAC. Or do you think human user behavior plays no role in maintaining the integrity of the system?

So, you can get around UAC if you run malicious code. This is understood.

I need to get some sleep now. Keep on caring. Keep on keeping us real.

Thank you, Niners!!

C

I would say when you present a choice to the user, then responsibility has shifted from the system to a user. As a result of this, security dialogs in general are not considered vulnerabilities.

AndyC said:

longzheng said:

*snip*

Let's be very clear on this, it is not a vulnerability. A vulnerabilty exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels -  low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

 

I understand and accept the potential malicious capabilities of medium-level applications, however, that should not be a reason to allow them to do more damage as a high-level application.

longzheng said:

AndyC said:

*snip*

I understand and accept the potential malicious capabilities of medium-level applications, however, that should not be a reason to allow them to do more damage as a high-level application.

longzheng said:

AndyC, are process privileges security boundaries?

I'm not entirely clear on what you mean. Are you talking about NT privileges, such as seDebugPrivilege? Or something else?

longzheng said:

I understand and accept the potential malicious capabilities of medium-level applications, however, that should not be a reason to allow them to do more damage as a high-level application.

I agree. Which is why I recommend avoiding describing the issue in terms of words like vulnerability, because it muddies the issue.

Larry Osterman said:

longzheng said:

*snip*

Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is posible for an RCE vuln to gain administrative privileges on your desktop without your approving it.

UAC was not a security boundary in Vista, it's not a security boundary in Win7.  This is an unpleasant truth but it's one that MSFT has been making for 3 years.  Our messaging on this issue hasn't changed over all this time.

I was incorrect in my comment above about UAC btw - it is a security feature.  It's just not a security boundary.  It's a convenience feature only, there simply are too many ways for malware to bypass it for it to be considered a defendable security boundary.

The only difference between Win7 and Vista is that on Win7 it is marginally easier for malware to auto-elevate.  But that any malware that exploits that "marginally easier" mechanism is trivial to defeat - just set your UAC defaults to be the same as they are for Vista.

The internet->local machine IS a defended security boundary both by Microsoft and 3rd parties.  And Microsoft actively defends that boundary - you know that because of the monthly security fixes that are issued by both Microsoft AND 3rd parties (think Adobe, Mozilla, Google and Apple) - these are all examples of those vendors patching holes in their applications to defend this boundary. 

The goal is that there be no way for malware to get on your machine without your permission, we're not there yet and we may never get there. 

The internet->local machine boundary IS a defendable boundary because the internet is (hopefully) sandboxed in a web browser thus there's a controllable interface between the two that can be defended (although it is VERY hard to defend this boundary due to the amount of code that runs in the browser). 

On the other hand, UAC/IL is NOT a defendable boundary (UAC as a feature is useless without IL) - there's simply too much shared state between applications running in the  same session to defend the boundary.  This is true for ALL graphical operating systems, btw - the instant you run an application at a higher level of privilege malware running in the lower privilege level can take over the higher level process.

As I've said before, there's only one safe configuration for both Windows AND *nix - run as a standard user and switch to an administrative user running in a different session whenever you need to perform an elevated operation.  Most users (of both *nix AND Windows) aren't willing to put up with that level of inconvenience.

 

"Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is posible for an RCE vuln to gain administrative privileges on your desktop without your approving it."

The situation has changed. Talking about the default settings in both cases:

- In Vista an RCE vuln had to successfully attack a process with admin rights, or wait for / trick the user into clicking a particular UAC prompt. There are far fewer processes with admin rights, and those processes tend to have a lot more attention paid to them w.r.t. vulnerability testing than your average piece of software.

- In Windows 7 an RCE / buffer-overflow vuln has to successfully attack any process (except for low-integrity ones, i.e. IE) and can then immediately and silently gain full admin rights. As soon as the RCE is on the machine it can hide itself as a rootkit and potentially never be discovered.

In the first case the attack surface is smaller and the user (or their anti-virus if it is updated in time) may be alerted to suspicious / unusual acivity. It can still succeed, of course, and once it has admin it can also install a rootkit, but are you honestly trying to claim that those two situations are equivlent?

To claim they are equivalent seems no different to saying that "all operating systems have security flaws, and you can trick most users anyway, so there is no point fixing any more security flaws ever." If that is Microsoft's policy then it's disapointing.

Given that the Win 7 defaults make the prompts so easy to bypass why do we have them at all? And why can't third-party code be added to the whitelist? MS simultaneously claim it's a non-issue that the prompts can be bypassed and that it would be too dangerous to allow users to choose to whitelist third-parties apps (at least for COM elevation). How does that work? Isn't that anti-competitive?

The argument that it's to force developers to change their code does not wash when Microsoft have done such an awful job of changing their own code. The only reason this silent-elevation hack had to be put into Windows 7 is that Explorer and the Control Panels spam people with so many prompts (and the utterly braindead prompts-about-prompts!).

Speaking of prompts which irritate users too much, that fact has not really changed in the standard user case. That brings into question the commitment that MS have to getting everyone to run as a standard user. It also exemplifies the hypocrisy of MS inflicting UAC prompts on third-party software to force developers to do what MS themsevlves cannot be bothered to do properly while MS give themselves a backdoor to make the prompts go away at the cost of reducing the default robustness of UAC.

You can't really say that third-party code cannot be trusted with whitelisting when MS's own code used whitelisting in a way which blew UAC wide open to immediate, silent bypasses.

(And standard users are still vulnerable to RCEs which spoof elevation requests. Does that mean that standard user is no more secure than running as admin with UAC turned off, by your logic?)

AndyC said:

longzheng said:

*snip*

I agree. Which is why I recommend avoiding describing the issue in terms of words like vulnerability, because it muddies the issue.

I'm referring to the system of low-level, medium-level, adminstrative (high) level application as process privileges. Do you believe those are security boundaries?

If so, and if they can be violated, shouldn't the flaw be classified as a vulnerability?

CreamFilling512 said:

Guys, UAC is a convenience feature.  It improves the user experience when you are logged on as a LIMITED USER by enabling you to automatically "run-as Admin" by prompting for Administrator credentials when a program requires it.  If you're already running as Administrator, it might as well be non-existent or completely turned off.

Then why isn't it turned off for administrators? That's the whole point: UAC is now so easily circumvented for administrator accounts that it might as well be set at its lowest level. So why doesn't MS do that? The current level serves no purpose.

longzheng said:

CKurt said:

*snip*

The application that does the code injection does not ever need to show a UAC prompt. It does not need to be installed, nor does it need to be elevated to run the code injection.

Furthermore, this risk is increased even more if you take into account remote code vulnerabilities in other unelevated applications. (Not low-privileged applications like IE though)

Thanks Long!

I've got the picture now. The application does not need to be installed. So indeed this is pretty insafe. They should just change the default to "Always Notify" again, and warn people lowering the slider. It's a simple sollution for Windows 7 RTM and maybe they can fix the architecture for SP1 or Windows 8.

longzheng said:

AndyC said:

*snip*

I'm referring to the system of low-level, medium-level, adminstrative (high) level application as process privileges. Do you believe those are security boundaries?

If so, and if they can be violated, shouldn't the flaw be classified as a vulnerability?

longzheng said:

I'm referring to the system of low-level, medium-level, adminstrative (high) level application as process privileges. Do you believe those are security boundaries? If so, and if they can be violated, shouldn't the flaw be classified as a vulnerability?

And this is why discussing security is hard, because you're using the word "privilege" to mean something entirely different to what "privilege" means in the context of the NT security model. It's like discussing a piece of code and using words like variable, method, function, class and object as if they were interchangable.

As to your actual question, if the two applications are running in the same NT Session, then they aren't seperated by a security boundary even if they happen to be running with different user tokens. This is why the so-called "Shatter Attack" isn't a security vulnerability and it's also why UAC isn't a security boundary (since they're on the same desktop, hence the same session). Permissions/integrity levels don't define security boundarys in Windows, Sessions do.

Now, if you want my opinion, the future of Windows security design should involve re-architecting things so that a "desktop" in the visual sense (and not necessarily in the NT sense) can display content from individual NT Sessions and keep them entirely independent. At that point, we'd be a lot closer to an ideal situation where you can get much of the benefits of having true "Standard User" accounts without having to endure the full on Fast User Switching experience just to complete a single administrative task in a truly secure fashion.

Charles said:

Ray7 said:

*snip*

Please watch and understand this: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

Learn.

C

But by the time I've finished watching it, the story might have changed again.

Now this novice developer has highlighted what still looks like a flaw to me. I'm not too bright about these things; so can someone explain to me in plain English, why it is not?

I mean there are clearly ways around the dialog. Whats the deal with the dialog? Why is it shown? Why not elevate all applications? I mean malware could silently elevate (is it Vista, is it 7). And all the other applications show the dialog, which is broadly hated eeem unliked by people...

AndyC said:

longzheng said:

*snip*

And this is why discussing security is hard, because you're using the word "privilege" to mean something entirely different to what "privilege" means in the context of the NT security model. It's like discussing a piece of code and using words like variable, method, function, class and object as if they were interchangable.

As to your actual question, if the two applications are running in the same NT Session, then they aren't seperated by a security boundary even if they happen to be running with different user tokens. This is why the so-called "Shatter Attack" isn't a security vulnerability and it's also why UAC isn't a security boundary (since they're on the same desktop, hence the same session). Permissions/integrity levels don't define security boundarys in Windows, Sessions do.

Now, if you want my opinion, the future of Windows security design should involve re-architecting things so that a "desktop" in the visual sense (and not necessarily in the NT sense) can display content from individual NT Sessions and keep them entirely independent. At that point, we'd be a lot closer to an ideal situation where you can get much of the benefits of having true "Standard User" accounts without having to endure the full on Fast User Switching experience just to complete a single administrative task in a truly secure fashion.

I agree entirely with your vision of the future.

Everyone is a user. But a process can be running as you (the user) or you (the administrator) but you'll need to get past those nasty boxes to do it. You would actually spawn processes into two NT sessions and there would be no cross process communications between layers.

Charles said:

longzheng said:

*snip*

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as standard user by default. How many attacks have their been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running Win7 RC. Can you elaborate on the vulnerability?

C

"On Windows 7, you run as standard user by default"

-------

Since when?

Charles said:

Ray7 said:

*snip*

Please watch and understand this: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

Learn.

C

I watched the video, extremely good, extremely informative.

Yet even with more general knowledge about Windows' security model in my back pocket my opinion remains the same:
 - Leave UAC on full
 - Begin engineering work to move to a more fluid admin/user model (that doesn't require fast user switching etc)
 - Warn the 3rd parties that if they aren't user-mode compliant by Windows 8 then they're in deep trouble

And in answer to the video, this doesn't add a new expensive security boundary. It relies on the admin/user model that is already in place but fractures user accounts into subsets with different permissions.

ManipUni said:

Charles said:

*snip*

I watched the video, extremely good, extremely informative.

Yet even with more general knowledge about Windows' security model in my back pocket my opinion remains the same:
 - Leave UAC on full
 - Begin engineering work to move to a more fluid admin/user model (that doesn't require fast user switching etc)
 - Warn the 3rd parties that if they aren't user-mode compliant by Windows 8 then they're in deep trouble

And in answer to the video, this doesn't add a new expensive security boundary. It relies on the admin/user model that is already in place but fractures user accounts into subsets with different permissions.

 

An update:

http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

longzheng said:

ManipUni said:

*snip*

An update:

http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/

 

Its been done.

AndyC said:

Larry Osterman said:

*snip*

I'm not sure I understand you. UAC is the Integrity Levels technology.

"I'm not sure I understand you. UAC is the Integrity Levels technology."

Actually it's not.  UAC is the ability to run with a split token (one with the admin rights removed that is active, the other with full admin privileges that isn't) and create processes that either run with the split token or the full admin token.  It's basically the equivilant of the old XP "makemeadmin.cmd" (or the "dropmyrights.cmd").  The problem with UAC is that there is nothing preventing an app on the desktop from injecting code in the application running elevated (since they're running as the same base account) and taking over the system.  IL is what makes that difficult because it blocks processes running at a lower integrity level from opening processes at a higher integrity level for write access.

Larry Osterman said:

AndyC said:

*snip*

"I'm not sure I understand you. UAC is the Integrity Levels technology."

Actually it's not.  UAC is the ability to run with a split token (one with the admin rights removed that is active, the other with full admin privileges that isn't) and create processes that either run with the split token or the full admin token.  It's basically the equivilant of the old XP "makemeadmin.cmd" (or the "dropmyrights.cmd").  The problem with UAC is that there is nothing preventing an app on the desktop from injecting code in the application running elevated (since they're running as the same base account) and taking over the system.  IL is what makes that difficult because it blocks processes running at a lower integrity level from opening processes at a higher integrity level for write access.

 

IL is what makes that difficult because it blocks processes running at a lower integrity level from opening processes at a higher integrity level for write access.

Fortunately, with Windows 7 it's no longer necessary to get write access to a process with higher priority. All you need to do is inject code into a process that can auto-elevate running at the same integrity level, and there's nothing blocking you from doing that.

Which means that in effect the difference between medium and high integrity no longer exists, and the prompts have lost all semblence of purpose. You can argue that it's not a security issue, but fact remains that this change essentially makes UAC prompts for Administrator accounts completely useless, so I ask again (and it'll get ignored again): why are they still there at all? What is their purpose in Windows 7?

Sven Groot said:

Larry Osterman said:

*snip*

Fortunately, with Windows 7 it's no longer necessary to get write access to a process with higher priority. All you need to do is inject code into a process that can auto-elevate running at the same integrity level, and there's nothing blocking you from doing that.

Which means that in effect the difference between medium and high integrity no longer exists, and the prompts have lost all semblence of purpose. You can argue that it's not a security issue, but fact remains that this change essentially makes UAC prompts for Administrator accounts completely useless, so I ask again (and it'll get ignored again): why are they still there at all? What is their purpose in Windows 7?

I'm wondering about the prompts too... as seen in an earlier reply... it's a little bit weird.

littleguru said:

Sven Groot said:

*snip*

I'm wondering about the prompts too... as seen in an earlier reply... it's a little bit weird.

Ask the Windows team.

C

Charles said:

littleguru said:

*snip*

Ask the Windows team.

C

no u

Sven Groot said:

Larry Osterman said:

*snip*

Fortunately, with Windows 7 it's no longer necessary to get write access to a process with higher priority. All you need to do is inject code into a process that can auto-elevate running at the same integrity level, and there's nothing blocking you from doing that.

Which means that in effect the difference between medium and high integrity no longer exists, and the prompts have lost all semblence of purpose. You can argue that it's not a security issue, but fact remains that this change essentially makes UAC prompts for Administrator accounts completely useless, so I ask again (and it'll get ignored again): why are they still there at all? What is their purpose in Windows 7?

You keep on saying that there's some difference between Vista and Win7 in this regard.  There isn't. 

There are ways to get around the security prompts in Vista just like there are ways of getting around the security prompts in Win7.  That's why UAC+IL isn't a security boundary.  If there were no way of getting past the security prompts, it would be a security boundary.

UAC+IL is a DiD feature like ASLR and DEP, but unlike ASLR and DEP it's a "break once, break forever" feature - once it's broken, cookbook solutions will come out for malware and they'll all start auto-elevating.

ManipUni said:

Charles said:

*snip*

no u

I did. They told me: "The E7 blog posts on the topic represent our response. We will not comment further".

Move along. These are not the droids you're looking for.

C

Charles said:

ManipUni said:

*snip*

I did. They told me: "The E7 blog posts on the topic represent our response. We will not comment further".

Move along. These are not the droids you're looking for.

C

Larry Osterman said:

Sven Groot said:

*snip*

You keep on saying that there's some difference between Vista and Win7 in this regard.  There isn't. 

There are ways to get around the security prompts in Vista just like there are ways of getting around the security prompts in Win7.  That's why UAC+IL isn't a security boundary.  If there were no way of getting past the security prompts, it would be a security boundary.

UAC+IL is a DiD feature like ASLR and DEP, but unlike ASLR and DEP it's a "break once, break forever" feature - once it's broken, cookbook solutions will come out for malware and they'll all start auto-elevating.

 

Hi, Larry! Hate to break it to you and Mr. Torre, etc., but the original UAC team with the original UAC blog would like to disagree with your assessment that UAC isn't a security feature.

http://www.aeroxp.org/2009/06/uac-in-7-exponential-silent-attack-vector-multiplier-redux/

Sorry to be a thorn in your side, pal, but I like hearing it straight from the team which designed it. They obviously know a bit more

(By the way, this little fact is one of those tidbits which can't be contested without making you guys look hypocritical and downright foolish in the eyes of those watching. If the original team said it's a security feature, you guys can't just backtrack when you feel like it. Game, set, and match.)

Charles said:

littleguru said:

*snip*

Ask the Windows team.

C

*sigh*

Most of us agree that in its current state it does not offer significant security benefits. But most of us (non-Microsoft people) would like to see it become a solid security feature.

The debate on the default for Windows 7 still remains however. The Microsoft people think it is pointless anyway so thus think the whitelist can't do any harm. While others argue that either it makes it easier to bypass, which is a point of contention, or that having UAC on fully has other benefits.

I personally will be:
 - Running as a user 
 - Turn UAC all the way up
 - Login to an Administrator account (via UAC) to make changes

wastingtimewithforums said:

Charles said:

*snip*

"On Windows 7, you run as standard user by default"

-------

Since when?

Yea, that would be a big departure. Or are we talking contexts again, with UAC "protecting" elevation?

conhopper said:

Larry Osterman said:

*snip*

Hi, Larry! Hate to break it to you and Mr. Torre, etc., but the original UAC team with the original UAC blog would like to disagree with your assessment that UAC isn't a security feature.

http://www.aeroxp.org/2009/06/uac-in-7-exponential-silent-attack-vector-multiplier-redux/

Sorry to be a thorn in your side, pal, but I like hearing it straight from the team which designed it. They obviously know a bit more

(By the way, this little fact is one of those tidbits which can't be contested without making you guys look hypocritical and downright foolish in the eyes of those watching. If the original team said it's a security feature, you guys can't just backtrack when you feel like it. Game, set, and match.)

The only thing we have stated regarding UAC is, one more time, UAC IS NOT A SECURITY BOUNDARY.

Send mail to the Windows team.

C

ManipUni said:

With all due respect, aren't we beating a dead horse debating if it is a security feature or not?

Most of us agree that in its current state it does not offer significant security benefits. But most of us (non-Microsoft people) would like to see it become a solid security feature.

The debate on the default for Windows 7 still remains however. The Microsoft people think it is pointless anyway so thus think the whitelist can't do any harm. While others argue that either it makes it easier to bypass, which is a point of contention, or that having UAC on fully has other benefits.

I personally will be:
 - Running as a user 
 - Turn UAC all the way up
 - Login to an Administrator account (via UAC) to make changes

It's no longer a debate. The original team said it's a security feature (which, by the way, can't be edited out since it's been up on the official blog long enough for the internet archive to catch it), so it's a security feature. Saying otherwise indicates laziness or fear on the part of those who don't want to fix it.

Anyway, I posted what I think is a good enough solution in my post: just ask the user upon first-start which UAC mode he'd like to use while informing the user that convenience comes at the cost of security.

@charles, shh. The UAC team disagrees with you, so I doubt you can say otherwise

(I love you too. I'm being hard on you for the good of the users, that's all)

conhopper said:

ManipUni said:

*snip*

It's no longer a debate. The original team said it's a security feature (which, by the way, can't be edited out since it's been up on the official blog long enough for the internet archive to catch it), so it's a security feature. Saying otherwise indicates laziness or fear on the part of those who don't want to fix it.

Anyway, I posted what I think is a good enough solution in my post: just ask the user upon first-start which UAC mode he'd like to use while informing the user that convenience comes at the cost of security.

@charles, shh. The UAC team disagrees with you, so I doubt you can say otherwise

(I love you too. I'm being hard on you for the good of the users, that's all)

Please, let's argue semantics more. I didn't say it was or wasn't a "security feature" what I said was it does not offer significant security benefits.

ManipUni said:

conhopper said:

*snip*

Please, let's argue semantics more. I didn't say it was or wasn't a "security feature" what I said was it does not offer significant security benefits.

nah, I don't have the time. I'm working on an article dealing with the iPhone; I'd much rather let you guys figure out on your own that authority is always a security boundary

conhopper said:

ManipUni said:

*snip*

nah, I don't have the time. I'm working on an article dealing with the iPhone; I'd much rather let you guys figure out on your own that authority is always a security boundary

 

Even if true, users will click yes on just about anything, so not a very effective one

ManipUni said:

conhopper said:

*snip*

Even if true, users will click yes on just about anything, so not a very effective one

Actually, that's not true. The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.

This was always a part of the UAC design philosophy.

conhopper said:

ManipUni said:

*snip*

Actually, that's not true. The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.

This was always a part of the UAC design philosophy.

 

I don't see how that even matters at all, if there's a way for an application to skip giving the user a prompt.

Larry Osterman said:

Sven Groot said:

*snip*

You keep on saying that there's some difference between Vista and Win7 in this regard.  There isn't. 

There are ways to get around the security prompts in Vista just like there are ways of getting around the security prompts in Win7.  That's why UAC+IL isn't a security boundary.  If there were no way of getting past the security prompts, it would be a security boundary.

UAC+IL is a DiD feature like ASLR and DEP, but unlike ASLR and DEP it's a "break once, break forever" feature - once it's broken, cookbook solutions will come out for malware and they'll all start auto-elevating.

 

What are the ways in vista?

conhopper said:

ManipUni said:

*snip*

Actually, that's not true. The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.

This was always a part of the UAC design philosophy.

 

The prompts have dropped in frequency to the point that every lay user I know actually denies access if they see a random UAC prompt get kicked up.

The prompt frequency is still ridiculous for the standard user case. I assume that's what we're talking about as it's the onyl true security boundary, and yet MS have done little to improve the amount of prompting there.

That's part of the problem.

MS should have refactored their apps so that they prompt less. (e.g. By caching objects through consecutive/related operations or givin Explorer an Admin Mode you could toggle via a single prompt, which is a better trade-off of security and convenience than it always being in admin mode as it is in Win7.)

MS should have improved UAC so that it could display securely-generated descriptions of actions about-to-be-performed as part of the UAC prompts so that the absolutely braindead prompts-about-prompts Explorer shows could be merged into the actual UAC dialog.

If MS had done those things then both the admin and standard user cases would be much less painful to use at the Always Prompt level.

If MS had done this then they would not have needed to add a stupid, anti-competitive hack which hides UAC prompts from default users in their apps only while at the same time undermining the UAC prompt system with a hole you could drive a tank through*.

If MS had done that then standard user accounts might be something people would consider using instead of something they'll run away from faster than they ran away from Vista's UAC.

If MS had done that then we might be discussing whether or not standard user should be the default account type in Windows 7 instead of discussing this stuff.

(* And, dammit Larry, that hole is bigger than it was in Vista. Being prompted to let malware elevate vs allowing it to immediately and silently elevate is a significant difference. If it isn't then why do MS try to stop it happening at all? If it isn't then surely standard user accounts are vulnerable to exactly the same UAC prompt spoofing? By your own logic, then, you actually do have the same prompt-spoofing security hole crossing a security boundary. I don't buy your logic at all. It's an excuse, not reasoning. I hate to be arguing with people like Larry and Mark because I think they're great, intelligent, knowledgeable guys and I've enjoyed reading their stuff, and occasionally talking to them via their blogs, in the past, but so be it if they wheel out logic like this.)

LeoDavidson said:

conhopper said:

*snip*

The prompt frequency is still ridiculous for the standard user case. I assume that's what we're talking about as it's the onyl true security boundary, and yet MS have done little to improve the amount of prompting there.

That's part of the problem.

MS should have refactored their apps so that they prompt less. (e.g. By caching objects through consecutive/related operations or givin Explorer an Admin Mode you could toggle via a single prompt, which is a better trade-off of security and convenience than it always being in admin mode as it is in Win7.)

MS should have improved UAC so that it could display securely-generated descriptions of actions about-to-be-performed as part of the UAC prompts so that the absolutely braindead prompts-about-prompts Explorer shows could be merged into the actual UAC dialog.

If MS had done those things then both the admin and standard user cases would be much less painful to use at the Always Prompt level.

If MS had done this then they would not have needed to add a stupid, anti-competitive hack which hides UAC prompts from default users in their apps only while at the same time undermining the UAC prompt system with a hole you could drive a tank through*.

If MS had done that then standard user accounts might be something people would consider using instead of something they'll run away from faster than they ran away from Vista's UAC.

If MS had done that then we might be discussing whether or not standard user should be the default account type in Windows 7 instead of discussing this stuff.

(* And, dammit Larry, that hole is bigger than it was in Vista. Being prompted to let malware elevate vs allowing it to immediately and silently elevate is a significant difference. If it isn't then why do MS try to stop it happening at all? If it isn't then surely standard user accounts are vulnerable to exactly the same UAC prompt spoofing? By your own logic, then, you actually do have the same prompt-spoofing security hole crossing a security boundary. I don't buy your logic at all. It's an excuse, not reasoning. I hate to be arguing with people like Larry and Mark because I think they're great, intelligent, knowledgeable guys and I've enjoyed reading their stuff, and occasionally talking to them via their blogs, in the past, but so be it if they wheel out logic like this.)

I'm seeing a lot of push back on the security front, so lets talk about why UAC is here. The "standard user" vision.

With Windows 7's new auto-elevation and its white-list features in place, I believe self-elevation (read: the hole) becomes easy and valuable to third parties. Bill Pytlovany (WinPatrol), for example, indicated he "wouldn’t think twice of taking advantage of this" to save his users from having to go through the UAC prompt. Microsoft, of all companies, should know developers will write code that oozes into the nook and cranies of the Windows operating system. It may not be right, but it'll be done. Ask the AppCompat guys.

I can see the exchange on Experts Exchange now...

• BadAdvisor: "You can fix your LUA broken application by elevating."
• WorseDeveloper: "How do I do that?"
• BadAdvisor: "Well you can request elevation by adding this to your application manifest, or you can use this piece of code to self-elevate, without prompts. It works on Windows 7, I tested it!"
• WorseDeveloper: "Cool! Thx2u"
• [100 points awarded to BadAdvisor]

Uxtheme Rafael said:

LeoDavidson said:

*snip*

I'm seeing a lot of push back on the security front, so lets talk about why UAC is here. The "standard user" vision.

With Windows 7's new auto-elevation and its white-list features in place, I believe self-elevation (read: the hole) becomes easy and valuable to third parties. Bill Pytlovany (WinPatrol), for example, indicated he "wouldn’t think twice of taking advantage of this" to save his users from having to go through the UAC prompt. Microsoft, of all companies, should know developers will write code that oozes into the nook and cranies of the Windows operating system. It may not be right, but it'll be done. Ask the AppCompat guys.

I can see the exchange on Experts Exchange now...

• BadAdvisor: "You can fix your LUA broken application by elevating."
• WorseDeveloper: "How do I do that?"
• BadAdvisor: "Well you can request elevation by adding this to your application manifest, or you can use this piece of code to self-elevate, without prompts. It works on Windows 7, I tested it!"
• WorseDeveloper: "Cool! Thx2u"
• [100 points awarded to BadAdvisor]

and this is the problem. UAC was designed to make sure developers develop their apps without abusing administrative privileges for every task. This basically gives devs a get-out-of-jail-free pass to do whatever the hell they want again. We don't want to go back to those days, please.

http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html

I also converted the step-by-step guide in the readme into HTML:

http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html

Now you don't have to download the source zip or have Visual Studio to see how simple it all is.

Charles said:

ManipUni said:

*snip*

I did. They told me: "The E7 blog posts on the topic represent our response. We will not comment further".

Move along. These are not the droids you're looking for.

C

"I did. They told me: "The E7 blog posts on the topic represent our response. We will not comment further"."

----------

How smart of them! Meanwhile, look at how the PR catastrophe unfolds:

http://blogs.zdnet.com/igeneration/?p=1826

Quote from the article:

--------

It would be far easier to explain what the consequences weren’t. If the US defence systems were running Windows 7, at this rate, all-out nuclear war could be a possibility if someone was determined enough and the end-user was unlucky enough.

The fact of the matter is, this vulnerability opens up Windows 7 like a cracked nut; exposing the possibility of a malware attack instigated unknowingly by the end user at any given time. But for the reasoning behind Microsoft’s decision not to fix this unholy flaw not only shows their arrogance, but also their inability to listen to some of the most influential and experienced people on the web.

------

Look at the wording! And we all know how journalists love to copy each other. this could turn into a Vista-esque PR-disaster in the long run.

wastingtimewithforums said:

Charles said:

*snip*

"I did. They told me: "The E7 blog posts on the topic represent our response. We will not comment further"."

----------

How smart of them! Meanwhile, look at how the PR catastrophe unfolds:

http://blogs.zdnet.com/igeneration/?p=1826

Quote from the article:

--------

It would be far easier to explain what the consequences weren’t. If the US defence systems were running Windows 7, at this rate, all-out nuclear war could be a possibility if someone was determined enough and the end-user was unlucky enough.

The fact of the matter is, this vulnerability opens up Windows 7 like a cracked nut; exposing the possibility of a malware attack instigated unknowingly by the end user at any given time. But for the reasoning behind Microsoft’s decision not to fix this unholy flaw not only shows their arrogance, but also their inability to listen to some of the most influential and experienced people on the web.

------

Look at the wording! And we all know how journalists love to copy each other. this could turn into a Vista-esque PR-disaster in the long run.

Absolutely. Whatever your opinion of this issue, I think we can all agree that this has hurt Windows 7.

LeoDavidson said:

My proof-of-concept source code is now online in HTML format as well. Start here:

http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html

I also converted the step-by-step guide in the readme into HTML:

http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html

Now you don't have to download the source zip or have Visual Studio to see how simple it all is.

How does this code get on the target client? Is that a fair question?

Answers:

1.) If there is a already a vulnerable trusted app installed on the user's system and executing when somehow you exploit it in proc via, say, some memory attack, e.g., buffer overrun, which then executes this code in context.

2.) If the user chooses to run an unsigned exe containing this code from an untrusted source, say, from your website.

Please read Jon's post again. Then, read it again. http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx

C

Charles said:

LeoDavidson said:

*snip*

How does this code get on the target client? Is that a fair question?

Answers:

1.) If there is a already a vulnerable trusted app installed on the user's system and executing when somehow you exploit it in proc via, say, some memory attack, e.g., buffer overrun, which then executes this code in context.

2.) If the user chooses to run an unsigned exe containing this code from an untrusted source, say, from your website.

Please read Jon's post again. Then, read it again. http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx

C

 

Or there's another exploit in acrobat. Or IE. Or Firefox. Or ...

And so on.

blowdart said:

Charles said:

*snip*

Or there's another exploit in acrobat. Or IE. Or Firefox. Or ...

And so on.

Yes. See answer number 1.)

C

Charles said:

blowdart said:

*snip*

Yes. See answer number 1.)

C

"Yes. See answer number 1.)"

----

Yes, and that proves your point.. how exactly? An exploited acrobat reader couldn't get root access (without UAC prompt) now it can. That fact ISN'T in your favour, guys.

Charles said:

LeoDavidson said:

*snip*

How does this code get on the target client? Is that a fair question?

Answers:

1.) If there is a already a vulnerable trusted app installed on the user's system and executing when somehow you exploit it in proc via, say, some memory attack, e.g., buffer overrun, which then executes this code in context.

2.) If the user chooses to run an unsigned exe containing this code from an untrusted source, say, from your website.

Please read Jon's post again. Then, read it again. http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx

C

 

Charles said:

How does this code get on the target client? Is that a fair question?

Somebody puts a Sony audio CD in their PC to listen to music?

No, it isn't a fair question, because it skirts the real point. If the distinction between Medium and High IL doesn't matter, why bother having UAC prompts for it at all? Why not just run every application except Internet Explorer with full Administrator rights? Why doesn't Microsoft recommend running as Administrator for all users?

AndyC said:

Charles said:

*snip*

Somebody puts a Sony audio CD in their PC to listen to music?

No, it isn't a fair question, because it skirts the real point. If the distinction between Medium and High IL doesn't matter, why bother having UAC prompts for it at all? Why not just run every application except Internet Explorer with full Administrator rights? Why doesn't Microsoft recommend running as Administrator for all users?

Whatever. I'm finished with this topic.

C

Charles said:

AndyC said:

*snip*

Whatever. I'm finished with this topic.

C

We aren't though

On an unrelated note, UAC doesn't bother me that much; my biggest gripe is how they duplicated various dialog boxes for common tasks in NT6 / Win7 so that UAC can "split down the middle" and allow people to see-and-not-touch various settings like NTFS ACLs and Network settings, but if you're using WS2008 where UAC is disabled it means you have to open superflous and pointless windows to get to what you're trying to do.

Will they get rid of the duplicate ACL windows in the final build of Win7?

W3bbo said:

Charles said:

*snip*

We aren't though

On an unrelated note, UAC doesn't bother me that much; my biggest gripe is how they duplicated various dialog boxes for common tasks in NT6 / Win7 so that UAC can "split down the middle" and allow people to see-and-not-touch various settings like NTFS ACLs and Network settings, but if you're using WS2008 where UAC is disabled it means you have to open superflous and pointless windows to get to what you're trying to do.

Will they get rid of the duplicate ACL windows in the final build of Win7?

W3bbo said:

Will they get rid of the duplicate ACL windows in the final build of Win7?

Doubt it at this point, especially because redesigning the ACL editor to allow editing of ACLs without that would be an incredibly difficult (if not impossible) task.

W3bbo said:

Charles said:

*snip*

We aren't though

On an unrelated note, UAC doesn't bother me that much; my biggest gripe is how they duplicated various dialog boxes for common tasks in NT6 / Win7 so that UAC can "split down the middle" and allow people to see-and-not-touch various settings like NTFS ACLs and Network settings, but if you're using WS2008 where UAC is disabled it means you have to open superflous and pointless windows to get to what you're trying to do.

Will they get rid of the duplicate ACL windows in the final build of Win7?

We're likely on the final build of Windows 7, excluding service packs.

Most of the configuration stuff in Windows (Control Panel et al) is a jumbled mess. It only got worse in Vista. Hopefully they will sit down and give it some serious thought in the future because it is only going to continue to get worse.

When I have some free time I'm going to make a large thread about Window 7's control panel and tear into it... Start asking questions like "Why does this box exist?" "Why do these do the same thing?" "Why is this design style and this design style used here and here?" "Why aren't users given a control panel with only usable configuration boxes in?"

Windows 95 was at least consistent and everything visible was usable to the user...

Charles said:

AndyC said:

*snip*

Whatever. I'm finished with this topic.

C

"Whatever. I'm finished with this topic."
----------------------------------------

This is just asking for it ("it" being a PR disaster). You can bet that there are journalists from cnet,  zdnet, theregister etc. monitoring this thread. And, like it nor not, you're the MS representative here.

I understand that you're not part of the windows team, but their unwillingness to comment and now your unwillingness to comment, is like throwing lumber into the PR forest fire.

ManipUni said:

W3bbo said:

*snip*

We're likely on the final build of Windows 7, excluding service packs.

Most of the configuration stuff in Windows (Control Panel et al) is a jumbled mess. It only got worse in Vista. Hopefully they will sit down and give it some serious thought in the future because it is only going to continue to get worse.

When I have some free time I'm going to make a large thread about Window 7's control panel and tear into it... Start asking questions like "Why does this box exist?" "Why do these do the same thing?" "Why is this design style and this design style used here and here?" "Why aren't users given a control panel with only usable configuration boxes in?"

Windows 95 was at least consistent and everything visible was usable to the user...

 

ManipUni said:

Windows 95 was at least consistent and everything visible was usable to the user...

Well yes but Windows 95 had an easier story, no back compat and absolutely no security.

Sounds like an interesting thread though....

Charles said:

AndyC said:

*snip*

Whatever. I'm finished with this topic.

C

"Whatever. I'm finished with this topic."

Is it only me that's reminded of a child putting their hands over their ears and shouting "I'M NOT LISTENING I'M NOT LISTENING"?

AndyC said:

ManipUni said:

*snip*

Well yes but Windows 95 had an easier story, no back compat and absolutely no security.

Sounds like an interesting thread though....

What about Mac OS X's control panel? It's arguably simpler than Windows 95's.

I like how in OS X and in most Mac applications settings take effect as soon as a checkbox is filled rather than when you hit Apply.

W3bbo said:

AndyC said:

*snip*

What about Mac OS X's control panel? It's arguably simpler than Windows 95's.

I like how in OS X and in most Mac applications settings take effect as soon as a checkbox is filled rather than when you hit Apply.

It's also trivial to exploit.

Charles said:

AndyC said:

*snip*

Whatever. I'm finished with this topic.

C

I'm not sure what's worse: That we have to spend so long to convince MS people that remote-code-execution vulnerabilities exist (duh!) and can be made worse by combining them with a silent, instant UAC bypass, or that once that obvious fact is finally repeated enough times for it to sink in the response is always the same: Silence.

Besides which, WTF is the point of the UAC prompts, secure desktop, etc. if MS are happy to ignore a trivial (2 days to research and write from scratch) bypass mechanism which was raised four months ago, back when Windows was still at the public beta stage?

(Ignore, I might add, without even bothering to get the full details of what it was. To me that screams, "We know this feature is now just for show and we thus don't care about any issues people raise.")

Meanwhile using standard user still sucks and will be considered unusable by most people, because MS's private UAC-exemption backdoor only covers up the same old badly designed, prompt-(about-prompt)-spamming code for admin users, and third-party apps suffer under admin accounts for pure security theater.

It's crystal clear that the new UAC setting/default is an attempt to appease the complaints about Vista's UAC prompt-spamming -- a good aim but a terrible way to go about it! -- without appearing to go back to the bad-old-days of XP.

Yeah, if you make it so users see the odd UAC prompt for other people's software then they'll feel like they're secure, even though by default the prompts are now worth no more than a MessageBox("Are you sure?", MB_OKCANCEL)

(UAC itself isn't worthless, of course, but the prompts are at the default mode.)

wastingtimewithforums said:

Charles said:

*snip*

"Yes. See answer number 1.)"

----

Yes, and that proves your point.. how exactly? An exploited acrobat reader couldn't get root access (without UAC prompt) now it can. That fact ISN'T in your favour, guys.

[EDIT: I was wrong about Flash/PDF within protected-mode IE. See reply on 8th page.]

It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer. We all wish they didn't, and wish more things supported low-IL, but we still live in a reality where that isn't the case. Low-IL is the exception, not the rule. There are still plenty of "innocent" actions, like visiting a webpage in an up-to-date low-IL browser or double-clicking what you think is a static image or document file, which can result in malicious code being run.

It doesn't have to be a "dodgy" webpage or file, either. There have been several cases this year alone where non-malicious sites and advertising networks have been hijacked by bad people to deliver malicious content to unsuspecting users.

UAC isn't only about malicious code, obviously, but it's pretty useful at slowing it down and/or limiting how deeply it can embed itself in the system itself. I'd say that's the primary benefit of the prompts for admin accounts. (Even though UAC isn't a security boundary, it is still a security feature.)

If you remove that benefit then what's left? Just the idea of making apps which show too many prompts annoy admin users with the misguided idea that it'll be more likely to make people push for those apps to be redesigned than for those people to simply turn off UAC if it bothers them... A pretty rich idea, too, considering Microsoft's apps (when their private backdoor is taken away) were and still are the worst offenders when it comes to this.

LeoDavidson said:

wastingtimewithforums said:

*snip*

[EDIT: I was wrong about Flash/PDF within protected-mode IE. See reply on 8th page.]

It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer. We all wish they didn't, and wish more things supported low-IL, but we still live in a reality where that isn't the case. Low-IL is the exception, not the rule. There are still plenty of "innocent" actions, like visiting a webpage in an up-to-date low-IL browser or double-clicking what you think is a static image or document file, which can result in malicious code being run.

It doesn't have to be a "dodgy" webpage or file, either. There have been several cases this year alone where non-malicious sites and advertising networks have been hijacked by bad people to deliver malicious content to unsuspecting users.

UAC isn't only about malicious code, obviously, but it's pretty useful at slowing it down and/or limiting how deeply it can embed itself in the system itself. I'd say that's the primary benefit of the prompts for admin accounts. (Even though UAC isn't a security boundary, it is still a security feature.)

If you remove that benefit then what's left? Just the idea of making apps which show too many prompts annoy admin users with the misguided idea that it'll be more likely to make people push for those apps to be redesigned than for those people to simply turn off UAC if it bothers them... A pretty rich idea, too, considering Microsoft's apps (when their private backdoor is taken away) were and still are the worst offenders when it comes to this.

Well flash is an incredibly nasty piece of software. Adobe simply ignores privacy mode, be in in IE or Mozilla and allows flash "cookies" regardless. And Acrobat is one of the easier vectors to exploit these days, just embed a PDF which has the javascript exploit and it will run, no prompts to the user.

LeoDavidson said:

wastingtimewithforums said:

*snip*

[EDIT: I was wrong about Flash/PDF within protected-mode IE. See reply on 8th page.]

It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer. We all wish they didn't, and wish more things supported low-IL, but we still live in a reality where that isn't the case. Low-IL is the exception, not the rule. There are still plenty of "innocent" actions, like visiting a webpage in an up-to-date low-IL browser or double-clicking what you think is a static image or document file, which can result in malicious code being run.

It doesn't have to be a "dodgy" webpage or file, either. There have been several cases this year alone where non-malicious sites and advertising networks have been hijacked by bad people to deliver malicious content to unsuspecting users.

UAC isn't only about malicious code, obviously, but it's pretty useful at slowing it down and/or limiting how deeply it can embed itself in the system itself. I'd say that's the primary benefit of the prompts for admin accounts. (Even though UAC isn't a security boundary, it is still a security feature.)

If you remove that benefit then what's left? Just the idea of making apps which show too many prompts annoy admin users with the misguided idea that it'll be more likely to make people push for those apps to be redesigned than for those people to simply turn off UAC if it bothers them... A pretty rich idea, too, considering Microsoft's apps (when their private backdoor is taken away) were and still are the worst offenders when it comes to this.

Quote from http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx:

The problem with marking Windows binaries to “silently elevate” is that we feel it will lead to “worms” or self propagating malware.  If, for example, the user marks MMC.exe (the Microsoft Management Console) as “silent elevate” so that the device setup dialogs don’t prompt for elevation, malware running as Standard User would be able to use that setting to launch MMC with a set of command line parameters that accomplish tasks that we don’t want to happen silently, such as adding a new admin account to the system.  As another example, if you mark Format.com as a “silent elevator,” malware can then do a format of the OS drive.

I think it's safe to say this team isn't working on UAC anymore...

Uxtheme Rafael said:

LeoDavidson said:

*snip*

I think it's safe to say this team isn't working on UAC anymore...

That's what pisses me of the most. MS is treating it like we're all wrong about what UAC is supposed to do, yet a scant few years ago the very people working on Vista UAC agreed with the points we are now arguing.

Uxtheme Rafael said:

LeoDavidson said:

*snip*

I think it's safe to say this team isn't working on UAC anymore...

Ah except silent elevation only happens for administrators, your quote talks about making silent elevation happen for standard users.

Sven Groot said:

Uxtheme Rafael said:

*snip*

That's what pisses me of the most. MS is treating it like we're all wrong about what UAC is supposed to do, yet a scant few years ago the very people working on Vista UAC agreed with the points we are now arguing.

Not only that, but most of us are probably aware of this issue because the original UAC team did such a good job of explaining why it couldn't whitelist apps the first time around.

My advice to Windows 7 (and Vista) users now is, don't run as an administrator account. UAC will offer no protection. Run as a user and create an administrator account to login using the UAC prompt. That gives you UAC with real process isolation.

ManipUni said:

I think I'm starting to side with Microsoft on this issue. The more I look at UAC the more I realize that the entire thing is a waste of time with or without the whitelist. All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way.

My advice to Windows 7 (and Vista) users now is, don't run as an administrator account. UAC will offer no protection. Run as a user and create an administrator account to login using the UAC prompt. That gives you UAC with real process isolation.

The more I look at UAC the more I realize that the entire thing is a waste of time with or without the whitelist.

Run as a user and create an administrator account to login using the UAC prompt.

Prompt-spoofing can be done from standard user accounts. e.g. You want to open an elevated command prompt. Something's waiting for you to click that button and gets there first. All you see is a UAC dialog saying cmd.exe from Microsoft is about to be run. You don't know it's being run with different arguments, so you type your password in and by the time you see the second UAC prompt it's too late.

(Even code-injection could also be done from standard user accounts, although it is far, far more difficult. If someone spends enough time analysing the target process they could do it, though. e.g. You trigger an elevation in Explorer. Something's waiting for you to do that and finds the elevated IFileOperation object pointer in Explorer's memory and starts sending commands to it. Very, very difficult but not impossible.)

Even if you don't use elevation at all, and use fast user switching instead, things can go wrong. If you decide to browse the web using standard user for security, how do you know that an unsigned exe you download hasn't been changed by malware between you saving it to disk and you switching to the admin account to run the installer?

So there are issues even with standard user elevation and the real security boundary. That's life. It doesn't mean we should throw our hands up and ignore all security issues with standard user accounts, does it? So why are we doing that with limited-admin accounts when they are still what the majority of non-business users will use?

It all boils down to making things difficult enough that they will not be exploited quickly or often.

What the default settings are, and what users will actually put up with, also cannot be ignored.

You can say people should change the defaults to be more secure but it's about as likely to happen for most users as people changing to Linux to be more secure.

You can say that people should put up with the hassle of typing in a password five times in a row because they needed to move some data around in Program Files, but that's about as likely to happen as people disassembling every program they download to check for malicious code.

The situation we're in now is that the default settings have been made easy to bypass. That's not good.

Edit: But if we do throw our hands up and give up on making limited-admin as secure as possible, let's admit that's what we've done and not inflict pointless UAC prompts on third-party software just for show.

LeoDavidson said:

ManipUni said:

*snip*

Prompt-spoofing can be done from standard user accounts. e.g. You want to open an elevated command prompt. Something's waiting for you to click that button and gets there first. All you see is a UAC dialog saying cmd.exe from Microsoft is about to be run. You don't know it's being run with different arguments, so you type your password in and by the time you see the second UAC prompt it's too late.

(Even code-injection could also be done from standard user accounts, although it is far, far more difficult. If someone spends enough time analysing the target process they could do it, though. e.g. You trigger an elevation in Explorer. Something's waiting for you to do that and finds the elevated IFileOperation object pointer in Explorer's memory and starts sending commands to it. Very, very difficult but not impossible.)

Even if you don't use elevation at all, and use fast user switching instead, things can go wrong. If you decide to browse the web using standard user for security, how do you know that an unsigned exe you download hasn't been changed by malware between you saving it to disk and you switching to the admin account to run the installer?

So there are issues even with standard user elevation and the real security boundary. That's life. It doesn't mean we should throw our hands up and ignore all security issues with standard user accounts, does it? So why are we doing that with limited-admin accounts when they are still what the majority of non-business users will use?

It all boils down to making things difficult enough that they will not be exploited quickly or often.

What the default settings are, and what users will actually put up with, also cannot be ignored.

You can say people should change the defaults to be more secure but it's about as likely to happen for most users as people changing to Linux to be more secure.

You can say that people should put up with the hassle of typing in a password five times in a row because they needed to move some data around in Program Files, but that's about as likely to happen as people disassembling every program they download to check for malicious code.

The situation we're in now is that the default settings have been made easy to bypass. That's not good.

Edit: But if we do throw our hands up and give up on making limited-admin as secure as possible, let's admit that's what we've done and not inflict pointless UAC prompts on third-party software just for show.

ManipUni said:

LeoDavidson said:

*snip*

Which is why I am suggesting people use something other than the default which is harder to bypass. While logging into an administrator account via UAC is still somewhat flawed it is better than either UAC in Vista or whitelisted UAC in 7. Secure desktop helps mitigate some UI hijack issues.

But I do grant that you could entirely replace for example the Firewall Control Panel applet and people would just login to admin and escalate your new nasty applet. But I'm not sure how much can be done to mitigate that. I guess you could suggest people fast user switch but that is asking more than most normal people are willing to give.

ManipUni said:

Which is why I am suggesting people use something other than the default which is harder to bypass. While logging into an administrator account via UAC is still somewhat flawed it is better than either UAC in Vista or whitelisted UAC in 7. Secure desktop helps mitigate some UI hijack issues.

That is absolutely the best way to do things, but it can also be the most frustrating if you have a lot of applications that aren't Standard User friendly. One of the goals of UAC in Vista was to make more applications Standard User friendly, which would make taking this most secure route much more palatable. Sadly Windows 7 has jumped the shark in that regard, what we will now see is more apps that appear (and claim) to be Standard User friendly, but only do so by exploiting silent elevation. And fixing that in future versions of Windows could be the biggest nightmare the appcompat team will ever have.

ManipUni said:

But I do grant that you could entirely replace for example the Firewall Control Panel applet and people would just login to admin and escalate your new nasty applet. But I'm not sure how much can be done to mitigate that. I guess you could suggest people fast user switch but that is asking more than most normal people are willing to give.

Not really. How do you replace the Firewall control panel without having Administrator rights? And if you were able to obtain Administrator rights at some point, why would you bother messing around with the Firewall Control panel when you already own the machine at that point?

AndyC said:

ManipUni said:

*snip*

Not really. How do you replace the Firewall control panel without having Administrator rights? And if you were able to obtain Administrator rights at some point, why would you bother messing around with the Firewall Control panel when you already own the machine at that point?

The Firewall Control Panel applet is displayed by Explorer running within your session. You just modify the process to direct the Firewall applet to another applet of your choice.

ManipUni said:

I think I'm starting to side with Microsoft on this issue. The more I look at UAC the more I realize that the entire thing is a waste of time with or without the whitelist. All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way.

My advice to Windows 7 (and Vista) users now is, don't run as an administrator account. UAC will offer no protection. Run as a user and create an administrator account to login using the UAC prompt. That gives you UAC with real process isolation.

"All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way."

--------------------------

Is automatic escalation really easy in Vista? OK then, how do you circumvent Vista's UAC prompts? Show me an example.. Because, frankly, I have never seen one. Of course I have seen something that claims it can circumvent it, as example:

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

But at the end, it doesn't really circumvent it, quote:

--------------------

"While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer - which requires admin privileges, of course - which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but - in line with the Windows Service Model - cannot be interacted with by end users."

-------------------

All the examples I have seen _still_ ask for a prompt at some point. Can you show me an .exe, that disables Vista's UAC instantly without any prompts?

ManipUni said:

AndyC said:

*snip*

The Firewall Control Panel applet is displayed by Explorer running within your session. You just modify the process to direct the Firewall applet to another applet of your choice.

If you altered the explorer process so it pointed the firewall applet at a different control panel, you'd get a different UAC prompt (either the Orange unsigned one or the grey Signed by third party one), wheras the normal Firewall control panel generates the Green/Blue Windows one. It's not perfect, but it's another layer of defense if you know what you are looking for.

wastingtimewithforums said:

ManipUni said:

*snip*

"All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way."

--------------------------

Is automatic escalation really easy in Vista? OK then, how do you circumvent Vista's UAC prompts? Show me an example.. Because, frankly, I have never seen one. Of course I have seen something that claims it can circumvent it, as example:

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

But at the end, it doesn't really circumvent it, quote:

--------------------

"While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer - which requires admin privileges, of course - which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but - in line with the Windows Service Model - cannot be interacted with by end users."

-------------------

All the examples I have seen _still_ ask for a prompt at some point. Can you show me an .exe, that disables Vista's UAC instantly without any prompts?

I cannot show you an application that disables UAC instantly.

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do.

Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll *.exe *.com etc files you run across. Even if it invalidates the signiture most people would assume that something from Microsoft.com for example is safe and launch it.

ManipUni said:

wastingtimewithforums said:

*snip*

I cannot show you an application that disables UAC instantly.

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do.

Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll *.exe *.com etc files you run across. Even if it invalidates the signiture most people would assume that something from Microsoft.com for example is safe and launch it.

"But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do."

And this is easy? First of all you would have a background application in the task manager always visible - problem 1 (and some anti virus-anti spyware software give alarms if an unknown process is always active in the background)

It's a guess game - there is very high chance that the user won't elevate any application. If mom&pop work only with the browser+mail client+word they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2

Problem 3 - this attack works with a standard account! And exactly like that - it lurks in the background and injects into processes, if the user elevates an infected process.. boom. What's the difference? Where is the standard account superior then? The additional password request?

Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guess games, is supposed to be not a vulnerability.

blowdart said:

Uxtheme Rafael said:

*snip*

Ah except silent elevation only happens for administrators, your quote talks about making silent elevation happen for standard users.

Ah except silent elevation only happens for administrators, your quote talks about making silent elevation happen for standard users.

You do realize the majority of Windows 7 users will be using Administrative accounts right?

wastingtimewithforums said:

ManipUni said:

*snip*

"But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do."

And this is easy? First of all you would have a background application in the task manager always visible - problem 1 (and some anti virus-anti spyware software give alarms if an unknown process is always active in the background)

It's a guess game - there is very high chance that the user won't elevate any application. If mom&pop work only with the browser+mail client+word they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2

Problem 3 - this attack works with a standard account! And exactly like that - it lurks in the background and injects into processes, if the user elevates an infected process.. boom. What's the difference? Where is the standard account superior then? The additional password request?

 

Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guess games, is supposed to be not a vulnerability.

1) You just hide it inside rundll or name it creatively. Or have your entire logic only exist within existing processes, so for example you inject the logic into all the processes on the system, close, and those processes poll the OS for any new processes and pass it on if one exists. The only hard part about that is making sure that you don't inject twice or twice at the same time.

2) If they don't escalate any of the applications then you've lost nothing.

3) The standard account only removes a limited amount of threat. It just means that if processes are launched directly into the admin's session they MIGHT be clean. It can be bypassed and can be broken. But it is harder than UAC on the same account is. A lot of these same techniques work on both but not all of them. Fast user switching or logging out defeats much more however.

Uxtheme Rafael said:

blowdart said:

*snip*

You do realize the majority of Windows 7 users will be using Administrative accounts right?

 

"You do realize the majority of Windows 7 users will be using Administrative accounts right?"
-------------

And that the default account in Win7 is an administrator account of course too.

The defenders of the Win7 default UAC behaviour point always to the fact, that using a standard account solves the UAC problem, but they always seem to forget, that the default account is still administrator.

They want to keep the cake and eat it at the same time.

ManipUni said:

wastingtimewithforums said:

*snip*

1) You just hide it inside rundll or name it creatively. Or have your entire logic only exist within existing processes, so for example you inject the logic into all the processes on the system, close, and those processes poll the OS for any new processes and pass it on if one exists. The only hard part about that is making sure that you don't inject twice or twice at the same time.

2) If they don't escalate any of the applications then you've lost nothing.

3) The standard account only removes a limited amount of threat. It just means that if processes are launched directly into the admin's session they MIGHT be clean. It can be bypassed and can be broken. But it is harder than UAC on the same account is. A lot of these same techniques work on both but not all of them. Fast user switching or logging out defeats much more however.

1) This is complicated and error prone. OK, it might work, but.. not guaranteed, while the new UAC flaw works absolutely.

2) The attacker lost! He lost the chance to root the system.

3)

"It can be bypassed and can be broken. But it is harder than UAC on the same account is"

By your method it's not really even harder, there is just the additonal password prompt, but if the user wants to elevate the infected process, he will anway. So what? And you wrote the keyword: harder. To make security brearches harder should be the goal of the OS maker. And by all means, Microsoft just made it EASIER to break the system with Win7.

I still don't see the point of the new UAC behaviour in Win7. It opened a serious addtional attack vector and, even worse, creates a false sense of security, since third party applications still get prompts, but, if the applications want to, they can circumvent them with ridiculous ease.

wastingtimewithforums said:

ManipUni said:

*snip*

1) This is complicated and error prone. OK, it might work, but.. not guaranteed, while the new UAC flaw works absolutely.

2) The attacker lost! He lost the chance to root the system.

3)

"It can be bypassed and can be broken. But it is harder than UAC on the same account is"

By your method it's not really even harder, there is just the additonal password prompt, but if the user wants to elevate the infected process, he will anway. So what? And you wrote the keyword: harder. To make security brearches harder should be the goal of the OS maker. And by all means, Microsoft just made it EASIER to break the system with Win7.

I still don't see the point of the new UAC behaviour in Win7. It opened a serious addtional attack vector and, even worse, creates a false sense of security, since third party applications still get prompts, but, if the applications want to, they can circumvent them with ridiculous ease.

It doesn't open a new attack vector though. It just makes it easier to exploit one that already exists on Vista.

ManipUni said:

wastingtimewithforums said:

*snip*

It doesn't open a new attack vector though. It just makes it easier to exploit one that already exists on Vista.

Well, it makes it *much* easier. That's the problem.

ManipUni said:

wastingtimewithforums said:

*snip*

I cannot show you an application that disables UAC instantly.

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do.

Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll *.exe *.com etc files you run across. Even if it invalidates the signiture most people would assume that something from Microsoft.com for example is safe and launch it.

ManipUni said:

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do.

Nope, you can't do that, once a process is launched its security token can't be changed. You have to elevate it before you launch it and you can't inject code into a process that hasn't started yet. Elevating silently on Vista is hard work, if possible at all. Elevating silently on Windows 7 is trivial.

Uxtheme Rafael said:

LeoDavidson said:

*snip*

I think it's safe to say this team isn't working on UAC anymore...

"Quote from http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx:" (...)
---

Ouch. If this isn't a contradiction to the current policy, I don't know what a contradiction is. I wonder whether the UAC division was hit hard by the recent layoffs?

Every new NT release since the last 15 years was more secure than its predecessor, with Win7, this line will be broken. HM... I can see a new Apple ad!

Bass said:

Why does "not having root access" == security? I think people's personal files and information is FAR more important to be secured then some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensistive information, nor to open sockets, or access the keyboard and mouse.

You people suck at teh hax0r if you think UAC or root/user separation makes much a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

 I thought Vista did a good job with UAC, I still have it enabled and it only pops up when it needs to, I'd rather know what's going on in my PC. Is/will there be an option in Windows 7 then to make it like Vista? 

And you know what.. I hope its a thorn to MS for a while(though I do side with them on there reasoning), but trying to tackle something for perhaps the right reasons, only delivered in the wrong way!!! Next time don't bother if you can't do it properly... now keep pissing off those security conscious nutjobs who actually liked / relied on UAC- tis funny to read their pleas

pavone said:

Bass said:

*snip*

 I thought Vista did a good job with UAC, I still have it enabled and it only pops up when it needs to, I'd rather know what's going on in my PC. Is/will there be an option in Windows 7 then to make it like Vista? 

IIRC the highest level in 7 is akin to Vista.

GoddersUK said:

pavone said:

*snip*

IIRC the highest level in 7 is akin to Vista.

But that isn't the default and as such 98% of users will never see it. Just like Windows XP supports running as a standard user but again, not default.

AndyC, fair enough. Clearly more research on my part is still needed. I need to buy the WinInternals book 

wastingtimewithforums said:

ManipUni said:

*snip*

Well, it makes it *much* easier. That's the problem.

If a toned down UAC is what it takes to make people accept to upgrade and to run with some sort of UAC, this will defintely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

Unfortunately, these are quite common as far as I can see... I know my customer base does not qualify as a valid statistic, but what I could see is worrying. When asked, the customers usually justify their choices (and the fact that they are using administrative accounts in the first place) with some legacy or homegrown software they cannot afford to update. Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

In brief, you cannot shove security (or any other brilliant design) down the throat of your customers if this impacts significantly their perceived usability. They will simply react by not buying your software or requiring a way to keep working like they were used to. This is a hard lesson to learn, and it's sad that a large number of developers still don't get it.

ManipUni said:

GoddersUK said:

*snip*

But that isn't the default and as such 98% of users will never see it. Just like Windows XP supports running as a standard user but again, not default.

AndyC, fair enough. Clearly more research on my part is still needed. I need to buy the WinInternals book 

I'd suggest waiting for the 5th Edition, but who knows when that'll come out.

Blue Ink said:

wastingtimewithforums said:

*snip*

If a toned down UAC is what it takes to make people accept to upgrade and to run with some sort of UAC, this will defintely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

Unfortunately, these are quite common as far as I can see... I know my customer base does not qualify as a valid statistic, but what I could see is worrying. When asked, the customers usually justify their choices (and the fact that they are using administrative accounts in the first place) with some legacy or homegrown software they cannot afford to update. Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

In brief, you cannot shove security (or any other brilliant design) down the throat of your customers if this impacts significantly their perceived usability. They will simply react by not buying your software or requiring a way to keep working like they were used to. This is a hard lesson to learn, and it's sad that a large number of developers still don't get it.

 

this will defintely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

I disagree. With Vista a lot of people did turn off UAC, but I would bet the majority -- whether annoyed by it or not -- did not turn it off or know they could turn it off. Would your average person even know what to search the web for?

Windows 7 might as well default to having no UAC prompts, given how easy they are to bypass. So, on average, I'd say more people will be running with ineffective/pointless UAC settings than before. (Unless you feel that UAC is pointless in all modes, in which case the Win7 defaults still don't make sense.)

usually justify their choices ... with some legacy or homegrown software they cannot afford to update.

Those things will still show UAC prompts in Win 7 by default, so people annoyed by that will still be encouraged to turn off UAC (or the just the UAC prompts, if they stumble on to better advice).

Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

I agree there. Most people who disliked UAC on Vista seem to have extrapolated from the number of prompts they saw during the unusual first couple of weeks of setup, instead of realising that they'd not have to see that many prompts after a while.

Still, now the "it's annoying" hearsay will be replaced with "it's still annoying at times and it's now completely pointless so you still might as well turn it off" hearsay.

In brief, you cannot shove security (or any other brilliant design) down the throat of your customers if this impacts significantly their perceived usability.

Indeed, but if UAC had been slightly better designed* and if Microsoft's apps had used it better** then I doubt there would have been as many complaints about Vista.

(* e.g. To show more of a UI than just "Yes or No" in confirmation dialogs so that prompts-about-prompts were not neccessary and so that spoofing was more difficult (assuming the dialogs were built by elevated code based on the args it was being passed, not built by the app requesting elevation). e.g. To make the Secure Desktop switch not take 10+ seconds at times, and make the switch to it less visually annoying (esp. on large monitor or in dark rooms.))

(** e.g. To cache elevated COM objects through multiple operations instead of showing several prompts (and prompts-about-prompts) for a sequence of changes which, to the user, is all part of the same thing. Part of that problem was pure bad design -- like showing four prompts to create one folder -- and the other part was, I believe, an attempt to limit the chance that an object or UI could be hijacked. Clearly the second point has been thrown out of the window now that Explorer etc. are *effectively* elevated all of the time (and yet not protected like a real elevated process/UI). We went from one extreme of security/inconvenience to another extream of insecurity/convenience when the middle ground would've been much better: Cached elevated COM objects through some kind of "admin mode" that the user either turns on explicitly or enters after the first elevation, and then exits via a timeout or explicit button/window-close/etc.)

This goes back to what you said earlier: When faced with third-party software which triggered a lot of UAC prompts, did people ask for that software to be improved? Nope. They just turned off UAC. Why? I think it's because Microsoft themselves set such a bad example that people assumed UAC was inherently irritating.

Charles said:

wastingtimewithforums said:

*snip*

I didn't say don't talk here.... I was trying to make the point that if you post these concerns on a blog that is frequented by the Windows team, well, maybe you'd get some answers that will help you understand. In the meantime, again, please take the time to watch this:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

C

Charles,

Its great that you have been having such a great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, peformance, resource consumption and so much more! To learn more about the changes that were made and why they were made check out Microsoft Springboard and Talking About Windows.

http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
www.talkingaboutwindows.com

Jessica
Microsoft Windows Client Team

JessicaD said:

Charles said:

*snip*

Charles,

Its great that you have been having such a great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, peformance, resource consumption and so much more! To learn more about the changes that were made and why they were made check out Microsoft Springboard and Talking About Windows.

http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
www.talkingaboutwindows.com

Jessica
Microsoft Windows Client Team

ah, come on, tinyurl is so last year, dickensurl is the new tinyurl now...

http://dickensurl.com/b745/Whatever_was_required_to_be_done_the_Circumlocution_Office_was_beforehand_with_all_the_public_departments_in_the_art_of_perceiving__HOW_NOT_TO_DO_IT

http://dickensurl.com/b748/The_serjeant_was_describing_a_military_life_It_was_all_drinking_he_said_except_that_there_were_frequent_intervals_of_eating_and_lovemaking

JessicaD said:

Charles said:

*snip*

Charles,

Its great that you have been having such a great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, peformance, resource consumption and so much more! To learn more about the changes that were made and why they were made check out Microsoft Springboard and Talking About Windows.

http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
www.talkingaboutwindows.com

Jessica
Microsoft Windows Client Team

I think maybe you missed the point here. Oh well.

blowdart said:

JessicaD said:

*snip*

I think maybe you missed the point here. Oh well.

I think she missed more than that. 

DCMonkey said:

blowdart said:

*snip*

I think she missed more than that. 

I'm not sure if "she" is really a member of the Windows Client Team (I say "she" because a username doesn't really effectively designate gender in a reliable way, so, no offense).

If so, I'll need to send her some mail...

C

LeoDavidson said:

wastingtimewithforums said:

*snip*

[EDIT: I was wrong about Flash/PDF within protected-mode IE. See reply on 8th page.]

It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer. We all wish they didn't, and wish more things supported low-IL, but we still live in a reality where that isn't the case. Low-IL is the exception, not the rule. There are still plenty of "innocent" actions, like visiting a webpage in an up-to-date low-IL browser or double-clicking what you think is a static image or document file, which can result in malicious code being run.

It doesn't have to be a "dodgy" webpage or file, either. There have been several cases this year alone where non-malicious sites and advertising networks have been hijacked by bad people to deliver malicious content to unsuspecting users.

UAC isn't only about malicious code, obviously, but it's pretty useful at slowing it down and/or limiting how deeply it can embed itself in the system itself. I'd say that's the primary benefit of the prompts for admin accounts. (Even though UAC isn't a security boundary, it is still a security feature.)

If you remove that benefit then what's left? Just the idea of making apps which show too many prompts annoy admin users with the misguided idea that it'll be more likely to make people push for those apps to be redesigned than for those people to simply turn off UAC if it bothers them... A pretty rich idea, too, considering Microsoft's apps (when their private backdoor is taken away) were and still are the worst offenders when it comes to this.

Correction to what I said a few pages back. This was wrong:

It's also worth noting that both Flash and Adobe Reader run within medium-IL proxy processes even when used with low-IL Internet Explorer.

With protected-mode (low-IL) IE, in-browser PDF do run at low-IL. The broker processes are just there to handle the Save-As dialogs apparently. The same seems to be true for Flash, at least judging by which process (IE not the broker) uses CPU when animations are playing.

There's a good, detailed comment pointing out my mistake here:

http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/comment-page-2/#comment-75924

So if you use protected-mode IE (and possibly Chrome) then you shouldn't have to worry about RCEs in Flash/Reader breaking out of the browser and gaining full admin rights.

(It's still an issue if you use Firefox etc., and RCEs/buffer-overflows can still affect lots of other programs and media/document file types, including Adobe Reader when used outside of IE. This doesn't mean RCEs are not a problem but it I was completely wrong about Adobe Reader and Flash within protected-mode IE!)