Comment Feed for What UAC Controversy? (Coffeehouse on Channel 9)

Re: Re: Re: Re: Re: Re: What UAC Controversy?

Charles — Thu, 18 Jun 2009 18:49:37 GMT

Yep. I agree...

Re: Re: Re: Re: Re: What UAC Controversy?

Minh — Thu, 18 Jun 2009 14:09:10 GMT

Well... I have to say that it's a legit scenario, but such a niche scenario at the same time.

As a user you have to realize that the UAC prompt isn't the same as the "Are you sure you want to delete these files?"

AND...

You're doing something that triggered elevation

WHICH...

Probably means that you're deleting "All Users" shortcuts...

I mean, it saved AndyC lots of time... but very very niche-y

Re: Re: Re: What UAC Controversy?

Minh — Thu, 18 Jun 2009 14:06:09 GMT

I'm not even talking about the silent elevation scenario, my idea has always been that the text within the prompt is useless EXCEPT for programmers. A programmer can make informed deciscions when confronted with "Do you want me to let you do what you just try to do?" question.

Because we can tell that we shouldn't receive that when visiting a web site... but not virtually ANYONE else.

To me, the ideal security solution is some sort of hierarchical .Net Code-Access-Security for native Windows app... It's funny that I watched a recent C9 video where they said that .Net has very granular security model, but no body bothered to use it because it was too complicated, and that you can always write native code to get around it... haha

Re: Re: Re: Re: What UAC Controversy?

Charles — Thu, 18 Jun 2009 14:00:39 GMT

Ah. So, UAC isn't just a mechanism that can sometimes protect you from harmful code. :)
C

Re: Re: Re: What UAC Controversy?

Minh — Thu, 18 Jun 2009 13:56:56 GMT

That's a legit scenario that is helpful when the concept of switching from a standard user to an admin actually makes sense.

Re: Re: Re: Re: Re: What UAC Controversy?

Charles — Thu, 18 Jun 2009 13:04:54 GMT

I don't know anything about the current state of the UAC team, but the Windows org was not hit by any of the layoffs.....

Re: Re: What UAC Controversy?

RoyalSchrubber — Thu, 18 Jun 2009 13:03:03 GMT

Medium IL process shouldn't have access to each others mem address space, because Medium IL can be elevated. Exception should be put on whitelist.

There should be 'protected' folders that would be used for documents. At least 'my documents' and 'desktop' should be protected folders. Processes could open a file in protected folders only by user-mode equivalent of UAC windows in legacy applications, if its path is in arguments, or by special dialog that would behave just like Open/Save As but would also automatically give r/w permission to that application on per file basis. That way interaction with (non-legacy) applications would not change, but user's files containing confidential material/bank account numbers could not be stolen by Medium-IL processes.

AppData folder (or subfolders) should be lockable in operating system, so that corrupted process of one applications could not write settings that would corrupt application every time it is started. (Like corrupted IE setting its home-page to a site that would exploit a hole in IE every time it is started)

Saving executables and any other files that contain code should not be allowed in folders that are not protected. IE should delegate download of executables to special separate program that would display URL of source of executable. This way Medium-IL processes would not get access to executable just before they are run and corrupted IE would not be able to download file from source different than stated.

Any administrative tasks should require UAC dialog, only few OS components that do not accept much input from outside world (via Internet or files, like control panel or registry editor) could be put on white list.

Solaris containers/zones-like sand-boxing would also be great.

Re: Re: What UAC Controversy?

LeoDavidson — Thu, 18 Jun 2009 10:30:30 GMT

Not sure if it counts but I was surprised to see a UAC prompt after changing desktop resolution via NVidia's control panel a few weeks ago.

That didn't happen in the past (and it happens after the res is changed, i.e. the requested operation is already done so what does it need admin for?) so I wondered what was going on, and if the prompt was legitimate, and cancelled the prompt. Still happened on subsequent resolution changes...

After some digging around it seemed to be using UAC to update some HKLM registry data to do with the display settings, not doing anything dodgy as far as I could tell. I still cancelled the prompts when requested, though, since I didn't see any need for a display mode change to suddenly require admin and there seemed to be no downside in denying them.

Even more recent versions of the drivers/control panel have stopped doing this.

I think we'll have to wait until XP is obscure, and everyone is on Vista and above, before we see any interesting malware use UAC. It's not worth targeting Vista or Win 7 at this stage, but that time will come. (We're not talking about OS X here. :) ) My bet is that stuff will be opportunistic and not require admin to do its main job, but we might see things that will get admin if they can without drawing attention to themselves and then use the extra access to hide better or do additional things.

Re: Re: What UAC Controversy?

AndyC — Thu, 18 Jun 2009 07:00:36 GMT

Just yesterday, setting up our PC lab image for next year. I was using the desktop as a temporary store for drivers and so on (as I tend to do). Naturally once I'd finished I wanted rid of them and did my typical Ctrl-A, Shift-Delete, forgetting that there are some shared icons on the system desktop (to access student webmail etc) which obviously I didn't really want rid of. As shared content, there was a (somewhat unexpected) UAC prompt, naturally I hit cancel and UAC saved the day.

Re: What UAC Controversy?

Minh — Thu, 18 Jun 2009 03:32:54 GMT

I renew my quest to find a single person who received a UAC prompt on an action they didn't intend to make...

Re: Re: Re: Re: What UAC Controversy?

wastingtimewithforums — Thu, 18 Jun 2009 03:20:38 GMT

"I will try my best to get an interview with the UAC team (as it exists today)"

--------

What, I was right? To quote myself:

"I wonder whether the UAC division was hit hard by the recent layoffs?"
http://channel9.msdn.com/forums/Coffeehouse/473037-UAC-controversy-the-last-episode/?CommentID=473740

"The UAC team (as it exists today)" sounds, as if the old team was heavily purged.

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: What UAC Controversy?

LeoDavidson — Wed, 17 Jun 2009 21:08:27 GMT

Wouldn't it be better for the defaults to please somebody rather than nobody?

I dunno... Maybe they'd catch too much flack if they turned off the prompts completely, and too much flack if they did nothing, and the 3-year(?) dev cycle for Windows 7 didn't give enough time to really fix things*.

If so then I wish someone would just say that, admit that it's dumb if you think things through but sometimes dumb things are required for marketing/perception reasons, and give us some committment that they're already working to do things better in Windows 8.

MS could even talk with, instead of at, the community about UAC's future so we can share ideas and feel involved in the discussion rather than having something we disagree with and/or don't understand foisted upon us in three years' time.

(*I'm still not sure that's an excuse to create an API that is unfair on 3rd party developers but I also seem to be in a minority for caring about that aspect.)

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: What UAC Controversy?

vesuvius — Wed, 17 Jun 2009 20:46:34 GMT

My assumptions are based on experience and not speculation, and I feel that it is the correct one. UAC is an educational matter, not a medicine that must be foisted upon users as they are fickle.

The internet is a wide and powerful thing nowadays, and just as I have to enable "view all hidden files and folders" on any new PC, so will I automatically increase my UAC prompts. Most people are acting like abundant information about Windows Seven and it's architecture is unavailable.- give the Windows team some credit guys?

I just wish you could all send StevenS Email to let him know that they did right by UAC in Vista, and they have done well to allow most users in this educated age the option to either increase or remove their prompts.

That is the correct and finely balanced decision in this situation.

Re: Re: Re: Re: Re: Re: Re: Re: Re: What UAC Controversy?

LeoDavidson — Wed, 17 Jun 2009 19:57:25 GMT

Vesuvius, you're assuming that what MS did with Windows 7 was the only possible response to the complaints about UAC.

It really wasn't.

Equally, UAC itself wasn't the only possible response to the complaints that some apps required people to run as administrator (or whatever it was that UAC was supposed to address).

Just because something was done doesn't mean it was the right thing.

The new mode is a broken compromise. People who didn't value the prompts will still want to turn them off completely because they'll still get prompted for some apps. People who did value the prompts will want to turn them on completely because they're easy for apps to bypass by default. Who, exactly, are the new defaults supposed to please?

Re: Re: Re: Re: Re: What UAC Controversy?

Charles — Wed, 17 Jun 2009 19:34:29 GMT

Well, Sinofsky is the Senior Vice President of Windows Product Management. His opinion on the matter is quite frankly all that matters ( in terms of whether or not Windows does anything about your stated concern, which we all agree, requires that malicious code gets on your machine via one of several ways (IE hole, Chrome hole, FF hole, Outlook hole, Flash hole, Adobe Reader hole... Or, you simply run a dangerous package without realizing that the exe you downloaded and clicked on was malware, evilware) ).

Nothing wrong with sending more mail to Steven. As you can see, he does reply. To be honest, you are probably fighting a losing battle, but you never know.

Re: Re: Re: Re: Re: Re: Re: Re: What UAC Controversy?

vesuvius — Wed, 17 Jun 2009 19:24:39 GMT

All you folks, "Long included" have clearly never been in the position where you are supporting users (in the real world - not blogs) and have a department that deals with complaints. I have been fortunate to work for a company that was operational country-wide, and something I learnt then was that if people are paying a lot of money for software, and they complain, then you cannot ever ignore them. is irreversible and the costliest damage.

Microsoft listened to you, in fact they lead the way and suffered the ignominy of Vista, to educate people to be as voiciferous as you are being at present. They now need to cater for people that are not like you, so rather than writing to Microsoft and complaint to them, write blogs and forum posts about the intolerable and inerudite person called your mother, brother, sister, auntie and Cathy, Prunella and Elizabeth that work with your brother, mother...

It is they that are at fault.

Re: Re: Re: Re: Re: Re: Re: What UAC Controversy?

vesuvius — Wed, 17 Jun 2009 19:16:49 GMT

U guyz have nevah suported uzahz and had 10 million gazillion complayntz. Maw peoples have compaintz bout annoying popupz than anythings else. Security people like symantec will knot complain becoz they wheel cell more p-sees. U guyz are rong!

Re: Re: Re: Re: What UAC Controversy?

LeoDavidson — Wed, 17 Jun 2009 19:15:47 GMT

Thanks Charles. I appreciate the reply (and the other related/recent one in the other thread).

FWIW this issue has been posted at the E7 blog many times by many people in the comments and I peronally submitted it via the contact URL there back in February, but the only reply was from Steven Sinofsky:

Thanks for the note. I wasn't able to tell from the video, but how did the program you have get onto the desktop to run?

I explained and then heard nothing further. Seems that unless it's an RCE nobody is interested.

Given that Adobe seem to be providing the world with RCEs at the moment (hehe) and recently took *weeks* to patch published, in-the-wild, exploited RCE/buffer-overflow vulnerabilities in both Flash and Adobe Reader, it seems worth limiting what code which exploits such vulns. can do. But if not, like contextfree says, let's turn off the prompts entirely (at least for COM elevation if not exe elevation).

Re: Re: Re: What UAC Controversy?

Charles — Wed, 17 Jun 2009 18:06:08 GMT

You're not telling me anything I don't already know. Please see my reply here: http://channel9.msdn.com/forums/Coffeehouse/474156-Is-UAC-a-security-feature-or-not/?CommentID=474198

It should be clear that:

1) You are not wrong in your stated concern
2) There is miscommunication problems that have led to fundamental misunderstanding
3) I don't represent Windows product management. You'll need to engage them directly (they don't spend time on C9)
4) I'm sorry if I came across as belittling in my post yesterday.
5) I will try my best to get an interview with the UAC team (as it exists today). Do not hold your breath, however. This is not an easy thing to do these days......

Re: Re: Re: What UAC Controversy?

contextfree — Wed, 17 Jun 2009 14:51:19 GMT

We've seen a few different opinions here about the Vista default/W7 highest setting (and possibly other settings that may be morally equivalent e.g. Unix/Mac OS sudo):

some think it does provide real and significant security benefits
some claim it can be easily circumvented and is therefore pointless,
some think it's pointless because the whole concept of enhanced-security-through-least-user-privilege is pointless (because malicious programs can still mess with your personal data, etc.)

While this debate is interesting and I have to admit I don't completely understand the proposed exploits that exist for Vista or sudo, and so am not sure which of the above I think is true, it doesn't actually matter for the purposes of assessing the value of W7 default UAC. If the Vista default is worthwhile, crippling it into something that's trivially circumventable is a bad thing. If it's pointless, a weakened version of it is still pointless and it should be disabled entirely (talking about the pretense of a Medium/High boundary here, not Medium/Low). Regardless of one's opinions on other security settings and systems, there is no possible interpretation under which default settings that sometimes irritate the user, add complexity to the system, but present no obstacle to malicious programs make sense.

So, forgetting about Vista and Unix for the time being, what is the benefit of the Medium/High pseudo-boundary under W7 default settings? Mark Russinovich mentions that it will force malware writers to change their programs a bit, which I guess will buy some time, but that time seems unlikely to account for a large portion of W7's lifetime. I guess MSFT could continue changing their defense-in-depth features in equally broken but incompatible ways through patches and service packs -- "security through API churn".

Re: What UAC Controversy?

ManipUni — Wed, 17 Jun 2009 10:20:20 GMT

It would be good PR if nothing else to change the default. It has been like a black raincloud over Window 7's otherwise very popular release. Right now when you talk to anyone - "It is a great operating system, but you do need to change the UAC default" or similar.

Re: Re: What UAC Controversy?

AndyC — Wed, 17 Jun 2009 09:29:06 GMT

Charles said:
Are you guys still talking about UAC? Man... If that's Windows 7's biggest problem, well, do go buy lots of MSFT shares, eh?

And the tragic thing is, it is Windows 7s biggest problem. Yet the fix* is utterly trivial and Microsoft don't seem to have the guts to accept that. Aside from that one stupid default setting Windows 7 is an awesome OS and will undoubtedly still sell by the bucketload regardless. Windows 8, however, will be in the unfortunate position of having to maintain the single worst appcompat/security headache ever invented.

*the "fix" being to ship with the slider all the way up to the top.

Secure by Design. Secure by Default. Secure by Deployment and Communication

Re: Re: What UAC Controversy?

LeoDavidson — Wed, 17 Jun 2009 09:14:16 GMT

Are you guys still talking about UAC? Man...

Are you guys still ignoring, misunderstanding and shrugging off the issue with BS excuses? Yup. So yes, we're still talking about it.

People didn't stop talking about Windows security flaws from Win95 through to Windows XP just because Microsoft did nothing about them. MS got a lot of flack instead, and rightly so.

Until you make Standard User the default, and work well enough for most people to use, or make Limited-Admin work well enough and be secure enough that the difference is minor (which one you do is your choice but you've done neither so far!) you'll continue to get flack.

Joking about security features (and anti-competitive APIs) not being important, and wishing the problems would go away by themselves when the only response has been to ignore or try to dismiss them with BS logic that was immediately shot to pieces, just shows how out of touch you are.

I can see the headlines now, "Microsoft: Security is a joke, stop talking about it!"

The Windows team has tried to explain what UAC is for and why.

The UAC team explained what it was, too. A security feature.

But even if we take another definition, UAC as it stands and with the default settings is a complete failure. The fact nobody properly addresses any of the issues raised with it, and the way MS's own apps use it, and the way it's anti-competitive now, and the way it's now pure security theatre for marketing reasons and not design/security reasons, and the way standard user accounts are still a joke given the response to UAC in Vista, is why we're still talking about it.

The solution is really quite simple: Don't run my exe on your computer.

HOW MANY TIMES DO WE HAVE TO SAY IT?

REMOTE

CODE

EXECUTION

VULNERABILITIES.

They exist. Look them up if you've never heard of them.

Done that? Good. Now, would you rather an RCE gained admin rights the very easy, documented and published way, or the way which requires waiting for you, tricking you and potentially alerting you (which, by the way, works just fine from standard user as well)?

The Windows team has tried to explain what UAC is for and why. Apparently, they need to try again.

Yeah, that's right, keep redefining words until they fit your product, instead of making your product do what people want and expect it to do (and what it was marketed as doing).

And once you've reached the definition that "UAC prompts exist just to annoy the user and nothing more," don't be surprised if we still complain because it's stupid to annoy people when there's clearly no benefit, and anti-competitive to annoy people running 3rd party tools while giving your own a free pass to be badly written.

If you don't want us to complain, make it not pointless or not annoying. Preferably both (and don't try to say we haven't suggested plenty of ways to do so).

Re: What UAC Controversy?

intelman — Wed, 17 Jun 2009 07:09:28 GMT

If otheres think UAC should be something "it is not", it should be taken into consideration. The developers develop for us, to some extent they have to yield and do what we want.

Re: Re: Re: What UAC Controversy?

Charles — Wed, 17 Jun 2009 06:49:09 GMT

Guys, is it OK for me to have a little fun? I'm not saying you are wrong. I just think UAC isn't really what you think it is. The Windows team has tried to explain what UAC is for and why. Apparently, they need to try again. My apologies if I offended anybody with my attempt at humor. Again, I am certain that the root cause is misunderstanding based on confusing messaging. C