Coffeehouse Thread

184 posts

UAC controversy - the last episode!

  • ManipUni

    wastingtimewithforums said:
    ManipUni said:
    *snip*

    "But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do."

    And this is easy? First of all you would have a background application in the task manager, always visible - problem 1 (and some anti-virus / anti-spyware software gives alarms if an unknown process is always active in the background).

    It's a guessing game - there is a very high chance that the user won't elevate any application. If mom & pop work only with the browser + mail client + Word they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2.

    Problem 3 - this attack works with a standard account too! And exactly like that - it lurks in the background and injects into processes, and if the user elevates an infected process.. boom. What's the difference? Where is the standard account superior then? The additional password request?


    Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guessing games, is supposed to not be a vulnerability.

    1) You just hide it inside rundll or name it creatively. Or have your entire logic only exist within existing processes, so for example you inject the logic into all the processes on the system, close, and those processes poll the OS for any new processes and pass it on if one exists. The only hard part about that is making sure that you don't inject twice or twice at the same time.

    2) If they don't escalate any of the applications then you've lost nothing.

    3) The standard account only removes a limited amount of threat. It just means that if processes are launched directly into the admin's session they MIGHT be clean. It can be bypassed and can be broken. But it is harder than UAC on the same account is. A lot of these same techniques work on both but not all of them. Fast user switching or logging out defeats much more however.

  • wastingtimewithforums

    Uxtheme Rafael said:
    blowdart said:
    *snip*

    You do realize the majority of Windows 7 users will be using Administrative accounts right?


    "You do realize the majority of Windows 7 users will be using Administrative accounts right?"
    -------------

    And that the default account in Win7 is an administrator account of course too.

    The defenders of the Win7 default UAC behaviour always point to the fact that using a standard account solves the UAC problem, but they always seem to forget that the default account is still an administrator.


    They want to keep the cake and eat it at the same time.

  • wastingtimewithforums

    ManipUni said:
    wastingtimewithforums said:
    *snip*

    1) You just hide it inside rundll or name it creatively. Or have your entire logic only exist within existing processes, so for example you inject the logic into all the processes on the system, close, and those processes poll the OS for any new processes and pass it on if one exists. The only hard part about that is making sure that you don't inject twice or twice at the same time.

    2) If they don't escalate any of the applications then you've lost nothing.

    3) The standard account only removes a limited amount of threat. It just means that if processes are launched directly into the admin's session they MIGHT be clean. It can be bypassed and can be broken. But it is harder than UAC on the same account is. A lot of these same techniques work on both but not all of them. Fast user switching or logging out defeats much more however.

    1) This is complicated and error prone. OK, it might work, but.. not guaranteed, while the new UAC flaw works absolutely.

    2) The attacker lost! He lost the chance to root the system.

    3)

    "It can be bypassed and can be broken. But it is harder than UAC on the same account is"

    By your method it's not really even harder, there is just the additional password prompt, but if the user wants to elevate the infected process, he will anyway. So what? And you wrote the keyword: harder. To make security breaches harder should be the goal of the OS maker. And by all means, Microsoft just made it EASIER to break the system with Win7.

    I still don't see the point of the new UAC behaviour in Win7. It opened a serious additional attack vector and, even worse, creates a false sense of security, since third party applications still get prompts, but, if the applications want to, they can circumvent them with ridiculous ease.

  • ManipUni

    wastingtimewithforums said:
    ManipUni said:
    *snip*

    1) This is complicated and error prone. OK, it might work, but.. not guaranteed, while the new UAC flaw works absolutely.

    2) The attacker lost! He lost the chance to root the system.

    3)

    "It can be bypassed and can be broken. But it is harder than UAC on the same account is"

    By your method it's not really even harder, there is just the additional password prompt, but if the user wants to elevate the infected process, he will anyway. So what? And you wrote the keyword: harder. To make security breaches harder should be the goal of the OS maker. And by all means, Microsoft just made it EASIER to break the system with Win7.

    I still don't see the point of the new UAC behaviour in Win7. It opened a serious additional attack vector and, even worse, creates a false sense of security, since third party applications still get prompts, but, if the applications want to, they can circumvent them with ridiculous ease.

    It doesn't open a new attack vector though. It just makes it easier to exploit one that already exists on Vista.

  • wastingtimewithforums

    ManipUni said:
    wastingtimewithforums said:
    *snip*

    It doesn't open a new attack vector though. It just makes it easier to exploit one that already exists on Vista.

    Well, it makes it *much* easier. That's the problem.

  • AndyC

    ManipUni said:
    wastingtimewithforums said:
    *snip*

    I cannot show you an application that disables UAC instantly.

    But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do.

    Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll *.exe *.com etc. files you run across. Even if it invalidates the signature, most people would assume that something from Microsoft.com for example is safe and launch it.

    ManipUni said:
    But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 lets you alter other processes within the same session it is fairly trivial to do.

    Nope, you can't do that: once a process is launched its security token can't be changed. You have to elevate it before you launch it, and you can't inject code into a process that hasn't started yet. Elevating silently on Vista is hard work, if possible at all. Elevating silently on Windows 7 is trivial.
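    The point AndyC makes above (elevation is a property of the primary token, fixed when the process is created) can be checked from a defender's side by reading the token's elevation information. The following PowerShell function is an added example, not code from anyone in this thread or from Microsoft; it assumes only the documented advapi32 token APIs and the TOKEN_INFORMATION_CLASS values from winnt.h. Running it against every process from a non-elevated shell will fail with access denied for elevated or protected processes, which is itself the security boundary under discussion.

```powershell
# Added example (not from the thread): report whether a process's primary token
# is elevated, and which UAC elevation type it carries. A process keeps the
# token it was created with; this script only reads it, it changes nothing.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @"
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out uint info, uint infoLength, out uint returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
"@

$TOKEN_QUERY        = 0x0008   # access right needed for GetTokenInformation
$TokenElevationType = 18       # TOKEN_INFORMATION_CLASS values from winnt.h
$TokenElevation     = 20

function Get-ProcessElevation {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc  = Get-Process -Id $ProcessId -ErrorAction Stop
    $token = [IntPtr]::Zero
    # $proc.Handle throws "Access is denied" when the caller may not open the
    # target, e.g. a non-elevated shell inspecting an elevated process.
    if (-not [Win32.Token]::OpenProcessToken($proc.Handle, $TOKEN_QUERY, [ref]$token)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcessToken failed for PID $ProcessId (Win32 error $err)"
    }
    try {
        $elevated = [uint32]0; $type = [uint32]0; $len = [uint32]0
        # TOKEN_ELEVATION is a single DWORD (TokenIsElevated); TokenElevationType
        # is a single DWORD enum, so a 4-byte buffer is enough for both.
        [void][Win32.Token]::GetTokenInformation($token, $TokenElevation,     [ref]$elevated, 4, [ref]$len)
        [void][Win32.Token]::GetTokenInformation($token, $TokenElevationType, [ref]$type,     4, [ref]$len)

        $typeName = switch ([int]$type) {
            1 { 'Default (no split token: standard user, or UAC off)' }
            2 { 'Full (elevated administrator token)' }
            3 { 'Limited (filtered administrator token)' }
            default { "Unknown ($type)" }
        }
        [pscustomobject]@{
            ProcessId     = $ProcessId
            Name          = $proc.ProcessName
            IsElevated    = [bool]$elevated
            ElevationType = $typeName
        }
    }
    finally {
        [void][Win32.Token]::CloseHandle($token)
    }
}

# Usage: the current shell, then every process the caller is allowed to open.
Get-ProcessElevation -ProcessId $PID
Get-Process | ForEach-Object {
    try { Get-ProcessElevation -ProcessId $_.Id } catch { <# access denied: elevated or protected process #> }
} | Format-Table -AutoSize
```

    Run once from a normal shell and once from a shell started with "Run as administrator": the same executable reports Limited in one and Full in the other, because the two shells were created from different tokens, and nothing done inside either process afterwards changes which one it holds.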

  • wastingtimewithforums

    Uxtheme Rafael said:
    LeoDavidson said:
    *snip*

    I think it's safe to say this team isn't working on UAC anymore...

    "Quote from http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx:" (...)
    ---

    Ouch. If this isn't a contradiction of the current policy, I don't know what a contradiction is. I wonder whether the UAC division was hit hard by the recent layoffs?

    Every new NT release in the last 15 years was more secure than its predecessor; with Win7, this line will be broken. Hm... I can see a new Apple ad!

  • pavone

    Bass said:

    Why does "not having root access" == security? I think people's personal files and information are FAR more important to secure than some apps in \Program Files, and you don't need root access to manipulate the user's home directory, where they store most of their sensitive information, nor to open sockets, or access the keyboard and mouse.

    You people suck at teh hax0r if you think UAC or root/user separation makes much a difference. As long as people have computers which can execute "software", there will be successful viruses written for them.

    I thought Vista did a good job with UAC, I still have it enabled and it only pops up when it needs to, I'd rather know what's going on in my PC. Is/will there be an option in Windows 7 then to make it like Vista?

  • Koogle

    This is the sh*ttest never ending last episode evER tbh!

    And you know what.. I hope it's a thorn to MS for a while (though I do side with them on their reasoning), but trying to tackle something for perhaps the right reasons, only delivered in the wrong way!!! Next time don't bother if you can't do it properly... now keep pissing off those security conscious nutjobs who actually liked / relied on UAC - 'tis funny to read their pleas


  • GoddersUK

    pavone said:
    Bass said:
    *snip*

    I thought Vista did a good job with UAC, I still have it enabled and it only pops up when it needs to, I'd rather know what's going on in my PC. Is/will there be an option in Windows 7 then to make it like Vista?

    IIRC the highest level in 7 is akin to Vista.

  • ManipUni

    GoddersUK said:
    pavone said:
    *snip*

    IIRC the highest level in 7 is akin to Vista.

    But that isn't the default and as such 98% of users will never see it. Just like Windows XP supports running as a standard user but again, not default.

    AndyC, fair enough. Clearly more research on my part is still needed. I need to buy the WinInternals book

  • Blue Ink

    wastingtimewithforums said:
    ManipUni said:
    *snip*

    Well, it makes it *much* easier. That's the problem.

    If a toned down UAC is what it takes to make people accept upgrading and running with some sort of UAC, this will definitely benefit security on average, as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

    Unfortunately, these are quite common as far as I can see... I know my customer base does not qualify as a valid statistic, but what I could see is worrying. When asked, the customers usually justify their choices (and the fact that they are using administrative accounts in the first place) with some legacy or homegrown software they cannot afford to update. Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

    In brief, you cannot shove security (or any other brilliant design) down the throats of your customers if it significantly impacts their perceived usability. They will simply react by not buying your software or by requiring a way to keep working like they were used to. This is a hard lesson to learn, and it's sad that a large number of developers still don't get it.


  • AndyC

    ManipUni said:
    GoddersUK said:
    *snip*

    But that isn't the default and as such 98% of users will never see it. Just like Windows XP supports running as a standard user but again, not default.

    AndyC, fair enough. Clearly more research on my part is still needed. I need to buy the WinInternals book

    I'd suggest waiting for the 5th Edition, but who knows when that'll come out.

  • LeoDavidson

    Blue Ink said:
    wastingtimewithforums said:
    *snip*

    If a toned down UAC is what it takes to make people accept upgrading and running with some sort of UAC, this will definitely benefit security on average, as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

    Unfortunately, these are quite common as far as I can see... I know my customer base does not qualify as a valid statistic, but what I could see is worrying. When asked, the customers usually justify their choices (and the fact that they are using administrative accounts in the first place) with some legacy or homegrown software they cannot afford to update. Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

    In brief, you cannot shove security (or any other brilliant design) down the throats of your customers if it significantly impacts their perceived usability. They will simply react by not buying your software or by requiring a way to keep working like they were used to. This is a hard lesson to learn, and it's sad that a large number of developers still don't get it.


    this will definitely benefit security on average as you will agree that Windows 7 with a limited UAC is still much better than either XP or Vista with UAC turned off.

    I disagree. With Vista a lot of people did turn off UAC, but I would bet the majority -- whether annoyed by it or not -- did not turn it off or know they could turn it off. Would your average person even know what to search the web for?

    Windows 7 might as well default to having no UAC prompts, given how easy they are to bypass. So, on average, I'd say more people will be running with ineffective/pointless UAC settings than before. (Unless you feel that UAC is pointless in all modes, in which case the Win7 defaults still don't make sense.)

    usually justify their choices ... with some legacy or homegrown software they cannot afford to update.

    Those things will still show UAC prompts in Win 7 by default, so people annoyed by that will still be encouraged to turn off UAC (or just the UAC prompts, if they stumble on to better advice).

    Others simply say that the UAC is too annoying, either because they didn't try it long enough, or because they heard enough hearsay to this effect.

    I agree there. Most people who disliked UAC on Vista seem to have extrapolated from the number of prompts they saw during the unusual first couple of weeks of setup, instead of realising that they'd not have to see that many prompts after a while.

    Still, now the "it's annoying" hearsay will be replaced with "it's still annoying at times and it's now completely pointless so you still might as well turn it off" hearsay.

    In brief, you cannot shove security (or any other brilliant design) down the throats of your customers if it significantly impacts their perceived usability.

    Indeed, but if UAC had been slightly better designed* and if Microsoft's apps had used it better** then I doubt there would have been as many complaints about Vista.

    (* e.g. To show more of a UI than just "Yes or No" in confirmation dialogs, so that prompts-about-prompts were not necessary and so that spoofing was more difficult (assuming the dialogs were built by elevated code based on the args it was being passed, not built by the app requesting elevation). e.g. To make the Secure Desktop switch not take 10+ seconds at times, and make the switch to it less visually annoying (esp. on a large monitor or in dark rooms).)

    (** e.g. To cache elevated COM objects through multiple operations instead of showing several prompts (and prompts-about-prompts) for a sequence of changes which, to the user, is all part of the same thing. Part of that problem was pure bad design -- like showing four prompts to create one folder -- and the other part was, I believe, an attempt to limit the chance that an object or UI could be hijacked. Clearly the second point has been thrown out of the window now that Explorer etc. are *effectively* elevated all of the time (and yet not protected like a real elevated process/UI). We went from one extreme of security/inconvenience to another extreme of insecurity/convenience when the middle ground would've been much better: cached elevated COM objects through some kind of "admin mode" that the user either turns on explicitly or enters after the first elevation, and then exits via a timeout or explicit button/window-close/etc.)

    This goes back to what you said earlier: When faced with third-party software which triggered a lot of UAC prompts, did people ask for that software to be improved? Nope. They just turned off UAC. Why? I think it's because Microsoft themselves set such a bad example that people assumed UAC was inherently irritating.

  • JessicaD

    Charles said:
    wastingtimewithforums said:
    *snip*

    I didn't say don't talk here.... I was trying to make the point that if you post these concerns on a blog that is frequented by the Windows team, well, maybe you'd get some answers that will help you understand. In the meantime, again, please take the time to watch this:

    http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

    C

    Charles,

    It's great that you have been having such great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, performance, resource consumption and so much more! To learn more about the changes that were made and why they were made, check out Microsoft Springboard and Talking About Windows.

    http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
    www.talkingaboutwindows.com

    Jessica
    Microsoft Windows Client Team

  • RoyalSchrubber

    JessicaD said:
    Charles said:
    *snip*

    Charles,

    It's great that you have been having such great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, performance, resource consumption and so much more! To learn more about the changes that were made and why they were made, check out Microsoft Springboard and Talking About Windows.

    http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
    www.talkingaboutwindows.com

    Jessica
    Microsoft Windows Client Team

    ah, come on, tinyurl is so last year, dickensurl is the new tinyurl now...

    http://dickensurl.com/b745/Whatever_was_required_to_be_done_the_Circumlocution_Office_was_beforehand_with_all_the_public_departments_in_the_art_of_perceiving__HOW_NOT_TO_DO_IT

    http://dickensurl.com/b748/The_serjeant_was_describing_a_military_life_It_was_all_drinking_he_said_except_that_there_were_frequent_intervals_of_eating_and_lovemaking

  • Koogle

    I'm surprised reCaptcha hasn't made a spin-off tinyurl alternative.. whereby the user has to do some extra human work before they get the URL

  • blowdart

    JessicaD said:
    Charles said:
    *snip*

    Charles,

    It's great that you have been having such great success with Windows 7. Microsoft developers worked on many areas including UAC, security, speed, performance, resource consumption and so much more! To learn more about the changes that were made and why they were made, check out Microsoft Springboard and Talking About Windows.

    http://tinyurl.com/832nco -- Microsoft Springboard (Check out the tips / tricks section too!)
    www.talkingaboutwindows.com

    Jessica
    Microsoft Windows Client Team

    I think maybe you missed the point here. Oh well.
