Coffeehouse Thread

184 posts

UAC controversy - the last episode!

  • Charles

    Uxtheme Rafael said:
    ManipUni said:
    *snip*

    You're making this harder than it needs to be. It's easier to just say... Mom downloads SuperCalculator.exe onto her desktop. She executes this program. While the calculator UI appears, it silently injects itself into Explorer, gains elevated abilities, and sets up all sorts of nastiness.

    No prompts. Nothing.

    Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior. Smiley

    C

  • ManipUni

    Charles said:
    Uxtheme Rafael said:
    *snip*

    Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior. Smiley

    C

    Right, and it should be.

    But without leaving it turned all the way on, Microsoft will never be able to make it one, because application developers and users will never update to the new system. Leave it turned up for now, roll out a better UAC in Windows 8 along with removing the ability to log in to Administrator accounts on workstations.

    Administrator accounts have no place anymore. But people are FORCED to use them because too many applications haven't adapted and will never adapt with UAC off.

  • longzheng

    Charles said:
    Uxtheme Rafael said:
    *snip*

    Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior. Smiley

    C

    Charles, please realise the machine does not have to be infected. That is the simplest method of attack. But as we all know, malware/rootkits thrive on stealth, and remote code execution vulnerabilities in applications you already trust like Microsoft Office, Mozilla Firefox, Adobe Reader will also be susceptible.

    That of course is just looking at the dark side of the moon. On the bright side, legitimate application developers can (and intend to) use this vulnerability to also silently elevate themselves. If it comes to that, there will be no separation between medium-level and administrative-level applications because one can switch between the two silently.

  • longzheng

    Charles said:
    Uxtheme Rafael said:
    *snip*

    Yes. The problem scenario relies on an infected machine. This infection exploits UAC's default behavior to auto-elevate signed system binaries to achieve silent rights elevation. Of course, if UAC was a security boundary, then it would not possess such behavior. Smiley

    C

    True or false? There are ways to run arbitrary code on your machine without you agreeing to it.

    http://www.google.com.au/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=gA0&q=remote+code+execution+site%3Amicrosoft.com%2Ftechnet%2Fsecurity&btnG=Search&meta=

  • Charles

    longzheng said:
    Charles said:
    *snip*

    Charles, please realise the machine does not have to be infected. That is the simplest method of attack. But as we all know, malware/rootkits thrive on stealth, and remote code execution vulnerabilities in applications you already trust like Microsoft Office, Mozilla Firefox, Adobe Reader will also be susceptible.

    That of course is just looking at the dark side of the moon. On the bright side, legitimate application developers can (and intend to) use this vulnerability to also silently elevate themselves. If it comes to that, there will be no separation between medium-level and administrative-level applications because one can switch between the two silently.

    Yes. By infection, I mean vulnerability already on board (like a trusted installed application with, say, a buffer overrun hole). Other applications that you install or run can also self-elevate using this UAC default behavior. This is understood.

    Is UAC supposed to solve the user-initiated-installation-or-download-and-execution-of-malicious-code problem? If Outlook is vulnerable to attack through a memory hole, well, patch Outlook Smiley Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

    C

  • ManipUni

    Charles said:
    longzheng said:
    *snip*

    Yes. By infection, I mean vulnerability already on board (like a trusted installed application with, say, a buffer overrun hole). Other applications that you install or run can also self-elevate using this UAC default behavior. This is understood.

    Is UAC supposed to solve the user-initiated-installation-or-download-and-execution-of-malicious-code problem? If Outlook is vulnerable to attack through a memory hole, well, patch Outlook Smiley Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.

    C

    We're asking for UAC to limit the scope of damage that can be caused by either route.

  • Larry Osterman

    longzheng said:

    Long, the situation in Win7 is unchanged from Vista.  In Vista if you were running with UAC enabled, it was possible for an RCE vuln to gain administrative privileges on your desktop without you approving it.  In Win7 if you are running with UAC enabled it is possible for an RCE vuln to gain administrative privileges on your desktop without your approving it.

    UAC was not a security boundary in Vista, it's not a security boundary in Win7.  This is an unpleasant truth but it's one that MSFT has been making for 3 years.  Our messaging on this issue hasn't changed over all this time.

    I was incorrect in my comment above about UAC btw - it is a security feature.  It's just not a security boundary.  It's a convenience feature only, there simply are too many ways for malware to bypass it for it to be considered a defendable security boundary.

    The only difference between Win7 and Vista is that on Win7 it is marginally easier for malware to auto-elevate.  But any malware that exploits that "marginally easier" mechanism is trivial to defeat - just set your UAC defaults to be the same as they are for Vista.

    The internet->local machine IS a defended security boundary both by Microsoft and 3rd parties.  And Microsoft actively defends that boundary - you know that because of the monthly security fixes that are issued by both Microsoft AND 3rd parties (think Adobe, Mozilla, Google and Apple) - these are all examples of those vendors patching holes in their applications to defend this boundary. 

    The goal is that there be no way for malware to get on your machine without your permission, we're not there yet and we may never get there. 

    The internet->local machine boundary IS a defendable boundary because the internet is (hopefully) sandboxed in a web browser thus there's a controllable interface between the two that can be defended (although it is VERY hard to defend this boundary due to the amount of code that runs in the browser). 

    On the other hand, UAC/IL is NOT a defendable boundary (UAC as a feature is useless without IL) - there's simply too much shared state between applications running in the  same session to defend the boundary.  This is true for ALL graphical operating systems, btw - the instant you run an application at a higher level of privilege malware running in the lower privilege level can take over the higher level process.

    As I've said before, there's only one safe configuration for both Windows AND *nix - run as a standard user and switch to an administrative user running in a different session whenever you need to perform an elevated operation.  Most users (of both *nix AND Windows) aren't willing to put up with that level of inconvenience.
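    Larry's remedy above (put the Windows 7 UAC defaults back to the Vista behaviour) comes down to a few registry values. The PowerShell script below is an added example, not code from this thread or from Microsoft; it reports the current UAC consent policy and the integrity label of the running process, and with -Harden sets the admin consent setting to "always prompt on the secure desktop". The registry path and value names are the documented UAC policy settings; the meaning table is assumed from Microsoft's documentation of those values.

```powershell
# Added example: audit (and optionally harden) the UAC elevation policy
# discussed in the thread. Registry path and value names are the documented
# UAC policy settings. ASSUMPTION: run on Windows Vista/7 or later.
param([switch]$Harden)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin. 5 is the Windows 7
# default: signed Windows binaries auto-elevate without a prompt, which is
# the "marginally easier" auto-elevation Larry refers to. 2 is the Vista
# behaviour: always prompt for consent on the secure desktop.
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

# The integrity label is the "IL" half of UAC that Larry and AndyC argue
# about; whoami lists it as a "Mandatory Label\... Mandatory Level" group.
function Get-ProcessIntegrityLabel {
    (whoami /groups) | Where-Object { $_ -match 'Mandatory Level' } |
        ForEach-Object { ($_ -split '\s{2,}')[0] }
}

$uac = Get-UacPolicy
Write-Host "EnableLUA                  : $($uac.EnableLUA)"
Write-Host "ConsentPromptBehaviorAdmin : $($uac.ConsentPromptBehaviorAdmin) - $($AdminBehavior[$uac.ConsentPromptBehaviorAdmin])"
Write-Host "PromptOnSecureDesktop      : $($uac.PromptOnSecureDesktop)"
Write-Host "Current process label      : $(Get-ProcessIntegrityLabel)"

if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled entirely; every process in the session runs with the full token.'
} elseif ($uac.ConsentPromptBehaviorAdmin -ne 2 -or $uac.PromptOnSecureDesktop -ne 1) {
    Write-Warning 'Elevation can occur without a consent prompt on the secure desktop (the Windows 7 default).'
    if ($Harden) {
        # Needs an elevated shell; the change applies to subsequent elevations.
        Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
        Write-Host 'Set ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1 (Vista-style "always notify").'
    } else {
        Write-Host 'Re-run with -Harden from an elevated prompt to restore the Vista behaviour.'
    }
} else {
    Write-Host 'UAC is set to always prompt for consent on the secure desktop.'
}
```

    As Larry says, this only removes the silent auto-elevation path; it does not turn UAC into a security boundary, since a medium IL process still shares the session with anything elevated.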

     

  • Larry Osterman

    ManipUni said:
    Charles said:
    *snip*

    We're asking for UAC to limit the scope of damage that can be caused by either route.

    Manip, you can't have what you want.  It's unfortunate but it's true.  UAC cannot limit the scope of damage.

    Actually UAC alone is a totally worthless security technology.  It's trivially defeatable.  UAC as a technology only has value when you combine it with the integrity level (IL) technology.

    And even with UAC and IL, it cannot limit the scope of damage.   Not on Vista, not on Windows 7.

    And Microsoft has never said anything otherwise.  People just didn't listen carefully enough.

  • AndyC

    longzheng said:
    Charles said:
    *snip*

    Charles, security boundaries and security features aside, do you agree with this definition of a vulnerability from Wikipedia?

    "vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

    If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

    If not, how would you define vulnerabilities?

    Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

    UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

    On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

    On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

     

  • Charles

    longzheng said:

    True. Memory attacks from remote sources are a typical vector of attack. The point is that your scenario requires that the target system is vulnerable. It's infected with a bug that will cause painful itching when exploited.

    If I run vulnerable software on my machine, independent of my realizing it, then I have a vulnerability, by definition. Most people do not realize that there is a poorly designed data structure currently residing at some memory location, for example, primed for overflow...

    I understand your positions, Long, Sven, Manip. I am not advocating that some level of extra protection is a bad idea. My position in this discussion is that UAC is not a security boundary. Seems to me that most of you are advocating that it become one or that it behaves exactly as the Vista iteration of the technology. Correct?

    C

  • AndyC

    Larry Osterman said:
    ManipUni said:
    *snip*

    Manip, you can't have what you want.  It's unfortunate but it's true.  UAC cannot limit the scope of damage.

    Actually UAC alone is a totally worthless security technology.  It's trivially defeatable.  UAC as a technology only has value when you combine it with the integrity level (IL) technology.

    And even with UAC and IL, it cannot limit the scope of damage.   Not on Vista, not on Windows 7.

    And Microsoft has never said anything otherwise.  People just didn't listen carefully enough.

    Charles said:
    Seems to me you are asking for a UAC state where auto-elevation under all circumstances is disabled.
    The Windows Vista team were very clear on the fact that any sort of auto-elevation utterly destroyed the point of UAC. They repeatedly said this was why whitelisting wasn't included. It's not possible to design an auto-elevation system that isn't bypassed in this fashion.

    I'd be happy if they left that behaviour in, it just shouldn't be the default behavior.

    Larry Osterman said:
    UAC as a technology only has value when you combine it with the integrity level (IL) technology.

    I'm not sure I understand you. UAC is the Integrity Levels technology.

  • ManipUni

    AndyC said:
    longzheng said:
    *snip*

    Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

    UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

    On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

    On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

     

    But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

    Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the initial launch it would be impossible for an application within another session to poison them.

    My point is, that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the meantime in order to get application developers used to writing code that either runs in User or Admin scopes.

  • longzheng

    AndyC said:
    longzheng said:
    *snip*

    Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

    UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

    On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

    On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.

     

    I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

    I draw upon Wikipedia's definition of a vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

  • AndyC

    ManipUni said:
    AndyC said:
    *snip*

    But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

    Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the initial launch it would be impossible for an application within another session to poison them.

    My point is, that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the meantime in order to get application developers used to writing code that either runs in User or Admin scopes.

    ManipUni said:
    But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

    I'm not suggesting you couldn't build a system where everyone is a user and elevation presents a security boundary that does something a bit like fast-user switching but in a more seamless fashion. Of course there'd be lots of additional protection needed to ensure such apps remained truly isolated (it would need to go beyond, for example, UIPI).

    However that is not what UAC does. It's not trivial to reach that point, especially when too many apps still don't truly understand Standard User behavior. That would be a long term goal perhaps. Right now we need UAC to do the best it possibly can and to continue pushing application developers into having to do things "the right way".

  • AndyC

    longzheng said:
    AndyC said:
    *snip*

    I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

    I draw upon Wikipedia's definition of a vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

    Long, I know where you're coming from. However if you say "X has a vulnerability" to a security architect and your "vulnerability" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict technical definition and focuses more on what is or isn't the right behaviour.

  • Charles

    longzheng said:
    AndyC said:
    *snip*

    I am not implying UAC is a security boundary. I'm over the whole "boundary", "feature" terminology.

    I draw upon Wikipedia's definition of a vulnerability, "a weakness in a system which allows an attacker to violate the integrity of that system", which in this case appears to fit very well. Even if we assume UAC is not a security feature, which Larry now confirms it is, a "convenience feature" can still have a vulnerability.

    With this logic in mind, one could also very easily construct a sound argument that UAC enabling users to choose "Yes, elevate" when prompted is a vulnerability inherent to UAC. Or do you think human user behavior plays no role in maintaining the integrity of the system? Smiley

    So, you can get around UAC if you run malicious code. This is understood.

    I need to get some sleep now. Keep on caring. Keep on keeping us real.

    Thank you, Niners!!

    C

  • longzheng

    AndyC said:
    longzheng said:
    *snip*

    Long, I know where you're coming from. However if you say "X has a vulnerability" to a security architect and your "vulnerability" doesn't cross a security boundary, it'll be dismissed as incorrect. Avoiding the word vulnerability takes the focus off a strict technical definition and focuses more on what is or isn't the right behaviour.

    AndyC, are process privileges security boundaries?

  • longzheng

    Charles said:
    longzheng said:
    *snip*

    With this logic in mind, one could also very easily construct a sound argument that UAC enabling users to choose "Yes, elevate" when prompted is a vulnerability inherent to UAC. Or do you think human user behavior plays no role in maintaining the integrity of the system? Smiley

    So, you can get around UAC if you run malicious code. This is understood.

    I need to get some sleep now. Keep on caring. Keep on keeping us real.

    Thank you, Niners!!

    C

    I would say when you present a choice to the user, then responsibility has shifted from the system to a user. As a result of this, security dialogs in general are not considered vulnerabilities.
