Whenever we talk about Windows 7 on OSAlert, you’ll always hear me advise you to change the UAC settings by setting it to its highest level, since Windows 7’s default simply isn’t secure. You might wonder why you should deal with additional prompts – what is the security risk actually like? Well, it’s pretty big.
When you run Windows 7 with the default UAC level, a technique using code injection and several components in Windows 7 that can auto-elevate can totally own your system. Microsoft gave several components in Windows 7 special privileges (like notepad.exe and calc.exe) in order to reduce the amount of UAC prompts in Windows. The end result, however, is that these components can be used to bypass UAC completely, and basically get full access to your machine. This works even on the RC.
The proof-of-concept exploit works by injecting its own code into the memory of another process, a process with auto-elevation capabilities. This is done using standard and documented APIs. The first proof-of-concept just copied a file to a location, but further editions could do all sorts of nasty things – and ASLR doesn’t help either. This video should give you a good idea. Whiskey tango foxtrot, indeed.
As the writer of the proof-of-concept code explains, the UAC API is a good API, but code does require refactoring to provide a good user experience; to not flood users with prompts. Microsoft did not do this right in Vista, and instead of addressing this issue properly in Windows 7, they took the easy way out by creating UAC backdoors for their own code and programs (the UAC whitelist) as to reduce the number of prompts. This list isn’t configurable by the user.
This leads to this weird situation where even though Microsoft have stated that UAC is supposed to nudge developers to fix their code so that it works for limited users as well, Microsoft itself doesn’t seem to want to do that. So, to avoid having to fix their own code to work well with UAC, they cheated. This isn’t the kind of behaviour that befits an otherwise great release.
At this point in time, the default UAC level in Windows 7, and all levels below that, are insecure. You might as well turn UAC off completely, as it makes no difference to have it either off or at the default level. This entire flaw becomes null the moment you set UAC to its highest setting (as that disables auto-elevation). That’s why I always advise you to do so.
Microsoft needs to address this issue before the release, or else malware and virus writers are going to have a field day. It’s exactly this kind of braindead decision making that led to years of neglect of Windows NT’s advanced security features, creating an environment where malware and viruses could prosper. With Vista, it seemed as if Microsoft finally got their act together, and now, with Windows 7, they’re throwing it all away again.
They never learn.
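A defender-side check for the advice above, added here and not part of the original article: it reads the UAC policy values (assumed key and value names are the standard ones under HKLM\...\Policies\System) and reports whether the machine is at the "Always notify" level, the only level at which the signed-Windows-binary auto-elevation the article describes is disabled.

```powershell
# Added example (not from the OSAlert article): report the effective UAC level
# and whether auto-elevation of whitelisted Windows binaries is possible.
# Assumes Windows 7 and read access to the policy key below.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# EnableLUA = 1 means UAC (and the integrity-level isolation used by Protected
# Mode IE) is on at all. ConsentPromptBehaviorAdmin selects the admin prompt
# mode: 2 = prompt for consent on the secure desktop for every elevation
# ("Always notify"); 5 = the Windows 7 default, which only prompts for
# non-Windows binaries and therefore lets signed Windows binaries in trusted
# locations elevate silently; 0 = elevate without prompting.
# PromptOnSecureDesktop = 1 dims the screen so a normal-desktop window cannot
# spoof the prompt.
$enabled  = ([int]$p.EnableLUA) -eq 1
$behavior = [int]$p.ConsentPromptBehaviorAdmin
$secure   = ([int]$p.PromptOnSecureDesktop) -eq 1

if (-not $enabled) {
    Write-Output 'UAC is OFF: no elevation prompts and no low-integrity sandboxing.'
} elseif ($behavior -eq 2 -and $secure) {
    Write-Output 'UAC is at "Always notify": auto-elevation of Windows binaries is disabled.'
} else {
    Write-Output ("UAC is on, but ConsentPromptBehaviorAdmin={0} (secure desktop: {1}): " +
                  "signed Windows binaries in trusted locations may elevate without a prompt.") -f $behavior, $secure
    # To raise the level to "Always notify", run these from an elevated prompt
    # (the change applies to new logon sessions):
    # Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2
    # Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1
}
```

The same values are what the Control Panel UAC slider writes, so the script can also confirm that a slider change actually took effect.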
The linked video is incredible. The ease in which UAC is bypassed is impressive. What is more impressive is the outright incompetence of Microsoft to not update freaking Calc and Notepad to work with privileges correctly. Why does Notepad need to auto-elevate? If I was trying to save a text file to a system location, a UAC prompt wouldn’t be shocking to see.
This only confirms factually what I understood philosophically already: that UAC is just a ‘patch’ trying to add security on top of a system that—for backwards-compatibility’s sake—is totally insecure by design. The Windows user-space is one giant insecure mess. The NT kernel has all the features to implement a really, really tight and secure user-space, and Microsoft are still waving the Windows 95 flag.
Until Microsoft ditch all backwards-compatibility and move it into a VM, Windows security is never going to be properly secure, and we will always see inane, short-sighted and ineffective security systems tacked on top like UAC.
P.S. Also love how Flash can auto-install itself in IE8/Win7. You get a UAC-prompt, but none of the normal Active-X warnings. Cute. What’s your normal reaction when a web-page upon loading suddenly, out of nowhere, fires off a UAC-prompt??
Edited 2009-05-15 07:45 UTC
I never had Notepad asking for elevation when UAC was set as high. Some configuration problem maybe?
-Ad
I’d say it’s related to saving and opening files in Notepad. Not sure though. It doesn’t matter anyway – what matters is that it can auto-elevate itself, and that you can trivially abuse that.
Remember, the author of the proof-of-concept is just a programmer, not even a security researcher!
After learning of this a while ago I turned the UAC up to the maximum and I barely get irritated by prompts. It should be up to the max by default, I agree, because it causes very little problems if any.. at least so far for me.
I’m running the RC as well.
Considering you’re supposed to be one of the core osnews guys, I’m a little shocked to read your comments.
You clearly have little understanding of windows internals.
I’m surprised Thom didn’t pick you up on it to save face.
Could you please point out the mistakes kroc made? Because i agree with him. And so seems everybody else.
Instead of me going into depth explaining the internals of UAC and why it isn’t a ‘patch’ which is ‘totally insecure by design’, why usermode isn’t a giant insecure mess and why Windows will always be insecure until they move historical stuff into a VM, maybe Kroc would care to explain where he gets these ideas from.
Quite frankly, it’s absolute rubbish, and someone writing about this stuff should really know better.
As the article states, if you move the slider to the top then it becomes secure again. This is a case of Microsoft making a bad decision on default security (again), not a case of Windows being insecure and flawed.
If Windows is so insecure and flawed, let’s see Kroc move the slider to the top and compromise the security. Surely it can’t be hard if his claims are true.
It sounded like an uninformed Microsoft hater comment. Something Thom avoids which is why I expected him to comment.
Edited 2009-05-18 07:42 UTC
I disagree. The default policies of Microsoft’s MIC and some applications are insecure. This does not make it insecure by design. It just means that Microsoft yet again decided that compatibility is more important than security. It is even more frustrating considering the tools are in place to secure it.
I knew something had to be wrong when I didn’t have to disable it. For me the fact UAC doesn’t work is a good thing, but it needs to be there for the morons.
You misunderstand the system, and your ignorance leads you to incorrect conclusions. It’s not like calc.exe is on some list saying it can auto-elevate. Calc.exe has no use for administrator privileges, which is why it does not request them. If you force it to run with them, you won’t get prompted in the default UAC level (“Notify me only when programs try to make changes to my computer”) assuming that a series of requirements are met (it is the original, Windows signed binary, it is in a trusted location, etc).
The system makes sense. Yes, the “always notify” setting has some small security benefit for some users, which is why it exists. But for most users the default setting is a better trade-off of usability versus security, and it keeps the most important mitigations provided by UAC intact. It is MUCH safer than turning it off.
The UAC prompts should also be easy to configure to request for the admin password to proceed with a ‘yes’. Similar to what is done in OS X and Ubuntu.
This would let people with a common family PC ensure that installed apps work as they are supposed to but grandma/kids don’t accidentally install stuff.
I have found that anti-viruses and PC optimization tools don’t work well when the active user isn’t an Admin. So a standard user for everyone is not practical in every case.
-Ad
Run as a normal user, then you get the password dialogs. Run as administrator, and you get the clickthrough dialogs.
The problem I am having is, when run as Admin the dialogs appear, but when run as user the dialogs don’t appear at all and the app fails to run altogether.
I have had this problem with CCleaner, AVG, Kaspersky and F-Secure.
-Ad
Because these applications are poorly written and don’t use the right UAC API.
Edited 2009-05-15 09:50 UTC
– Why is Administrator allowed to log in directly?
– Can I still have a blank password for Administrator?
– Is the “home” version’s admin account still crippled?
I’m still open to win7 being all it’s supposed to be but the UAC bug being in place still is the first stumble it’s hit.
News at 11
Microsoft must be getting a huge kickback fund from the security industry. Nobody can screw up security this badly on accident.
Like anything done well; you have to practice, all day, every day.
Mac OS X has had its really *dumbass* local security flaw:
tell application “ARDAgent” to run shell script “whoami”
And now Windows 7 has had a similar one involving rundll32.exe. Both allow the box to be rooted without waiting for any additional user input, or modifying memory or files.
The people who claimed that Linux was no more secure than Windows should be eating hats right now.
Do note, though, that THIS article is NOT about the rundll32.exe flaw. This is a DIFFERENT case.
Just to clarify.
I was planning to try Win7 RC myself, but it’s kinda off-putting that there’s these absolutely ridiculous security issues there. I mean, I can’t for the life of me understand why the f*ck would a calculator need admin rights? O_o The programmers themselves probably know how idiotic that is, but some drooling monkey higher-above in the salary chain thought that it was a good idea..
Anyhow.. I understood these issues can be at least partially worked around by using UAC at max, but does that also work for the rundll32 flaw?
The rundll flaw is already fixed separately from this case.
It’s Microsoft generating good will with the info sec industry. After all, higher privileges in calc.exe and notepad.exe help when you’re looking for a process to hide meterpreter behind.
So the incompetent manager driven programmer renegades can calculate complicated formulas for their own exploits(?) As Windows 7 calc comes with extra modes.
Never mind the unit conversion and mortgage calculator, calc has always allowed easy cut and paste, like any application.
MS always focused on automating this, ie. the IBM/MS DDE/OLE/Active X/COM+.
Is there anyway to forgo this programming style while making it easy to convert old Active X code.
Some of these security risks which UAC is supposed to manage (read some of the IE 8 blog and comments) need to be redeveloped and revolutionised.
What on earth has that got to do with the UAC issues? The ARDAgent vulnerability was NEVER a structural flaw but a flaw primarily the result of social engineering and/or the code itself.
This UAC flaw within the article shows that Microsoft do not take security seriously because of the fundamental design flaw of UAC itself – instead they use a band-aid solution instead of facing the reality that win32 is long in the tooth and designed in an era where security was never from the perspective of computers being connected to a massive network.
Microsoft could do something about it but it requires them to take a tough line, it would require them to look long term, and it would require them to stand with some conviction with the decisions they make – they could chuck out large portions of code that they know are unsafe, they could force VM down the collective throats of end users (both using software and built in virtualisation) and force Intel/AMD’s hand to expand VM support beyond a small niche of their product line up. Again, it would require Microsoft to stand up with a strong sturdy voice and announce a new course – the problem is that there isn’t a single manager within Microsoft willing to locate that wonderful thing called a backbone and put it to some good use.
Edited 2009-05-15 15:25 UTC
It’s important to make clear that Microsoft took that approach in Windows Vista. And held on to it strictly.
The world cried foul. Including all the anti-MS people.
The changes applied in Windows 7 are the DIRECT CONSEQUENCE of whiners – people who had no idea what they were talking about but threw hissy fit after hissy fit because they saw a few dialogs while setting up their computer. Well, boo-friggin’ hoo.
Microsoft listened to their customers. Too bad most of those customers are stupid.
Doesn’t make this decision any less braindead, though.
Edited 2009-05-15 15:11 UTC
[q]It’s important to make clear that Microsoft took that approach in Windows Vista. And held on to it strictly.
The world cried foul. Including all the anti-MS people.[/q]
They cried foul because it was crap; GDI was moved to unaccelerated when it should have been ripped out, torn up and burnt. UAC should never have been implemented and instead all users are put as limited user mode and all applications that fail to work in that mode – simply fail. They moved to a new printing system – no attempt should have been made to accommodate the old drivers or way of interacting.
Microsoft did a half assed, half baked attempt to fix the problem. I might have the slightest bit of ‘pride’ in their decision if they removed the old garbage and did what they said they were going to do. The simple fact is that they never did anything radical; Windows Vista was a half baked operating system whose legion of apologists latch onto anything to legitimise the poor quality of it.
I’m as cynical of the “Anything But Microsoft” crowd as anyone – but UAC is one of the (several) reasons I’ve avoided Vista like the plague.
IMO, the sensible approach would have been:
– keep the existing XP/2k/NT4 security model (permissions based on account type/ACLs)
– make the default user non-Admin on new installations
– add the ability to prompt for elevation when a user tries to do something without sufficient permissions (E.g., when a normal user tries to change network settings)
And voila – no need for UAC.
That results in a whole mess of compatibility and usability problems. When you run as a standard user and then launch a single program as an administrator account, the program running as an admin will have the admin user’s profile, settings, permissions, etc. That’s problematic for many scenarios.
The UAC model offers many advantages, both in usability/compatibility and in security. It allows Windows to securely prompt for *consent* (i.e. Continue / Cancel) versus asking for a password. Asking for a password for elevations is risky, as it will always be susceptible to spoofing and logging (unless you require a Secure Attention Sequence, i.e. Ctrl+Alt+Del press for every password entry).
UAC also provides the ability to easily *reduce* the privileges of a process, like Protected Mode IE (just one example) running on the same desktop, and to track objects/files created by those “low integrity” processes.
Lots of people think they know better than the Windows engineering team, but 99% of the time they are looking at a very small piece of the puzzle.
UAC is basically based on the old security model. Only now, it’s actually enforced. For nearly 10 years Microsoft has been telling developers to write programs the new way. Some didn’t, and now their programs break. UAC is meant to lessen the impact of that, while providing a new way for developers to keep the old, antiquated mind-set and allow things to run (mostly) smoothly.
Good idea. Users also need to be taught to be more security minded, not just the developers.
UAC elevates privileges based on a new access control system introduced with Vista called MIC. UAC requests privileges based on the integrity level of an object. If the integrity level required to access an object is higher than your current integrity level UAC is invoked.
Then why “get your act together”? This makes the symptoms worse, which doesn’t make sense in regards to your argument for Vista.
“Throwing it all away” is actually useful when you write down all your worries. You then tear up the paper.
Windows 7 UAC has done a runner, that is not the same.
You may violate your country’s mental-health act. Which I won’t go on about, so be more educated in future.
That is completely different. Mac OS X had a bug, that was resolved:
http://support.apple.com/kb/HT2647
This is not a bug, it seems like a design decision. A feature… I do not know what to call it.
It is beyond a bug. A bug is the result of bad implementation. But this is a failure in the whole idea of security. It seems more like a business decision: Make all legacy code work and do not touch Norton and “security” firms’ necessity and revenue, this is a whole ecosystem we have to maintain here, boys. If Microsoft loses the installed base of legacy apps, it opens the door for Mac and Linux.
Please tell me this is some kind of late April Fools joke. Please tell me Microsoft didn’t screw up security again…
I don’t know why I’m surprised. MS has never been one for eating their own dogfood. It’s the classic “do as I say, not as I do” philosophy for them. Their products don’t have to conform to the standards they set out for everyone else… well, why not? They’re hypocritical everywhere else, why not in their software too?
Leaving aside the complete stupidity of this flaw in the first place… why, exactly, would calc.exe need to be elevated? I just can’t think of anything that would require elevated privileges in a *calculator*. Notepad I can understand needing elevation sometimes if you’re editing a system file…
I guess it’s typical MS: great kernel, braindead userland. Move along folks, there’s nothing to see here… yet. I can’t wait to see what’s going to happen if they don’t fix this by release time, it will certainly be one hell of a show to watch.
These stupid (deliberate?) flaws are the reason I will never use Windows as my primary os again, no matter how well it runs or how good it looks.
They haven’t screwed up security again.. they’d need to get it correct first before it can be screwed up.
Lol, good point there.
My solution is simple to turn everything off, never have anything actually important in Windows and simple don’t care if it goes *poff* as I will just reinstall when it happens. Stuff like Valve’s Steam really is a <deity> send in this case as it is so easy to reinstall. Just wish they could save my saved games as well.
Then I just do everything actually important, such as files I want to save, online banking, etc on a computer with a less screwed up system. One can dual boot or better yet have two computers. Which better OS to run I will not go into, those flamewars only add to global warming.
The sad thing is that if Microsoft had actual leadership and far less internal fighting, they could make a version of Windows that would shine.
get yourself a flashdrive and PortableUnison (may have to search if not listed on portableapps). Install Unison on the flashdrive and create a root folder for your save game archive.
\ProgramFiles\PortableUnison\
\GameFiles\gameA
\GameFiles\gameb
Then your Unison will sync changes to the flashdrive and after you restore your system and games, it should sync the game save files back to the desktop. No need to involve an untrusted third party for more than the software dump.
I’m not surprised that MS does something like this.. It’s not uncommon for them to be too lazy to redesign their software. I’m sure the reason Win32 still exists is that MS developers are the ones too stubborn to try to learn a new API.
On a sidenote, I’m happy that OSAlert is posting articles on technology nowadays. The lack of in-depth tech related feature articles on Ars Technica made my spirits low..
I suspect the developers are more encumbered by the company culture. Even if they want to put out good design work and code, they have budgets, delivery dates and marketing/management mandates like continuing to support everything back to Dos virus code.
Maybe, but this looks like they went out of their way to mess this up. I know Microsoft has some security-minded people working for them, and they are probably screaming about this. But, incredibly, they are ignored. Let’s just hope that security by public outcry prevails and once again convinces Microsoft’s management to pull their heads from their a**es.
You’re right; when I hear managers within Microsoft say that ‘legacy code is an asset’ – I know they’ve lost touch with reality. An asset, as anyone knows, can eventually turn into a liability. This idiotic idea of code being an asset forever simply ignores the reality of the situation – it helps no one promising backwards compatibility indefinitely because it results in castrating any possible future improvements to the operating system itself. Windows in its current half-baked state is a by-product of this policy – it has nothing to do with a lack of smart people within Microsoft and everything to do with management placing unrealistic limitations on programmers on what they can do by virtue of this backwards compatibility fixation of theirs.
Edited 2009-05-15 15:21 UTC
It’s more likely that they’re too busy shooting rubber bands at each other than designing and coding good software. It takes too much effort to do things correctly.
Not directed to you, but why should the operating system bother the user to death to avoid disaster? Why shouldn’t the UAC require a password even when the Administrator is using the machine to do certain things? The company seems to have a skewed view of how things should work to be correct and effective.
Requesting a password for OTS elevations is dangerous. Such things are VERY easily spoofed.
Edited 2009-05-15 21:55 UTC
I’d like you all to watch the Windows Security Boundaries talk by Mark Russinovich (from Sysinternals). UAC has never been defined as a security boundary (if it was it would receive critical security updates and such). It is a nice feature but it was never designed to be unbeatable (see Mark’s demo at the end).
Here is the description:
In this session, learn what constitutes a security boundary; get a tour through core Windows technologies, including user sessions, Code Integrity, PatchGuard, Service Security Hardening, and User Account Control, to learn where Windows currently defines such boundaries; and gain insight into why application compatibility and user experience make defining boundaries much more difficult than it might seem.
And the link for the TechNet Spotlight video (I highly recommend all videos from Mark!): http://www.microsoft.com.nsatc.net/spain/technet/spotlight/sessionh…
Since I don’t program Windows at a very low level, can someone explain why code injection into a running process is a required feature in Windows? A good OS is supposed to protect processes from each other, after all.
From TFA:
I think that sort of “easy way out” approaches characterizes UAC from conception to implementation.
They had a more-than-sufficient security model as far back as Win2k (and probably back further). Anecdotally, I was able to keep a lab of a dozen Win2k PCs malware-free (in a middle school, no less) by configuring them to use a non-admin account.
There were only two real problems with that security model: it was braindead in some areas (didn’t prompt you to elevate when you tried to perform a task without the necessary permissions) and it was effectively off by default.
And rather than addressing those two issues, they give us a security model that errs to the opposite extreme and asks for elevation whether it’s needed or not. I have an idle suspicion that UAC is not so much a security model, but a research project to provide real-world proof of the concept of “authentication fatigue.”
Agreed (it came about in NT I think), though I’d argue that if you don’t have a general idea when you need elevated privileges, you shouldn’t be mucking around with those privileges. But I guess I understand the UAC approach for the unwashed public.
I just got through cleaning a pretty nasty virus from a friend’s PC. “Cleaning” is a rather loose term; it actually meant reformatting and reinstalling Windows. I decided he needed to run as a limited user (the virus got by his scanner), so I set him up that way and sat him down and gave him a 15-minute class on the how and why. He’s an intelligent guy, and pretty savvy with the applications he uses, but he lacks knowledge of (and interest in) system admin in general. Yet he seemed quite comfortable with the concept.
I find it disturbing that Microsoft and some of its supporters blame the security issues in Windows on 3rd-party applications, and then Microsoft turns around and makes Calculator and Notepad, their own apps, run with the same admin privileges they decry the ISVs for wanting — and not telling users. What utter hypocrisy.
After half a day of trying to find out why my Workstation service takes 2 minutes to start up (and hangs the machine the entire time), because there is nothing in the system logs, I was thinking of running Windows only in a VM from now on (I’m not a gamer). That way I could restore it to a pristine state with ease by copying over the VM image or rolling back the disk snapshots. But this latest bit of news has cemented that decision. Now I just need a laptop that will take 4GB of RAM.
UAC is a means to try to enforce that security model without breaking software that, for nearly 10 years, ignored that model.
I, too, find it incredibly awkward that simple text editor and basic calculator programs somehow need elevated privileges – at any point.
The text editor makes a bit more sense – edit an .ini file in the system folder – UAC comes up. BUT, that shouldn’t have anything to do with the editor – but with the file access regardless of program.
I also believe permissions should be highly granular – never elevate a program, simply create a virtual copy of a secured object ( file, registry hive, whatever ) upon modification – once permission is granted. At that point a versioning system ( like SVN ) should be employed in order to permit back-pedaling in a full-grained manner. Takes less room to track the changes from the original state than it does to make blind copies of everything System Restore currently does.
A really secure system would employ the versioning system on every object on the system full-time, either not have a registry or limit registry access to specific hives – and write exclusively to an automatic set of locations per application. It would also control all disk writes such that any application’s disk commits were fully reversible – allowing for perfect uninstalls.
There is more in my mind than words can convey, but I believe applications and all data written from that application should be treated as a single entity – almost like .dmg files in OS X, except more extreme.
There should be NO reason for virtually any application to require elevated privileges to accomplish something – especially something as simple as a calculator. If there is, it is the OS’s fault more often than the developer’s. The easy way should always be the right way, these features should not require application rewrites – though new applications will be written differently.
Fine grained security is generally just fine grained control with intelligent defaults. I should be able to open a security panel for any program and disable its access to the clip-board, or to any given folder or registry hive. I should even be able to sand-box some portions and provide false inputs & false write-paths. Granted that is a lot of work – but it isn’t hard work… just a LOT of grunt work – Microsoft has the manpower.
–The loon
Well, one of the posters above said that the loosening of UAC was because of the whiners. Well,
that poster was dead on right.
Microsoft tried to go into a more secure mode. People, you all complained. So, they loosened it up.
So, you can all pat yourselves on the back now.
-Nex6
This article bugs me a lot. It’s very misleading to users to claim that the default UAC level is “insecure” or that you “might as well turn it off.”
This is COMPLETELY false.
The most useful boundary provided by UAC is the Low Integrity Level isolation feature, used by Protected Mode IE, the shell, and other apps, to create a sandbox around a process working with untrusted data.
This functionality works EXACTLY the same as Vista even in the default setting, and none of the “problems” referenced in this article affect it. However, if you turn UAC off, you lose this important defense.
Please do more research before posting sensational stories like this one and giving users dangerous / misleading advice.
No big deal. So I have to click to allow a few more message boxes……life’s a b**tch. Guess I should try the whole logging in as normal user, thing, and putting in the admin password when needed. Probably would be better.
If it didn’t ask me time and time again on applications I know are completely safe and unlikely to be hijacked – like say… pspad, notepad++, crimson editor.
It needs a box ‘do not ask again for this application’ before I’ll consider turning it on. If it’s a legitimate application I’ve installed and don’t want it to ask me about every freaking time I start it – an application as simple as a god **** text editor…
When news about a “relaxed” UAC on Windows7 first came out, I wrote a post here saying that I would prefer the Vista way and there was no need to relax UAC.
UAC saved me a couple of times on my Vista notebook by signaling that something “administrative” was about to happen and allowing me to cancel that. Those 2 times were the only problems I had on Vista since its launch. It’s a pretty good damn thing.
So why should we relax it? UAC is perfect: when something elevated is about to run, you will be notified and, if you expected that, you can just click on Continue. Easy, simple AND effective.
After years of complaining about security now we have something which is quite effective AND practical (a lot more practical than SUDOing, for example, since you don’t need to type anything) and we’re going to “relax” it? Nonsense!
I hope MS will keep UAC the way it works in Vista. Plain and simple.
If they want to improve, they just need to set a way to stop installers to require Administrative rights to execute if they don’t really need it. They could also work on developers requiring Administrative rights to run their programs when it’s not really needed.
P.S. And this bug proves that “relaxing” is not the way to go… hope they will fix it soon!