Here at OSAlert I have hammered on a few times already about the major flaw in Windows 7’s default User Account Control, which allows people or software with malicious intent to bypass UAC so easily that you wonder why UAC is there in the first place. Well, source code demonstrating this flaw has been released, since Microsoft has made it clear they have no interest in fixing it anyway, and Long Zheng, fellow advocate of fixing this bug, made a very clear demonstration video.
In a nutshell, since we’ve already discussed this a few times, the flaw works like this: a lot of people got all whiny over the UAC prompts in Windows Vista. As a result, Microsoft wanted to fix this in Windows 7. The logical, thorough, and proper method would have been to fix the components of Windows so that they no longer require elevated privileges. Instead, Microsoft did an epic cop-out, reminiscent of the early days of Windows XP, and created a list of its own signed executables which possess auto-elevation capabilities. In other words, Microsoft allows its own processes to silently elevate in Windows 7 so as to avoid having to actually fix their code.
As always, you can fix this by setting the UAC slider in Windows 7 to its topmost position (“Always notify”), at which every elevation prompts, Microsoft’s own binaries included. It is also important to note that this flaw does not work if you are running as a standard user; however, since the first user created during installation is still an administrator, that point is moot.
The video made by Long Zheng demonstrates just how easy it is. Mind-blowing.
Now that the source code is out and about, it will be much easier to abuse the flaw once Windows 7 ships. I’d say Microsoft brought this upon themselves. The flaw and the code have been sent to Microsoft, the media have been all over it, but the company doesn’t care. As a result, there was no option left but to put the source out there.
Let me reiterate: set the UAC slider all the way up. Anything lower is very insecure.
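A defender-side check for the situation described above, added here and not part of the article or of Long Zheng’s material: it reads the UAC policy values that the slider writes, reports whether the logged-in account is a member of Administrators, and carries the article’s fix (slider to the top) as registry writes. Assumed: the policy value names and the slider-to-value mapping noted in the comments, and the built-in Administrators SID S-1-5-32-544; it is meant to be run in PowerShell on the Windows 7 machine itself.

```powershell
# Added example (not from the article): audit a Windows 7 box for the exposure
# the article describes, i.e. an Administrators-group account with UAC below the
# topmost "Always notify" level, where Windows' own whitelisted binaries elevate
# without any prompt. Value names and level mapping are assumptions noted below.

function Get-UacExposure {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey

    # EnableLUA: 1 = UAC on, 0 = UAC off entirely (slider at the bottom; reboot needed).
    $enableLua = [int]$policy.EnableLUA
    # ConsentPromptBehaviorAdmin (applies to Administrators-group users):
    #   2 = Always notify (slider at the top): every elevation prompts.
    #   5 = Notify only when programs try to change Windows (Windows 7 default):
    #       the whitelisted Windows binaries elevate silently.
    #   0 = Elevate without prompting at all.
    $consent = [int]$policy.ConsentPromptBehaviorAdmin
    # PromptOnSecureDesktop: 1 = prompt on the secure desktop, 0 = on the normal desktop.
    $secureDesktop = [int]$policy.PromptOnSecureDesktop

    # Membership of the local Administrators group. WindowsPrincipal.IsInRole answers
    # "no" for a non-elevated (filtered) admin token, so read the raw token groups
    # from whoami instead; the filtered token still lists the group as deny-only.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $isAdminMember = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    # Whether this particular PowerShell process already runs with the full token.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Exposed = admin account, UAC on, slider anywhere below "Always notify".
    $exposed = $isAdminMember -and ($enableLua -eq 1) -and ($consent -ne 2)

    # New-Object PSObject rather than [pscustomobject] so it runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesktop
        AdministratorsMember       = $isAdminMember
        TokenElevated              = $isElevated
        UacDisabled                = ($enableLua -eq 0)
        SilentAutoElevation        = $exposed
    }
}

# The article's fix as registry writes: slider to the top ("Always notify") with
# prompts on the secure desktop. Must be run from an elevated PowerShell.
function Set-UacAlwaysNotify {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $policyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$state = Get-UacExposure
$state | Format-List EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop,
                     AdministratorsMember, TokenElevated, UacDisabled, SilentAutoElevation

if ($state.UacDisabled) {
    Write-Warning 'UAC is switched off; run Set-UacAlwaysNotify from an elevated prompt and reboot.'
} elseif ($state.SilentAutoElevation) {
    Write-Warning 'Administrator account with UAC below "Always notify": Windows-signed binaries auto-elevate silently. Run Set-UacAlwaysNotify from an elevated prompt.'
} else {
    Write-Host 'Not exposed to silent auto-elevation (standard user, or slider at the top).'
}
```

On a standard-user account AdministratorsMember is false and the report says not exposed, matching the article’s note that the flaw needs an administrator account.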
He should have embedded the video using HTML 5, killing two birds with one stone.
Isn’t Safari 4 the only (production release) browser that supports HTML5 video currently?
Nope!
iCab 4.6
OmniWeb 5.9
Safari 3 as well
And Firefox 3.5 is in RC.
—
I second the comment about using HTML5 video! All I see is [Javascript required to view Flash movie] which is two fails in one line.
Does this problem exist if running as a limited user account? No it does not! There is no problem here people!
Edited 2009-06-23 00:31 UTC
Correction. There would be no problem if Microsoft’s default user setup when the OS is first installed were a limited user. But guess what? It isn’t. Couple this with the fact that most typical users do not want to worry about securing their computers, and you have a very dangerous situation. Sometimes half-assed “security” is worse than none at all. This is one of those times, and so, so typical of Microsoft. They don’t like their own security measures so they implement a backdoor and forget to put the key in the lock, so to speak. Pathetic.
Now the question is: What will be the result of this code being released? Will Microsoft hurry up and fix it before malware uses it, or will they delay yet again and close their eyes to a problem while people’s computers are cracked?
Microsoft does not install the OS on computers, OEMs do, and they chose not to default to a normal user setup because they didn’t want Joe Sixpack to call them and complain that he can’t install the video codecs his newly found porn site tells him to...
As far as I can tell, this “exploit” doesn’t work if the UAC setting is set to maximum; OEMs can do that before passing the OS to Joe if they care about his security... why aren’t they?
It might be true – if Microsoft provided the ability to create a limited user account during installation or provided a tool which allows OEMs to create a preamble that forces the end user to create a limited user account (and hide the ability to log in as administrator via the login screen or directly via the command line).
Look at Fedora for example: you install it and during installation you’re asked to select a root password, the operating system is installed and it reboots. On reboot you’re then forced to create a limited user account. Why doesn’t Microsoft do that? A few hundred (or thousand) lines of code to force users to do the right thing.
OEMs merely install the operating system as Microsoft defaults to – it is Microsoft’s fault that they don’t have an installation process that forces end users (and thus enables OEMs to do the same) to create a limited user account on first boot.
Microsoft has the same install that Ubuntu has: the first user created has elevation rights, others do not.
Which hasn’t addressed a single thing I said; I pointed out what the Fedora installer does compared to the Windows installation routine – you went off on a tangent and talked about something that is completely irrelevant, nor did I ever mention Ubuntu – I specifically pointed to Fedora, and you raised Ubuntu because you couldn’t counter the basic fact that Microsoft does not believe security matters, because everything they’ve done so far has been little more than lip service. For all intents and purposes UAC is nothing more than a ‘please don’t crack me’ sign being held up – you really think that is going to stop the seasoned cracker?
Edited 2009-06-23 05:09 UTC
Microsoft has the same install that Ubuntu has: the first user created has elevation rights, others do not.
I just have to point out the difference so people don’t get the wrong idea:
In Win7 the default user doesn’t need to enter any passwords for elevation, Microsoft’s own apps elevate without even popping UAC up.
In Ubuntu you are asked for password when you want to elevate, and there is no such thing as auto-elevation unless you just did elevate something else. If you did then there is auto-elevation for 5 minutes or something (I don’t use Ubuntu, I am not certain how long the timer is) after which it is again necessary to input the password.
Notice the difference here?
I’m going to repeat Werecatf’s comments. Sudo (used on Ubuntu) works completely differently than UAC. In a normal Sudo configuration, there is no auto-elevation: to run a command as root, you have to use Sudo to do it, and you have to enter your password.
Another difference worth noting is that, once you elevate a process with Sudo, it stays elevated: one thing that made me disable UAC is that I had to elevate the same process multiple times!
(In the interest of honesty, you actually can configure Sudo to allow some users to run some commands as root without entering a password. If I understand correctly, you can also accomplish the same thing just by making an executable file owned by root and then setting the sticky bit. But these kinds of things are avoided like the plague most of the time, basically for this reason.)
Edited 2009-06-23 16:47 UTC
Microsoft does not install the OS on computers, OEMs do, and they chose not to default to a normal user setup because they didn’t want Joe Sixpack to call them and complain that he can’t install the video codecs his newly found porn site tells him to...
As far as I can tell, this “exploit” doesn’t work if the UAC setting is set to maximum; OEMs can do that before passing the OS to Joe if they care about his security... why aren’t they?
Indeed, OEMs can create a normal user account for the clients to use, but more often than not they don’t. OEMs take the route requiring the least effort, to minimize time spent setting the systems up, and you should know this.
So yes, OEMs can do that. I doubt they will, however. And you must still admit that it’s silly if OEMs have to fix the issue which Microsoft is unwilling to (i.e. the default account should be a limited user).
There’s also a “principle of least surprise” here. Many users would have no idea what was going on, if their computer started telling them they’re “not authorized to do X as the current, non-administrator user,” and asking them for a password. Crazy as it sounds, some might think that the OEM is trying to not give them control of the machine they bought, and that customer may not patronize that OEM again.
My brother’s like that: he interprets password dialogs as “machines challenging his authority and ownership.” He turns off passwords and log-ins whenever he can. And OEMs want people like him as a customer just as much as they want people who actually understand how computer security works. They need to ship machines whose default configurations are usable to people like my brother, as well as… more grounded users. (And education’s not going to work: my brother wants his computer to conform to his requirements, not the other way around).
OEMs install Windows to a point; however, Windows is also available retail, so a Joe Bloggs user purchasing the software will still be stuck in the catch-22 of installing the OS with a default user of administrator.
As others have said, Windows should prompt you to create a limited account (or, rephrased for the general public, a standard account, as the word “limited” does not have a positive spin to it; when you are a home user, the last thing you want is your computer limited). (I know the term “limited” is being used in the sense of limited access.)
Windows security has long been a problem; Microsoft should be more proactive. I’m still surprised they hamstrung UAC so much: there was a bit of a grumble at the beginning, but most home users got past that and now work fine with UAC enabled in Vista.
Except that the default user created in Windows is an Administrator. This is default behaviour in XP, Vista and Windows 7. And an extremely stupid decision made by Microsoft.
And running as limited user is not a solution, but merely a workaround. Though of course, the wiser solution is always to run as limited user (in win2k3 known as ‘standard user’).
In the meantime, if you have to run as Administrator, run at the highest security level, even if UAC is annoying (which it is).
OSX’s default user is admin, last I checked (Panther). Did they change that in Tiger or Leopard? If not, then is it really “extremely stupid”? If both Apple and Microsoft, and Ubuntu (according to google_ninja) all do the same thing, then there must be a good reason for it.
It’s not a “root” admin, the only thing that makes it different from a regular user is the ability to manage other users and system settings. This ability is not implicit – you still have to enter your credentials before performing most any administrative task.
Edited 2009-06-23 06:37 UTC
Actually, Ubuntu is a rootless distribution. You can acquire extra privileges with sudo, but it does require entering a password. Similar is true for OS X. But yes, autoelevation is extremely stupid.
And no, just because several entities do the same thing doesn’t mean there’s a good reason for it. In this case, however, there aren’t several entities doing the same thing. Just Microsoft being silly.
Not really, you can easily change the root password:
sudo passwd
From that moment root uses a different password as the user password.
My opinion is plain and simple: not even one application should be able to obtain admin rights automatically. All programs should ask the user for the password if they need admin rights.
I always felt that PolicyKit was a better approach. You can define an access policy for each task you might want to perform (mounting removable media, changing the network configuration, connecting to wireless networks, changing the timezone…). The access policy can allow the request with no authentication, require sudo or su style authentication, or deny access, based on conditions (is the user logged in locally, is the user a member of a group, and so on).
The key part is that programs never run as root (or equivalent). They just ask another process to do something for them, and the OS provides a mechanism to configure who is allowed to do what.
Using something like this, most of the mundane elevation prompts that occur often could be removed entirely. That just leaves elevation prompts for unusual activities, such as installing software, which should keep the elevation prompts.
“Sudo passwd” will change root’s password (giving root a password, which will let you actually log in as root at a console): however, you will still have to enter your password to do that, just like with any invocation of sudo. Also, sudo will still want your password, not the one you gave root. Finally, while it may not really matter, even if you give root a password, GDM won’t let you log into an X session as root, unless you do more work.
Again: as configured by default, on any sane system, Sudo is very different from UAC, and not vulnerable to this bug (as it won’t perform auto-elevation).
Actually, as a note, the default user on Ubuntu is not root, and is not in the root or wheel group (I think). He’s a normal user, who’s been allowed to Sudo.
Edited 2009-06-23 17:20 UTC
In Ubuntu default user is not a member of wheel but it is member of admin. Group names don’t matter the least when you allow members to do “ALL=(ALL) ALL” in sudoers.
While sudo is better than UAC, it is not good by any stretch.
For example, it doesn’t allow limiting rights to the needed subset of root. This means applications have to explicitly drop privileges by themselves when they are done. And they had better do it quickly.
This might not seem like a big deal, but holes in applications that fail to drop privileges (however trivial they are) are as good a target for escalation as the biggest hole in the OS itself.
Another inherent flaw is the default timeout window mentioned above. Applications and scripts are allowed to try and fail to gain privileges by themselves with no user interaction whatsoever (printf “\n” | sudo -S evil_command). This means they can try and try again until they get in.
From what I could make out of this rant (the video didn’t work on Firefox 3 with XP), it’s more of a threat than a vulnerability.
Go and google the difference….
What I would like to know is then why MS allows for the first user one creates to be the Administrator user in the first place.
An “Administrator” account on Vista/7 is no different than a sudo-er on Linux. Well, minus the whole auto elevate thing that the article’s about.
I’d say that’s quite a difference…
Which is a completely different thing to how Linux does it. When you install Linux you are forced to choose a password, then you’re forced to create a limited user account; Microsoft fails miserably at implementing these very basic things. These aren’t high-end security features – just common sense that I’d expect a multibillion-dollar company to implement from day one.
Installed Windows Server 2008 Standard Edition, enabled UAC, then created a standard account – logged back out, logged in as the standard user – and when I needed my permissions elevated I was asked for the administrator password (when I was installing some software). Nice, simple and easy – why don’t Microsoft do that?
Microsoft want to avoid having to implement some real security that’ll rock the boat, break some applications, and result in customers complaining. Quite frankly, the noise of a few whiners is a small price to pay if the net result is a robust and secure operating system.
With that being said, when Microsoft can’t be bothered fixing their own software and issuing patches for old software (Office 2003 on Vista being the best example), how can one expect third parties to make the necessary investments? Do any of the divisions actually work together? When things occur in Windows, do the other divisions actually get a heads-up on what is happening, or do they bump around in the dark like mindless noddies?
Edited 2009-06-23 03:56 UTC
Agreed wholeheartedly.
I am running Win 7 right now btw as my main OS on my home rig.
Most of the time, no one wants to screw around with a limited account.
Can you imagine the amount of people complaining because they couldn’t do anything.
It doesn’t matter with elevated prompts either, stupid people are still going to click yes to things because of one simple thing. They want to do something quickly without having to worry about the consequences.
Limited accounts only go so far, you would be better off trying to do some kind of computer awareness lessons for computers.
It’s exactly the same as Virus scanners, they shouldn’t be used as a first line of defense, users should learn to use computers properly and those things are merely backup tools.
I agree, but good luck with starting those lessons and getting people to pay for them and sustain the project. I wish you the best of luck.
It doesn’t matter with elevated prompts either, stupid people are still going to click yes to things because of one simple thing. They want to do something quickly without having to worry about the consequences.
Well that swiftly made simple click is inconsequential at the moment it is done. It is only after the actions, set in motion by that click, come to punish the user that he regrets not taking the time to read what he agreed to.
That is my biggest gripe with UAC “OK” prompts. It doesn’t make you think before you act. You can click OK before it even registers consciously in the brain. When you ask for the elevated rights password, you are asking a user to make a conscious decision to hand out the keys to the front door.
It is less convenient, but requiring more user interaction gives the user more time to think about why wider access to the system has to be granted. So being less user-friendly is repaid with greater protection for the user’s privacy and files.
Limited accounts only go so far, you would be better off trying to do some kind of computer awareness lessons for computers.
That is why OS and program defaults should be implemented in a way that forces a user to think about his actions. That is why elevation prompts should only pop up if something potentially harmful to the system wants access to the guts. Then you can issue graver visual cues and attract the users attention.
The way Vista’s UAC was all over the place with pop-up after pop-up, and for some of the most mundane things such as removing a desktop icon, is how such prompts shouldn’t be presented to the user. We all know why MS did it this way. They wanted tormented users to lash out at sloppy developers and force sane installation and runtime behavior of third-party programs. The problem is that they also trained a lot of people to subconsciously spot UAC prompts, who now have a learned reflex in their index fingers to get rid of these dialogs as quickly as possible.
Only when real danger is imminent should the system alert. Software installation/removal and the changing of system-wide settings are examples of this type. Then a prompt for the password should pop up, accompanied by the warning that the action should only be allowed if the user started the action and he understands the consequences of giving elevated rights.
Much better than a simple click-on-me-to-get-rid-of-me target.
Wow, the source code is out!
So what? Any programmer worth their salt knows exactly how this is done anyway. Releasing the source code isn’t going to change anything.
Why does osnews keep going on about this? Mark has already explained why this isn’t considered a flaw. What makes osnews better qualified than Mark?
So what? Any programmer worth their salt knows exactly how this is done anyway. Releasing the source code isn’t going to change anything.
Now even novice programmers can create malware by utilizing this flaw.
Why does osnews keep going on about this? Mark has already explained why this isn’t considered a flaw. What makes osnews better qualified than Mark?
Security experts, any system administrators, any knowledgeable users and so on say it’s a flaw, but you ignore it all just because Mark says so? Umm..
I ignore it all because I understand the technology internally and don’t second guess according to what journalists say.
Maybe these so called experts should learn a little more about the systems they’re supposed to be an expert on.
Malware can already compromise admin accounts via elevated prompts without needing to exploit this feature. If Microsoft reverted this choice, it won’t stop malware writers in any way. This is an administrator account, there’s no getting away from that.
The only people Microsoft are concerned about is software writers using this to hack their own software, giving it administrative rights. But as they point out, people _should not_ be doing this. Anyone doing this should be shot.
Why exactly is the malware going to prompt an admin to elevate if they can now easily do it automatically?
Malware can already compromise admin accounts via elevated prompts without needing to exploit this feature.
Such as?
If Microsoft reverted this choice, it won’t stop malware writers in any way. This is an administrator account, there’s no getting away from that.
Indeed. If the default user was not admin then this would be a non-issue. But as the default user IS an admin this is and will always be an issue. Insecure defaults are insecure.
The only people Microsoft are concerned about is software writers using this to hack their own software, giving it administrative rights. But as they point out, people _should not_ be doing this. Anyone doing this should be shot.
People shouldn’t auto-elevate their applications and they should be shot if they do? Hmm, have you heard that Microsoft themselves do exactly that; they have several apps auto-elevating..
As I’ve said before, I think Microsoft caved to the lies about UAC and did stupid things to make it less “annoying”. They should have left it as it was in Vista, IMO.
That said, for all your “security experts” that disagree with Mark, my problem is that I’ve yet to see any of these experts actually address what Mark has said about this. They seem to simply ignore what he’s said and repeat their talking points. Why is that?
That said, for all your “security experts” that disagree with Mark, my problem is that I’ve yet to see any of these experts actually address what Mark has said about this. They seem to simply ignore what he’s said and repeat their talking points. Why is that?
I can’t speak for others, but I don’t personally know what this Mark person has said. I haven’t paid attention to such things and I don’t even know who he is, except that he works for Microsoft. But if you care to list his points here, maybe I can address at least some of them? Not that I am an expert in security, though.
“Mark” is Mark Russinovich, co-founder of Winternals/Sysinternals, now part of the Windows core team following Sysinternals’ acquisition by Microsoft.
His position is basically that UAC is not a security boundary, and it’d require more effort and more guarantees to make it one. It was designed primarily to make it more convenient for users to run with limited rights most of the time (and in turn push developers to code for that environment). Malware that assumes admin rights will still break, and he has demoed a scenario of malware exploitation of UAC on Windows Vista (via elevation prompt spoofing), which, while not perfect in his demo, would likely fool many users. And since the spoof is done on a standard user account, it also results in disclosure of the admin’s credentials.
This TechNet article contains links to the demo and other articles he’s written about UAC and other features in Windows that are security boundaries.
http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
Actually, I thought that was what the other side of the argument were doing. They keep repeating “It’s not a security boundary” while we keep saying, “We know, but what about X Y Z”, which is almost never answered.
See the various forum threads linked at the top of my web page for lots and lots of responses to Mark’s article from various people.
Also note: If you have a standard user account and use elevation *at all* then that isn’t a security boundary either. Still think “it’s not a security boundary” is a good enough excuse to ignore easy-to-use flaws?
Either way, the Windows 7 defaults make no sense.
If MS felt the need to cave into the people irritated by prompts then they should’ve turned them off by default. (NOT turned off UAC itself but set the prompts to silently elevate.)
Instead we get prompts inflicted on 3rd party apps, apparently just to make it look like UAC is still doing something and there hasn’t been a big U-turn on it, while it’s also been made magically less annoying in Microsoft’s apps (whose poor usage of UAC was largely to blame for people’s annoyance!)… which in turn made it easy to bypass UAC in ways which MS have explicitly said they don’t care about. At the same time MS say it would be too dangerous (or something) to allow users to choose which apps get (or don’t get) the special abilities which MS have given their own apps.
How does that make sense?
Prompts or no prompts. Pick one!
Edited 2009-06-24 03:26 UTC
Third paragraph of the article says:
As always, you can fix this by setting the UAC slider in Vista to its topmost position.
Shouldn’t it say Windows 7 instead?
Naturally.
Instead of using a list of signed folders and files, Microsoft should introduce virtualization of the whole filesystem per user. Then there would be no need for signed objects’ lists.
Even if MS did a complete 180 and forced the user into a secure by default type setup on install, what do you want to bet “Joe User” wouldn’t leave it that way for more than 5 minutes? The second it popped up asking for any sort of password they’d go screaming off to somewhere like Digg looking at the magically top rated article about how to turn the “annoying crap” off and go back to what they’re used to.
Even if MS did a complete 180 and forced the user into a secure by default type setup on install, what do you want to bet “Joe User” wouldn’t leave it that way for more than 5 minutes?
Ah, yes, but then MS could do a spank-bottom just like the *Nix community (including Mac OS X) does in such cases. If a user actively and willingly wreaks havoc in the security defaults of the system and then comes whining that the Big Bad Cracker took his candy, you can wash your hands and say deservedly that it is the user’s fault.
Nice? No. Effective? Highly. We don’t have many *Nix users running as root by default.
Besides, if MS implemented it this way and the user didn’t like being told he was an idiot for his own self sabotage, where would he go? All other mainstream systems already have the same policy.
This so-called “security” feature (not boundary) is unimportant to me. I would never rely on this to stop any program from running at any level of privileges. Even without UAC, Vista is still very secure. If something is launching, then I launched it and am responsible for it.
I understand the point that it would have been nice to have this feature implemented correctly, but for me I disable it altogether and am still running a very, very secure system from my point of view. I also recognize the fact that if Microsoft upgrades this “feature” to the category of “boundary” it will be a real pain in the ass for them, but if they leave it as it is, what good is it? (Except to stop your kids from installing something, for example, and being able to install a program for them without the whole logging process.)
Please stop complaining that UAC doesn’t properly protect someone using an administrator account from running software with administrator rights.
The proposal of pushing the slider all the way up is not going to result in a more secure system since as Mark Russinovich describes (see http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx ) there are other ways to elevate without triggering the UAC prompt.
This is like giving the whole world the keys to your house (by running as admin), and then complaining that your burglar alarm (UAC) doesn’t always warn you or keep the burglars out.
The goal of UAC is to get users and developers to move to normal user accounts over time, instead of running as admin all time. If someone logs on as an admin to perform admin tasks, I can understand that getting UAC prompts all the time is an annoyance.
In the end, I tend to agree that making the upper-most slider position the default is a rather low-cost change and experienced admins can always slide it down. But I don’t think this should be taken as being a big security issue.
Instead, start pushing for a better solution, by telling users to run as a normal user (and use the over-the-shoulder admin/runas when needed), by asking Microsoft to clarify its longer-term strategy and to improve the user account creation at install time, and so on.
Edited 2009-06-24 07:14 UTC
You want to know why Windows defaults to admin? As a guy that has been building and servicing Windows boxes forever I can answer that: GAMES. The biggest use of Windows by home users is games. Heck, even my 67-year-old mom refuses to have a PC that doesn’t have her old AoE on it. And nearly all the games except those that are really new (and sometimes not even those) have to be run as admin, or you have to jump through tons of complex hoops to get them to work.
So if you want to know why MSFT and the OEMs don’t set it up as a limited user it is simple. It is because their support lines would be ringing off the dang hook from all those whose games would not run even if they elevated the install. The simple fact is nearly every non corporate Windows box out there is a game box first and everything else second. Even the girls that say “games are childish” end up having a “guilty pleasure” game or two installed. I know because I’m the guy they hire to fix them when they mess them up. Even the really old machines(circa 2001-3) have been brought in by my customers still being used to play their favorite older games.
So blame whomever you want, but as someone who has tried to set up games on limited accounts for my customers I can tell you it’s a fact: Windows games don’t work on limited accounts. They freeze, they crash, or they just don’t run at all. And you wanna deal with the huge amount of PO’ed users burning up your support lines when their games don’t work? MSFT and the OEMs don’t want to deal with them either, which is why Windows will default to admin for the foreseeable future.