Opinion: Windows 7's UAC is a broken mess; mend it or end it

Not sure I agree with his opinions, but a good article discussing the flaws of the revamped UAC in Win 7.

http://arstechnica.com/microsoft/news/2009/03/opinion-ms-should-kill-win7-uac.ars/2

Either these actions are dangerous and should generate prompts, or they're not and they shouldn't. For Microsoft to say that they're only dangerous when other people's programs do them makes a nonsense of the whole situation.

It is worth noting that running Windows 7 as a standard user, using over-the-shoulder elevation, avoids all these flaws, as it lacks automatic elevation. However, the utility of this mode in typical home scenarios is not obvious. The first (and only) user created during the Windows 7 install process is an Administrator-level user. For typical users to benefit from over-the-shoulder mode they would have to create a second account and switch to using that as their default. This may very well be the best practice, but in the real world it is unlikely to be of any value in most home user contexts. After all, if using a regular user account had been standard practice among home users there would never have been any need for UAC (and especially Admin Approval mode) in the first place.
 
I'd have to agree with their complaint. If MS programs are allowed to bypass UAC, it seems that all you'd have to do is write some malicious code to hijack a MS process, and bam, you've bypassed UAC. And really, this is a very common tactic that viruses use. They very often hijack a system thread to do their dirty work.

I think it's dangerous to assume that your own code is automatically failsafe.


EDIT: I also think that MS is damned if they do, damned if they don't. No matter what they do with UAC people are going to bitch about it.
 
So now the problem with UAC is that third party apps generate prompts when MS core parts don't? Holy cow. This doesn't make a lot of sense in that how does Microsoft know that third party apps are safe without certifying them?

Personally this horse is just dead. It's amazing how many people are saying that there was nothing wrong with UAC in Vista, after all of the bitching and complaining. Now any attempt to make it less annoying is now unfair to third parties?
 
So now the problem with UAC is that third party apps generate prompts when MS core parts don't? Holy cow. This doesn't make a lot of sense in that how does Microsoft know that third party apps are safe without certifying them?

Personally this horse is just dead. It's amazing how many people are saying that there was nothing wrong with UAC in Vista, after all of the bitching and complaining. Now any attempt to make it less annoying is now unfair to third parties?

You fail to understand the article. It goes beyond just 3rd party apps, that's just an example of the bigger picture of the flawed mentality behind the implementation.

The problem he's pointing out there, is that malicious code can potentially piggyback on the auto elevation that Microsoft processes receive under Admin privilege. And as Eva pointed out it's not always safe to assume it's okay, even if it's your own code.
 
You fail to understand the article. It goes beyond just 3rd party apps, that's just an example of the bigger picture of the flawed mentality behind the implementation.

The problem he's pointing out there, is that malicious code can potentially piggyback on the auto elevation that Microsoft processes receive under Admin privilege. And as Eva pointed out it's not always safe to assume it's okay, even if it's your own code.

No I got that, but at that point your machine has already been compromised, BEFORE any UAC prompts related to the Microsoft components were involved.

The problem with this article and others like them is that they fail to take into account all of the hostility that UAC in Vista faced. Granted this article seems to favor the Vista approach. But we already have that and look at how it was received. These articles don't offer any answers other than leave it like it was in Vista.
 
This is one of those where MS is damned if they do, damned if they don't.
Vista UAC worked, but for powerusers, it was just a PITA, I ended up turning mine off.

Ordinary users are morons anyways, so either they will turn it off, or click YES YES YES on everything that comes up because they don't know what it means anyways.
 
You fail to understand the article. It goes beyond just 3rd party apps, that's just an example of the bigger picture of the flawed mentality behind the implementation.
Summary: MS says UAC is one thing. Author wants it to be another. Author doubts MS will fix security problems in the *beta* OS before release (and even chides MS for fixing one problem :rolleyes: ). Author grudgingly admits UAC is not what he wants it to be. Author rants for 2 pages.

Honestly, the article is a waste of time. Relatively few people want as many prompts as the initial version of Vista. I didn't mind Vista's UAC prompts even before SP1, but I like fewer unnecessary prompts. Win7 is even nicer to use. User initiated actions are different from malware trying to do the same things silently in the background. It's brain-dead for the author to lump the two together. MS will of course patch any auto-elevate vulnerabilities; it's retarded for the author to assume otherwise. So sad to see Ars slip into the click-bait business.
 
MS will of course patch any auto-elevate vulnerabilities; it's retarded for the author to assume otherwise.

I think what he's pointing out is that it's not a security issue (though it has the potential to be one), it's a design issue, and the design is inconsistent and illogical.

The solution (in my mind at least, and what I think the author is saying) is that Admin mode is Admin mode, make it as such; not the half baked solution that's in place right now. And as the author pointed out the default user should not be an admin.
 
Summary: MS says UAC is one thing. Author wants it to be another. Author doubts MS will fix security problems in the *beta* OS before release (and even chides MS for fixing one problem :rolleyes: ). Author grudgingly admits UAC is not what he wants it to be. Author rants for 2 pages.

Honestly, the article is a waste of time. Relatively few people want as many prompts as the initial version of Vista. I didn't mind Vista's UAC prompts even before SP1, but I like fewer unnecessary prompts. Win7 is even nicer to use. User initiated actions are different from malware trying to do the same things silently in the background. It's brain-dead for the author to lump the two together. MS will of course patch any auto-elevate vulnerabilities; it's retarded for the author to assume otherwise. So sad to see Ars slip into the click-bait business.

+1 to that. I saw this so called "news" last night and I blew it off because it was worthless.

I like UAC in Vista just the way it is. In fact with Windows 7 Beta I have sent feedback from multiple machines that UAC should be maxed out for security reasons right off the bat. Let people reduce security themselves. Then if they get infected it's their own damn fault.
 
I think what he's pointing out is that it's not a security issue (though it has the potential to be one), it's a design issue, and the design is inconsistent and illogical.

The solution (in my mind at least, and what I think the author is saying) is that Admin mode is Admin mode, make it as such; not the half baked solution that's in place right now. And as the author pointed out the default user should not be an admin.

Actually the more I think about it the more bogus some of this is. First of all UAC is not a security layer, it's more of a UI layer. Even if you had UAC on full, if ANY component that required elevation has been compromised, how does UAC help in any way? If you went to change a setting in a component that's been compromised, a user with full UAC would see the prompt, AS EXPECTED and say yes. UAC in no way shape or form helps protect a system that's already compromised.

Secondly, the issue about third party components is a matter of trust. If third parties want to get their apps certified and MS had a facility to allow UAC to trust third party certificates that would be a way to go. Since MS is providing the OS and its components, I would hope that it can trust its own stuff. Without a certification process, allowing UAC to be bypassed would render it useless.

And no matter what, if something gets into a system that can disable UAC and alter core Windows components, there is a FAR more serious problem than any issue with UAC. That's just not supposed to happen. All UAC does really is warn the user when the user initiates tasks that COULD do these things. It doesn't stop them.
 
And no matter what, if something gets into a system that can disable UAC and alter core Windows components, there is a FAR more serious problem than any issue with UAC.
Yep. Both of the exploits demonstrated so far require a chain of events outside of UAC to occur anyways (download, then run a file and ignore prompts). UAC can never completely save someone from reckless behavior or ignorance.
 
If you went to change a setting in a component that's been compromised, a user with full UAC would see the prompt, AS EXPECTED and say yes. UAC in no way shape or form helps protect a system that's already compromised.

I think what he's pointing out is that under Admin Approval mode there is no prompt, certain MS services are automatically elevated, which is fine - if you're an admin, but because the default profile in Win7 is an admin, you can easily run into issues. So you either make ALL processes prompt, including Microsoft processes, or you remove prompts altogether under Admin privilege and make the default profile a non-admin, which in my mind is what should happen, because after all, if you're logged in as an admin you should know what you're doing.

As he says
There's no point in retaining Admin Approval mode as it currently stands, and it should be scrapped completely.
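The distinction the posts above keep circling (Admin Approval Mode with Windows 7's silent elevation of whitelisted Windows binaries, versus a standard user who always gets an over-the-shoulder credential prompt) can be written down as a small decision model. This is an added example, not code from the thread, from Microsoft, or from the linked articles. It encodes the documented policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) and a simplified form of the Windows 7 auto-elevation test (Windows-signed, in a secure location, manifest autoElevate=true). The signature check and the secure-location list are stand-ins (flags and path prefixes), and the sample binaries are constructed, not measurements of real files.

```python
"""Model of the Windows 7 UAC elevation decision (added example)."""
from dataclasses import dataclass
from typing import List

# ConsentPromptBehaviorAdmin values (documented policy values)
ELEVATE_SILENTLY = 0            # slider bottom, "never notify"
PROMPT_CREDENTIALS_SECURE = 1
PROMPT_CONSENT_SECURE = 2       # Vista behaviour, slider top, "always notify"
PROMPT_CREDENTIALS = 3
PROMPT_CONSENT = 4
PROMPT_CONSENT_NON_WINDOWS = 5  # Windows 7 default: Windows binaries elevate silently

# ConsentPromptBehaviorUser values
USER_AUTO_DENY = 0
USER_PROMPT_CREDENTIALS_SECURE = 1
USER_PROMPT_CREDENTIALS = 3

# Stand-in for the real secure-location list (assumption, simplified).
SECURE_LOCATION_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class UacPolicy:
    enable_lua: int = 1
    consent_prompt_behavior_admin: int = PROMPT_CONSENT_NON_WINDOWS
    consent_prompt_behavior_user: int = USER_PROMPT_CREDENTIALS
    prompt_on_secure_desktop: int = 1


@dataclass(frozen=True)
class Binary:
    path: str
    windows_signed: bool          # stand-in for "signed with the Windows publisher certificate"
    manifest_auto_elevate: bool   # <autoElevate>true</autoElevate> in the manifest


def slider_level(p: UacPolicy) -> str:
    """Map the registry values to the Windows 7 control panel slider position."""
    if p.enable_lua == 0 or p.consent_prompt_behavior_admin == ELEVATE_SILENTLY:
        return "never notify"
    if p.consent_prompt_behavior_admin == PROMPT_CONSENT_NON_WINDOWS:
        if p.prompt_on_secure_desktop:
            return "notify only when programs try to make changes (default)"
        return "notify only when programs try to make changes (do not dim desktop)"
    return "always notify"


def can_auto_elevate(b: Binary) -> bool:
    """All three conditions must hold; copying an auto-elevating binary out of a
    secure location is enough to make it prompt again."""
    in_secure_location = b.path.lower().startswith(SECURE_LOCATION_PREFIXES)
    return b.windows_signed and b.manifest_auto_elevate and in_secure_location


def elevation_outcome(p: UacPolicy, b: Binary, user_is_admin: bool) -> str:
    """What the user sees when `b` asks for the administrator token."""
    if p.enable_lua == 0:
        # No consent UI at all when UAC is off (model assumption for standard users)
        return "silent" if user_is_admin else "denied"
    if not user_is_admin:
        # Over-the-shoulder elevation: a standard user is asked for an
        # administrator's credentials (or denied); auto-elevation never
        # applies because there is no split token to unlock silently.
        if p.consent_prompt_behavior_user == USER_AUTO_DENY:
            return "denied"
        return "credential prompt"
    if p.consent_prompt_behavior_admin == ELEVATE_SILENTLY:
        return "silent"
    if p.consent_prompt_behavior_admin == PROMPT_CONSENT_NON_WINDOWS and can_auto_elevate(b):
        return "silent"   # the Windows 7 whitelist case the thread is arguing about
    return "consent prompt"


def silent_elevators(p: UacPolicy, binaries: List[Binary]) -> List[str]:
    """Paths that would get the full administrator token with no prompt for an
    Admin Approval Mode user under policy `p`."""
    return [b.path for b in binaries if elevation_outcome(p, b, True) == "silent"]


if __name__ == "__main__":
    # Constructed sample binaries; the flags are assumptions, not measurements.
    samples = [
        Binary("C:\\Windows\\System32\\sample_applet.exe", True, True),
        Binary("C:\\Windows\\System32\\sample_tool.exe", True, False),
        Binary("C:\\Program Files\\Vendor\\setup.exe", False, True),
        Binary("C:\\Users\\bob\\Downloads\\sample_applet.exe", True, True),
    ]
    policies = [("win7 default", UacPolicy()),
                ("vista-style", UacPolicy(consent_prompt_behavior_admin=PROMPT_CONSENT_SECURE))]
    for name, policy in policies:
        print(name, "|", slider_level(policy), "|", silent_elevators(policy, samples))
```

Under the default policy only the signed, manifest-marked binary inside a secure location elevates silently; moving the slider to the top (ConsentPromptBehaviorAdmin=2) or logging on as a standard user makes that list empty, which is the "move the slider up a notch" and "use a non-admin account" advice given elsewhere in this thread.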
 
+1 to that. I saw this so called "news" last night and I blew it off because it was worthless.

I like UAC in Vista just the way it is. In fact with Windows 7 Beta I have sent feedback from multiple machines that UAC should be maxed out for security reasons right off the bat. Let people reduce security themselves. Then if they get infected it's their own damn fault.

QFT. No matter what MS does, someone complains about it (Vista's UAC was annoying, Win7's is not enough, etc. etc.) I left UAC on in Vista and honestly I don't see too many prompts every day. There are programs that I expect prompts from (although it may be a poorly written app) such as Stardock LogonStudio or SPSS. Most of the time I see only a few prompts a day, if that.

All this pissing and moaning about UAC seems to focus more on what could happen, if for some reason you have this irrational desire to stare at the contents of the Device Manager or use some other system feature that requires elevation all the time. I use a Mac at work sometimes, and it makes sense to require a password/confirmation on some of the settings changes.

Win7's UAC is great, but I agree--max it out and then if someone doesn't like it they can turn it down. Also, people need to remember: you can have the best security software in the world (whatever you think that is) but nothing, absolutely nothing can protect a computer against a user determined to do something stupid. :rolleyes:
 
I think what he's pointing out is that under Admin Approval mode there is no prompt, certain MS services are automatically elevated, which is fine - if you're an admin, but because the default profile in Win7 is an admin, you can easily run into issues. So you either make ALL processes prompt, including Microsoft processes, or you remove prompts altogether under Admin privilege and make the default profile a non-admin, which in my mind is what should happen, because after all, if you're logged in as an admin you should know what you're doing.

As I said, the point here is a matter of trust. Logically Microsoft can trust its components but can't make that assumption about a third party component unless it's been certified somehow. That's the point that the author in the article is completely ignoring.
 
I think these 2 points sum it up nicely:

4. With Windows 7, instead of modifying their application-level software to use UAC better, Microsoft have taken the easy way out and modified UAC to allow their software -- and only their software, or so they intended -- to elevate for free, without prompting.

In other words, Microsoft are still avoiding the refactoring work which their code has desperately needed since the early versions of Vista.

5. In doing so Microsoft have created several obvious, easy-to-exploit and inherent flaws.


Had they created secure silently-elevating processes then, perhaps, they could have argued that their code deserved special trust; they could have argued that it was too dangerous to allow silent elevation for any third-party code. They failed spectacularly to do so and thus cannot be allowed to argue either point. Beta or not, you design security in from day one, not at the last minute. Even if they patch over some of the security issues the fact is that the system is inherently flawed and more holes will be found in time. The best they can do, without drastic changes, is obfuscate things.

Another thing: The design of UAC in Vista shows that Microsoft had already predicted the very problems they are now opening up in Windows 7. Things which Vista's UAC went out of its way to prevent are now not only allowed but used routinely.

From: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html#mistakes
 
Leaving UAC as it was and refactoring the Windows applications & applets to use UAC better would have made Windows better for all types of user and would have encouraged people to move to non-admin accounts, all without creating such large security issues.

This author isn't attacking UAC per se, but Microsoft's implementation of it and I think he has a much more valid point than the first article you referenced.
 
As I said, the point here is a matter of trust. Logically Microsoft can trust its components but can't make that assumption about a third party component unless it's been certified somehow. That's the point that the author in the article is completely ignoring.


See, but this is exactly the point. Microsoft is assuming that it can trust its own code, but I think that's folly considering how many exploits in the past have involved hijacking a system process. And sure, I'm sure MS would patch those issues as soon as possible, but that doesn't bring much comfort to you if your system gets jacked in the week it takes for that to happen.
 
See, but this is exactly the point. Microsoft is assuming that it can trust its own code, but I think that's folly considering how many exploits in the past have involved hijacking a system process. And sure, I'm sure MS would patch those issues as soon as possible, but that doesn't bring much comfort to you if your system gets jacked in the week it takes for that to happen.

This logic is flawed in that trust doesn't mean unbreakable. Trust means that you know something about what you're trusting, nothing else. To trust something that you know nothing about is the foundation of most desktop attacks.
 
This logic is flawed in that trust doesn't mean unbreakable. Trust means that you know something about what you're trusting, nothing else. To trust something that you know nothing about is the foundation of most desktop attacks.

lol you're preaching to the choir. I know that trust doesn't mean unbreakable, that's exactly what I've been saying. Allowing your own code to bypass your OS's security measures is a bad idea because, as you stated, even the most trusted code is not "unbreakable."

You can wax philosophical all you want about what it "means" to trust, but at the end of the day, if you allow certain programs to bypass UAC you are opening a door to allow other pieces of code to bypass UAC too. There are a lot of brilliant coders out there. Someone will find a way to piggyback the automatic escalation. I just don't understand why MS would open themselves to having to deal with that.
 
lol you're preaching to the choir. I know that trust doesn't mean unbreakable, that's exactly what I've been saying. Allowing your own code to bypass your OS's security measures is a bad idea because, as you stated, even the most trusted code is not "unbreakable."

You can wax philosophical all you want about what it "means" to trust, but at the end of the day, if you allow certain programs to bypass UAC you are opening a door to allow other pieces of code to bypass UAC too. There are a lot of brilliant coders out there. Someone will find a way to piggyback the automatic escalation. I just don't understand why MS would open themselves to having to deal with that.

No, I don't disagree with the idea that if you make it easier to bypass UAC that malware can take advantage of it. But once again, silent elevation would only occur if you are running as an admin anyway which to be honest is the real issue here. UAC is NOT a security layer. Why do people insist on making it something it is not?
 
There are a lot of brilliant coders out there. Someone will find a way to piggyback the automatic escalation.
At that point, you're already hacked to have a program escalating itself. If someone runs a trojan, they may already have given it escalation and it could do any of the "right" things to install itself on *any* OS.

Unfortunately most of the arguments against UAC are missing the forest for the trees. To get from A to C, there is another place in-between (B) where "other stuff" happens. The "other stuff" is either an action initiated or approved by a person, or an exploit of a vulnerability, both of which can happen on any OS.

Let me give typical examples:

1) User visits a web page and is "tricked" into downloading and running an .exe. There are prompts in IE (i'll ignore 3rd party browsers and other software... see #5) for both continuing the download and for running the .exe since .exes and other executables are blocked* by default.
2) The user hits a drive-by download. Again the user is prompted and it requires user intervention to continue. The old silent installs from IE6 are dead.
3) The user runs a program he downloads. Again, IE blocks downloaded executable files by default and it requires user intervention to continue.
4) As part of #3, the user chooses to continue and gets a UAC prompt (yes, those still happen in Win7). At this point, the user allows the action, as part of a chain of events to purposely install an infected file. The file could register as a service, set itself up in scheduler or do any of the normal things an elevated program allows. This is no different from other OSs at this point where the user has explicitly allowed escalation.
5) The system is exploited by a 3rd party utility/plug-in or application that carelessly uses auto-escalation. You're out of luck there, pal. :p But at least you will eventually know who to complain to and hopefully the vendor gets a bad reputation for security. The world is looking at you, Adobe and Sun.

*blocked means that the program (examples: .exe, .bat, .vbs, .chm, etc) will prompt when it's double clicked (or executed at the command prompt) or when run is selected while downloading. You can clear this by going to the file properties and clicking the unblock button.
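The "blocked" state described in the footnote above is carried by the Zone.Identifier alternate data stream that Internet Explorer writes next to a downloaded file (the "Mark of the Web"); the Unblock button simply deletes that stream. The parser below is an added example, not code from the thread or from Microsoft. The stream contents and file names are constructed samples, and the extension list is an illustrative subset of the types Windows treats as executable (assumption). On NTFS the stream lives at <file>:Zone.Identifier; this code only interprets its text, so it runs anywhere.

```python
"""Interpret the Zone.Identifier (Mark of the Web) stream (added example)."""
from typing import Optional

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Zones whose files get the "open file - security warning" prompt when run
BLOCKING_ZONES = {3, 4}
# Illustrative subset (assumption); the real list is longer
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".vbs", ".js", ".chm", ".msi", ".scr"}


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a '[ZoneTransfer]' INI fragment, or None if the
    stream is missing, has no ZoneId in that section, or the value is not numeric."""
    if stream is None:
        return None
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None           # malformed mark: treat as no usable zone
    return None


def zone_name(stream: Optional[str]) -> str:
    zone = parse_zone_identifier(stream)
    if zone is None:
        return "no mark"
    return ZONE_NAMES.get(zone, "unknown")


def is_executable(filename: str) -> bool:
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in EXECUTABLE_EXTENSIONS


def will_prompt_on_run(filename: str, stream: Optional[str]) -> bool:
    """True when the file is an executable type whose mark says Internet or
    Restricted sites, i.e. the "blocked" case from the post above."""
    return is_executable(filename) and parse_zone_identifier(stream) in BLOCKING_ZONES


def unblock(stream: Optional[str]) -> None:
    """What Properties > Unblock does: the stream is deleted, so the file has no
    mark afterwards. None models 'no Zone.Identifier stream'."""
    return None


if __name__ == "__main__":
    downloaded = "[ZoneTransfer]\r\nZoneId=3\r\n"   # constructed IE download mark
    for name in ("setup.exe", "notes.txt", "run.vbs"):
        print(name, "|", zone_name(downloaded), "| prompts:", will_prompt_on_run(name, downloaded))
    print("setup.exe after unblock | prompts:", will_prompt_on_run("setup.exe", unblock(downloaded)))
```

The check is deliberately keyed on both the zone and the file type: a .txt from the Internet zone gets no prompt, and a .exe with no mark (or a mark from the intranet or trusted zone) gets none either, which is why copying a file through a path that strips alternate data streams (FAT32 media, most archive tools) also removes the warning.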
 
At that point, you're already hacked to have a program escalating itself. If someone runs a trojan, they may already have given it escalation and it could do any of the "right" things to install itself on *any* OS.

Unfortunately most of the arguments against UAC are missing the forest for the trees. To get from A to C, there is another place in-between (B) where "other stuff" happens. The "other stuff" is either an action initiated or approved by a person, or an exploit of a vulnerability, both of which can happen on any OS.

Let me give typical examples:

1) User visits a web page and is "tricked" into downloading and running an .exe. There are prompts in IE (i'll ignore 3rd party browsers and other software... see #5) for both continuing the download and for running the .exe since .exes and other executables are blocked* by default.
2) The user hits a drive-by download. Again the user is prompted and it requires user intervention to continue. The old silent installs from IE6 are dead.
3) The user runs a program he downloads. Again, IE blocks downloaded executable files by default and it requires user intervention to continue.
4) As part of #3, the user chooses to continue and gets a UAC prompt (yes, those still happen in Win7). At this point, the user allows the action, as part of a chain of events to purposely install an infected file. The file could register as a service, set itself up in scheduler or do any of the normal things an elevated program allows. This is no different from other OSs at this point where the user has explicitly allowed escalation.
5) The system is exploited by a 3rd party utility/plug-in or application that carelessly uses auto-escalation. You're out of luck there, pal. :p But at least you will eventually know who to complain to and hopefully the vendor gets a bad reputation for security. The world is looking at you, Adobe and Sun.

*blocked means that the program (examples: .exe, .bat, .vbs, .chm, etc) will prompt when it's double clicked (or executed at the command prompt) or when run is selected while downloading. You can clear this by going to the file properties and clicking the unblock button.

Correct. Microsoft points this out and most say that it is an excuse. And when you run as a standard user, all of this UAC bashing becomes irrelevant. This might be the biggest non-issue issue that is coming out of Windows 7 thus far. If this is all there is to worry about Windows 7 is in for pretty smooth sailing.
 
I, for one, want the default level of UAC in Win7 to be the same as it currently is in Vista. Add some tick boxes in system properties, or an icon pointing to an applet for altering UAC's settings in control panel, so those that want to alter its behavior or turn it off can do so easily. But the default should be what it is now for Vista IMHO.
 
"FUD, FUD, FUD, FUD, FUD, FUD, FUD, FUD..." sung to the tune of "Spam" by Monty Python... that's all I got running through my mental media player right now. ;)
 
"FUD, FUD, FUD, FUD, FUD, FUD, FUD, FUD..." sung to the tune of "Spam" by Monty Python... that's all I got running through my mental media player right now. ;)

Come on Joe, can't you let the MS haters have something meaningless to bitch about and ruin a great OS's name? ;)
 
Here's a video showing how the exploit is very real and how illogical MS processes (calc.exe and notepad.exe) are given free rein over elevation rights. The last part of the video discusses the problem in better detail, and gives some good solutions to the problem which Microsoft refuses to fix.

http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm

And this video shows him using the exploit to completely empty out the System32 folder.

http://nudel.kelbv.com/W7E_VID_DRA/W7E_VID_DRA.htm
 
Seconds into that lss.com.au video: "You can change UAC to its highest setting to prevent what you are about to see."

Yawn. Again, this has been pointed out a couple of times in this thread already. If you want Vista security, change the setting to full prompts. And at the point the video demonstrates, you would need to already be hacked to do that stuff anyways. It's game over even before the video starts.
 
If you want Vista security, change the setting to full prompts.

Still you fail to understand. Microsoft could have completely avoided this situation if they hadn't made half assed changes to UAC in Win7. That's the point the original and this author is making.
 
That's the point the original and this author is making.
If you wouldn't selectively read and quote, the Ars author wants Win7 UAC to be something it's not. I have pointed that out to you already. All the elevation hacks demonstrated require that the computer already be breached in order to run the code to do this stuff. It's a waste of time explaining this over and over so...

bye, PLONK!
 
If you wouldn't selectively read and quote, the Ars author wants Win7 UAC to be something it's not.

Yeah he wants it fixed.

And regarding your other point - it makes no difference how the machine was originally compromised, the exploit still exists. If Microsoft fixed the problem, even if the machine was originally compromised, the exploit wouldn't work.
 
No, you don't understand. Microsoft should not get a finger pointed at them just because some lamers out there - and this is truly the point that matters so pay attention - decide to spend all their time, skills, and so-called intelligence to do nothing but find ways to purposely fuck up (read: exploit) issues in Windows that nobody in their right minds (again, an important distinction) would ever even dream of creating or pushing in their wildest nightmares.

People seem to think that companies are cranking out perfect code and it's a pipe dream. The only perfect program I've ever seen is:

10 PRINT "HELLO"
20 GOTO 10

Because pretty much everything else is flawed. Now, if Microsoft had just created that program, there'd be some low-life no-life scumbucket piece of shit that would do something to find or create an exploit even in those two simplest lines of computer programming ever.

Go figure.

"If it ain't broke, fix it. If it is broke, some idiot will do everything in his power to find a way to exploit it and get pretty much high as a kite because of it..."

Which is something that Microsoft can't possibly be held responsible for... and they can't be expected to "protect" us either. UAC isn't about security, that is a known fact, regardless of what the naysayers believe. Too bad they're too stupid to figure it out...
 
No, you don't understand. Microsoft should not get a finger pointed at them just because some lamers out there - and this is truly the point that matters so pay attention - decide to spend all their time, skills, and so-called intelligence to do nothing but find ways to purposely fuck up (read: exploit) issues in Windows that nobody in their right minds (again, an important distinction) would ever even dream of creating or pushing in their wildest nightmares.

Wow... if you think real hackers, and virus writers (not day programmers who in their spare time test out UAC, which is how the exploit was found) don't "spend all their time, skills, and so-called intelligence to do nothing but find ways to purposely fuck up (read: exploit) issues in Windows that nobody in their right minds (again, an important distinction) would ever even dream of ", then you're delusional. But please continue to close your eyes, shut your ears, and be a Microsoft apologist and the problems might just go away on their own. And I thought you were a proponent of better security... I guess that doesn't mix well with fanboi.
 
lalalalalalalalala.



It's a curse, I assure you. ;)
 
Yep. Both of the exploits demonstrated so far require a chain of events outside of UAC to occur anyways (download, then run a file and ignore prompts). UAC can never completely save someone from reckless behavior or ignorance.

This change does open the door to attacks which don't require reckless behaviour or ignorance on behalf of the user though. You crucially left out of your example a scenario that wouldn't cause the user to get a prompt:
1) The MS whitelisted application is vulnerable and exposed to the network.
2) Some other non-whitelisted MS application is vulnerable and exposed to the network, allowing a chain of exploits to be executed.
3) Some 3rd party application is vulnerable and exposed to the network, allowing a chain of exploits to be executed. i.e. open vulnerability in firefox + open vulnerability in a whitelisted MS program.

Now obviously this is a conscious design decision, but it is also by any metric a reduction in security, which people might legitimately object to. Personally I don't care.
 
This change does open the door to attacks which don't require reckless behaviour or ignorance on behalf of the user though. You crucially left out of your example a scenario that wouldn't cause the user to get a prompt:
I listed common examples of what usually happens when someone is infected. Nothing implied it was a complete list. Read it again, slower this time. :p

Even your examples seek to ignore that little problem of "stuff happens" that I described... at one point you have a clean system, then "suddenly" you're infected. If you've been infected (a mystery to how it happens for some LOL), there has been a chain of events leading to that and UAC isn't going to save someone who has already allowed it to happen by okaying prompts, and UAC isn't going to prevent 3rd party apps that ignore guidelines or misuse auto-elevation.

And just to repeat it for the nth time, if you're concerned about UAC in Win7 move the slider up a notch. It won't hurt too much. Really, I've even done it myself. :rolleyes:
 
I listed common examples of what usually happens when someone is infected. Nothing implied it was a complete list. Read it again, slower this time. :p
And nowhere did I say you implied it was complete list. Perhaps you should read slower.

I did say that you left out some fairly important examples. In particular, you left out the possible avenues of infection that don't require user intervention (as in UAC prompts, or downloading a file), nor require an ignorant or negligent user.


Edit: I'll add, my first example doesn't require a chain of events before infection. If the whitelisted process is visible to the network then an infection can happen directly; unless you consider connecting to the internet as a "chain of events" which has to happen.
 
This is one of those where MS is damned if they do, damned if they don't.
Vista UAC worked, but for powerusers, it was just a PITA, I ended up turning mine off.

Ordinary users are morons anyways, so either they will turn it off, or click YES YES YES on everything that comes up because they don't know what it means anyways.

So true. My UAC has been off since about 10 minutes after my first install of Vista. It was, and is, annoying.
 