
UAC Whitelist Hole In Windows 7

Soulskill posted more than 5 years ago | from the time-for-some-creative-rebranding dept.

Windows 496

David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. The exploit is simply to copy (or inject) part of its own code into the memory of another running process and then tell that target process to run the code, using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread. Ars Technica writes up the issue, proclaiming Windows 7 UAC 'a broken mess; mend it or end it.'"
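
A defender-side detection check for the pattern the summary describes, added here as an illustration and not code from the Slashdot thread or the Ars Technica article; the event format, field names, trusted-directory list and sample records are constructed assumptions. It goes a little beyond the rundll32.exe case by also flagging any remote thread that crosses upward in integrity level.

```python
"""Detection sketch for the UAC bypass pattern described in the summary.

Added example, not code from the Slashdot thread or the Ars Technica article.
The technique: a medium-integrity process writes code into a whitelisted,
auto-elevating Microsoft binary (rundll32.exe) with WriteProcessMemory and
starts it with CreateRemoteThread. The defender-side observable is the
cross-process thread creation. Event shape, field names and sample records
below are constructed assumptions (loosely modelled on a Sysmon-style
CreateRemoteThread event), not anything the page specifies.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Auto-elevating binary named on the page. In practice this set is built from
# the auto-elevate manifests on your own build (assumption: illustrative only).
AUTO_ELEVATE_TARGETS = {"rundll32.exe"}

# Where genuine Windows components live; used to treat system-to-system
# thread creation (crash reporting, debugging) as the expected benign case.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Windows integrity levels, ordered so that "crossing upward" is comparable.
LEVELS = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str      # process that called CreateRemoteThread
    source_integrity: str  # integrity level of the caller
    target_image: str      # process that received the new thread
    target_integrity: str  # integrity level of the target


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one constructed 'key=value|key=value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return RemoteThreadEvent(
        fields["src"], fields["src_il"], fields["dst"], fields["dst_il"]
    )


def _from_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Flag a remote thread that either lands in an auto-elevating binary
    (the page's case: Medium -> Medium rundll32.exe, which then elevates
    silently) or crosses upward in integrity, unless the caller is itself
    a high-integrity Windows component."""
    target_name = ntpath.basename(ev.target_image).lower()
    hits_auto_elevate = target_name in AUTO_ELEVATE_TARGETS
    crosses_upward = LEVELS[ev.source_integrity] < LEVELS[ev.target_integrity]
    if not (hits_auto_elevate or crosses_upward):
        return False
    if _from_trusted_dir(ev.source_image) and LEVELS[ev.source_integrity] >= LEVELS["High"]:
        return False
    return True


def scan(lines: Iterable[str]) -> List[RemoteThreadEvent]:
    """Return the events worth an analyst's attention, in input order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample telemetry: one injection matching the summary, one
# benign system-to-system case, one unrelated target, one low-to-medium hop.
SAMPLE_EVENTS = [
    r"src=C:\Users\alice\Downloads\setup.exe|src_il=Medium"
    r"|dst=C:\Windows\System32\rundll32.exe|dst_il=Medium",
    r"src=C:\Windows\System32\WerFault.exe|src_il=System"
    r"|dst=C:\Windows\System32\rundll32.exe|dst_il=Medium",
    r"src=C:\Users\alice\Downloads\setup.exe|src_il=Medium"
    r"|dst=C:\Program Files\Editor\editor.exe|dst_il=Medium",
    r"src=C:\Users\alice\AppData\Local\Temp\x.exe|src_il=Low"
    r"|dst=C:\Windows\SysWOW64\rundll32.exe|dst_il=Medium",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {ev.source_image} -> {ev.target_image}")
```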


If it was easy-- (5, Insightful)

Geoffrey.landis (926948) | more than 5 years ago | (#27104349)

Hey, if security was easy, everybody would do it.

Try OpenBSD (1, Informative)

gearheadsmp (569823) | more than 5 years ago | (#27104401)

It has great documentation and with NoScript I feel safe everywhere on the Internets.

No Script Bragging -- please stop (4, Insightful)

blahbooboo (839709) | more than 5 years ago | (#27104525)

It has great documentation and with NoScript I feel safe everywhere on the Internets.

You "no script" people are so funny with your need to Slashdot brag about using the internet without scripts. Yes, we get it, you're so amazing! The internet without scripts, wow that's so neat!

Re:No Script Bragging -- please stop (4, Insightful)

meist3r (1061628) | more than 5 years ago | (#27104575)

The internet without scripts, wow that's so neat!

You're doing it wrong. It's not about "No"Script it's about "Only those that are actually useful for the experience" Script but that would make a terrible extension name.

YeeeeHaaaaaw! Giddy up! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27104901)

Ride 'em cowboys, ride 'em hard. That'll learn 'em.

'Nother thing. That there ARSE Tech be a mighty big basher of them MS folks, prettin' near Hatfields and McKoys I reckon, so I wouldna give that there spout much thought.

Re:No Script Bragging -- please stop (0)

Anonymous Coward | more than 5 years ago | (#27104963)

Actually, that bragging serves a useful function: it's where I heard about NoScript and, through me, several friends. Someone's bragging about security actually makes the internet more secure.

Granted, I learned about it from a more insightful comment than "YAY OpenBSD!"

Re:If it was easy-- (4, Interesting)

spyrochaete (707033) | more than 5 years ago | (#27104711)

I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

Re:If it was easy-- (1)

MikeURL (890801) | more than 5 years ago | (#27104877)

I tend to agree as well. People hate UAC in Vista precisely because it is pretty effective.

If I were to make a change it would be to provide a link in the UAC warning to a trusted site to describe the owner of the Authenticode. Right now I have no really good instruction to give a user when a UAC warning comes up other than to look at the publisher and try to guess if they are legit.

Of course unidentified publishers are "just say no" but the rest is pretty gray. If there were a link out to a site that described the process or the company seeking access it would make the whole process a lot more transparent. Instead it looks like MS went the route of moving UAC out of the way and now we're hearing about security holes every other week.

Re:If it was easy-- (5, Insightful)

schon (31600) | more than 5 years ago | (#27105017)

It sounds like what you're saying is that UAC is only useful for people who know what they're doing. You are savvy enough to recognize when it's protecting you from mistakes, but the average user won't.

UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

My first car was made by Isuzu. Like many (all?) imports, in order to lock the door from the outside of the car, you had to hold the handle up as you closed the door. I asked why this was, and was told that it was a mechanism to prevent you from locking your keys in the car. You couldn't just carelessly close the door, you had to actively hold the handle up.

One hot summer day, I got out of the car, took off my coat, and put it inside. Out of habit (because I needed to do it every time) I held the handle up as I closed the door. A few minutes later I realized that the keys were in my coat pocket. And the door was locked.

The designers of this car thought they were making it harder to lock your keys in the car, but in reality they were simply training people to hold the handle up when they closed the door.

UAC reminds me of the exact same thinking. It doesn't really prevent you from making mistakes, it just conditions you to click "OK".

Re:If it was easy-- (3, Interesting)

Anonymous Coward | more than 5 years ago | (#27105215)

You are so right. I hate to be one of those "I am awesome because of X" but I have not run virus or malware software on Windows in many, many years and I have not had ANY problems. Other than the reg getting full of crap and having to re-install, about once a year. My system doesn't slow and things are great. Now, how do you teach a user to think about what they are doing before they do it and to have enough knowledge to make an informed decision? You don't, I guess. I try with my friends and family to keep them educated and to use NoScript, Firefox and to stay away from IE. It works but I still wind up cleaning their PCs of badware.

My point is that if I never get in the habit of "holding the handle" then in the long run I will be better off. Be aware of what you are doing and use that damn melon in your head.

Re:If it was easy-- (0, Offtopic)

newcastlejon (1483695) | more than 5 years ago | (#27105221)

I never heard of that. All the cars I have owned either prevent you from locking the driver's door when it's open or unlock the door if you close it when it's locked. (I assume you might bypass this by holding the handle as you described) For myself, I'd simply suggest that you lock doors after you use them rather than during.

Re:If it was easy-- (4, Insightful)

Kaboom13 (235759) | more than 5 years ago | (#27105275)

That's really the problem with UAC. It comes up so often for no good reason, and gives no information to the user why it even came up. The only people with the technical skill to make intelligent choices about it don't need it. Of course, the problem in some ways is not even MS's fault. The reality is most Windows programs are doing things that trigger UAC prompts for no good reason. In the Linux world, if a text editor or card game or whatever app required you to su every time you ran it, even when it didn't perform any functions that actually needed su level privileges, people would be pissed. But there's a lot of Windows apps that need to run as admin, even when their primary function has no need for admin level privileges. Their coders were just lazy, and instead of doing things following MS's guidelines, they take shortcuts that lead to big headaches for everyone down the line.
Most apps don't handle a deny in UAC gracefully either; they either completely crash or have wildly unpredictable behavior. When they should be telling the user why they need a UAC ok, and giving an option to gracefully quit or retry, they seem to prefer to pretend it doesn't exist.

I think everyone agrees, UAC as it stands is a clusterfuck. But I think MS deserves a little slack. They are fighting a major battle, trying to rein in the thousands of terrible Windows coders and get them to finally play nice not being admin all the time. Granted it would not be as big a problem if they had not ignored it for so long, but 2000 and XP both prove that simply offering and recommending that users don't run as admin, and programs not require it, is not enough.
Hopefully MS will keep working and improving it, and app designers will get tired of their users complaining about UAC prompts and design their apps to only need admin (and thus a UAC prompt) at install.

Re:If it was easy-- (3, Interesting)

dna_(c)(tm)(r) (618003) | more than 5 years ago | (#27105327)

Nice car analogy!

I had a car that required you to close the driver's door with the key. Worked very well.

It was much more like sudo/gksudo/kdesudo. Only those with the key can make big mistakes.

Re:If it was easy-- (2, Funny)

thetoadwarrior (1268702) | more than 5 years ago | (#27105139)

I agree 100%. I guess I'm in the minority but I love Vista UAC. Fairly often I will carelessly click something, and UAC gives me a second chance to abort before it's too late. UAC is only useful 1 time in 20, but I thank my lucky stars that 1 time.

Your comment reminds me of a shirt sold by T-shirt Hell which said on it "What about the good things Hitler did?".

Re:If it was easy-- (2, Funny)

dna_(c)(tm)(r) (618003) | more than 5 years ago | (#27105351)

Your comment reminds me of a shirt sold by T-shirt Hell which said on it "What about the good things Hitler did?".

I want one with "Remember Godwin's Law" on it.

OSX UAC (2, Insightful)

goombah99 (560566) | more than 5 years ago | (#27104781)

OSX has both the unix permissions and something like the UAC.

I find the UAC so mind boggling I don't use it. Some applications seem to respect it and some don't. e.g. if you can't do something in a Finder window, sometimes you can do it in a terminal window. I have not figured out what the pattern is or if the UAC is there to allow actual secure protection or just guard railings to keep the riff raff from doing stupid things.

I suspect the Windows folks would say the UAC is just guard railings not actual security.

Re:OSX UAC (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27104809)

Some applications seem to respect it and some don't. e.g. if you can't do something in a Finder window, sometimes you can do it in a terminal window.

The reason you can do things in Terminal that you can't do in Finder is because you're running as Admin, most likely for no good reason.
 
If you don't run as Admin, you're a lot safer. This is because, even if a script said 'cd Applications; rm *' it wouldn't be able to (non-Admin OSX accounts cannot modify the Applications folder).

Re:OSX UAC (0)

Anonymous Coward | more than 5 years ago | (#27105319)

I am not sure what the original poster was talking about. If I wanted to delete everything from within /Applications, I could do so from within the Finder.

I am trying really hard to think of something I could do from the terminal (without sudo) that I would be prevented from doing in the Finder. I am having a really difficult time coming up with anything.

Re:OSX UAC (0)

Anonymous Coward | more than 5 years ago | (#27104911)

I'm curious about this. I don't own a Mac so I'd like to hear more about the things you can do in a terminal that you can't do in Finder. Are you saying that if you clicked on program YYY in Finder that UAC might nag you, but if you were to go to the terminal and type "/path/to/YYY" that it will (might) bypass UAC? If so it sounds like the UAC isn't as integrated as Apple would have everyone think, or they figure that anyone running a program from the command line would know what they're doing in the first place, but that wouldn't be a good assumption.

Please, tell me more.

Re:OSX UAC (1)

thetoadwarrior (1268702) | more than 5 years ago | (#27105183)

I suspect the Windows folks would say the UAC is just guard railings not actual security.

The proper term is now guide rail because a guard rail doesn't actually guard against anything and as usual, someone probably sued someone over the technicality after having an accident.

..bungle, bungle.... (5, Insightful)

gadget junkie (618542) | more than 5 years ago | (#27104361)

I still think that Microsoft will have a very hard time prying customers away from the fiercer of its competitors: WIN XP.

In all the financial institutions I work with, or know, WIN XP is the validated standard, and as far as I know no one takes the XP "expiry date" seriously, so no plan B is in place.

This is still in Microsoft's favour, since no one is actively pursuing things like Ubuntu/OpenOffice or such, but it's anyone's guess how long this state of grace will go on; after all, many applications work in terminal emulation, which is an ancient technology by any standard; why use Vista or Windows 7 for that?

Re:..bungle, bungle.... (3, Insightful)

myxiplx (906307) | more than 5 years ago | (#27104479)

Yup, Microsoft have a real fight on their hands retiring XP. I think Windows 7 is a huge improvement over Vista, I really like the thought that's gone into the new task bar (and can name probably a dozen users at our company who will benefit as they never did grasp the difference between a button to launch a program, and one to switch to the existing copy).

The new drive encryption stuff sounds promising too, as does AppLocker (provided you don't look too hard at it...).

But then I found that we don't get drive encryption without the full blown enterprise product, and associated subscription costs. AppLocker sounds painfully hard to implement, and while the task bar is nice, it's not really £50+ per user nice. So even though I think they're finally getting things right with Windows 7, I still can't see any good reason for us to upgrade. So far there's absolutely nothing that we can't achieve with XP.

And that's the crux of the problem: This is a business decision, it's straightforward cost/benefit analysis. Right now I can't see any benefit that even comes close to justifying the cost of the upgrade.

Re:..bungle, bungle.... (0)

Anonymous Coward | more than 5 years ago | (#27104485)

NEVER upgrade. Retire the old system when it dies (or becomes obsolete) and get the latest OS when you buy a new computer.

Re:..bungle, bungle.... (3, Informative)

Anonymous Coward | more than 5 years ago | (#27104519)

He's talking about use in a business. They're not going to have a different OS on every desktop. They either keep buying XP with each new PC or they upgrade all existing PCs.

Re:..bungle, bungle.... (0)

Anonymous Coward | more than 5 years ago | (#27104763)

Reread the word NEVER.

Re:..bungle, bungle.... (1)

maird (699535) | more than 5 years ago | (#27104893)

For many companies getting "the latest OS when you buy a new computer" _is_ an OS upgrade. I used to work at a very large accountancy firm. They had a standard "load-set". Every new PC that came in the door got the load-set installed on it. I'm sure that's still true there. For many companies with lots of cubicles occupied by people all doing the same job I'm sure there is a pre-built load-set deployed on every PC when it arrives and before an employee gets it. Microsoft will have a hard time denying support to lots of companies with tens of thousands of XP seats they don't want to...let's call it "replace with the latest OS".

Futurama Analogy (3, Funny)

nurhussein (864532) | more than 5 years ago | (#27104371)

Microsoft's approach to security is like putting too much air into a balloon! And when exploiters find a way around their measures, it's like.. a balloon, and... something bad happens!

Good thing it's a beta (4, Insightful)

Nimey (114278) | more than 5 years ago | (#27104383)

Aren't you glad this was caught in testing? Yeah, I am too.

Re:Good thing it's a beta (5, Insightful)

rsmith-mac (639075) | more than 5 years ago | (#27104591)

Unfortunately it's not a bug, or even a design flaw. Microsoft's in the position of trying to placate as many customers as they can. They tried doing security the "correct" way with Vista, only for the loudmouths of the world to run around telling everyone else that Vista sucked because they kept getting "those damned prompts." Hell, Apple even got in on the action and made TV advertisements about it lambasting Microsoft for doing security right*. So Microsoft does something about it: they scale back the security and scale up the convenience.

Now Peter makes a good point in the article that Microsoft should have stuck to their guns, and I agree with him. Users won't do the right thing unless it's also the easy thing, so now and then you're going to have to club them over the head and make them do the right thing anyhow. But if Microsoft isn't going to do this, then they're in effect (back to) designing an insecure OS, because that's what people want. At some point you have to trade some convenience for some security, it turns out most people (or at least the loudest of them) will trade away every bit of security for every bit of convenience they can get.

This isn't something that's going to be fixed. It's a design choice. It's what the people - in all their infinite stupidity - want.

* OS X has a pretty big hole: any admin user account can write to the Applications directory willy-nilly. Just like with Windows, people tend to use admin accounts for day-to-day work. From a high-level perspective, Vista does more things right than OS X does.

Re:Good thing it's a beta (1)

MeanMF (631837) | more than 5 years ago | (#27104639)

It may be the "correct" way, but it's worthless if it's so intrusive that people turn it off completely - that just sets you back to the broken XP model. Finding a balance is a good thing, and the option is still there to set it back to "Vista" mode if you want to run that way.

Re:Good thing it's a beta (3, Insightful)

rsmith-mac (639075) | more than 5 years ago | (#27104649)

The only correct way is the secure way. Anything that allows code to run with admin privileges without user confirmation is a problem.

Re:Good thing it's a beta (1)

MeanMF (631837) | more than 5 years ago | (#27104791)

They're trying to find a balance that is as secure as possible while encouraging as many people as they can to leave UAC enabled. It's not realistic to think that they can force everybody to run with Vista-style UAC. They're leaving that option in there for those that want it, and they're including new options for people who would otherwise disable UAC completely. Maybe it'll stop a lower percentage of attacks, but that's better than stopping none at all.

Re:Good thing it's a beta (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27104811)

The problem is that when the UAC box pops up 4 times for the same file copy, people will naturally start ignoring it / not paying attention to it / turning it off. They habitually start clicking yes to everything because clicking yes means they get to do what they want, whereas clicking no stops them from doing what they want.

This doesn't mean users want to trade "all security for convenience". It means users, shock and horror, actually want to use their computers to do what they want to do. If Microsoft cannot find a better way than to shove multiple nag boxes in your face every time you try and do one little thing, then they should immediately give up, because they are lost.

I remember a study done ages ago that said that most people don't even read the text in a message box. They choose the option that allows them to do what they want to do. Nobody wants to pick the option that prevents them from doing the action they initiated - why else would they have initiated it?

So why even pay attention to the box at all? After you've seen 50 of them, they are completely ignored. Users are not in the wrong here. It is not stupid to want to use your computer for something you want to do without being annoyed to death by idiocy.

Regardless of intent, UAC does not work for humans. The human mind actively circumvents it as noise, just as it does with thousands of other distractions we deal with every day. Since Vista is presumably being marketed exclusively to humans at this point, it must either fit with the way human minds work, or perish entirely.

The idea that UAC is great because of all those popups is ridiculous. The idea that users should enjoy those popups and actually be thankful of them is ignorant in the extreme. Microsoft has never made a worse UI decision in their entire history.

You can claim the users are 'infinitely stupid' if you want, but from where I sit, the only stupid person is you.

Re:Good thing it's a beta (2, Insightful)

MadAhab (40080) | more than 5 years ago | (#27104869)

Wow, I had better throw away my BSD and Linux boxes then. They have suid programs that run code with admin privileges without user confirmation!

Re:Good thing it's a beta (3, Informative)

Anonymous Coward | more than 5 years ago | (#27104705)

Bull-Shit

People do not tend to use "admin accounts" for day to day tasks on OSX. You have no idea what you are even talking about. OSX uses a sudo mechanism to elevate privileges (after authentication) for processes.

It is not annoying, and fairly secure. The design is possible since they are based on a proper multi-user OS (BSD) and multi user and privilege separation is not an afterthought.

Re:Good thing it's a beta (0)

Anonymous Coward | more than 5 years ago | (#27104807)

The whole sudo thing is what he means by "admin account." In most everyday cases, sudo can be implemented in such a way that its level of security is equal to that of the root/user model, but the point is that OS X has a flawed implementation that allows anyone who can sudo to write to the Applications directory without sudoing.

Re:Good thing it's a beta (1)

Darkness404 (1287218) | more than 5 years ago | (#27105377)

Um, honestly that kinda makes sense. I don't want to be prompted for my password when I try to install everything, I instead want to be prompted for the first thing in a long list of dependencies. For example, without having a package manager (which OS X does not natively come with) it would be equivalent to me having to "sudo apt-get install firefox" "sudo apt-get install firefox-dependency-1" "sudo apt-get install firefox-dependency-2" "sudo apt-get install firefox-dependency-3" etc, and being prompted for my password every time. Sure, it is slightly less secure, but I would prefer secure in the fact that it is reasonably secure without being annoying, because, if the security is too annoying I can't do my work, if I can't do my work, why am I using a computer?

Re:Good thing it's a beta (2, Interesting)

salesgeek (263995) | more than 5 years ago | (#27104813)

No. People piled on Microsoft because UAC was a nuisance and did little to improve security because even experienced users became conditioned to click on continue whenever they heard "bing".

It was the world's largest exercise in Pavlovian conditioning. The Unix sudo model tends to work much better, and there are far fewer points where root access is required to get a particular task done.

Re:Good thing it's a beta (2, Insightful)

goombah99 (560566) | more than 5 years ago | (#27104873)

* OS X has a pretty big hole: any admin user account can write to the Applications directory willy-nilly. Just like with Windows, people tend to use admin accounts for day-to-day work. From a high-level perspective, Vista does more things right than OS X does.

It's true admin users can write to the app folder and even some worse stuff. Which is why people should not run as admin users all the time.

The difference in my experience is that running as a non-admin user on a Mac is pleasant. If you have both an admin and non-admin account then life is good when you run as non-admin. Any time you need privileges it asks you for the admin user id and password. It's not disruptive.

I have not tried Win 7 so I don't know if things have gotten better, but it used to be that on Windows doing simple things (like changing the clock time) often required admin access. Worse, many install applications would simply go belly up and die unless you were running as admin.

In other words, being non-admin was the exception to the rule on Windows, to the point where it was painful to even try.

Now *nix folks have a bit of this problem as well. I've had many a makefile that would not run correctly unless you were root (and many of those fail on NFS because of root squashing!).

On macs people tend to frequently run as admins by default not because they need to but because that's how an out of the box mac sets up the first account. The nice thing is that it's well worked out for the non-admin user.

Re:Good thing it's a beta (1)

gillbates (106458) | more than 5 years ago | (#27105101)

But if Microsoft isn't going to do this, then they're in effect (back to) designing an insecure OS, because that's what people want.

No, people don't want an *insecure* OS; they want an *easy to use OS* that is also secure. UNIX, Linux, BSD, and Apple got the security model right; Microsoft didn't. That's why in Windows, security and usability is a zero sum game. Had Microsoft gotten the security model right in the first place, UAC wouldn't be an issue.

At this point, backward compatibility and familiarity are the only things keeping Microsoft in the game. If they abandon their broken security model, they'll be obsoleted by Ubuntu or Apple. They really don't have much of a choice except to continue with their broken architecture.

Re:Good thing it's a beta (2, Insightful)

drsmithy (35869) | more than 5 years ago | (#27105289)

UNIX, Linux, BSD, and Apple got the security model right; Microsoft didn't. That's why in Windows, security and usability is a zero sum game. Had Microsoft gotten the security model right in the first place, UAC wouldn't be an issue.

From a low-level perspective, the security model in Windows is far superior to classic UNIX.

From a high-level perspective, the security model in Windows is the same.

What's your problem, again ?

Re:Good thing it's a beta (0)

Anonymous Coward | more than 5 years ago | (#27105343)

From a low-level perspective, the security model in Windows is far superior to classic UNIX.

[citation needed]

Re:Good thing it's a beta (0, Redundant)

mspohr (589790) | more than 5 years ago | (#27105127)

Unfortunately it's not a bug, or even a design flaw. Microsoft's in the position of trying to placate as many customers as they can. They tried doing security the "correct" way with Vista...

I don't think they did it right in Vista. What good is security that irritates users into clicking OK for everything (and to top it off, still has holes in it)?

I don't understand why they just didn't do it like Linux which has rock solid security and absolutely none of that irritating UAC dialog. They had five years to rewrite the OS and they still did a lame job of security.

Re:Good thing it's a beta (1)

AmiMoJo (196126) | more than 5 years ago | (#27105157)

I think part of the problem with UAC is that it tries to maintain backwards compatibility for applications, most of which just assume you are an administrator and proceed to pollute your system with all sorts of background tasks, explorer add-ons, codecs, toolbars etc.

UAC is actually pretty similar to having to type the root password on Linux or MacOS when trying to do something which could compromise security. Sure, it goes a bit further than Linux or MacOS (e.g. requiring permission to change the time) but mostly it just highlights how poorly most apps treat your system. IIRC one of the stated goals of UAC was to make programmers do less stupid stuff.

I'd rather they just ditched all the compatibility crap like the virtualised filesystem and registry. Sure, it would break some apps, but it's better than trying to keep hundreds of old APIs and hacks around, especially from a security point of view.

Re:Good thing it's a beta (1)

drsmithy (35869) | more than 5 years ago | (#27105315)

Sure, it goes a bit further than Linux or MacOS (e.g. requiring permission to change the time) [...]

You need elevated privileges to set the time on a Linux system (as you should). It's been a while since I actually did it manually, but I would assume you do on OS X as well (and if you don't have to, then you should).

Re:Good thing it's a beta (1)

QuestorTapes (663783) | more than 5 years ago | (#27105263)

> They tried doing security the "correct" way with Vista, only for the loudmouths
> of the world to run around telling everyone else that Vista sucked
> because they kept getting "those damned prompts."

Can't agree.

"Correct" would be to plan security proactively. Vista UAC was entirely reactive. The "Correct" way of preventing a car accident is not to invest in the best, top of the line anti-lock brakes with the best computer technology to prevent collisions...it's to not follow the car ahead of you too closely.

Which is not to say that *nix is perfect. Merely that sudo is fundamentally different in requiring you to decide -before- running the install whether you want to escalate privileges.

Vista UAC waits until after you start the install and then throws up a message box, which users have already been conditioned to click "yes" on.

"Buy this [wotzit] for $20" is not the same request as "You can receive your free [wotzit] for only a $20 shipping fee". That's why scammers always use the second form; it's a loaded question.

> This isn't something that's going to be fixed. It's a design choice.
> It's what the people - in all their infinite stupidity - want.

Also have to disagree. You -may- be right. But since the people - in all their stupidity - have never been given a fair choice, but only the chance to select from a few deliberately stacked options, the question is, in my view, still unanswered.

Re:Good thing it's a beta (1)

MobyDisk (75490) | more than 5 years ago | (#27105301)

Vista's way isn't correct at all. BSD and Linux did it right. Windows 2000/XP were almost right.

Here's the things that Vista does wrong with security:

1) Doesn't prompt for admin password. Instead, it just prompts Cancel / Allow.
2) Doesn't tell you what or why it is prompting.
3) Double prompts. (And worse)
* They needed to prompt for the duration of the app (or a time limit), not for each individual operation.
4) Prompts at places where security is not relevant, such as
- Modifying the start menu. Other OS's just modify your local one.
- Read-only access to system level items. Going to the various control panels should not require admin access.

What Microsoft should have done on Windows Vista:

- Modify XP so that the various built-in apps prompt for admin password when they actually need it. (Ex: Committing changes in control panel)
- Default users to limited users
- Chastise developers who do not write code to work as limited users. (They needed to do this back in 1993 with Windows NT - CERTAINLY by 2000 this should have been eliminated.)
- Make workarounds for specific applications that wrote things to the wrong place. Ex: Directing HKLM registry entries to HKCU.
- Make prompts for applications where the above workaround doesn't apply. That might be based on a white list of those few apps that are important enough to not break, but where the above workarounds were not sufficient, and where the manufacturer was unable to issue a patch in time.

Despite the workarounds I listed, my solution would not really have been any more work, since they already do heavy application testing and have tons of hacks and workarounds for compatibility. (Microsoft does a good job of this, overall). If they wanted to make a check box somewhere "don't prompt for admin password, just display cancel/allow" then that would be fine. But the point is, prompting twice at every stupid registry change or file I/O operation is too granular. Sometimes moving a file in the start menu displays multiple prompts instead of just a single one.

Re:Good thing it's a beta (2, Interesting)

Hal_Porter (817932) | more than 5 years ago | (#27104719)

This shows the benefit of Microsoft's development model. They have an (effectively) open beta so everyone interested will have downloaded the beta and tested it. Closed source, signed binaries and software that phones home (or DRM as slashdot inaccurately calls it) means that they can give away the beta and be confident that most (note: not all) people will stop using it when it expires and buy the full version.

In the meantime the software is going to be widely used and people will check for exploits like this. Many eyeballs make all bugs shallow, as ESR pointed out. There are more eyeballs on Windows 7 than Linux, and more programmers working to fix the bugs the eyeballs find, because Windows is a multibillion dollar product. Even more profoundly, it's not just bugs that are getting fixed. Any features in Vista that irritate people, like UAC, are getting changed as well. That can only happen with commercial software. If it was FOSS the developers would just tell us that security was important and we mere users were idiots for not understanding this. With Windows they were forced to change things to improve security in Vista and user-friendliness in 7.

Windows isn't even a monopoly either. Vista's flaws have seen the OS X market share increase. In response to that they are working hard to fix those flaws for 7.

This is the closed source empire, striking back. Don't expect Windows' market share to drop by much if they keep behaving like this.

Re:Good thing it's a beta (1)

Windowser (191974) | more than 5 years ago | (#27104997)

If it was FOSS the developers would just tell us that security was important and we mere users were idiots for not understanding this.

And they would be right

Re:Good thing it's a beta (1)

drsmithy (35869) | more than 5 years ago | (#27105321)

Windows isn't even a monopoly either. Vista's flaws have seen the OS X market share increase.

Note that from a legal perspective, Windows and OS X are not competitors, so OS X's marketshare has zero impact on whether or not Windows is a "monopoly".

Except this should have been caught WAY earlier (1)

SmallFurryCreature (593017) | more than 5 years ago | (#27104815)

The flaw is fundamental to the design; this is NOT a coding error, the entire idea is flawed. It should have died at the drawing board. For it to have made it to the beta shows just what is wrong with software development, especially at Microsoft.

For the famous car analogy, a brake that malfunctions under stress is something you find during a driving test. A brake that is only attached to one wheel, that being the spare, should have been caught a bit earlier. But of course the car industry isn't that stupid, and that is because car makers are liable for any damages. Software makers aren't.

A bit early for this comment? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27104393)

Isn't Windows 7 still unreleased as a final product? One would think they could, idk, fix it possibly? I think all this doom and gloom about it being worthless is a little early.

Re:A bit early for this comment? (1)

thetoadwarrior (1268702) | more than 5 years ago | (#27105229)

They could but they won't. They programmed it to work that way.

Just rip off the band-aid (4, Interesting)

dgr73 (1055610) | more than 5 years ago | (#27104409)

I had my try with UAC and came to the conclusion that it's just a lose/lose situation for Microsoft.

Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.

Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides

The only upside is that they insulate themselves legally by having the user do the "not recommended" thing whenever they use the OS. Then again, they've never been much to accept responsibility for security problems anyways, it's kind of a moot point.

Re:Just rip off the band-aid (5, Insightful)

Shados (741919) | more than 5 years ago | (#27104483)

It's not a band-aid, since it's basically a copy of what every other OS does and is considered critical. Run as a least privileged user and elevate only when necessary. The only real differences are:

If you have an account that's not administrator, but is part of the administrator group, you still need to elevate.
It's awkward and sometimes not possible to elevate an explorer window or the control panel (so you would only need to elevate once for multiple operations)
You need to elevate an installer even if you only want to install a program for yourself, not computer wide.

If those 3 main things were fixed, it wouldn't be much different from sudo, and even has some advantages over it. But people spoiled by running constantly as administrator, or worse, being so arrogant that they think UAC is just "for noobs", would still disable it.

Re:Just rip off the band-aid (4, Insightful)

similar_name (1164087) | more than 5 years ago | (#27104609)

But people spoiled by running constantly as administrator

I don't know if users are more spoiled or programmers are. Most users don't know the difference until a program requests it. I find it interesting that you can install Mozilla as a user into a user folder but then you can't install Adobe Flash for it unless you're an Admin.

Re:Just rip off the band-aid (1)

choseph (1024971) | more than 5 years ago | (#27105023)

You don't have to elevate for a self-only install provided the developer made the installer correctly. As long as you aren't writing to common areas like programFiles, you are free to install to the user's profile folders without requiring admin elevation.

Re:Just rip off the band-aid (1)

MeanMF (631837) | more than 5 years ago | (#27105281)

Installing applications into a non-privileged area doesn't sound like a good idea. If a user can write to it without elevation, then anything they run can also write to it without elevation. The idea of putting applications in Program Files is that once they're installed, the files are no longer writable.

Re:Just rip off the band-aid (1)

MobyDisk (75490) | more than 5 years ago | (#27105329)

Since it's basically a copy of what every other OS does

Under the hood, yes, it is what other OSs do. The problem is that the UI was terrible. Your second point hits the nail on the head.

Microsoft could have easily fixed this in a service pack to Vista.

In practice, I can run Windows XP as a limited user, and modify the shortcuts on the start menu so that they prompt me to run as admin, and I can get Windows Vista without all the pain. I wanna change 10 things on the start menu? I just click "edit start menu" and type in the admin password. Sure beats 20 prompts to move 10 shortcuts.

Re:Just rip off the band-aid (0)

Anonymous Coward | more than 5 years ago | (#27104513)

If they would just put some granular control in there it wouldn't be that bad. I tried it for a few weeks and the same few programs set UAC off every time. Yes, I want to allow. YES, I'm sure. Just let me do it already, I know what the program is. Repeat every time you want to use the program.

Re:Just rip off the band-aid (1)

PNutts (199112) | more than 5 years ago | (#27104557)

Lose 1. They're basically advertising to users that "The feature you're about to use is buggy as hell and totally insecure, so you'll have to accept the responsibility for using it". Great way to sell a product.

It's about elevated privileges and the same as the prompt I get in AIX sudo.

Lose 2. It's so annoying, people just turn it off completely, thus negating any "security" it supposedly provides

Some people do find security annoying and turn it off. Good luck to them.

Then again, they've never been much to accept responsibility for security problems anyways...

How much responsibility should they (Microsoft) assume when users ignore the prompt or turn off UAC and then open that eCard from someone they don't know? Oops, I forgot. This is Slashdot. Any comments defending Microsoft are a moot point.

Re:Just rip off the band-aid (1)

Daniel Weis (1209058) | more than 5 years ago | (#27104561)

Your post reeks of troll.

Lose 1: So any permissions based system that requires privilege escalation is "buggy as hell and totally insecure"? I suggest you open a shell in linux and type "reboot". Oh, crap - we need more privileges to do that! Would you want any individual without the correct privileges to restart the system? (Although then again, you may be running as root, in which case I might have to ask - WHY?).

Lose 2: Seriously? Users come first. They want all their stuff to work just as it used to and they (sort of) want to be secure. There's a trade off here that Microsoft is making that is a completely understandable business decision. They are trying (and for the most part, succeeding) to please everyone.

Your position reminds me of this: http://xkcd.com/538/ [xkcd.com]

In the real world, software development is about trade offs and pleasing your customer base - not perfect algorithms and rms everywhere... Most users can't tell the difference between a secure system or not - but they sure as hell can tell when program XYZ won't run.

Re:Just rip off the band-aid (0)

Anonymous Coward | more than 5 years ago | (#27105061)

Lose 2: Seriously? Users come first. They want all their stuff to work just as it used to and they (sort of) want to be secure. There's a trade off here that Microsoft is making that is a completely understandable business decision. They are trying (and for the most part, succeeding) to please everyone.

No they're not. As it is this is a toy system. Hopefully this is only in the beta. If it stays in the release we're better off disabling UAC and giving up the pretension that there is something resembling security here.

If Microsoft has to go to these lengths then they should probably be considering taking all control away and just keep a whitelist of acceptable apps that users are allowed to install. I doubt that would go over well but in the end it's the only way to preserve this 'it just works' model of theirs and yet produce an OS that can be secure enough to be trusted outside of a lab.

Re:Just rip off the band-aid (1)

annerajb (1155635) | more than 5 years ago | (#27105013)

I never wanted to upgrade to Vista, but since I work at making games, I wanted to work on DirectX 11 and 64 bit, so I had to. The prompts get annoying, BUT you have to realize something: those prompts are what let you use your computer without getting a virus or accidentally deleting the wrong files. So I learned to live with the prompts for the greater good, i.e. my security. But some people prefer convenience instead of safety.

Re:Just rip off the band-aid (0)

Anonymous Coward | more than 5 years ago | (#27105149)

It's amazing how posting to Slashdot makes one unable to process the word "lose". Usually it's a confusion with "loose", but we see it's also with "loss". Quick summary: lose is a verb, loss is what was lost, and loose is an adjective. So to say "Lose 1" is nonsense; you probably mean "Loss 1".

Mend it or end it? (3, Insightful)

Igarden2 (916096) | more than 5 years ago | (#27104427)

Let's see, how long did it take for M$ to realize many users weren't thrilled with IE and its so-called security? I'm betting UAC is here to stay for a loooooong time. They will just keep trying to patch it and in the process further irritate users.

Re:Mend it or end it? (1, Offtopic)

fat_mike (71855) | more than 5 years ago | (#27104819)

Seriously, it is 2009, can we knock off the stupid M$?

Re:Mend it or end it? (0)

Anonymous Coward | more than 5 years ago | (#27104957)

Don't worry, M$ is on the way out. Windows Vista is a failure, Vista7 is a failure and staff are being fired in droves. Be patient. It's not a question of if it's gone, but when, and of how many small companies it will attack and destroy on the way out.

Re:Mend it or end it? (0)

Anonymous Coward | more than 5 years ago | (#27105151)

Looking at their financials, Mc will be more like it soon.

Security is often an all or nothing affair. (0)

Anonymous Coward | more than 5 years ago | (#27104451)

If you are using Windows 7 and want to be protected against silent elevation then turn UAC up to the highest level.

1. Set UAC to full
2. ???
3. Profit
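As an added defender-side check that is not part of the thread: the "highest level" the comment refers to is the "Always notify" setting, and on Vista and Windows 7 it is held in the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This PowerShell script (example code, not Microsoft's) reports the current setting, flags the Windows 7 default that lets whitelisted Windows binaries auto-elevate, and offers a function that raises UAC to "Always notify"; the function name and the output object are my own.

```powershell
# Added example, not from the Slashdot thread. Reads the UAC policy values and
# says whether every elevation (whitelisted Windows binaries included) will prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacStatus {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # EnableLUA = 0 switches UAC off: administrators always run with a full token.
    $enabled = ([int]$p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin (applies to members of the Administrators group):
    #   0 = elevate silently, never prompt
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop  ("Always notify", Vista default)
    #   3 = prompt for credentials
    #   4 = prompt for consent
    #   5 = prompt for consent only for non-Windows binaries (Windows 7 default;
    #       this is the mode in which whitelisted Windows binaries auto-elevate)
    $adminBehavior = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = ([int]$p.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        UacEnabled          = $enabled
        AdminPromptBehavior = $adminBehavior
        SecureDesktop       = $secureDesktop
        # Only this combination is the GUI's "Always notify" level.
        AlwaysNotify        = ($enabled -and $adminBehavior -eq 2 -and $secureDesktop)
        # True when signed Windows binaries elevate without any prompt.
        AutoElevateExposed  = ($enabled -and $adminBehavior -eq 5)
    }
}

function Set-UacAlwaysNotify {
    # Must be run from an elevated shell; the change applies after log off / reboot.
    Set-ItemProperty -Path $policyKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$status = Get-UacStatus
$status | Format-List

if (-not $status.UacEnabled) {
    Write-Warning 'UAC is disabled: nothing prompts, administrators run fully elevated.'
} elseif ($status.AutoElevateExposed) {
    Write-Warning 'UAC is at the Windows 7 default: whitelisted Windows binaries auto-elevate without a prompt. Run Set-UacAlwaysNotify from an elevated shell to close this.'
} elseif (-not $status.AlwaysNotify) {
    Write-Warning 'UAC is on but below "Always notify".'
}
```

Reading the values needs no elevation, so the status check is safe to run under a standard account; only Set-UacAlwaysNotify writes to HKLM.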

I don't understand the fuss over UAC (5, Insightful)

rjmx (233228) | more than 5 years ago | (#27104509)

First, let me say where I'm coming from. I've been using Linux for over twelve years; I have two full-time Linux servers at home, and a desktop and a laptop that both dual-boot Linux and Vista. I have an XP box and a Linux box at work, where I'm a Linux/Windows sysadmin and programmer, and I do most of my serious stuff there on the Linux box. At home, I stay in Linux most of the time, and I just boot into Vista when I want to run iTunes, or a game, or something else that only runs on Windows.

That said, I actually like Vista. As I see it, its main problem is that it needs a fairly hefty machine to run it. If you're trying to run it with less than 1G of memory, or a not-very-fast processor, forget it. It certainly works for me.

And I don't mind UAC at all. When it comes up, it's usually trying to tell me that I'm about to do something that may have serious consequences, and that I need to think about what I want Vista to do before I press OK. It just takes a moment, really.

So why is everybody complaining about it? Have I missed something?

Re:I don't understand the fuss over UAC (1)

SpaceLifeForm (228190) | more than 5 years ago | (#27104573)

It is 'Security Theater', it will not stop botnets from being formed.

Re:I don't understand the fuss over UAC (1)

arndawg (1468629) | more than 5 years ago | (#27105365)

It is 'Security Theater', it will not stop botnets from being formed.

IT will not STOP. But it will help the users that are smart enough to know that their Excel document shouldn't require admin privileges!

Re:I don't understand the fuss over UAC (5, Insightful)

Sycraft-fu (314770) | more than 5 years ago | (#27104657)

People are bitching because they want to, as the saying goes, have their cake and eat it too. They want their OS to keep them safe. When something bad could happen, they want the OS to jump in and say "Hey there, this could have serious consequences, you sure?" However, they don't want to be bothered to think. They want this all automatic. They want the OS to magically know if things are bad, and thus only bother them in that case. They want security, but without any responsibility.

Also some bitch because it is Microsoft. There are more than a couple MS haters out there that will hate on any and every thing MS does. If someone else does it, it is good, if MS does it, it's bad.

So there isn't going to be any shutting up either group, unfortunately. You can't have magic security that keeps you safe, but never asks you questions. Personally, I was hoping MS would stick to the real security route: Have UAC a true privilege separation, with no exceptions. Yes this means you have to click a button when you want to do something as admin. Deal with it, it isn't as though it is that often in normal use, and it isn't as though it's a big deal. However, they are apparently caving in and making it less frequent by making things that don't have to obey the rules. Well guess what? When something can go around the rules, something else can use that hole to sneak through.

It would be like having a security checkpoint for weapons. Everyone gets scanned and searched. However you decide "Well little old ladies aren't a threat, they wouldn't bring a weapon, so let's not inconvenience them, we'll let them go through." Then someone uses a little old lady to sneak a gun in. Maybe it is even done without said lady's knowledge. They are able to circumvent your system because of your exception.

Yes... but... (5, Insightful)

TerranFury (726743) | more than 5 years ago | (#27104885)

I agree in spirit, but the implementation is bad.

I once tried to write a "sudo for Cygwin" that would bring up the UAC confirmation box and run a program with associated elevated permissions in Vista. (Other people have written programs that they call "sudo for Vista," but none of them do what I want. In particular, they don't run programs in the same console.) In the process of poking through the security APIs, I learned a little about what a mess UAC is under the hood.

Windows NT/XP has a perfectly good security model, if only people would use it. In some ways it's more sophisticated than Linux's: For instance, file permissions are more fine-grained on NT. The problem really hasn't been with XP/NT; it's been "social:" it was the culture of software development on Windows to too often require, unnecessarily, that users have administrative rights.

Microsoft's solution in Vista was to restrict the rights of administrators and add GUI confirmation boxes. This was the wrong solution, I think. In my (admittedly armchair-quarterback's) judgment, the right one would have been to:

1 - Keep traditional XP-style administrator and user accounts, with roughly the same privileges as they'd always had.

2 - Require OEMs to ship computers with user, rather than admin accounts, enabled. Randomly-generated default admin passwords should be written on a sticker on the front of the PC's case.

3 - Add a "sudo" mechanism, perhaps with the following modifications from 'nix sudo to make it easier for novices:

... a - The sudo prompt pops up automatically when a program attempts to do certain classes of things for which it does not have privileges. This differs from Linux, in which a program will simply fail with an "Insufficient permissions" error; this would be pretty opaque to novice users I think.

... b - "sudo" could be configured (and perhaps should be by default) so that it is sufficient to click a "confirm" button in lieu of typing in a password.

This is almost what UAC is. But the devil is in the details. What Microsoft actually did was make "Administrator" accounts into something more like "user" accounts, and add a level of privilege yet higher than administrator. But it feels tacked-on, and not really "at home" in the NT security model, which in fact provides plenty of control on its own over what rights different users and groups have, if only it were used correctly.

In other words, Microsoft shouldn't have restricted Admin accounts in this poorly-documented way; it should have instead added a sudo mechanism to make it more feasible to run as a User, and kept the nicely-documented and well-designed security model that NT has always had but people have simply never used.

Re:Yes... but... (1)

noctrl (452600) | more than 5 years ago | (#27105253)

a - The sudo prompt pops up automatically when a program attempts to do certain classes of things for which it does not have privileges.

No, this opens up for social attacks.
Please remember that regular computer users will double-click on anything (including landmines) and will in general have no clue what elevated privileges means.

This differs from Linux, in which a program will simply fail with an "Insufficient permissions" error

And this IS the correct way to do it.

Bug? (1)

Altreus (1492723) | more than 5 years ago | (#27104511)

Is this a bug? I mean, with Microsoft's track record and unwillingness to learn from mistakes, I can only theorise that this is actually a feature.

The problem (5, Insightful)

Sycraft-fu (314770) | more than 5 years ago | (#27104567)

Is that whiny users want something that magically protects them, but doesn't bother them. That's a nice idea and all, but you can't have that. You can't have it both ways with something like this: Either it is a real separation of privileges like it is in Vista, or there's going to be holes.

Well, they gave people the real security that they'd been crying about with Vista. When UAC is on it is a no bullshit, you have to escalate to do things as admin. There aren't exceptions or the like, you escalate when you need admin. This does mean it asks in a lot of situations. Well, there's no avoiding that. Like I said, no exceptions. It is also very granular. It isn't one of these "Oh just click it once and we'll escalate everything for the next few minutes," things. That again would be insecure. No, it is per item. That thing and that thing only gets the elevated privilege.

But people whined and bitched, including many of the same people who whined and bitched in the first place, so now they are backing off. Well, as part of that, you open up some potential holes. Sorry, but that's just life. If there are exceptions to the rules, then something can make use of those exceptions.

You can't have a system that magically knows what the bad apps are, and only asks permission on those, well at least you can't without some sort of draconian trusted computing BS. That's what users want, but they can't have it, it isn't possible. Thus you've got three choices:

1) Allow everything for administrators. Assume the admin knows what they are doing, and let them do whatever they want. Don't ask for permission for any action. This is the Windows XP method. It's very convenient, but also means that you'd better be careful.

2) Have truly separate permissions, and require escalation. Everything has to go through the procedure, no exceptions. This is the Vista method. Means you get asked a lot (though personally I don't find it bad at all) but it is secure. Nothing gets to slide through because there aren't special cases.

3) Have separate permissions, but allow exceptions to make things easier. Ask only in certain situations, or only so often. Just let everything else go by. This is the Windows 7 method (and also several variants of Linux I've seen). Fairly convenient, and more secure than #1, but only superficially so. Because there are exceptions, there are back doors for things to sneak through.

So really, users have to come to terms with what they really want. The "I want it to protect me from bad things, but not bother me," doesn't work. That is akin to saying "I want security to make sure nobody sneaks a weapon on a plane but I don't want to go through a security checkpoint." No, sorry, doesn't work that way. If it is really going to work, then it has to be consistently applied to everyone or everything.

Re:The problem (1)

leomekenkamp (566309) | more than 5 years ago | (#27104755)

In which of your three choices would you categorize MacOS X? And this is a genuine question, not fanboism.

Re:The problem (1)

Sycraft-fu (314770) | more than 5 years ago | (#27105293)

I haven't used OS-X enough to render an informed opinion on that. We are a Windows/Linux/Solaris shop at work so I use OS-X only rarely, and then usually only as an "end user" type not as an admin.

Re:The problem (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27104857)

You can't have a system that magically knows what the bad apps are, and only asks permission on those, well at least you can't without some sort of draconian trusted computing BS. That's what users want, but they can't have it, it isn't possible. Thus you've got three choices:

This is what I hate about modern computer security. So "You can't have a system that magically knows what the bad apps are" but my mother is supposed to magically be able to disassemble the machine code by visual inspection and reverse engineer a formal proof that the code is safe to run?

These sorts of questions are a complete cop-out by the designer. The user never has enough information to make an informed choice. Either they click "yes" to everything or "no" to everything because how are they supposed to decide on a case-by-case basis? Astrology? Asking their cat? Taking a whizz on the keyboard and seeing what words are formed?

I assume that in almost all cases the real reason they are being asked is just to shift the blame for the shitty state of normal computer security onto the users.

In any event the security model you are assuming is so incredibly limited - a two-level authorisation framework where you assume the important thing is protecting system integrity. Many people are quite fond of their data as well, which is stored under the user privileges. That's why the user/root distinction on Linux doesn't really help me as a home user - the only things I care about are on ~/ and the rest is more-or-less a stock install with a few modified config files. Sure an exploit on a program running as my user account couldn't affect /etc, but it could sure affect ~/docs/banking.

Re:The problem (1)

DarkOx (621550) | more than 5 years ago | (#27105039)

As to the two level problem in Unix, it's not: you can be a member of multiple groups, you don't have to use ACLs, and ~/docs/banks does not have to have write access for your default group. Oh, and groups can be password protected as well. As a home user where you have total control over the system you would be free to create as many user accounts as you like as well. I for one do things like banking and taxes in a different account than I do everything else. I run those apps, browser included, for banking under sudo and only use that account for those activities.

You could do much the same on Windows, even XP with its run as feature. I suspect it would be just as secure. The problem with the Microsoft world is not the software, it's the expectation that the user does not have to understand the tools. To get any work done at all you have to trust somebody some time.

You need to trust your OS vendor.
You need to trust your business partners
and you need to trust you know you are really dealing with each via some CA authority or similar at some point.

Beyond that you probably need to run things unprivileged in their own sandbox. So maybe you don't use the same account for surfing the web and YouTube and the like as you do for your work, and use a third account for your finances and record keeping. All separate with their own tokens (passwords most of the time).

If you are going to run some kind of script or install a new version of software like a browser that might get run in the accounts you care about, you need to trust the provider or read the source if it's something manageable like a script.

No matter what software you are using, the computer does not think, it only does. You will never have security as long as the user is not expected to KNOW something about how the machine works and what tools they have at their disposal to know who they're dealing with. To use the car analogy, would you expect a car to be safe in the hands of someone who does not know how to drive?

Re:The problem (0)

Anonymous Coward | more than 5 years ago | (#27105303)

The root/user model doesn't protect your data and it was never meant to do that. It protects the system from the users and the users from each other.

If you want your data to be secure and safe you surely need other means of protection, like encryption and backups. But the point is, if you can't protect your system then every added security is meaningless.

And for your first point. You are right in that you can't expect users to magically know what is secure and what is not. But I don't come to the same conclusion. You can't expect people to just know how to handle a car in a secure way either. They have to learn it.
Why can't we expect that of computer users? You don't have to know much to use UAC to your advantage. I don't know much about what a program does when the prompt shows up either. But I know that my actions triggered that dialog.
Showing up when opening some administrative tool: expected to show up, just click ok.
Showing up with a normal program: better do some research about it.

That's what they need to know to keep their computer quite safe and be happy with UAC. It needs some effort of them, but so does everything else in the world.

Re:The problem (0)

Anonymous Coward | more than 5 years ago | (#27104947)

> 2) Have truly separate permissions, and require escalation. Everything has to go through the procedure, no exceptions. This is the Vista method. Means you get asked a lot (though personally I don't find it bad at all) but it is secure. Nothing gets to slide through because there aren't special cases.

Actually, this is also the Linux method, with one major difference: Vista escalation is once per every action, whereas on Linux you can also get "at most once per X minutes" (with a bit of a security problem) or "for that specific application" or, for me most important, "for this console window".
Differences to Windows:
1) I can actually get stuff done with that console Window (personally I also consider PowerShell as combining the disadvantages of a programming language with the disadvantages of a shell combined with a lack of command-line tools).
2) The "for that specific application" exists in Windows, too, except for the one application I consider most important: the Windows Explorer. You can hack it to work for it, but then each explorer window runs in an extra process. Just a "give me one explorer window with full admin"-feature I suspect would make many power-users happy.

Re:The problem (0)

Anonymous Coward | more than 5 years ago | (#27105063)

It's easy to take the attitude that the users are idiots, particularly since most of us are developers who have to deal with the supposed idiocy of users all the time. But seriously stop and think about how far we will get if we blindly take that attitude.

Developers (particularly in OSS ego-land) seem to have this attitude that the solution they've provided is the best and that there's a set way to do something and if the user doesn't like it they have to put up with it. It can be reasonable, but it can also be a case of developer ego blocking the real issue. Case in point: gedit has had an open bug for 2 years now relating to saving files on CIFS shares. The developers have essentially stated that certain functionality causing the problem is necessary and the bug will not be fixed, resulting in the situation that there is a severe problem saving files on CIFS shares in gedit out of the box. If users can't use or complain about your program, is it your fault or the users? "Assume users are idiots" is right up there with "don't trust user input".

I'm not saying that the UAC whitelist is the way to go, but a blanket attitude that security is done a certain way and the users are wrong is not going to improve the user experience, move product or convince users that it's worth upgrading. And in the end it's the users who are using your software.

UAC was an interesting experiment (2, Interesting)

Eric Desrosiers (678902) | more than 5 years ago | (#27104583)

Microsoft went an interesting way with UAC and security in Vista. If you are running as a normal user, then if you attempt to do an operation that requires elevated privileges, you get prompted for an admin user id and password. Which is what you want.

Where it goes weird is if you are running as administrator; then it prompts you with the allow or deny box. This is silly for power users, but for people who only used the older versions of Windows and don't know much about the user rights model in other OSes, at least it does provide some information that some software is trying to do something significant.

I always thought the point of UAC was to push people to run as a normal user for their day to day operations. However, I don't believe Microsoft attempted to do even a little bit of education and the UAC prompt itself is not very informative.

However, I don't think Microsoft should be blasted for UAC: They tried something new and interesting to attempt to make their OS more secure.

As for the story, as long as the behavior when running as a normal user is not affected, then I don't really think it matters.

Re:UAC was an interesting experiment (1)

John Hasler (414242) | more than 5 years ago | (#27105349)

> I always thought the point of UAC was to push people to run as a normal user for their
> day to day operations.

Then non-admin would be the default. Is it?

Mend it or end it. (3, Funny)

ciderVisor (1318765) | more than 5 years ago | (#27104597)

"Ending is better than mending. The more stitches, the less riches; the more stitches ..."

Human error (2, Insightful)

mc1138 (718275) | more than 5 years ago | (#27104635)

Microsoft's problem is that they tried to fix human stupidity with a technical solution. The problem with UAC is that people would either just click ok without reading, or turn it off entirely. Then, complain that Windows was insecure. What Microsoft failed to really come to terms with is that there are a lot of dumb users out there that will circumvent everything, go to all the nasty porn sites they can, and get viruses that they will then blame on something other than their own user error.

Re:Human error (1)

Heather D (1279828) | more than 5 years ago | (#27105133)

Truth. I'm not a fan of MS but it does seem that they cannot win with this. People just want the trains to run on time and they'll get that and damn the consequences.

The end of the empire? (2, Insightful)

Trip6 (1184883) | more than 5 years ago | (#27104651)

I'm mostly an office user and switched to Mac - there's no way I'll run Vista or, at this point, W7 (which looks like a Vista retread). I'm not at all alone. How fast will MS OS share decline if W7 doesn't stop the bleeding?

It's all a workaround (2, Insightful)

AnalPerfume (1356177) | more than 5 years ago | (#27104665)

Windows was designed as a single user system with the user sitting at the box. As soon as you connect it to other boxes via a network it's dead. All of Microsoft's plans for Windows security are based around trying to get a level of multi-user protection into a system not designed for it. They are desperately trying to apply a band aid to a broken leg with solutions like UAC; some of the damage may be limited but it's not a great solution and will never be, no matter how much they work on it.

The only solution is to scrap Windows altogether and build a new multi-user OS from scratch.....or do what Apple did; take the BSD kernel, add a few bells and whistles with a fancy skin and pretend they invented it. The two areas they have a problem if they go that route, is that they are hemorrhaging money on the products they do have on the market since more and more people are deciding that they don't want what Microsoft are offering them, and that they have the world convinced that the Microsoft way is king, that any change is bad because it's confusing and means relearning.....which would be an issue if they changed Windows with another OS.

Companies only put work into a product if that somehow feeds results back into the profits. Like any company, they want to do as little for the most gain. Constantly tinkering with the security applications is much easier and cheaper than a complete rewrite. It also helps when you have a software sector which relies solely on your incompetence. The anti-malware companies wouldn't exist if you did your job right, they also have to compete with each other as to who can cover your ass the best; which also lets you cut back on spending money to really make it secure.

As the internet evolves, as people find new ways to use and abuse it, Windows gets more and more obsolete. The more FOSS improves, evolves and continues to offer users flexibility, freedom, security and stability, Windows gets more and more obsolete. It's only a matter of when, not if it becomes a minority player.

Re:It's all a workaround (2, Funny)

ettlz (639203) | more than 5 years ago | (#27104743)

> The only solution is to scrap Windows altogether and build a new multi-user OS from scratch....

And what might they call this... this New Technology?

OWAIT

Re:It's all a workaround (1)

npcompleat (942042) | more than 5 years ago | (#27104945)

For those who don't know, Windows NT has an interesting ancestry:

VMS ----> WNT

Here's another example of the same relationship:

HAL ---> IBM

Full Featured Windows API (3, Funny)

Sponge Bath (413667) | more than 5 years ago | (#27104683)

> ...APIs such as WriteProcessMemory and CreateRemoteThread.

At first glance I was wondering why Microsoft would supply an API function CreateRemoteThreat().
Even for Windows, that would be a little out there.

The first thing I will do after getting Win 7... (3, Interesting)

sam0737 (648914) | more than 5 years ago | (#27104741)

...is to re-configure the UAC to make it as strict as Vista.

Hell, UAC is good. It's better than sudo. With sudo I will be tempted to use "sudo -s".

The most common scenario to meet a UAC dialog for me is when installing new apps or drivers. Other than that, you shouldn't really see a UAC dialog...
Most of the apps I came across have adapted to require no admin privileges. After all, it's the app's fault for requiring UAC in the first place when it doesn't really need admin privileges.

BTW, I think in Win 7, AFAIK all Microsoft signed EXEs are exempted from the UAC prompt by default. There isn't a whitelist but simply all MS signed binaries are exempted.
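As an added example, not code from this thread or from any poster, here is a PowerShell audit of the UAC policy values that the "as strict as Vista" setting consists of. The registry key and value names are the real UAC policy settings; the level meanings follow Microsoft's documentation, where level 5 (the Windows 7 default) is the "prompt only for non-Windows binaries" behaviour this story is about.

```powershell
# Added example: audit (and optionally harden) the UAC policy values.
# Key and value names are the documented UAC policy settings; the target
# values below correspond to "Always notify", i.e. Vista-style behaviour.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Target: LUA on, consent prompt on the secure desktop for every elevation,
# including elevation requests from Windows-signed binaries.
$Target = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }

# Meaning of each ConsentPromptBehaviorAdmin level, per Microsoft's docs.
$AdminLevels = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista-style, strict)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-UacPosture {
    # Returns one row per setting; a missing value means the policy default applies.
    $current = Get-ItemProperty -Path $Key
    foreach ($name in $Target.Keys) {
        $value = $current.$name
        $note = if ($name -eq 'ConsentPromptBehaviorAdmin' -and $null -ne $value) {
            $AdminLevels[[int]$value]
        } else { '' }
        [pscustomobject]@{
            Setting  = $name
            Current  = $value
            Expected = $Target[$name]
            Strict   = ($null -ne $value -and [int]$value -eq $Target[$name])
            Note     = $note
        }
    }
}

function Set-UacStrict {
    # Writes the strict values. Needs an elevated shell; the change applies
    # after the next logon. On a domain member, Group Policy may overwrite it.
    foreach ($name in $Target.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $Target[$name] -Type DWord
    }
}

Get-UacPosture | Format-Table -AutoSize
```

Run `Set-UacStrict` only after reviewing the table; a `Strict` column that is all `True` means Windows-signed binaries no longer auto-elevate silently.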

Re:The first thing I will do after getting Win 7.. (1)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27105067)

> Hell, UAC is good. It's better than sudo.

I'm not quite sure I'm convinced. I saw a documentary on this a few months ago that made it quite clear that the UAC doesn't really offer much value and is very annoying at best. I don't remember what it was called but it ended with the following quote (maybe you can use it to track it down online?)

"You are coming to a sad realization. Cancel or allow?"

imagine if AT&T phones failed on 911 calls (-1, Flamebait)

mtrachtenberg (67780) | more than 5 years ago | (#27104769)

People need to start developing ways to prevent Windows 7 systems from connecting to the internet.

I'm serious. Is there any international standards body that can recognize this for the problem it is?

Microsoft continues to use its status to put code on gazillions of computers that allows easy creation of herds of denial-of-service botnets.

This is as criminal as if AT&T, when it was a monopoly, distributed telephones that failed half the time on calls to 911. We accept it only because we're used to it.

Summary of the stupidity (4, Insightful)

v1 (525388) | more than 5 years ago | (#27104913)

> In the original Vista release, this activity would cause an annoying back-to-back double elevation: once to create the folder, and again to rename it to its intended name. Service Pack 1 streamlined this a little, reducing it to only a single elevation, but Microsoft clearly wanted to get this down to zero.

NO! Bad monkey, no cookie! There is NO reason to allow ANYTHING to write to my /Program Files (or /Applications if you prefer) folder without my permission. None. Zero. I want a prompt. Yes, just one, but I want a prompt!

And that passes right into the hands of an almost unbelievable standard method in windows:

> Unfortunately, the "Microsoft-signed application" restriction is easily bypassed using a standard Windows trick that allows one process to insert code into a second process, as long as both processes are being run by the same user. The limitations of the file management component are probably unavoidable (it can only do the things it has been programmed to do, after all), but it turns out it doesn't really matter. The file management component can place files into various locations on the system that an unelevated user cannot; an auto-elevate program can then be tricked into loading those files and executing code from them.
>
> The result is, just as with the rundll32 problem, silent and automatic elevation, able to do anything.

WHY ON EARTH would you arbitrarily allow any random program a user is running to pass commands to a signed application that by its signature can walk right through locked doors?? I'll admit there probably are instances where you would like to pass commands (requests) to another app to handle something, but then you either (1) have to severely restrict the scope of the requests it will process, or (2) don't sign it to give it rights to do whatever it pleases. This is like a mall security guard being given the keys to the maintenance halls, and the guard letting any joe public in that asks him. Either give him some common sense or take away his keys. A filemanager that has the power to do anything you ask it to, and will do so blindly and willingly, is just a jaw-dropper.

Sometimes the scope of Windows security stupidity astounds me. And yet they consistently keep finding ways to top themselves.

Fix the HTML control (1)

argent (18001) | more than 5 years ago | (#27105213)

Back out the huge mistake introduced in 1997 with Active Desktop... the ability of the HTML control to grant untrusted code full local user privileges. Building layers of soft internal sandboxes between local user processes is fine and dandy, but it won't provide a fraction of the benefit of reducing the surface area to initial infection.

Remove the ability of the HTML control to grant local user access. Make ANY privilege escalation from a hard sandbox (via ActiveX, .NET, or active scripting, or even passing off a URL or downloaded object to a helper application) require an explicit operation (either ahead of time, as in KHTML's 'IO Slaves', or through a callback) from the process that launched that instance of the HTML control.

Then, provide a wrapper that implements the old API, but require the user to explicitly launch this legacy mode and run any application that uses the legacy API inside a hard sandbox (either a virtual machine, or if the Windows APIs can be sufficiently firewalled something like a FreeBSD Jail) that provides no long-term storage visible outside that sandbox.

Nothing less is going to solve Microsoft's security nightmare.
