Monday, July 13, 2009

UAC is not (that) broken in Windows 7

Note 25-11-2011: I initially planned to pair this post with another post discussing the flipside – that injection-based attacks still pose a risk, and it would be better for Microsoft to have left the default at the maximum setting, and force the user to use a Standard account. Since Leo Davidson (the discoverer of the flaw) replied below, I also intended to post a response to his reply – however, both got sidelined and forgotten. This post is left here intact for historical purposes.

A few days back, Long Zheng (who has my utmost respect as a blogger) published (another) article about UAC. Before we discuss that, let’s summarise the article linked at the top of his, written by Microsoft’s Mark Russinovich:

  • UAC was made primarily to make life easier for standard users. Ergo, standard users could use Vista with relative ease, as opposed to, you know, pretty much not at all.
    • It does so by using a split token – users would run in standard mode, and get a prompt to elevate when needing admin privs.
    • In this way, people could set up an admin account for big swaths of admin fun, while using standard accounts normally without having to switch to the admin account for e.g. installing stuff.
  • Many people were complaining that they still had to get great swaths of prompts to elevate to admin while they were using an admin account. Still others complained about redundant and unneeded prompts.
    • Microsoft responded to this by cutting down on multiple prompts and removing unnecessary prompts.
    • They also added a security token to some programs that will make those programs autoelevate some tasks in admin mode. That way, admins can do their great swaths of admin stuff without getting a prompt every minute or so. Pre-emptive comment: that was an exaggeration to make a point. I know there must be something seriously wrong with my computer to get a prompt a minute.
  • UAC is not a security boundary. In the end, it is up to the user to decide whether or not to run that program.

Zheng’s primary point of contention is that programs will inject code into other programs to get elevated, rather than going through the hassle of elevating themselves. This ignores several things:

  • It is actually harder to inject code into another service than to set up an elevated COM interface (or to autoelevate your program).
  • People doing this are just begging for their programs to be broken in the next release of Windows.
  • It is unlikely that any major software developer is going to do this, since they usually submit their programs through WHQL, which is sure to pick up on this practice.
  • Programs can do this anyway – that is, piggyback on some other program’s UAC prompt using injected code. Once someone else’s code is running, “your system” isn’t *your* system anymore.
  • If you’re a virus writer, it’s easier to tell your users to elevate first than to go through the hassle of code injection.
  • Finally, standard users will still get the prompt. If you are running as admin, you either a) should know what you’re doing, or b) shouldn’t be admin in the first place.

I’ve also seen some people claim that this allows Microsoft to parrot “make your programs UACified” without doing it themselves. Er, no, because they still have to make it work for standard users. The whole admin thing is to make it easier to set up your computer, then set up a standard account.

Having said all that, I do think Microsoft is making a mistake, and I for one will be pushing the UAC bar all the way to eleven. However, treating it as some inherent flaw in UAC is missing the whole point, which was to run as standard user without switching accounts.
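As an added example (my own code, not from the original post or from Microsoft), here is a PowerShell check for the two things discussed above: whether a given binary carries the autoElevate manifest flag mentioned in the bullets, and whether the UAC slider on this machine is actually at the top setting. The registry key and value meanings are documented Windows settings; the function names are mine.

```powershell
# Added example (not from the original post). Reads the UAC policy values that the
# Windows 7 slider manipulates and reports whether the machine is at the maximum
# ("Always notify") setting, then scans a binary for the autoElevate manifest flag.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacPolicyKey
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = prompt for credentials,
    # 2/4 = prompt for consent, 5 = prompt only for non-Windows binaries (Win7 default).
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # "Eleven": UAC on, admins always prompted, and the prompt on the secure desktop.
        IsAlwaysNotify             = ($p.EnableLUA -eq 1) -and
                                     ($p.ConsentPromptBehaviorAdmin -eq 2) -and
                                     ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-AutoElevateManifest {
    param([Parameter(Mandatory=$true)][string]$Path)
    # The application manifest is embedded in the executable as plain XML, so a
    # text scan of the raw bytes is enough to see whether it asks for auto-elevation.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $text -match '<autoElevate>\s*true\s*</autoElevate>'
}

# Usage: report the current policy, then list which of the system's own
# executables carry the autoElevate flag (the signed Windows binaries in System32).
Get-UacPolicy | Format-List
Get-ChildItem "$env:windir\System32\*.exe" |
    Where-Object { Test-AutoElevateManifest -Path $_.FullName } |
    Select-Object -ExpandProperty Name
```

Running it on a default Windows 7 install shows IsAlwaysNotify as False (ConsentPromptBehaviorAdmin is 5); after moving the slider to the top it reads True.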

As an added bonus, Rafael Rivera (who I also have a lot of respect for) asks why the icon is a shield if it’s not protecting users. I can think of a few reasons:

  • Its use stems from the Security Center in Windows XP which was (shock horror!) a shield. Although Security Center is no longer in Windows 7 (replaced by the Action Center), the icon remains to avoid confusion.
  • (submitted by Bad Analogy Guy:) Like a proper shield, it’s up to the bearer to decide whether or not to hold it up or down. However, knights don’t wear shields when they’re hunting, nor do lords when they’re beating up peasants *ahem*, making proclamations and laws and whatnot, because they can be reasonably sure that they’d be safe.
  • Marketing and programmers don’t talk very well to each other.

Have a great day, I’ll be here all week. Try the veal.