Free Republic
Browse · Search
General/Chat
Topics · Post Article


Hacker, Microsoft duke it out over Vista design flaw (UAC broken by design)
ZDNet | 13 Feb 07 | Ryan Naraine

Posted on 02/13/2007 10:59:28 PM PST by Spktyr

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out — from Microsoft officials — that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can’t under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Russinovich, a technical fellow at Redmond, writes:

As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can.

This potentially includes a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory.

That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data.

That kind of escape, called a squatting attack, is sophisticated and requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.

Russinovich pegged it as a tradeoff between application compatibility and ease of use, explaining the weakness as a "design choice."

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

That explanation isn't sitting well with Rutkowska. In an e-mail interview, the Polish malware researcher said she was "pissed off" by what she perceived as Russinovich's flippant attitude to the potential risk.

"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.

"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen of new attacks against UAC)," she added.

Rutkowska also took issue with this line from Russinovich's argument:

"[H]aving your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account's code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code…"

"This is not valid," Rutkowska declared. "If we followed this reasoning, then we would not be able to talk about security in our email clients nor web browsers, because they all also access data and code which are not trusted."

Her final thought: "I believe that the Vista security model is a good thing and that users can benefit from it, but Microsoft must change their attitude and start treating them as security mechanisms."

[UPDATE: February 13, 2007] Rutkowska wrote in to clarify a few things that appear confusing in the article above:

There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was “pissed off” not because of #1, I was “pissed off” because Microsoft employee — Mark Russinovich — declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but, I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow up titled “Vista Security Model - A Big Joke”.


TOPICS: Computers/Internet
KEYWORDS: defectivebydesgn; vista; whatsecurity
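As an added example (not part of the ZDNet article or of this thread), the PowerShell script below reads the UAC policy values that govern the behaviour discussed above, including the installer-detection heuristics Rutkowska objects to, and flags settings that weaken UAC further. The registry path and value names are the documented Windows policy settings; the defaults assumed when a value is absent are assumptions noted in the comments.

```powershell
# Added example: audit the UAC policy values under the documented policy key.
# Defaults used when a value is absent are assumptions (typical client default).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSetting {
    param([string]$Name, [int]$Default)
    $props = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $Default   # absent value: Windows applies its built-in default
}

# Meaning of ConsentPromptBehaviorAdmin values (Admin Approval Mode).
$adminPromptMeaning = @{
    0 = 'Elevate silently, no prompt'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

$settings = [ordered]@{
    EnableLUA                  = Get-UacSetting 'EnableLUA' 1
    ConsentPromptBehaviorAdmin = Get-UacSetting 'ConsentPromptBehaviorAdmin' 5
    ConsentPromptBehaviorUser  = Get-UacSetting 'ConsentPromptBehaviorUser' 3
    EnableInstallerDetection   = Get-UacSetting 'EnableInstallerDetection' 1
    PromptOnSecureDesktop      = Get-UacSetting 'PromptOnSecureDesktop' 1
}

$findings = @()
if ($settings.EnableLUA -eq 0) {
    $findings += 'EnableLUA=0: UAC is off; admin-group users run every process at full privilege.'
}
if ($settings.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin=0: elevation happens silently, so no user ever sees a prompt.'
}
if ($settings.PromptOnSecureDesktop -eq 0) {
    $findings += 'PromptOnSecureDesktop=0: the prompt is drawn on the shared user desktop instead of the isolated secure desktop.'
}

Write-Host "UAC policy values read from $uacKey"
$settings.GetEnumerator() | ForEach-Object { Write-Host ("  {0,-28} {1}" -f $_.Key, $_.Value) }
Write-Host ("  Admin prompt behaviour: " + $adminPromptMeaning[$settings.ConsentPromptBehaviorAdmin])

# Installer detection is the design point in the article: when it is on, an
# executable recognised as a setup program is only offered elevated execution.
if ($settings.EnableInstallerDetection -eq 1) {
    Write-Host 'INFO: installer detection is on; recognised setup programs always prompt for elevation.'
} else {
    Write-Host 'INFO: installer detection is off; setup programs run as the invoking user unless they request elevation.'
}

if ($findings.Count -eq 0) { Write-Host 'No weakened UAC settings found.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```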
To: Spktyr; ROTB

Auto updates are for pushies. Disable that bastard service using run > services.msc and monitor manually. You want control, right?!


21 posted on 02/14/2007 12:10:21 AM PST by jdm (Democrats Take House/Senate; no Petronski... 2007 is going to be a long year...)

To: ROTB

Don't let the fear mongers get to you. Sounds like you're doing good to me. I turned off auto updates too. That's just one more service you don't need running 24/7. However, you should manually check for updates every week or so.


22 posted on 02/14/2007 12:13:42 AM PST by jdm (Democrats Take House/Senate; no Petronski... 2007 is going to be a long year...)

To: Spktyr

Nothing new here. They had this sort of problem in all versions of Windows. Most likely, further security development would take too long and delay the release of the OS.


23 posted on 02/14/2007 12:16:58 AM PST by aliquis

To: ROTB

If you insist on using MS you MUST do your updates....I've turned off my auto updates too, but the OS lets me know when there is an update and I always want to see what it is before I download it....

Not doing the updates is about as smart as unprotected sex....you will eventually get burned.


24 posted on 02/14/2007 12:22:53 AM PST by Halgr (Once a Marine, always a Marine - Semper Fi)

To: rdl6989

I have the Dual Core 2.8 4 G Ram Raid 0+1 SATA Drives

In this config Business Vista is a big improvement. However there are a few anomalies but so far nothing fatal.

It is a real improvement so far.

W


25 posted on 02/14/2007 2:28:02 AM PST by WLR ("fugit impius nemine persequente iustus autem quasi leo confidens absque terrore erit")

To: Egon

Another good reason to linger at XP, and experiment with Ubuntu 6.10.


26 posted on 02/14/2007 2:42:00 AM PST by RhoTheta

To: Spktyr

UAC is so annoying that you will find yourself turning it off. Basically running naked.


27 posted on 02/14/2007 2:50:39 AM PST by tje

To: Bon mots

Looks cute, is she marred?


28 posted on 02/14/2007 3:07:55 AM PST by G-Man 1

To: Spktyr

It will be a long time before I purchase Vista....like maybe when Global Cooling is fashionable on the Left again!


29 posted on 02/14/2007 3:20:00 AM PST by texson66 ("Tyranny is yielding to the lust of the governing." - Lord Moulton)

To: rdl6989
I'm debating staying with XP due to the things I've heard about Vista needing so much computing power.

My neighbor was just given a new computer by her daughter.

Nice...A Toshiba Satellite, 1.86 GHz, 512 Megs, not a Snaileron CPU. Some Store actually got it to run Vista, and dumped it on them.

Vista does load on it, eventually, and gives me a warm, nostalgic feeling for my Commodore 64.

30 posted on 02/14/2007 3:31:57 AM PST by Gorzaloon (Global Warming: A New Kind Of Scientology for the Rest Of Us.)

To: G-Man 1
Looks cute, is she marred?

I don't know. Ask her.

I can only see one side of her face, and it looks unmarred to me.

...or did you mean married?

:-)

31 posted on 02/14/2007 3:38:02 AM PST by Bon mots (An Islamist wants to kill you. A Muslim merely wants you dead.)

To: Spktyr
Some amusingly horrifying (or horrifyingly amusing) excerpts from that Slashdot thread...
by KingSkippus (799657) * on Tuesday February 13, @04:08PM (#18003076) (http://skippus.blogspot.com/ | Last Journal: Sunday June 19, @07:25AM)

There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.

After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

 

* * * * * * * * * * * * * * * *

 

by 787style (816008) on Tuesday February 13, @04:33PM (#18003516)

I had probably the most frustrating ten minutes I have ever spent on a computer before.

Start, typed in regedit enter.
Vista:Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the program name I wanted. Thanks for checking though. (click) ....
Edit the registry, close it. That was easy. .... double clicked on setup. Stupid shield on my icon, what does that mean?
Vista: are you sure you want to run this? it's a program, you know.
Me: Oh that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: yes, they pay me. I trust them. (click) .....
Install......that was easy. ....
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over ...
Open my computer, go to program files ....
Vista: Are you sure you want to go there?
Me:Yes (click) ...
open up the application folder ....
drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista:You are trying to copy from a network share to the program files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click) ....
Drag to Desktop. ....
Drag from desktop to application folder. ...
Vista: Are you sure you want to overwrite this file?
me: for the love of god yes
Vista:A program wants to write to the Program Files folder. Is this ok?
Me: Die.Die.Die.Die.

 

* * * * * * * * * * * * * * * *

 

by hackstraw (262471) * on Tuesday February 13, @05:36PM (#18004468) (http://www.spamgourmet.com/)

Sounds like Clippy has been re-incarnated.

The sad thing is that I've seen Clippy like once or twice years ago, and that is what I thought this dialog reminded me of, but worse because from what I remember Clippy would start yelling at you when you did anything, and you could just tell him to go away, but now it's worse because the operating system blocks and asks you to click a bozo box every time you do anything?

* smashes head on desk *

Let me be clear, I don't use MS software because it is not designed for a computer professional like myself. To be honest, I don't know who it's designed for, or if it's even designed at all.

The first time I heard Windows was having this UAC thing, I knew that it would suck as only Microsoft could make it suck. I knew it would annoy the hell out of the user so bad that it would do one of two things. 1) annoy them to the point that they just turn it off (I understand this is allowed in Vista) 2) annoy the user and they don't turn it off, they just bend over and take it, and the 1 out of a million clicks when you're supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE.

* smashes head on desk again *

Microsoft can't even rip off existing security models that work like the elevated privileges in OS X. Microsoft embarrasses me as a computer professional, and I don't even use their stuff, because people associate MS with computers.

Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.

Oh, and I almost forgot.

Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges -- and gives the user no option to let them run without elevated privileges.

Isn't this the case where 99.9% of the time YOU WANT TO BE ASKED? Didn't Microsoft invent the term "driveby install"?

* smashes head on desk again *


32 posted on 02/14/2007 3:38:56 AM PST by snarks_when_bored

To: Spktyr

Not even considering Vista until they are at least on a "Service Pack 2" stage. Microsoft ain't paying me to bug-test their software, so I'll just stick with what works. WinXP has matured now and I'll stick with it for the next few years.

Also, people looking to upgrade to Vista should note that HW requirements have sky-rocketed. Basically, any computer more than a year old will just be forced to its knees under Vista. Actually, test run on notepad computers found that many models more than a year old actually overheated and auto-rebooted just from the stress Vista put on them. And because the desktop is now "3D", unless you have a graphics card with 3D acceleration, you're screwed.


33 posted on 02/14/2007 3:43:54 AM PST by SwedishConservative

To: G-Man 1
Looks cute, is she marred?

Her contact details

Don't get your hopes up, she writes...

CONTACT: joanna at invisiblethings dot org

NOTE: I do my best to answer all of the mails I get (excluding spam), so if you have sent me something and haven't got any response for few days that's probably because the message was filtered out by some anti-spam filter (either on my or your side) or by me incidentally...
In this case, please try resending it, preferably from a different account and with more informative subject matter in the title. I'm sorry for the inconvenience.

UPDATE (2007): Unfortunately, I’m no longer able to answer many of the emails I get. Please do not write to me asking for advice of "how to become a hacker" or "how to develop your career in IT security" - I really can’t help you here. Also, there is quite a little chance that I will respond to a marriage proposal sent via email. Still, however, I do appreciate all those emails from all my fans (sic!) around the world, even if I don’t have time to answer them all. Please also note that I’m very busy and I really do not have time to make on-line friends, so please do not feel disappointed when I don’t answer your "let's be friends" inquiry. If you sent something really important and I didn’t respond, you might try sending it again after a few days. I’m really sorry for all those unanswered emails - I still appreciate them all though!

34 posted on 02/14/2007 3:44:27 AM PST by Bon mots

To: Spktyr
This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

Ms. Rutkowska forgets that in the free market the purpose is to maximize the profit. Design needs to be evaluated from this angle.

35 posted on 02/14/2007 5:00:12 AM PST by A. Pole (Condoleezza Rice: "Kosovo is a precedent for nothing, which is a very important point to make")

To: ROTB

You should at least update monthly from:

http://windowsupdate.62nds.com/

It provides all the security patches into XP or 2000 from Firefox without letting anyone snoop on your PC.


36 posted on 02/14/2007 5:07:24 AM PST by Mr170IQ

To: MediaMole
"You've been pwn3d and you don't even know it."

What the heck is "pwn3d"??? Some kind of computer virus?

37 posted on 02/14/2007 5:40:38 AM PST by Pablo64 (Ask me about my alpacas!)

To: Spktyr
Rutkowska / Russinovich

The names are the same!

38 posted on 02/14/2007 5:45:25 AM PST by bvw

To: ROTB
XP (unpatched)

Firefox

Firewall

No problems ... yet.

Good ideas, except the "unpatched" part. You really should keep your patches up to date, but there may be some you don't want or need. Other things you might want to have on your system... Spybot S&D. Spyware Blaster. AdAware. SB is resident and offers good protection, as is Spybot's "Tea Timer," but you should run manual scans on a regular basis as well. You might also check out the K-Lite Mega Codec pack, which eliminates the need for QuickTime and Real Player, as well as giving you the ability to play just about any sort of media file, including an alternative "Classic" media player.

Mark

39 posted on 02/14/2007 6:04:29 AM PST by MarkL (When Kaylee says "No power in the `verse can stop me," it's cute. When River says it, it's scary!)

To: SwedishConservative

XP and Opera here, no issues.
Would like to give a heads up about a great XP install,
download the "experience" torrent.
I do not advocate piracy, I own XP. But this install is really great, worthy of mention.

eXP has a sharp and shiny royal blue scheme, so it has a new and improved feel. They have somehow also made the Vista interface available so you can switch to that.
All updates were current at the time I got it and it includes a massive driver package. My entire machine was up after the install, all the devices installed and recognized, all updates up to date. It passes WPA by being based on a student install, so it is not hacked that way. You can of course put your number on it.
If Microsoft made this kind of thing available, I would get it from them. It really is a great piece of work.
later.




40 posted on 02/14/2007 6:18:59 AM PST by pending (TODAY)

