Free Republic
Hacker, Microsoft duke it out over Vista design flaw (UAC broken by design)
ZDNet | 13 Feb 07 | Ryan Naraine

Posted on 02/13/2007 10:59:28 PM PST by Spktyr

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out — from Microsoft officials — that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can't under Vista, which is a bit disturbing," she added.
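The installer-detection behaviour Rutkowska describes has a developer-side opt-out that the article does not mention: the heuristic only fires for executables that carry no requestedExecutionLevel in their manifest, so an installer that declares asInvoker runs with the user's own token and is never forced through the full-administrator prompt. The PowerShell below is an added example, not code from the ZDNet article, from Rutkowska or from Microsoft; it writes such a manifest, embeds it with mt.exe from the Windows SDK, and reads it back to confirm the level took. The executable path is an assumption.

```powershell
# Added example (not from the article): opt an installer out of Vista's
# installer-detection heuristic by embedding a manifest that requests
# asInvoker, then read the embedded manifest back to verify it.
# mt.exe ships with the Windows SDK. The .exe path below is an assumption.
$exe = 'C:\build\TetrisSetup.exe'

$manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's token and never ask for elevation.
             requireAdministrator would request the full-admin prompt explicitly;
             an executable with no manifest at all is what the heuristic targets. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

# Write the manifest without a BOM so mt.exe takes it as plain UTF-8 XML.
$manifestPath = "$exe.manifest"
[IO.File]::WriteAllText($manifestPath, $manifest, (New-Object Text.UTF8Encoding $false))

# Embed it as RT_MANIFEST resource id 1 (an EXE; a DLL would use ;#2).
$outRes = "-outputresource:$exe;#1"
& mt.exe -nologo -manifest $manifestPath $outRes
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

# Extract the embedded manifest again and check the requested level.
$extracted = "$exe.embedded.manifest"
$inRes = "-inputresource:$exe;#1"
& mt.exe -nologo $inRes -out:$extracted
if ($LASTEXITCODE -ne 0) { throw "mt.exe could not read the manifest back: $LASTEXITCODE" }

$doc = [xml](Get-Content -Raw $extracted)
$level = $doc.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel.level
if ($level -ne 'asInvoker') { throw "unexpected requestedExecutionLevel: $level" }
"$exe now requests '$level'; installer detection will not force a UAC prompt for it."
```

Two caveats for anyone applying this. First, embedding a resource changes the file, so a signed installer must be re-signed afterwards; this is a fix for whoever builds the installer, not something a user should do to an untrusted download. Second, asInvoker only removes the prompt; the installer then really does run as a standard user and has to write under the user's profile and HKCU rather than Program Files and HKLM, which is exactly the reduced-privilege install Rutkowska wanted to be able to choose.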

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Russinovich, a technical fellow at Redmond, writes:

As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can.

This potentially includes a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory.

That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data.

That kind of escape, called a squatting attack, is sophisticated and requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.

Russinovich pegged it as a tradeoff between application compatibility and ease of use, explaining the weakness as a "design choice."

Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.
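The asymmetry Russinovich describes (the integrity wall stops writes up, not reads) can be observed directly rather than taken on faith. The PowerShell below is an added example, not code from the article or from Microsoft; it uses the token sequence Microsoft documents for running an application at low integrity (OpenProcessToken, DuplicateTokenEx, SetTokenInformation with TokenIntegrityLevel, CreateProcessAsUser) to start a Low-IL cmd.exe under the current account, then has that shell print its own label, read a file in the user's profile (allowed) and append to it (denied). The probe file path and contents are constructed for the example; it needs Vista or later and a normal, non-elevated session.

```powershell
# Added example (not from the article or from Microsoft): start a Low-IL
# cmd.exe as the current user and show that it can read, but not write,
# a file that the user's Medium-IL processes created.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class LowIl
{
    [StructLayout(LayoutKind.Sequential)]
    public struct SidAndAttributes { public IntPtr Sid; public uint Attributes; }

    [StructLayout(LayoutKind.Sequential)]
    public struct TokenMandatoryLabel { public SidAndAttributes Label; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct StartupInfo
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInformation { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int impLevel, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern int GetLengthSid(IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int cls, ref TokenMandatoryLabel info, int len);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmd, IntPtr pa, IntPtr ta,
        bool inherit, uint flags, IntPtr env, string dir, ref StartupInfo si, out ProcessInformation pi);

    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_ASSIGN_PRIMARY = 0x0001, TOKEN_ADJUST_DEFAULT = 0x0080;
    const uint MAXIMUM_ALLOWED = 0x02000000, SE_GROUP_INTEGRITY = 0x20, CREATE_NEW_CONSOLE = 0x10;
    const int SecurityImpersonation = 2, TokenPrimary = 1, TokenIntegrityLevel = 25;
    const string LowLabelSid = "S-1-16-4096";   // Mandatory Label\Low Mandatory Level

    public static int Start(string commandLine)
    {
        IntPtr tok, lowTok, sid;
        if (!OpenProcessToken(GetCurrentProcess(),
                TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_DEFAULT, out tok))
            throw new Win32Exception();
        // A primary-token copy of our own token; we only lower its label, never raise anything.
        if (!DuplicateTokenEx(tok, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out lowTok))
            throw new Win32Exception();
        if (!ConvertStringSidToSid(LowLabelSid, out sid)) throw new Win32Exception();
        var label = new TokenMandatoryLabel();
        label.Label.Sid = sid;
        label.Label.Attributes = SE_GROUP_INTEGRITY;
        if (!SetTokenInformation(lowTok, TokenIntegrityLevel, ref label, Marshal.SizeOf(label) + GetLengthSid(sid)))
            throw new Win32Exception();
        var si = new StartupInfo(); si.cb = Marshal.SizeOf(si);
        ProcessInformation pi;
        if (!CreateProcessAsUser(lowTok, null, commandLine, IntPtr.Zero, IntPtr.Zero, false,
                CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
            throw new Win32Exception();
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(lowTok); CloseHandle(tok); LocalFree(sid);
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $src

# Constructed probe file in the user's profile, created (and therefore
# implicitly labelled) at Medium IL. Name and contents are assumptions.
$probe = Join-Path $env:USERPROFILE 'uac-il-probe.txt'
Set-Content -Path $probe -Value 'written by a Medium-IL process'

# The Low-IL shell prints its label, reads the probe (succeeds: the wall does
# not block reads) and tries to append to it (fails with "Access is denied").
$cmd = "cmd.exe /k whoami /groups | findstr /i ""Mandatory Label"" & type ""$probe"" & echo tampered>>""$probe"""
$lowPid = [LowIl]::Start($cmd)
"Low-IL cmd.exe started, PID $lowPid; watch its console for the read/write results."
```

The console that opens should show `Mandatory Label\Low Mandatory Level` on the whoami line, the probe's contents from `type`, and `Access is denied.` from the redirection. That is the whole of Russinovich's point in one window: the Low process has read every byte of a file in the user's profile, and only the write was refused, which is why he stops short of calling the integrity wall a security boundary.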

That explanation isn't sitting well with Rutkowska. In an e-mail interview, the Polish malware researcher said she was "pissed off" by what she perceived as Russinovich's flippant attitude to the potential risk.

"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.

"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen new attacks against UAC)," she added.

Rutkowska also took issue with this line from Russinovich's argument:

"[H]aving your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account's code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code…"

"This is not valid," Rutkowska declared. "If we followed this reasoning, then we would not be able to talk about security in our email clients nor web browsers, because they all also access data and code which are not trusted."

Her final thought: "I believe that the Vista security model is a good thing and that users can benefit from it, but Microsoft must change their attitude and start treating them as security mechanisms."

[UPDATE: February 13, 2007] Rutkowska wrote in to clarify a few things that appear confusing in the article above:

There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was “pissed off” not because of #1, I was “pissed off” because Microsoft employee — Mark Russinovich — declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but, I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow up titled “Vista Security Model - A Big Joke”.


TOPICS: Computers/Internet
KEYWORDS: defectivebydesgn; vista; whatsecurity
To: Spktyr

I never considered UAC as a gateway but rather a guard.

Is it a pain? Yes. Installing games, Office, apps, etc. that damn prompt gets annoying.

However, I think it serves a very good purpose to alert you to a stealth program trying to install itself.

Downloading bunny pictures and all of sudden UAC pops up and wants to know if you want to install MistressJoanWhipme.exe. At that point running it as administrator doesn't even enter into the decision.


41 posted on 02/14/2007 6:21:19 AM PST by VeniVidiVici (¡El proletariado del mundo, une! - Xuygo Chavez) | reply to #1

To: snarks_when_bored
Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.

Sorry you had me up until that point. Compared to AIX and HP-UX, Solaris is barely usable.

42 posted on 02/14/2007 6:54:30 AM PST by BlueMondaySkipper (The quickest way of ending a war is to lose it. - George Orwell) | reply to #32

To: BlueMondaySkipper

Those were comments by Slashdot users; I just reposted them for the amusement of FReepers...


43 posted on 02/14/2007 6:58:51 AM PST by snarks_when_bored | reply to #42

To: Spktyr

Do you have a recommendation for a Linux installation for running a network monitor and firewall? I have a P3 450 with two nics sitting right here that I've been meaning to dedicate to that purpose.

What I'm looking for is a cook book to configure the system for security, and a recommendation for the firewall app. This system would be the first connection point for a simple home network.


44 posted on 02/14/2007 7:32:59 AM PST by Jack of all Trades (Liberalism: replacing backbones with wishbones.) | reply to #13

To: Pablo64

pwn3d is cheesy internet slang for "owned" -- i.e. a hacker has taken control of an unpatched computer.

These days, hackers want to control hundreds or thousands of computers to relay spam or commit denial of service attacks.


45 posted on 02/14/2007 7:41:07 AM PST by MediaMole (9/11 - We have already forgotten.) | reply to #37

To: Jack of all Trades

Unfortunately, I don't have enough time and space to list all the options here, but I can get you started.

Take a look at OpenBSD, which despite the name is designed as an ultrasecure operating system. This makes it a poor choice for a desktop operating system and an excellent choice for a server, router, or other network appliance duty. There are many router projects built off OpenBSD, including some that run off a single floppy or CD. Google for "OpenBSD router" and you should find quite a lot of info.


46 posted on 02/14/2007 8:35:54 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.) | reply to #44

To: Pablo64

It's computer slang. "Owned" means that you've been screwed by someone. "Pwned" indicates that you've been totally screwed by someone.


47 posted on 02/14/2007 8:38:25 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.) | reply to #37

To: Jack of all Trades

Oh, forgot to mention - there will be no separate firewall app needed. IPFW is included in just about every distribution of Linux/BSD.


48 posted on 02/14/2007 8:39:42 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.) | reply to #44

To: Spktyr; ROTB
...lock the thing down and install a hardware, not software firewall.

Use both. Outpost is very good.

49 posted on 02/14/2007 9:14:06 AM PST by Bloody Sam Roberts (Res firma mitescere nescit.) | reply to #12

To: MediaMole; Spktyr
Thanks to both of you for the info. I would never have gotten that. No wonder kids can't write or spell these days (using a "p" instead of an "o"????). I kind of get the number 3 being used as a kind of backwards "e" (since I watch Numb3rs on tv), but still...

Guess I'm older than I thought I was. :-)

50 posted on 02/14/2007 10:00:51 AM PST by Pablo64 (Ask me about my alpacas!) | reply to #45

To: Bloody Sam Roberts; Spktyr; MarkL; Mr170IQ; Halgr; jdm; MediaMole

Thank you for the advice gentlemen:

1) It is a hardware firewall I am running.
2) I just turned on "auto-update" and caught up in my patches.

The reason I ran unpatched was my friend advised me that the eventual slowdown in my machine would force me to buy another, due to the patches slowing it down so much.

But thinking more about why my friend would say this, I realize that SINCE HE USES IE (Internet Explorer), this is a much more likely source of slowdowns due to the spyware and junk he would attract to his machine.

Agreed?

Spktyr: I hope you are wrong.


51 posted on 02/14/2007 10:04:54 AM PST by ROTB (Our Constitution...only for a [Christian] people...it is wholly inadequate for any other.-J.Q.Adams) | reply to #49

To: ROTB

Ad-Aware, Spybot S&D, and AVG AntiSpyware Free are your friends. Download them from download.com and run them immediately.

Then take your machine over to housecall.trendmicro.com and do a full scan.

Your friend is an idiot. I like that kind of idiot, they generate so much work (and therefore money) for me!


52 posted on 02/14/2007 10:08:53 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.) | reply to #51

To: Bloody Sam Roberts

Windows-based software firewalls are a sick joke.


53 posted on 02/14/2007 10:09:49 AM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.) | reply to #49

To: Spktyr
Windows-based software firewalls are a sick joke.

If you mean the software firewall built in to Windows...I agree.

If you mean any software firewall that runs on a Windows OS...what alternative is there if you don't want to chuck Windows?
Any software firewall is Windows-based in that regard.

54 posted on 02/14/2007 10:18:25 AM PST by Bloody Sam Roberts (Res firma mitescere nescit.) | reply to #53

To: BlueMondaySkipper; snarks_when_bored
Thanks for the grandparent post for sharing their experience, and thank you Apple, Linux, and Sun for making computers usable.

Sorry you had me up until that point. Compared to AIX and HP-UX, Solaris is barely usable.

Well, truth be told, SunOS on the old Sun III workstations was a real breath of fresh air. The GUI was new to most *IX users at the time.

Mark

55 posted on 02/14/2007 10:25:44 AM PST by MarkL (When Kaylee says "No power in the `verse can stop me," it's cute. When River says it, it's scary!) | reply to #42

To: Gorzaloon
...and gives me a warm, nostalgic feeling for my Commodore 64.

ROFL!

56 posted on 02/14/2007 8:16:07 PM PST by rdl6989 | reply to #30

To: A. Pole
Ms. Rutkowska forgets that in the free market the purpose is to maximize the profit. Design needs to be evaluated from this angle.

Thus the difference between people who only go for the money and those who truly want to build a quality product. Michael Eisner looked only at profit, and we all know what happened to the quality of Disney animation after Wells (Disney prez, COO) died and Katzenberg (studio head, now Dreamworks) left, and Eisner totally took over.

You see the difference in Ballmer's recent speech. He basically said the new Windows was just there to keep the revenue coming in. Apple improves Leopard also because they want to push the envelope of what an OS can do. This is why Apple is known for innovation, and Microsoft is not.

Microsoft will improve if necessary to avoid getting run over. Another good example is IE, which sat with no improvements for years until Firefox became a danger, and then Microsoft just played catch-up.

57 posted on 02/16/2007 7:02:55 AM PST by antiRepublicrat | reply to #35

To: VeniVidiVici
However, I think it serves a very good purpose to alert you to a stealth program trying to install itself.

I've been in programming for a while, but I've also been in design. The worst thing I normally see is programmers coming up with "the great idea" that completely forgets the human nature of the user at the other end.

This is summed up well in #32: "and the 1 out of a million clicks when your supposed to say No, you click Yes because that is what you ALWAYS HAVE TO DO TO GET ANYTHING DONE."

It's basically the boy who cried wolf.

58 posted on 02/16/2007 7:09:51 AM PST by antiRepublicrat | reply to #41

To: antiRepublicrat

Yup. There is a small learning curve. Of course Darwin will weed out the incompetents who are bound to get virii anyhow.

Doesn't Mac have a similar "feature"?


59 posted on 02/16/2007 7:30:36 AM PST by VeniVidiVici (¡El proletariado del mundo, une! - Xuygo Chavez) | reply to #58

To: VeniVidiVici
Doesn't Mac have a similar "feature"?

Yes, it's one of the features of OS X that Microsoft is trying to copy. But the OS X warning doesn't come up very often, only when installing software or updates, so there's no "cry wolf" aspect.

60 posted on 02/16/2007 7:43:22 AM PST by antiRepublicrat | reply to #59
