UAC in Windows 7 still broken



It can and does elevate arbitrary code with the default security configuration.

Malware can run at administrative level without UAC prompts.

Rootkits can run at administrative level without UAC prompts.

Remote code execution exploits can run at administrative level without UAC prompts.

Legitimate applications can run at administrative level without UAC prompts.

How does Malware/Rootkit/RCE get on the system? If they are already on the system, they can do much damage to user profile/data without ever needing to dance around UAC exploits.

If Legitimate applications doing bad things is an issue then you can't avoid it as they can pretty much do the same thing in the user context.

This is an exploit but it is being blown out of proportion.


Why exploit a beta product with technical users whose numbers are relatively few (and risk being caught) when you can wait a couple of months for the product to be on millions of desks around the world?

Well, if it is a flaw, and Microsoft refuses to fix it, then why not start exploiting it now?


How does Malware/Rootkit/RCE get on the system? If they are already on the system, they can do much damage to user profile/data without ever needing to dance around UAC exploits.

If Legitimate applications doing bad things is an issue then you can't avoid it as they can pretty much do the same thing in the user context.

This is an exploit but it is being blown out of proportion.

remote code executing through some other loophole perhaps?


It can and does elevate arbitrary code with the default security configuration.

Malware can run at administrative level without UAC prompts.

Rootkits can run at administrative level without UAC prompts.

Remote code execution exploits can run at administrative level without UAC prompts.

Legitimate applications can run at administrative level without UAC prompts.

You mean, the oh-so-"secure desktop" is completely pointless then? Ok... should've guessed something like that :pinch:


You mean, the oh-so-"secure desktop" is completely pointless then? Ok... should've guessed something like that :pinch:

The secure desktop is not spoofable when UAC actually works by prompting the user. This is a case where UAC can be directly and silently bypassed so that the secured desktop is never called in the first place, allowing full admin privilege to Medium IL programs (if the programs choose to use this hole).


If they are already on the system, they can do much damage to user profile/data without ever needing to dance around UAC exploits.

This is an exploit but it is being blown out of proportion.

Just because they can do so much damage already, is no excuse to give up hope. They don't deserve a free pass to do more damage.


Well, MSFT is faced with a dilemma here. Vista-style UAC was ironclad, but it annoyed the hell out of people. So they added a newer, toned-down UAC mode in W7. And then people (though probably not the same people) complain about it being too insecure.

But if you think about it from the perspective of people crying about UAC's annoyance, they did the right thing.

In Vista, you had 2 UAC levels:

* Ironclad and annoying

* No UAC

People who didn't like that top level had only one choice: no UAC.

In W7, you have 3 (well, 4, but the middle two are mostly equivalent) UAC levels:

* Ironclad and annoying (same as Vista)

* Has holes, but not as annoying

* No UAC

Maybe if MSFT defaulted to the Vista level in W7, there would be less of an outcry. But in terms of UAC itself, a weaker UAC is still better than no UAC.


The problem, kliu0x52, is that your "has holes, but not as annoying" mode is 100% equivalent to "no UAC" from the perspective of malware. In other words, you'll be sitting there approving prompts for all your legitimate software while the malware just bypasses it.

So what is the point? What useful purpose does it serve? I don't see one. If you're going to leave it on the W7 default, you might as well turn it off. A weaker UAC is NOT still better than no UAC. It only gives you a false sense of security without doing anything useful whatsoever.


100% equivalent to "no UAC" from the perspective of malware.

Of course; if something has malicious intent, it can bypass it. But it is still useful when dealing with things that do not have malicious intent (or whose malicious author is not resourceful enough to take advantage of this) (e.g., stuff that sits in a gray area of being annoying but not overtly malicious) (though such situations may be few in number).


Just because they can do so much damage already, is no excuse to give up hope. They don't deserve a free pass to do more damage.

When user data is at equal risk, if I had to choose between "annoying" UAC prompts (weren't you one of those making fun of Vista for UAC?) and the "not so annoying" UAC prompts in 7 (that follows the same whitelist approach suggested by many during Vista's beta days) - I will choose the latter just to improve public perception. This is what Microsoft did.

Remember UAC never protected what is most important on a computer - the user data but it only prevented OS/other software getting messed up.

What do you suggest is a better approach? Don't just back out saying it is Microsoft's problem. :p


It's true that you don't actually need administrator access to access most things of interest on a machine (including user files and the network), but that's a separate issue.

How does changing the UAC default to something that does nothing useful at all "improve public perception?" To me it seems like they're in for a heavy backlash when 7 is released and the general public figures it out.

If they don't want it on the Vista level, they should just turn it off.


It's true that you don't actually need administrator access to access most things of interest on a machine (including user files and the network), but that's a separate issue.

How does changing the UAC default to something that does nothing useful at all "improve public perception?" To me it seems like they're in for a heavy backlash when 7 is released and the general public figures it out.

If they don't want it on the Vista level, they should just turn it off.

Why is Windows 7 default not useful at all? It still enables IE's protected mode, registry/file system virtualization. It still protects important settings/OS location from accidental user action. I am sure there are other things UAC helps, just naming a few I remember.

Personally I prefer Vista mode and my 7 system is set to highest. The public perception part - I haven't read any Win7 review without the obligatory "UAC is now less annoying than Vista".

Edit: now instead of not


Uhm, to stop yourself from deleting your Windows folder? That kind of thing? Well, I somehow don't think that's what most people have in mind.

Actually, the weakened UAC wouldn't protect you from that since Explorer is on the auto-elevate list. :) Yes, if you want to protect yourself from malware (or more precisely, from malware that has already broken through the initial lines of defense and has gotten as far as execution), then of course the new UAC is useless. That was made public long before this thread was started. But it's also simplistic to say that defending against malware is the only thing that UAC is good for. For example, I like to be aware of and know when legitimate programs do stuff that requires admin privs. What about the times when I install some app that comes bundled with an IE toolbar? Yes, I admit that the cases are few, but so?

For regular "Aunt Tillie" users, it's dubious that UAC would have been of much help anyway since such people are not going to be able to make an informed decision about what to click when the UAC prompt comes up. And in my experience, the only times that UAC has come in handy have been in those gray areas where an app is legitimate but may be doing something that I do not like. I've never had UAC pop up for malware because malware has never gotten past that critical first line of defense (the don't-be-a-dumb-user defense; and for cases where it does get past that defense, the user is probably an "Aunt Tillie" user for whom any sort of prompt is of limited effectiveness and who shouldn't have an administrative account in the first place; regular user accounts are not affected by this UAC hole, AFAIK). And so for me personally, having the advantage of UAC notifying me of what apps are doing while not having to go through the whole elevation business every time I rename a file outside of my user account is still worth something.

Yes, this means that MSFT has effectively abandoned UAC as a malware tool, and yes, I think that MSFT should be more frank about that so that people don't come under the delusion that UAC (under the new default setting) is a malware protection tool. But I personally think that the usability cost for UAC to be an effective malware tool was too great and that it's an extra line of defense that I could probably do without.


Why is Windows 7 default not useful at all? It still enables IE's protected mode, registry/file system virtualization. It still protects important settings/OS location from accidental user action. I am sure there are other things UAC helps, just naming a few I remember.

Personally I prefer Vista mode and my 7 system is set to highest. The public perception part - I haven't read any Win7 review without the obligatory "UAC is not less annoying than Vista".

Well, the problem here is that there is a lot of incorrect use of terminology. What people generally mean by "UAC" is just a subset of the functionality -- known as "admin approval mode" (AAM). The "UAC prompt" is actually the AAM prompt, and is separate from all the other UAC features. You can have one without the other, and you can easily turn off the prompts while still keeping the rest on so you can use things like protected mode.

I guess making it more difficult for yourself to accidentally delete/modify system files/settings (does it though with the default setting?) is about the only use left for 7's AAM, but that certainly isn't what it has been sold as, nor do I think it's something many people really want. People generally hate being second-guessed.

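The UAC levels listed earlier in the thread, and the distinction drawn in the post above between the AAM prompt and the rest of UAC, can be checked on a machine by reading three policy values. This is an added example, not part of any post: the registry value names and numbers are the standard Windows policy settings and do not appear in the thread, the function names are made up for illustration, and the fallback defaults (1, 5, 1) are an assumption for values that are absent.

```powershell
# Added example (not from the thread). Read-only: it changes no settings.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    # EnableLUA = 0 switches off all of UAC, not just the prompt:
    # no filtered admin token, no IE Protected Mode, no virtualization.
    if ($EnableLUA -eq 0) { return 'UAC disabled entirely' }

    $desktop = if ($PromptOnSecureDesktop -eq 1) { 'secure desktop' } else { 'normal desktop' }
    switch ($ConsentPromptBehaviorAdmin) {
        # Prompts off, rest of UAC on: the "silent" mode from the thread.
        0 { return 'Silent elevation: no AAM prompt, other UAC features still on' }
        # Consent prompt for every elevation: the Vista-style top level.
        2 { return "Always notify ($desktop)" }
        # Windows 7 default: Windows binaries on the auto-elevate list skip the prompt.
        5 { return "Prompt only for non-Windows binaries ($desktop)" }
        default { return "Other policy value $ConsentPromptBehaviorAdmin ($desktop)" }
    }
}

function Get-PolicyValue {
    param($Properties, [string]$Name, [int]$Default)
    # An absent value must not be read as 0; fall back to the assumed default.
    $value = $Properties.$Name
    if ($null -eq $value) { return $Default }
    return [int]$value
}

# Live check, only where the policy key exists (that is, on Windows).
if (Test-Path $PolicyKey) {
    $p = Get-ItemProperty -Path $PolicyKey
    $level = Get-UacLevel -EnableLUA (Get-PolicyValue $p 'EnableLUA' 1) `
        -ConsentPromptBehaviorAdmin (Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5) `
        -PromptOnSecureDesktop (Get-PolicyValue $p 'PromptOnSecureDesktop' 1)
    "This machine: $level"
}

# Constructed sample settings, one per mode discussed in the thread.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacLevel @s }
```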

Well, the problem here is that there is a lot of incorrect use of terminology. What people generally mean by "UAC" is just a subset of the functionality -- known as "admin approval mode" (AAM). The "UAC prompt" is actually the AAM prompt, and is separate from all the other UAC features. You can have one without the other, and you can easily turn off the prompts while still keeping the rest on so you can use things like protected mode.

I guess making it more difficult for yourself to accidentally delete/modify system files/settings is about the only use left for 7's AAM, but that certainly isn't what it has been sold as, nor do I think it's something many people really want. People generally hate being second-guessed.

Yeah what is more popularly known as "silent UAC mode". That is even more useless than 7 default - right? I wasn't only commenting on the UAC prompt btw.


Yeah what is more popularly known as "silent UAC mode". That is even more useless than 7 default - right? I wasn't only commenting on the UAC prompt btw.

Maybe some call it that, I don't know. It's in no way more useless than the 7 default. The two offer the exact same level of protection against code elevating without your consent (none at all). The only difference is that the former doesn't bother you with pointless prompts.


Vista-style UAC was ironclad, but it annoyed the hell out of people.

Vista UAC was *meant* to annoy the hell out of people:

http://www.dailytech.com/Microsoft+Designe...rticle11464.htm

David Cross, a product manager responsible for designing UAC, gave the real reason for UAC at the RSA 2008 conference in San Francisco yesterday. "The reason we put UAC into the platform was to annoy users. I'm serious," remarked Cross.

But in terms of UAC itself, a weaker UAC is still better than no UAC.

Given that logic, I guess you would also say that a condom with holes is better than no condom, huh? :pinch:

Face it, UAC is not meant to be a defense against malware and such, so it shouldn't be taken for one. UAC is only there to keep users from doing stupid things, like e.g. deleting important system files, and nothing beyond that!

Brandon himself also said that UAC is not a security measure against malware and such, that should be clear enough.

For actual security, you still need a 3rd party security solution.


Vista UAC was *meant* to annoy the hell out of people:

So? Security has always been a tradeoff with convenience. Saying that it's supposed to annoy people is just a restatement of that principle. Perhaps I should have been more explicit: "It annoyed people more than they would have liked to be annoyed." In other words, for a number of people, it was too much of a tradeoff.

Given that logic, I guess you would also say that a condom with holes is better than no condom, huh? :pinch:

That's a flawed analogy because-- *sigh* I'm not going to rehash what I said in post #40. Just read it for my response to that particular point.

For actual security, you still need a 3rd party security solution.

For actual security, nothing beats common sense. Me? Admin user. No anti-spyware. No anti-malware. No firewall. Never had an infection in nearly two decades of computing. It's really not that hard if you know what you are doing.


For actual security, nothing beats common sense. Me? Admin user. No anti-spyware. No anti-malware. No firewall. Never had an infection in nearly two decades of computing. It's really not that hard if you know what you are doing.

While you're right that common sense is the best security, not having a firewall isn't a good example of said common sense. It's far easier to avoid malware running with default XP SP2 or SP3/Vista/7 settings than taking the time to disable built-in security features. Again, if you have common sense, you likely won't get infected the usual way, but not having firewalls is the reason worms like Blaster and Sasser were so destructive.


not having firewalls is the reason worms like Blaster and Sasser were so destructive.

Not having patched the system despite the patch having been out for months when the worms hit probably played a bigger role. And a hardware incoming firewall is a good way to limit exposure, but I don't believe in outgoing firewalls (since that's effective only once you've been hit) or software firewalls. But that's off-topic. :)
