
The UAC security flaw in Vista

User Account Control (UAC) is one of the key security mechanisms introduced in Vista. In the past, the default account ran as an administrator. Following the principle of least privilege, the default Vista account runs with limited access, and Vista detects when something requires administrator privileges and prompts for consent, as mocked in the most recent Mac ad.

All told, this is a good thing. Unfortunately, Microsoft made some poor design decisions in the implementation, sacrificing some of the security for ease of use. Joanna Rutkowska summarizes the issue:

One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it e.g. to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?

How does Vista recognize installer executables? It has a compatibility database as well as using several heuristics to do that, e.g. if the file name contains the string “setup” (Really, I’m not kidding!). Finally it looks at the executable’s manifest; most of the modern installers are expected to have such a manifest embedded, which may indicate that the executable should be run as administrator.

This is a common problem I've seen in many systems where there is no differentiation in the level of trust. In fact, this is a big issue for me in a lot of social networks - they calculate "distance" based on your extended network, but do not account for the strength of any given connection. Certainly connections to my sister and my best friend are worth more than someone who randomly sent me a LinkedIn invite because we once had something in common but don't really know each other. In the same way, there are differing degrees of trust I want to offer executables.

After all, I would like to be offered a choice whether to fully trust a given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more.

It's unfortunate that people are turning UAC off, and it's unfortunate that Microsoft didn't do a better job modeling trust - but the bottom line is that UAC is a good start and offers a lot (not least of which is running as non-administrator by default).
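As an added illustration (not code from this post, from Joanna Rutkowska, or from Microsoft), the following Python model encodes the installer-detection rules the quoted paragraphs describe: a manifest's requestedExecutionLevel decides first, and only an unmanifested binary falls back to the "setup" file-name heuristic. It is the kind of check an administrator could use to audit which binaries will raise an elevation prompt; the sample manifests are constructed, and only the "setup" name hint mentioned in the quote is modelled.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Only the file-name hint named in the quoted text is modelled here
# (assumption: Vista's real heuristic list is not reproduced).
INSTALLER_NAME_HINTS = ("setup",)

# Constructed sample manifests, not taken from any real installer.
REQUIRE_ADMIN_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""
AS_INVOKER_MANIFEST = REQUIRE_ADMIN_MANIFEST.replace("requireAdministrator", "asInvoker")


def manifest_execution_level(manifest_xml: Optional[str]) -> Optional[str]:
    """Return the 'level' attribute of requestedExecutionLevel, or None if the
    manifest is missing or declares no execution level."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        # Strip the XML namespace so asm.v2 and asm.v3 manifests both match.
        if element.tag.split("}")[-1] == "requestedExecutionLevel":
            return element.get("level")
    return None


def predict_uac_prompt(filename: str, manifest_xml: Optional[str],
                       user_is_admin: bool = True) -> str:
    """Model of the post's description: returns 'elevate' when Vista would
    demand administrator rights (and show a UAC prompt), else 'no-prompt'."""
    level = manifest_execution_level(manifest_xml)
    if level == "requireAdministrator":
        return "elevate"
    if level == "highestAvailable":
        # Admins get their full token (prompt); standard users run unelevated.
        return "elevate" if user_is_admin else "no-prompt"
    if level == "asInvoker":
        # An explicit manifest switches the installer heuristics off.
        return "no-prompt"
    # No manifest at all: fall back to the file-name heuristic from the quote.
    name = filename.lower()
    if any(hint in name for hint in INSTALLER_NAME_HINTS):
        return "elevate"
    return "no-prompt"
```

The last case is the one the post complains about: an unmanifested "tetris_setup.exe" is treated as an installer and must run with full administrator rights, while the same binary with an asInvoker manifest would run under the limited token.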

Mar 03 2007, 03:57 AM by Tim


Mike said:

I will take control of my own PC (as administrator), thank you very much. I don't need Microsoft influencing every move I make on my own PC because they think I'm a dumb ass. As far as computer practices go, probably nothing has irritated me more than this UAC garbage. I find it extremely intrusive and rather insulting. If something or someone tries to install something I didn't want (like me clicking on a link or something and by doing so, a program tries to install that I didn't ask for), being notified of this is acceptable (so I can control if it gets installed or not). That's my definition of security. But this having to do extra steps in my everyday computer habits is unacceptable. I'm a single computer user, always was, always will be, I'm quite capable of knowing what I need to do and what I don't on my own computer. I don't need the imaginary someone at my back constantly telling me I don't have access. I don't plan on going to Vista anytime soon but when I do, the UAC will be the first to go unless Microsoft makes some changes with it that I can accept.

March 4, 2007 7:08 PM
 

Jim said:

I also do not like this UAC stuff. It's the main reason why I will not go with Vista in the foreseeable future (also because XP Pro still suits my needs quite nicely right now).

I do like Vista's feature of using memory more efficiently. It remains to be seen for me to use it and see if it indeed works in practice the way it's supposed to work in theory. I'll reserve judgment on that until I actually use it.

When I think of security, I think of being protected from something trying to install (invade) against my will that I didn't ask for (examples, something trying to install just by visiting a website or clicking on a link that says one thing and actually installs another). This is where Microsoft needs to focus more (and come up with a usable solution) instead of this "treating people like dummies" stuff of making our computers less user friendly and disrupting the daily computer usage of the user. IMO, this UAC was not well thought out by Microsoft at all.

March 4, 2007 7:52 PM