
"Very Severe Hole" In Vista UAC Design

kdawson posted more than 7 years ago | from the she-said-he-said dept.

Security 813

Cuts and bruises writes "Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature. The issue is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges — and gives the user no option to let them run without elevated privileges. This means that a freeware Tetris installer would be allowed to load kernel drivers. Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."


813 comments


An even bigger hole... (5, Insightful)

KingSkippus (799657) | more than 7 years ago | (#18003076)

There's a much, much bigger hole than any programmer could possibly exploit: The annoyance factor.

Last night, I restored my old XP partition after figuring I'd give Vista a shot for just a couple of days. You know, just to experience it myself instead of taking other people's word for what it's like.

The theme of Vista seems to be simple: Annoy the hell out of the end user. You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay? The list goes on and on. Almost every action in Vista is actually composed of two separate actions: the one you want to do, and the confirmation to do it.

After getting Windows Vista installed, I took an hour or so to configure my personal settings and install a couple of applications. I had to acknowledge somewhere between 50 and 100 dialog boxes asking me if it was okay to do what I was doing. No, I'm not exaggerating.

Now, I'm a very experienced computer user, and I've worked for over a decade supporting PCs, servers, networks, and so on. Yes, I know, I could disable UAC if I want to, but that kind of defeats the point of Vista's so-called beefed up security.

Even I became so numb to clicking OK in two short days that I wouldn't think twice about it. You want to move that shortcut on your start menu, is that okay? You want to install the Pwnzjoo virus, is that okay? You want to send your bank account numbers to Nigeria, is that okay? Yes, yes, yes, dammit!

If Microsoft wants to really get serious about security, they have to get it through their heads that it's not about locking everything down and popping up prompt after prompt after prompt to the user. It's about being smart, letting the user do normal things without interference or interruption, and having the level of alerts match the danger of what's being done.

As it is, Vista cries wolf so often that when the real wolves show up, I'd be surprised if any user, newbie or guru, listens.

Re:An even bigger hole... (-1, Troll)

ad0gg (594412) | more than 7 years ago | (#18003138)

Upgrade your software. Old software does stupid stuff which causes prompts, that's not Vista's fault.

It's not the software. (4, Informative)

KingSkippus (799657) | more than 7 years ago | (#18003268)

That's the thing. Most of the prompts I was getting were not from software trying to do stuff, it was from normal operating system operations such as copying/moving/renaming/deleting files. Not OS files, but my own documents in my user directory. Not programmatically, but from me personally interacting with Explorer to manage my data. Stuff like changing the layout of my Start menu. Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.

Re:It's not the software. (5, Interesting)

787style (816008) | more than 7 years ago | (#18003516)

I had probably the most frustrating ten minutes I have ever spent on a computer before.

Start, typed in regedit, enter.
Vista: Are you sure you want to run this program?
Me: Yes. I went OUT of my way, hit start, run and typed in the program name I wanted. Thanks for checking though. (click) ....
Edit the registry, close it. That was easy. ....
Double-clicked on setup. Stupid shield on my icon, what does that mean?
Vista: Are you sure you want to run this? It's a program, you know.
Me: Oh, that must be what the shield is for. Vista feels like it should protect me from software!
Vista: This is from AMD. Do you trust AMD?
Me: Yes, they pay me. I trust them. (click) .....
Install...... that was easy. ....
Oops, there's a problem. Well, let's grab the correct file from the build server and copy it over ...
Open My Computer, go to Program Files ....
Vista: Are you sure you want to go there?
Me: Yes (click) ...
Open up the application folder ....
Drag a file from a network share to the application folder....
Vista: Are you sure you want to overwrite this file?
Me: Yes (click)
Vista: A program wants to write to the Program Files folder. Is this ok?
Me: Yes (click)
Vista: You are trying to copy from a network share to the Program Files folder. This isn't allowed. Hit ok.
Me: (Pounds head) (click) ....
Drag to Desktop. ....
Drag from Desktop to application folder. ...
Vista: Are you sure you want to overwrite this file?
Me: For the love of god, yes
Vista: A program wants to write to the Program Files folder. Is this ok?
Me: Die. Die. Die. Die.

Re:It's not the software. (5, Funny)

LiquidCoooled (634315) | more than 7 years ago | (#18003648)

Sounds like Clippy has been re-incarnated.

*shudder*

Re:It's not the software. (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18003650)

So, it's like an OS security version of Clippy, without the cute icon? Or a secure version of Microsoft Bob?

Well, I suppose it's better than having the same thing with the cute icon.

Re:It's not the software. (4, Informative)

ThinkFr33ly (902481) | more than 7 years ago | (#18003690)

Not OS files, but my own documents in my user directory.
I find that hard to believe, unless you're talking about pre-RC2 Vista. Operations on files which you own or have normal permissions to, such as all the files in your user directory, do *not* cause a UAC prompt. Simple as that. Think of it this way, if you were on Unix, it would simply deny you access to the file in question. You would then have to su root to get the job done. In Vista, it makes that elevation a lot faster and easier.

For repeated, but separate operations (like installing a lot of applications when you're setting up your machine), you can disable UAC. This is basically the same thing as su root if your account is an admin account. Once you're done, re-enable it. It's really not that hard.

Stuff like changing the layout of my Start menu.
You'll only get a UAC prompt when modifying start menu folders that are shown to all users. Why? Because these aren't folders you own. See my previous point. Also, why bother rearranging start menu folders in Vista? If you want to find something, type in the first couple of letters and it appears. It's MUCH faster than drilling down through folders.

Stuff like changing my desktop background. Stuff like copying a line of text from a web page in IE7 to paste in a document.
You're either making this up, or you were using something that was even pre-pre RC1. This simply does not happen with Vista post-RC1.

Re:An even bigger hole... (5, Funny)

dotpavan (829804) | more than 7 years ago | (#18003166)

offtopic, yet:

no doubt, that's why Dell is marketing its hardware for Vista as great for "booting the OS, w/o running apps or games [googlepages.com] " (link via this [dell.com] )

Since when did booting an OS become a "feature" of the OS?

Re:An even bigger hole... (4, Funny)

halltk1983 (855209) | more than 7 years ago | (#18003318)

I see *someone* never used Windows 95!

Re:An even bigger hole... (4, Funny)

steveo777 (183629) | more than 7 years ago | (#18003528)

I think a full bootup being a victory on Windows ME would be even more of an excuse for celebration.

Swinging a Blunt Object (5, Insightful)

CheeseburgerBrown (553703) | more than 7 years ago | (#18003226)

I think you're right. Microsoft has failed to appreciate the user psychology of interacting with authorization prompts in a way that would shame most retarded chimpanzees. The only explanation that doesn't invoke something more bizarre than Xenu is that they figured most Deltas would simply turn off the feature out of annoyance, and thus Microsoft would bear no blame in the subsequent (and likely rapid) zombification of said Delta's system.

"What? We put the thingy in. It's not our fault if idiotsticks turns it off because he's too lazy to take security seriously."

This is a way to let themselves off the hook, escalating user error to the root of all evil instead of, say, a hopelessly fractured and bloated development bureaucracy overseen by demented lizard people. This is a response to the criticisms about Windows having a default configuration more favourable to trojans than users, so they can now claim that the default configuration is solid. You changed a setting? The buck stops at you, sucker.

Maybe Microsoft needs someone with some insight into user behaviour and interface psychology on staff. I hear Steve Jobs has a reasonable hourly rate. (/me ducks)

Re:Swinging a Blunt Object (5, Interesting)

an.echte.trilingue (1063180) | more than 7 years ago | (#18003698)

You know what really gets me about the annoying Vista security model? It's that the one in XP isn't THAT bad, it's just the default configuration that is THAT bad. If you (1) password protect the "administrator" account and (2) run as a non-admin user when not doing admin things (most of the time), you will eliminate many problems.

I know, I know, it is still not as good as *nix security, and there are lots of programs that need admin privileges to run properly (fewer these days, though), but it isn't that bad.

Take care

-mat

Steve is that you? (5, Funny)

tiltowait (306189) | more than 7 years ago | (#18003232)

Video version of the above commentary here [apple.com] .

Re:An even bigger hole... (5, Funny)

nuzak (959558) | more than 7 years ago | (#18003242)

You want to run an application, is that okay? You want to copy a file, is that okay? You want to change your desktop background, is that okay? You want to copy text from IE7, is that okay? You want to turn your machine into a child porn and warez server, is that okay? You want to delete an old text file, is that okay? You want to paste text into a form field in IE7, is that okay?

One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?

Re:An even bigger hole... (4, Funny)

EXMSFT (935404) | more than 7 years ago | (#18003674)

Sorry, did I miss something? I was too busy clicking "Allow" 7 times to notice which one was bad. None of them were bad, were they?

Re:An even bigger hole... (2, Funny)

minus_273 (174041) | more than 7 years ago | (#18003280)

seems like you are coming to a sad realization [apple.com] cancel or allow?

Re:An even bigger hole... (1)

nuzak (959558) | more than 7 years ago | (#18003418)

The sad realization for me is that Apple's quicktime player for the PC is still a broken piece of nagware crap that can't play that movie.

Re:An even bigger hole... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18003508)

Did you try your 8mm player?

Re:An even bigger hole... (3, Informative)

Rycross (836649) | more than 7 years ago | (#18003304)

Er what? For me, it only gave the nag screen when accessing the control panel, installing software, running software with administrative privileges, or running Visual Studio. The Visual Studio thing is annoying, but other than that, all of the other things are the exact same sort of things that I have to sudo for in Linux. Except I'm not having to enter a password, just click a box. I'm not sure where the big gripe comes from, and honestly I feel like people are blowing it way out of proportion. Unless I'm coding (opening and closing Visual Studio) or changing the configuration of my machine, I never see the UAC box. So I barely see it during normal usage.

Re:An even bigger hole... (1, Insightful)

Khuffie (818093) | more than 7 years ago | (#18003622)

You forget, this is a Microsoft product. What's acceptable in OS X and Linux is simply evil, crap, bad, ridiculous, horrendous (continue with adjectives) in Windows.

Re:An even bigger hole... (1)

Rycross (836649) | more than 7 years ago | (#18003726)

It could be that as a matter of course I don't use Windows in the same way as these other people do, or they could be using beta versions. I'm not ready to chalk it up to zealotry just yet.

But what are the options for Joe Sixpack? (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#18003308)

I agree fully that the above is broken for everyone, and does nothing but give MS a sort of indemnity ("Got a virus? Well we did warn you..."), but what really good options are there for Joe Sixpack?

The *nix model also has a far way to go for Joe Sixpack users too. Want to install software? Need root? How many people can remember root passwords etc?

Still, the hardest part of using *nix for Joe Sixpack is managing permissions of devices etc. Want to use a serial port? Got to set up permissions. If it is a USB serial port, then you have to do this every time you boot/plug in (unless you're hairy chested enough to write a script).

The capabilities of the technology have far outstripped the capabilities of the average user.

Re:But what are the options for Joe Sixpack? (1)

glittalogik (837604) | more than 7 years ago | (#18003716)

The 'sudo' command in Ubuntu et al at least means you only have to remember your own password, not a separate one for root. USB functionality still has a ways to go though.

Re:An even bigger hole... (4, Informative)

Anonymous Coward | more than 7 years ago | (#18003452)

I've been running Vista RTM since release and I hardly see any UAC prompts. The only times are when I run VMware or install a program.

You want to run an application, is that okay?
That's the application's fault. Most applications shouldn't need administrative rights to run, and if they've been written properly they won't prompt. WinRAR 3.61 never prompts for me, but 3.62 has UAC prompts for everything. AFAIK "Windows XP Certified" programs require programs to be written so that they can run without elevated privileges so this is nothing new. People just assumed that everyone would run in an Administrator account and ignored those guidelines.

You want to copy a file, is that okay?

That never happens unless you're copying files into protected directories such as Program Files or the Windows directory. I copy files around all the time without UAC prompts because I keep them in my User directories or an external hard drive.

You want to change your desktop background, is that okay?
This is just FUD. That never happens. If you right click on an image in IE7 and set it to background a regular IE prompt will appear, but no UAC.

You want to copy text from IE7, is that okay?
I can copy text just fine, doesn't seem to prompt for me.

You want to delete an old text file, is that okay?
See above, only in restricted directories.

You want to paste text into a form field in IE7, is that okay?
I just tried copy and pasting info into the login page at Bank of America and I get no prompts. Even copy and pasting into sensitive fields such as "Social Security Number" on a Citibank credit card application resulted in zero prompts.

UAC prompts are annoying and frequent when you first do a complete reinstall because you'll be installing applications and drivers that need elevated privileges. After that you should not encounter it in your day to day activities. I see a UAC prompt once a day and that's only because I use VMware. If I used Virtual PC I could avoid it completely.

MOST computer users buy their PCs from Dell, HP, etc and they are preloaded with drivers and some basic software. The regular user won't be seeing as many UAC prompts because they'll be installing only a few programs (music player, possible word processing, games).

So that's where clippy went! (4, Interesting)

giafly (926567) | more than 7 years ago | (#18003550)

The truth is out. Microsoft didn't kill clippy [cnn.com] in MS Office, they just moved him upstairs to an entire operating system designed to ask unwieldy and confusing [eweek.com] questions.

This link allegedly tells you how to turn the questions off [microsoft.com] , but unfortunately I can understand the words, even most of the sentences, but the whole thing is just dreadful, "As a result, IT departments often cannot gauge the holistic health and security of their environments." Can anyone help?

Re:An even bigger hole... (0, Flamebait)

chrismgtis (1062106) | more than 7 years ago | (#18003568)

It sounds to me that you're the one crying wolf. Quit whining. Vista doesn't do as much to annoy you as you just claimed. I have absolutely no issues whatsoever with Vista Ultimate at the current time. Then again, I am the one that ran XP with absolutely no virii, malware, performance issues or other problems whatsoever, unlike most people who can't seem to grasp how to use a computer correctly.

Re:An even bigger hole... (4, Insightful)

EXMSFT (935404) | more than 7 years ago | (#18003612)

UAC is so amazingly, fundamentally flawed. Has been from the beginning. As you noted, it's susceptible to user numbness. It's also susceptible to the dancing pigs phenomenon, something mentioned by Microsoft's own Steve Riley (see http://www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx [microsoft.com], and search for the words "dancing pigs").

Mac has issued a salutation. Allow or deny? Comedy gold, and yet Apple hit the nail on the head.

My expectation is that at least 50% of Windows Vista consumers will turn UAC off entirely, and the remaining 50% will ignore it (psychologically disable it) to the point that it may as well be disabled - especially applies in the enterprise computing world where Joe won't be allowed to turn it off, but still wants to do whatever he wants. Meaning that in the default configuration of users as hobbled admins, every Vista user is then an admin. Just like they are in XP. Really validates 5 years of hard work on security.

lets get this straight (1)

President_Camacho (1063384) | more than 7 years ago | (#18003098)

Hacker Joanna Rutkowska has flagged a "very severe hole" in the design of Windows Vista's User Account Controls (UAC) feature.

It's not so much a "hole", as it is an "orifice".

Re:lets get this straight (0)

Anonymous Coward | more than 7 years ago | (#18003324)

It's not so much a "hole", as it is an "orifice".

Well, technically it's really a "greased gaping orifice".

Interesting security model - automatically allow anything the user installs to ass rape the entire system. It would have been nice to allow an app to be installed with user privileges so that it can't do any more damage than the user himself.

So what's new? (2, Insightful)

jmac880n (659699) | more than 7 years ago | (#18003108)

I believe that even RPM on linux runs the install scripts with admin access...

Re:So what's new? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18003156)

I believe that even RPM on linux runs the install scripts with admin access...
Yes, but you generally have to be logged in as root in order to install the RPM...

Re:So what's new? (2, Informative)

drinkypoo (153816) | more than 7 years ago | (#18003168)

I believe that even RPM on linux runs the install scripts with admin access...

If you install an RPM of unknown provenance, you deserve what you get.

Otherwise, the packages are presumed to have been tested by the maintainers and to not destroy your system.

There is no such structure in Windows-land. You clearly do not understand how the system works if you think the two are comparable.

Re:So what's new? (1)

minus_273 (174041) | more than 7 years ago | (#18003322)

I know of more than one incident where deb and rpm servers have been compromised.

Re:So what's new? (1)

evilRhino (638506) | more than 7 years ago | (#18003626)

This is offtopic, but are those sigs for real? Looks like something out of 1984.

Re:So what's new? (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18003736)

If you install an RPM of unknown provenance, you deserve what you get.

Realistically, this is not a good answer. OS's should provide a consistent mechanism for installing and managing software, not one method for software from the OS maker and one for commercial software (or none). Further, the assumption that any given piece of software can either be trusted or not is outdated and needs to die a quick death. All software on a machine should be limited by mandatory access controls and new software should be limited by a combination of an included ACL and a system assigned one based upon the trust level for that application.

I can forgive Linux distros and even OS X for not implementing this by default yet, since they do not have a real malware problem that actually affects most users, but this should have been implemented in Win2K at the latest, when everyone realized it was a serious problem in Windows.

Re:So what's new? (5, Informative)

DoofusOfDeath (636671) | more than 7 years ago | (#18003220)

I believe that even RPM on linux runs the install scripts with admin access...

Yes, but at least in the RPM case, a regular unprivileged user cannot cause an untrusted program to run with kernel-level permissions. In Linux, that user would have to enter a privileged password (for sudo or root login). On Vista, a regular user who has no admin rights can choose to execute an installer program with kernel privileges.

That's the same in Vista (3, Informative)

Sycraft-fu (314770) | more than 7 years ago | (#18003326)

If you are a standard user, you have to enter a password to elevate privileges. However Vista has a compromise mode of sorts. You can run as an administrator, but leave UAC on. This allows you to elevate without entering a password. You still have to elevate privilege, but it requires no password. Turning UAC off makes administrator accounts function as they did in XP where you have privilege at all times.

Re:So what's new? (3, Interesting)

lukas84 (912874) | more than 7 years ago | (#18003382)

I'm sorry, but you are wrong.

A regular user without admin rights can't run any program with admin privileges, ever. Of course said user can use runas (or their graphical counterpart), and give the program U:PW for administrative privileges.

Now, the default user Vista creates at install time is an administrator - but the default token said user gets is the same of a regular user. Now, if you want to run a setup program, Vista will elevate the privileges of such administrator accounts to the administrator level.

It's really quite similar to sudo, except that it doesn't prompt for passwords. But, if you want, you can do even that, through group policies.
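To make the split-token behaviour described above (an administrator account whose default token is a standard user's, elevation by consent rather than password, and the group-policy option to demand credentials) checkable on a real machine, here is an added audit script. It is my own example, not code from the thread or from Microsoft. It reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the documented registry names for these settings), reports whether the current process holds the full administrator token, and grades the configuration: UAC off (administrators always fully privileged, the XP behaviour), silent elevation, consent-only elevation, or a credential prompt. That the Vista default for ConsentPromptBehaviorAdmin is 2 (consent) is my assumption, and the sample policy is constructed; the assessment function is pure Python and runs anywhere, while the registry read and the token check only work on Windows.

```python
"""Added example, not from the thread or Microsoft: audit the UAC policy that decides
whether an administrator gets a filtered token and how elevation prompts."""
import ctypes
import sys

try:
    import winreg                      # Windows only; the assessment below is pure Python
except ImportError:
    winreg = None

UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin",
              "ConsentPromptBehaviorUser", "PromptOnSecureDesktop")


def read_uac_policy():
    """Read the four policy values from HKLM; None on a non-Windows host."""
    if winreg is None:
        return None
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as key:
        for name in UAC_VALUES:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                policy[name] = None    # absent: the OS default applies
    return policy


def running_elevated():
    """True if this process holds the full administrator token; None off Windows."""
    if not sys.platform.startswith("win"):
        return None
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


def assess_uac(policy):
    """Grade the policy as (severity, value name, meaning) findings."""
    findings = []
    if policy.get("EnableLUA") == 0:
        findings.append(("high", "EnableLUA",
                         "UAC off: administrators always hold the full token, as on XP"))
        return findings                # the other values have no effect while UAC is off
    admin = policy.get("ConsentPromptBehaviorAdmin")
    if admin == 0:
        findings.append(("high", "ConsentPromptBehaviorAdmin",
                         "administrators elevate silently, with no prompt at all"))
    elif admin in (2, 4, 5, None):     # None: absent, assumed Vista default of 2 (consent)
        findings.append(("medium", "ConsentPromptBehaviorAdmin",
                         "elevation asks for consent only, no password; 1 gives a credential prompt"))
    # 1 and 3 prompt for credentials; 1 additionally uses the secure desktop
    if policy.get("ConsentPromptBehaviorUser") == 0:
        findings.append(("info", "ConsentPromptBehaviorUser",
                         "standard users cannot elevate at all; requests are denied"))
    if policy.get("PromptOnSecureDesktop") == 0:
        findings.append(("medium", "PromptOnSecureDesktop",
                         "prompts are drawn on the normal desktop, where other programs can overlay them"))
    return findings


# Constructed sample: the split-token admin setup the thread describes, consent-only prompts.
SAMPLE_POLICY = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
                 "ConsentPromptBehaviorUser": 1, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    policy = read_uac_policy() or SAMPLE_POLICY
    print("elevated now:", running_elevated())
    for severity, name, meaning in assess_uac(policy):
        print("[%s] %s=%r: %s" % (severity, name, policy.get(name), meaning))
```

Run it from a normal (non-elevated) console on a Vista-style setup and `running_elevated()` comes back False even though the account is an administrator, which is the filtered token at work; the findings then tell you whether elevation will merely ask for a click.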

Re:So what's new? (1)

bflong (107195) | more than 7 years ago | (#18003224)

True, although that's because you have to be root to install the package with rpm to begin with. Which means you *know* that it's executing with root privileges.

Re:So what's new? (1)

Joe U (443617) | more than 7 years ago | (#18003660)

So, the dialog box in Vista with the big 'hey, this requires elevated access' message isn't telling you a thing.

Re:So what's new? (1)

repvik (96666) | more than 7 years ago | (#18003228)

Can anyone but root install rpms?

Re:So what's new? (1)

whoever57 (658626) | more than 7 years ago | (#18003640)

Can anyone but root install rpms?
I don't think there is anything inherent in the RPM system that requires root access. Root access is normally required because the rpm file modifies files and directories that are owned by root during the installation. However, if the rpm were to be installed using a path that the user had rights over, no files were required to be installed as owned by root (or other privileged user) and the rpm command was used in such a way that the system rpm database was not modified, then the rpm could be installed by a regular user.

You ought to watch those irrational beliefs . . . (5, Insightful)

mmell (832646) | more than 7 years ago | (#18003230)

Let's say rather that you need root authority to install rpm packages for use by all users.

rpm itself doesn't require root authority, and if everything you intend to do with rpm happens in directories to which you have write authority, rpm will work just fine.

By default, rpm does use directories (notably, in /var) which will require running with root authority; but this can be overridden with command line switches (say, to install an rpm which will only be used by you).

RTFM.

Re:You ought to watch those irrational beliefs . . (1)

FooAtWFU (699187) | more than 7 years ago | (#18003396)

More importantly, rpm doesn't run as setuid root (at least not on any sane system...)

I KNEW I was forgetting to mention something . . . (1)

mmell (832646) | more than 7 years ago | (#18003494)

important.

Yes, that's the whole crux of the matter - rpm can't (shouldn't) automagically elevate its privileges - in fact, once running, it's running with the authority of the UID which launched it - period. No privilege elevation on the fly here (and I consider that a really good thing)!

Re:I KNEW I was forgetting to mention something . (1)

Joe U (443617) | more than 7 years ago | (#18003600)

Spoken like someone who doesn't use Vista as a limited user.

You still have to authenticate with administrator access before you run the installer. There is no on-the-fly elevation.

Re:So what's new? (1)

evilviper (135110) | more than 7 years ago | (#18003284)

I believe that even RPM on linux runs the install scripts with admin access...

If you invoked the command as root, of course it does. If you installed the RPM as a non-root user into a folder you have write access to, it doesn't.

With RPMs, however, you have a simple command-line option to tell it NOT to execute script commands. And RPMs are just simple packages (like tar) and you can open them up, examine them, modify the script, etc. as much as you like. No such thing in the Windows world, where installers are encrypted cab files, only accessible to the installer binary, and all the commands and settings that are needed, are completely hidden inside the EXE.

Re:So what's new? (1)

wmshub (25291) | more than 7 years ago | (#18003310)

You don't have to run RPM as root.

At one job I had no root access to my Linux box, but I wanted to install a newer openoffice from RPM (I was having trouble getting the build from the source tarball to work). I was able to create my own RPM database, then install OO with modified paths into a directory off of my home dir. It worked great, I was up and running OO after about 15 minutes of fiddling and reading man pages.

But you have a point in that most (all?) distributions are set up for RPM to be run only by root.
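The points made in the posts above by mmell, evilviper and wmshub (rpm itself needs no root, the scriptlets can be switched off, and an RPM is an open container you can examine before deciding whether to let it run) can be checked by hand. The following script is an added example of my own, not code from the thread or from the rpm project: it builds a minimal RPM-style file in memory (lead, signature header, main header, placeholder payload; the package name, version and scriptlets are constructed) and then parses the header to list the %pre/%post/%preun/%postun scriptlets without executing anything, flagging lines that load kernel modules, which is exactly what the story says a freeware Tetris installer could do under Vista's UAC. The header layout, tag numbers and the 8-byte padding after the signature header follow the RPM file format; the review heuristic and the sample package are mine.

```python
"""Added example, not from the thread: build a minimal RPM-style package in memory,
then parse its header to list install scriptlets without running anything."""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"           # header structure magic, version 1
RPM_INT32_TYPE, RPM_STRING_TYPE = 4, 6
RPMTAG_NAME, RPMTAG_VERSION, RPMTAG_RELEASE = 1000, 1001, 1002
SIGTAG_SIZE = 1000                           # lives in the signature header, not the main one
SCRIPT_TAGS = {1023: "prein", 1024: "postin", 1025: "preun", 1026: "postun"}
KERNEL_LOAD_HINTS = ("insmod", "modprobe", "depmod")   # review heuristic, my choice


def build_lead(name):
    """96-byte lead: magic, major, minor, type, archnum, name, osnum, sigtype, reserved."""
    return struct.pack(">4sBBhh66shh16s", RPM_LEAD_MAGIC, 3, 0, 0, 1,
                       name.encode()[:65], 1, 5, b"\x00" * 16)


def build_header(entries):
    """One header section from (tag, type, value) triples: magic, reserved,
    index count, store size, 16-byte index entries, then the data store."""
    index, store = b"", b""
    for tag, typ, value in entries:
        if typ == RPM_STRING_TYPE:
            data = value.encode() + b"\x00"
        elif typ == RPM_INT32_TYPE:
            store += b"\x00" * ((4 - len(store) % 4) % 4)   # INT32 data is 4-byte aligned
            data = struct.pack(">i", value)
        else:
            raise ValueError("unsupported tag type %d" % typ)
        index += struct.pack(">iiii", tag, typ, len(store), 1)
        store += data
    return (HEADER_MAGIC + b"\x00" * 4
            + struct.pack(">ii", len(entries), len(store)) + index + store)


def build_package(name, version, release, scriptlets):
    """Lead + signature header (padded to 8 bytes) + main header + placeholder payload."""
    label_to_tag = {label: tag for tag, label in SCRIPT_TAGS.items()}
    entries = [(RPMTAG_NAME, RPM_STRING_TYPE, name),
               (RPMTAG_VERSION, RPM_STRING_TYPE, version),
               (RPMTAG_RELEASE, RPM_STRING_TYPE, release)]
    entries += [(label_to_tag[label], RPM_STRING_TYPE, text) for label, text in scriptlets.items()]
    header = build_header(entries)
    payload = b"CONSTRUCTED-PAYLOAD-PLACEHOLDER"   # a real package carries a compressed cpio archive
    sig = build_header([(SIGTAG_SIZE, RPM_INT32_TYPE, len(header) + len(payload))])
    sig += b"\x00" * ((8 - len(sig) % 8) % 8)
    return build_lead(name) + sig + header + payload


def parse_header(data, pos):
    """Parse the header section at pos; return ({tag: (type, offset, count)}, store, end)."""
    if data[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">ii", data[pos + 8:pos + 16])
    index_start = pos + 16
    store_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        entry = data[index_start + 16 * i:index_start + 16 * i + 16]
        tag, typ, offset, count = struct.unpack(">iiii", entry)
        entries[tag] = (typ, offset, count)
    return entries, data[store_start:store_start + hsize], store_start + hsize


def extract_scriptlets(rpm_bytes):
    """Return name, version and the scriptlets found in the main header, as text."""
    if rpm_bytes[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    _, _, pos = parse_header(rpm_bytes, 96)          # signature header: skipped here
    pos += (8 - pos % 8) % 8                          # main header starts on an 8-byte boundary
    entries, store, _ = parse_header(rpm_bytes, pos)

    def string_tag(tag):
        typ, offset, _count = entries[tag]
        if typ != RPM_STRING_TYPE:
            raise ValueError("tag %d is not a string" % tag)
        return store[offset:store.index(b"\x00", offset)].decode()

    return {"name": string_tag(RPMTAG_NAME), "version": string_tag(RPMTAG_VERSION),
            "scriptlets": {label: string_tag(tag)
                           for tag, label in SCRIPT_TAGS.items() if tag in entries}}


def review_scriptlets(info):
    """Flag scriptlet lines that load kernel modules, as (scriptlet, line) pairs."""
    findings = []
    for label, text in info["scriptlets"].items():
        for line in text.splitlines():
            if any(hint in line.split() for hint in KERNEL_LOAD_HINTS):
                findings.append((label, line.strip()))
    return findings


# Constructed sample: a "freeware Tetris" package whose %post loads a kernel module.
SAMPLE_SCRIPTS = {"postin": "modprobe tetris_accel\nldconfig", "preun": "rm -f /var/run/tetris.pid"}
SAMPLE_PACKAGE = build_package("tetris", "1.0", "1", SAMPLE_SCRIPTS)

if __name__ == "__main__":
    info = extract_scriptlets(SAMPLE_PACKAGE)
    for label, text in info["scriptlets"].items():
        print("%s %s, %%%s scriptlet:\n%s" % (info["name"], info["version"], label, text))
    for label, line in review_scriptlets(info):
        print("REVIEW: %s scriptlet loads a kernel module: %s" % (label, line))
```

On a real package the same inspection is `rpm -qp --scripts pkg.rpm`, the payload can be listed with `rpm2cpio pkg.rpm | cpio -t`, and `--noscripts` skips the scriptlets at install time. A per-user install into a private database, the approach wmshub describes, is `rpm --dbpath ~/rpmdb --prefix ~/opt -ivh pkg.rpm` for a relocatable package; nothing in that command line runs as anyone but the invoking user.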

Re:So what's new? (0)

Anonymous Coward | more than 7 years ago | (#18003492)

Pathetic. So what do we know about you? A, you're using a GUI (double-click to install). B, you apparently have some kind of horked-up auto-install for RPMs in Linux which I've never heard of before. C, and worst, you are logged in as 'root' by default which is the world's biggest no-no and means you're about as pathetic a user as anybody in windows (and as unprotected).

If this post was anything besides pure ignorance it was FUD.

Re:So what's new? (0)

Anonymous Coward | more than 7 years ago | (#18003590)

I believe that even RPM on linux runs the install scripts with admin access...

Nope - on Linux you have complete control.

An installer isn't going to run with root permission unless you've explicitly chosen to login/su as root. People may often do this, but it's certainly not necessary.

No reason you can't give yourself permission to, say, /usr/local, and install there.

A typical software installation is just copying files, so it doesn't need special privileges.

Re:So what's new? (1)

Azarael (896715) | more than 7 years ago | (#18003676)

That's why you can build many applications from source and install them in user space. If you don't want to install software as an admin, then you don't have to.

Another approach. (4, Funny)

Lethyos (408045) | more than 7 years ago | (#18003118)

Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple and effective solution.

Re:Another approach. (1)

nadamsieee (708934) | more than 7 years ago | (#18003210)

If only there was a platform that offered such a simple and effective solution.

To the non-geeks: Why are you reading Slashdot?!?!?

Oh, and he is referring to just about any POSIX(-like) implementation: Unix, Solaris, Linux, etc.

Re:Another approach. (1)

mihalis (28146) | more than 7 years ago | (#18003440)

I think he is probably specifically referring to Mac OS X

Re:Another approach. (2, Interesting)

QuantumG (50515) | more than 7 years ago | (#18003442)

Actually, he was referring to App Bundles.. a Mac concept that has been replicated on Linux about a dozen times but has never taken.

Re:Another approach. (2, Informative)

nadamsieee (708934) | more than 7 years ago | (#18003510)

a Mac concept that has been replicated on Linux about a dozen times but has never taken.

A user has had the ability to install stuff in her home directory on POSIX machines for oh... probably since POSIX machines have been around. This isn't a "Mac concept". At most Apple has polished the idea to make it easy for non-geeks. And don't forget that OS X a.k.a Darwin is a POSIX-like implementation.

Re:Another approach. (1)

QuantumG (50515) | more than 7 years ago | (#18003638)

It predates Darwin..

Microsoft already invented that! (1)

chopper749 (574759) | more than 7 years ago | (#18003354)

They just haven't put it into windows yet. They have to write up a patent app first, and then get the press release ready saying that everyone is copying their creative stuff.

Re:Another approach. (2, Informative)

drinkypoo (153816) | more than 7 years ago | (#18003402)

Why not just let the user copy the application bundle to wherever they have write permissions? That application then executes with the privileges of the user that invokes it. If only there was a platform that offered such a simple and effective solution.

Just to be a pedant, I would like to mention that you can in fact do this on Windows. However, applications developers seem to be in love with the registry, despite the fact that it really offers them no benefits whatsoever. I mean, it's slower than just putting all that data in flat files...

I have lots of programs that work fine when I just copy them from one windows installation to another. Most of them are in my games folder, though.

Re:Another approach. (0)

Anonymous Coward | more than 7 years ago | (#18003524)

I think that was the whole "balance ease of use with compatibility" thing. I bet a lot of installer applications need admin privileges. What if I need to change security descriptors on some files so all users can write to them, e.g. log files? You'd think with all of the confirmation boxes in Vista that one more box with a password prompt wouldn't hurt. MSI should need to be suid root.

MSI already has the "Install for all users/Install for just me" built into it, but that only does the shortcuts, not the binaries. To implement what you describe, the application needs to inherit its security descriptors from the shortcut. I'm not sure if it works that way already or not.

Re:Another approach. (1)

Knackered (311164) | more than 7 years ago | (#18003610)

What if I need to change security descriptors on some files so all users can write to them, e.g. log files?

Why should you need to change security descriptors? If you can write the log, you can probably truncate and modify it too, introducing possibilities to cover up spyware or rootkit installs. Why don't you have a logging API that writes the log with the correct permissions instead, callable from the user's sandbox?

Re:Another approach. (1)

lintux (125434) | more than 7 years ago | (#18003544)

This sounds very much like how one usually installs software on Mac OS X... Just drag a directory (which looks like a single file in the Finder) to your /Applications folder (or anywhere else, if you prefer, or if you can't write to /App) and you're done.

Re:Another approach. (1)

DrSkwid (118965) | more than 7 years ago | (#18003720)

The concept was introduced on the NeXT Machine.

Executable installers.... (3, Informative)

croddy (659025) | more than 7 years ago | (#18003120)

Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model. Things like APT have other nightmare scenarios (what if someone compromises the repository?), but not having to run shitty little EXEs to install applications isn't something I miss from Windows.

Re:Executable installers.... (1)

heffrey (229704) | more than 7 years ago | (#18003320)

Er, I think this refers to the Windows Installer service, which isn't exactly a "shitty little EXE".

That said, Installer is so complex and so hard to deploy under, perhaps a return to the good old days of "shitty little EXEs" would be an improvement.....

Re:Executable installers.... (1)

evilviper (135110) | more than 7 years ago | (#18003448)

Well, as long as your OS still relies on the ancient "executable installer" model for software distribution, you're going to be stuck making design decisions to accommodate that model.

Sure, it's a stupid model, but they are gradually moving away from it... They introduced .MSI for installation programs to replace EXEs; they're far from perfect, but it's a step up that should help eliminate these privilege problems.

It took them decades to get rid of the single-user model for applications, and I expect getting rid of EXE installers will take even longer.

Re:Executable installers.... (1)

scribblej (195445) | more than 7 years ago | (#18003746)

You do know that when you install software via APT it can run scripts to do anything it likes... right? The package might not be an executable, but apt will happily execute parts contained therein.

I'm all for bashing Windows, too, but in this case you've got nothing to laugh about.

Okay, I'll admit there are options to apt, which, if used, might help detect and avoid this kind of problem (like, installing as a user to a different set of install directories, rather than sudo apt-get install foo) but few people follow those safer steps.

No, the reason apt wins over Windows isn't because there is no executable factor. There is. But apt wins for other reasons, like having some 16,000 packages available and signed for by the distributor (Debian) -- there's very little chance I'm ever going to install a "third-party" binary on my system in the first place. Also, having the full source available for all those packages doesn't hurt, either...
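The post above makes the point that a package is not itself an executable, yet dpkg still runs the maintainer scripts packed inside it with root privileges. That is something a defender can check before installing rather than after. The following Python is an added example, not code from the post, from Slashdot or from the Debian project: it builds a constructed minimal .deb in memory (the outer ar container holding debian-binary, control.tar.gz and data.tar.gz), then parses that container and lists the preinst/postinst/prerm/postrm scripts that would run as root. The package name, control fields and script body are constructed sample values.

```python
"""Constructed example: list the maintainer scripts a .deb would run as root.

A Debian package is an 'ar' archive holding three members: debian-binary,
control.tar.* (metadata plus the maintainer scripts) and data.tar.* (the
files to unpack). dpkg runs preinst/postinst/prerm/postrm from the control
archive with root privileges, so reviewing them before installing is the
check that matters. Everything here is built in memory; nothing is installed.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member of a classic 'ar' archive (the outer .deb container)."""
    # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}".encode()
    header += b"`\n"
    # Member bodies are padded to an even length with a newline.
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Pack {path: bytes} into a gzip'd tar laid out like dpkg-deb does ('./' prefix)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(content)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample package; the name, fields and script are placeholders."""
    control = (b"Package: sample-blocks\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: Constructed Example <nobody@example.invalid>\n"
               b"Description: constructed sample package\n")
    # A postinst is an arbitrary shell script; dpkg runs it as root.
    postinst = b"#!/bin/sh\nset -e\nmkdir -p /etc/sample-blocks\n"
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"control": control, "postinst": postinst}))
            + _ar_member("data.tar.gz", _tar_gz({"usr/share/doc/sample-blocks/README": b"sample\n"})))


def ar_members(blob: bytes) -> dict:
    """Parse the outer ar container into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        # GNU ar may terminate names with '/', dpkg-deb does not; accept both.
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii"))
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size % 2)  # skip the even-length padding byte
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: source} for every maintainer script in the package."""
    members = ar_members(deb)
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control archive; not a .deb")
    scripts = {}
    # 'r:*' handles gzip, bzip2 and xz control archives; zstd needs an extra step.
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for info in tf.getmembers():
            base = info.name[2:] if info.name.startswith("./") else info.name
            if base in MAINTAINER_SCRIPTS and info.isfile():
                scripts[base] = tf.extractfile(info).read().decode("utf-8", "replace")
    return scripts


def review(deb: bytes) -> list:
    """One line per maintainer script, for a pre-install review."""
    scripts = maintainer_scripts(deb)
    if not scripts:
        return ["no maintainer scripts: dpkg only unpacks files"]
    return [f"{name}: {len(src.splitlines())} lines run as root" for name, src in scripts.items()]


if __name__ == "__main__":
    for line in review(build_sample_deb()):
        print(line)
```

On a real package the same extraction is what `dpkg-deb -e pkg.deb dir` does; the block parses the container directly only so that it runs offline. The script contents are returned as text rather than judged, since which root-level actions are acceptable is a policy decision for the reviewer, not something a parser can settle.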

"balance" ease of use (2, Insightful)

gvc (167165) | more than 7 years ago | (#18003142)

Ease of use and compatibility with DOS/Windows is a major reason that Microsoft got us into this security mess. The default user in XP was an administrator with no login password. Non-privileged accounts were practically useless, mainly because you couldn't install any software using them. Now Vista is touted as allowing non-privileged accounts, but the price you pay is that any old installer is privileged. What an advance!

While I'm at it, why does a printer (or other non-intrusive peripheral) driver have to have unfettered access to the life blood of the OS?

Eh? (2)

nagora (177841) | more than 7 years ago | (#18003144)

Does this mean that Vista does not allow users to install local copies of programs (eg, Tetris)?

Absolutely shocking... (2)

jtobin (988724) | more than 7 years ago | (#18003148)

...they're trying to install Tetris? Haven't they heard of Crack Attack?

Excuses Excuses (1)

bostons1337 (1025584) | more than 7 years ago | (#18003158)

"Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

So are they saying they already knew about the hole and just waited for someone to find it or is this one of those typical Microsoft excuses?

Re:Excuses Excuses (1)

Joe U (443617) | more than 7 years ago | (#18003542)

No, it's a potential risk.

As in:
Yes, if you elevate yourself to admin you can ruin your system.
Installing software usually requires admin access, so you have to authenticate, opening yourself up to admin.

Super elite hax0r Rutkowska is worried that by default, installers usually need to be run as admin.

Apple was right.. (1, Redundant)

HockeyPuck (141947) | more than 7 years ago | (#18003194)

Normally I don't give any credit to marketing droids... but Apple's "Security" switcher ad is right on target:

http://images.apple.com/movies/us/apple/getamac/apple-getamac-security_480x376.mov [apple.com]

bwbwbahaha (1)

TheCouchPotatoFamine (628797) | more than 7 years ago | (#18003404)

priceless - didn't see that one.. OUCH!

Re:Apple was right.. (0)

Anonymous Coward | more than 7 years ago | (#18003712)

It would be funnier if the Apple installer didn't do the same thing.

Further proof (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18003214)

...that security needs to be designed in from the start to be effective, not a bolted-on afterthought.

When are they finally gonna give up this retarded backward-compatibility-at-all-costs mindset and *really* rewrite Windows from the ground up? Microsoft owns Virtual PC for Christ's sake, so it's not like they couldn't include a sandboxed "classic" Windows for app compatibility for a few years.

The one thing Apple did that Microsoft really ought to copy, they don't. Figures.

Re:Further proof (1)

NastyNate (398542) | more than 7 years ago | (#18003718)

This seems to be one of the first times the 'defectivebydesign' tag that appears on all Windows articles is very appropriate, as opposed to the practice of blindly tagging all Windows articles this way.

Tetris is a brand name (-1, Offtopic)

tepples (727027) | more than 7 years ago | (#18003222)

From the blurb: "This means that a freeware Tetris installer would be allowed to load kernel drivers."

Point of terminology: Except for one PC DOS based prototype by Vadim Gerasimov [oversigma.com] , Tetris [tetris.com] software is not freeware. Calling Quadra [sourceforge.net] , Lockjaw [pineight.com] , Bedter [abednarz.net] , or Emlith [emurasoft.com] "Tetris" is just as incorrect as calling RC Cola or Coca-Cola "Pepsi" or calling GNU "UNIX", because it's not.

</anal-retentive>

Corrected: "This means that a freeware Soviet Mind Game installer would be allowed to load kernel drivers."

Re:Tetris is a brand name (4, Funny)

blackmonday (607916) | more than 7 years ago | (#18003406)

Your post is even funnier if you read it out loud in the Simpson's "Comic Book Guy" voice.

Re:Tetris is a brand name (1)

repruhsent (672799) | more than 7 years ago | (#18003476)

You don't get outside much, do you?

What? (5, Interesting)

jamesshuang (598784) | more than 7 years ago | (#18003234)

So let me get this straight... deleting a shortcut [flickr.com] brings up a pile of popups, but installing something doesn't?! Who's trading security for annoyance here?

Balancing Security with Ease of use (5, Funny)

ThatsNotFunny (775189) | more than 7 years ago | (#18003238)

Looks like "Ease of Use" is the morbidly obese 10-year-old kid on this see-saw, and "Security" is up in the air with her legs dangling, and all the kids are lookin' up her skirt.

Re:Balancing Security with Ease of use (1)

bostons1337 (1025584) | more than 7 years ago | (#18003292)

LMAO, very nice comparison between the two.

Re:Balancing Security with Ease of use (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18003480)

Balancing Security with Ease of use...

The problem I have is that many people, including security people, assume that ease of use and security are polar opposites, and it blinds them to real problems. If you require users to change their password every day you've reduced ease of use and security, because you've motivated people to work around your security (possibly with Post-it notes). There are plenty of real ways to increase the security of Windows and increase usability as well by providing users with more and better information and options, as well as removing unneeded decisions. The worst part about all this, in my mind, is that MS as a monopoly is in the unique position of being able to enact sweeping reforms that require developers to adopt new practices to improve security, but MS doesn't do it.

In a nutshell: (1, Insightful)

Recovering Hater (833107) | more than 7 years ago | (#18003254)

Microsoft programmers *still* don't understand the basic principles behind user access controls or how to implement security. Nothing to see here, move along.

Re:In a nutshell: (1)

gstoddart (321705) | more than 7 years ago | (#18003584)

Microsoft programmers *still* don't understand the basic principles behind user access controls or how to implement security.

I don't think you need to pin this on the individual programmers.

Blame it on management decisions, and a huge, bloated codebase that historically MS hasn't been able to fully consume internally. Some apps will use the new hotness, some will rely on old technologies which are deprecated, and some will use the ones which aren't formally documented.

Microsoft has become a huge juggernaut. I'm sure the individual programmers are trying to do their best -- it's just a very unwieldy mountain of technology, and not everyone can see all of the same rocks. :-P

Cheers

DOOM: History repeats itself (5, Funny)

MarkGriz (520778) | more than 7 years ago | (#18003266)

Wasn't it the failure of the UAC that allowed the demons from hell to infiltrate Earth?

I guess MS didn't learn anything from id.

Re:DOOM: History repeats itself (4, Funny)

chrisb33 (964639) | more than 7 years ago | (#18003538)

You think UAC is bad now? Just wait for Vista II: Hell on Earth [wikipedia.org]

Why is Intel making 80 core CPU's? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18003428)

Microbucks has requested they need 79 to do security checks.

Tiers of Joy (1)

3D Monkey (808934) | more than 7 years ago | (#18003450)

IANAP but shouldn't there be a way for the OS to know the difference between an app that wants to install kernel level code and one that just wants to let you play Tetris? If so, couldn't it be implemented in such a way that you are only asked for security clearance (press the OK button) if the former is true? Seems like a tiered system would be the best way to balance security with ease-of-use.

After 8 trillion years of hype and build up I'd figure this would be the least that Vista would do for its users.

Troubling ... (4, Interesting)

eck011219 (851729) | more than 7 years ago | (#18003456)

... particularly because Vista was supposed to address some of the problems Microsoft had when trying to balance security and ease of use in XP. We now live in a very dangerous time as far as digital stuff is concerned, and I think continuing to hide as much security from people as possible (while paying lip service to it in other ways like UAC) is foolish. End users are going to have to learn to be careful, and learn a little bit about security. Cars didn't used to have locks, either. Times change, and people have to adapt to it to some extent.

That said, I personally very much liked the Vista user experience (I'm back to XP for now, but I had the beta and RC1). But after the first couple of days, I turned off UAC (and besides, I like to manage my security myself). It did nothing but ask me if I wanted to do what I was doing. Like another early poster here, I almost immediately reverted to clicking any damn OK button I saw. And God knows, I turned the sound off almost immediately. Moreover, I turned it off because it seemed like a talented Bad Guy would simply bury his Evil Code in something that seemed benign, and Joe User would just click through it. But all of that has been covered at great length in these hallowed halls already.

My point is still this: the bad guys are out there now. That's just reality. Telling people not to worry and to go back to sleep doesn't serve anyone anymore. I don't think power user knowledge is necessary for the average person, but frank awareness of basic online safety puts it in the hands of the individual user to some extent, and eases some of the strain for the OS designers/engineers. Because while MS has made some dumb and dangerous mistakes in the past, I still think of it this way: when you're designing any piece of software, you can't completely anticipate the security issues that will come up a year down the road, and you can't reduce how hard a user will work to circumvent your attempts to protect them, no matter how unobtrusive they may be.

I'm not defending MS for its past mistakes, oversights, poor execution, and so on, but I do think people need to pony up a little more energy to protect themselves. I'm no security expert, but it just seems like responsible living to me.

Oh, this is rich ... (3, Insightful)

gstoddart (321705) | more than 7 years ago | (#18003458)

Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use.

Microsoft has created a culture of choosing between security/good/whatever and 'ease of use'. Going all the way back to older versions of Windows in which there was no user permissions model.

Hearing that all frigging installers are going to want admin perms is a frigging joke. Part of the reason Windows is insecure is you can't do anything without being an admin. It's not like it even supports a model whereby you install the software into your own location. Every piece of software expects to be able to write registries, replace system DLLs, and generally crap into a few common folders.

I mean, well over a decade ago I could download any old UNIX software, untar it, set an environment variable, and just run the damned software. No root perms needed, just glorious, easy to run/trivial to uninstall software.

This means that people aren't going to install their animated cursors in a sandbox which only affects them. They'll do it as admin, and potentially bork the whole machine.

This just makes me laugh.

Cheers

Sigh ... "Microsoft's Mark Russinovich" (0)

Anonymous Coward | more than 7 years ago | (#18003702)

That phrase brings a tear to my eye.

Re:Oh, this is rich ... (1)

rilister (316428) | more than 7 years ago | (#18003706)

Interesting that they would wheel out Mark Russinovich to paper over this crack: his Sysinternals operation was only bought by MS about six months ago, right? He seemed like he made a career working around bad design choices or omissions in Windows.

He even produced the famous joke-BSOD screensaver that perfectly mimics a b0rked windows installation...

Is he being forced out for street-cred purposes? "Hey, Mark thinks it was a good idea!" - I wonder what he'd say OFF the record about this....

Hole? (1)

Henry V .009 (518000) | more than 7 years ago | (#18003522)

And synaptic won't run without root privileges. So what?

Re:Hole? (1)

Todd Knarr (15451) | more than 7 years ago | (#18003670)

Synaptic will run quite nicely without root privileges. All it needs is the proper access to its database (if you're installing or updating, you obviously need write access), but it can get that without being root if you set things up right. Now if it doesn't run as root then packages that want to install things in root-owned system directories might have problems, but a) that's the whole point and b) you can usually have such packages installed somewhere not root-owned by using the right incantations.

Re:Hole? (2, Insightful)

Henry V .009 (518000) | more than 7 years ago | (#18003714)

I knew that reply was coming. Yes, the expert user can force synaptic into running without root privileges. However the new Ubuntu user who tries to start it up is simply going to hit an "enter your password" prompt at the get-go.

The expert Vista user can get around running installation programs as the Administrative user as well. It's the same issue.

Cancel or Allow? (1)

fahrbot-bot (874524) | more than 7 years ago | (#18003540)

"Microsoft's Mark Russinovich acknowledges the risk factor but says it was a 'design choice' to balance security with ease of use."

So, requiring software to use (possibly unnecessary) elevated privileges to install thus allowing unrestricted access to the system and circumventing all user security is a "design choice"?

As the Mac vs. PC commercial goes, "You are coming to a sad realization. Cancel or Allow?"

Re:Cancel or Allow? (1)

Sebastopol (189276) | more than 7 years ago | (#18003580)

This reminds me of the piss-poor attempt at security in Firefox extension certification.

Sorry, Mark Russinovich is RIGHT. (0)

nweaver (113078) | more than 7 years ago | (#18003634)

From the article, a comment by Mark Russinovich:

So if you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

This is it, 100%. The problem with so much of Windows XP is that you had to run as administrator for silly things like games and everything else. These account-internal privilege levels are to simply allow the non-admin account to be able to do anything at all, and the "all installers are Admin" is a reasonable if somewhat permissive cost to pay, as it is better than the "Everything is admin" which is what it used to be.