
July 5th, 2006

Missing the true impact of Vista UAC

Posted by George Ou @ 2:12 am

Categories: Security, Vista


There were plenty of stories last week about Microsoft’s plea to not turn off Vista’s UAC security feature and plenty of criticism that UAC is dead before Vista even arrives.  Not only is this foolish because UAC is still being refined, but it’s missing the bigger picture of how the new security feature protects and benefits all Windows users.

Vista’s UAC has already had some improvements under the Beta2 build of Vista.  For example, the task manager will now run under a standard user context with administrative capabilities disabled, whereas earlier builds of Vista would have demanded administrative escalation before the task manager even launched.  Future builds of Vista will streamline UAC even more, and Microsoft’s ultimate goal is to never have any UAC prompts for any normal system operations.

Some are also complaining that Vista’s new secure desktop prompting feature is too annoying and that other operating systems like Mac OS X don’t do this.  Secure desktop prompting will dim out the entire desktop and prevent any interaction with the desktop until the prompt is accepted or denied, but this truly is a useful security feature that is leading the way.  There are privilege exploits that will actually attempt to fool the user into clicking "RUN" by masking out the entire dialog box.  Having a secure desktop prompting mechanism minimizes the possible confusion by locking out the desktop and letting the user know when they’re really being prompted for privilege escalation.

While fixing software to behave properly in the first place is ideal, it isn’t always feasible.  Microsoft’s solution for this is application "shims" that essentially lie to legacy applications to make them believe that they’re running with administrative privileges.  There are even applications that don’t actually need any administrative access, but they will check to see if they have it and will fail if the answer is no.  Other applications try to write to protected regions of the system registry and file system, which requires administrative access.  A shim will essentially lie to the applications that "yes you are an administrator" and seamlessly reroute any system-level registry and file changes to temporary locations.  Microsoft will have thousands of these application-specific shims, but they may ultimately have to create some sort of automatic shimming mechanism for all the legacy applications.  The great thing about shimming is that it is not a compromise on security because the application is running in a standard user context and only thinks it’s running as an administrator.
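The rerouting described above can be modelled in a few lines.  This is an added example, not Microsoft's shim code: the class, the directory layout and the per-user store names are hypothetical, and it only simulates the behaviour with ordinary files.

```python
import tempfile
from pathlib import Path


class LegacyAppShim:
    """Toy model: answers 'yes' to the admin check, redirects protected writes."""

    def __init__(self, protected_root, user_store):
        self.protected_root = Path(protected_root).resolve()
        self.user_store = Path(user_store)  # per-user, writable without elevation

    def is_administrator(self):
        # The "lie": the app's privilege check passes, but no call below
        # ever runs with more than standard-user rights.
        return True

    def _shadow(self, path):
        # Per-user copy of a protected path, or None if the path is elsewhere.
        try:
            rel = Path(path).resolve().relative_to(self.protected_root)
        except ValueError:
            return None
        return self.user_store / rel

    def write(self, path, data):
        shadow = self._shadow(path)
        target = shadow if shadow is not None else Path(path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(data)
        return target

    def read(self, path):
        shadow = self._shadow(path)
        source = shadow if shadow is not None and shadow.exists() else Path(path)
        return source.read_text()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp, "Program Files", "LegacyApp")  # constructed layout
        app_dir.mkdir(parents=True)
        ini = app_dir / "settings.ini"
        ini.write_text("theme=default\n")  # stands in for the installed file
        alice = LegacyAppShim(app_dir.parent, Path(tmp, "alice_store"))
        bob = LegacyAppShim(app_dir.parent, Path(tmp, "bob_store"))
        alice.write(ini, "theme=dark\n")  # app believes it changed the system file
        return {"alice": alice.read(ini), "bob": bob.read(ini),
                "system": ini.read_text(), "admin_check": alice.is_administrator()}
```

The application run by the first user reads back its own change, while the installed file and the second user's view stay untouched, which is why the redirection costs nothing in privilege.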

The most significant part that’s lost in the discussion about Vista UAC is that it isn’t just about making standard user operation workable.  Internet Explorer 7 running under Windows Vista will operate in a special protected mode that forces IE7 to run in a jail cell.  If IE7 is compromised by a documented or undocumented future exploit, it will not have administrative privileges nor will it have access to your user files.  There have been documented exploits on Mac OS X where a proof-of-concept exploit in the Safari browser will enumerate (list) user files, though it could have easily wiped them out or encrypted them for ransom.  I asked Microsoft if this new protected mode is available to ISVs and they responded that it was available to anyone.  This means that Mozilla Firefox, which has had a significant history of exploits, could be programmed to run in protected mode in Windows Vista.  If third-party web browsers don’t employ this new security feature, they will be at a significant disadvantage to Vista’s native web browser.

Some people are saying that Vista UAC is annoying so they have turned it off and will never turn it on again.  The truth of the matter is that if they do turn it off then it will only endanger their own computers.  The fact that Windows Vista has UAC turned on by default will force all the major ISVs (Independent Software Vendors) to design their software correctly and not demand administrative privileges.  This default setting alone, regardless of how many people ultimately turn off UAC, is worth the price of admission.  The entire Windows community benefits when ISVs start coding responsibly, which makes it possible to run Windows Vista in standard user mode whereas it was highly impractical to do so with Windows XP and before.  Once we examine the big picture of Windows Vista UAC, it is hardly the failure that some would seem to suggest.
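For administrators who want to know which machines have had UAC or secure desktop prompting switched off, the settings can be checked from captured registry output.  This is an added example, not part of the original post: the sample text is constructed in the shape printed by `reg query`, and the function names are hypothetical.

```python
import re

# Constructed sample, in the shape printed by:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

# value name -> (weak setting, what that setting means)
CHECKS = {
    "EnableLUA": (0, "UAC is turned off"),
    "PromptOnSecureDesktop": (0, "prompts are not shown on the secure desktop"),
    "ConsentPromptBehaviorAdmin": (0, "administrators are elevated without a prompt"),
}

LINE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_dwords(text):
    """Return {value name: integer} for every REG_DWORD line in the output."""
    values = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit_uac(text):
    """List weak or unreadable UAC settings found in captured reg query output."""
    values = parse_dwords(text)
    findings = []
    for name, (weak, meaning) in CHECKS.items():
        if name not in values:
            # Absent from the capture: report it rather than assume a default.
            findings.append(f"{name}: not present in the captured output")
        elif values[name] == weak:
            findings.append(f"{name}={weak}: {meaning}")
    return findings
```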

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
