
February 14th, 2007

What the UAC 'hole' is really about

Posted by George Ou @ 3:56 am

Categories: Desktop, Security, Vista


Fellow blogger Ryan Naraine wrote a post, "Hacker, Microsoft duke it out over Vista design flaw", in which he reported on a disagreement between elite researcher Joanna Rutkowska (of Singapore-based Coseinc) and elite programmer Mark Russinovich (formerly of Sysinternals, which was acquired by Microsoft). I've spoken with both of these people and I have a lot of respect for both of them. Rutkowska did some groundbreaking research on hypervisor-based rootkits that hijack an operating system by sticking it in a hardware-based virtual "Matrix" prison. Russinovich is one of the elite programmers from Sysinternals, which cranked out a lot of really powerful and well-coded utilities for managing and maintaining Windows.

I had a hard time believing some of the characterizations of Rutkowska's positions, and that prompted me to contact Rutkowska firsthand. It turned out she had already notified Ryan Naraine to correct her positions, and you'll see her clarifications at the end of Naraine's blog. What Rutkowska was upset over was Russinovich's position that UAC implementation issues were not to be considered security bugs.

From where I stand, I don't see either party as wrong. Rutkowska sees a design weakness in Vista UAC where it can be made much better with a little more granularity of control, and Russinovich doesn't want to see this characterized as a bug in the software when this is clearly a design issue. Plenty of these types of design issues have been inaccurately played up as if Microsoft screwed up the code again, and I can understand Russinovich's and Microsoft's defensiveness on the issue. Rutkowska actually goes as far as saying that she understands the design decision as a compromise between security and usability. David Maynor also joined in on the debate and added that if you are prompted for an admin password to install an app on a Mac, or you use sudo to elevate privileges in Linux to install something, then it's no different from what Vista UAC is doing. So it seems to me that all parties involved here pretty much agree.

[Update] - Joanna adds this clarification.
Please, note that Russinovich's post referred to *implementation* bugs in UAC and that they should not be treated as "security bugs" (and this is what shocked me!).  I don't see how his post tells anything about the "elevated-installs" issue - which has nothing to do with *implementation* bugs in UAC.

UAC has taken a lot of bashing from the blogosphere and media, and it isn't even-handed considering the fact that it is no different from Mac or Linux privilege escalation mechanisms. In Rutkowska's blog, she writes:

Many people complain about UAC, saying that it’s very annoying for them to see UAC consent dialog box to appear every few minutes or so, and claim that this will discourage users from using this mechanism at all (and yes, there’s an option to disable UAC). I strongly disagree with such opinion - I’ve been running Vista more than a month now and, besides the first few days when I was installing various applications, I now do not see UAC prompt more than 1-2 times per day. So, I really wonder what those people are doing that they see UAC constantly appearing every other minute…

While it's true that Vista UAC is no different from Mac or Linux privilege escalation, we must remember that the old argument that "everyone else is doing it" just doesn't cut it when you're the most dominant desktop operating system in the world and the biggest target for Malware.  While Vista's security record in the first three months (referring to enterprise and MSDN rollout) in public has been stellar by any standard on any operating system, we have to expect that Malware pushers will be using a lot more social engineering as their weapon of choice against Vista once it inevitably becomes the dominant operating system led by the retail sector.  There are simply too many people downloading "warez" (pirated software), applications and games that people think will be cool to try out, and "free" adult videos that require one of those "special" root me Codecs in order to "play" and your average Joe or Jane won't know any better.  While one might be tempted to say "it's their problem", it eventually becomes everyone's problem because those suckers become a massive army of zombies that can spew spam and DDoS (Distributed Denial of Service) attacks.

What Rutkowska suggests is that UAC should have more than just a yes/no option on privilege escalation: a yes, a limited yes, and a no option. Under Windows XP, Rutkowska is able to run as a limited user with add-only privileges to the "Program Files" directory and the HKLM Software registry hive, but Vista takes this choice away from her because of the way that UAC works. I would add the "Public Desktop" to that add-only permissions list so that launch icons can at least be installed for everyone. The vast majority of applications shouldn't need any more privileges than what's listed here, and they certainly shouldn't ever have the ability to modify the OS kernel unless they're signed by a trusted Certificate Authority. If Microsoft would adopt this as the standard permission model for the vast majority of applications, then it would vastly improve the Trojan malware situation. People will essentially be able to more safely "taste" applications without the risk of nuking their entire OS. As for the "disagreement" among the parties involved here, no one's really wrong, and I think we may be talking past each other when everyone's positions are a lot closer than we think.
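The "limited yes" choice described above, sketched as a small policy check. This is an added example, not code from the post, from Rutkowska, or from Microsoft; the decide function, its parameters, and the Public Desktop path are assumptions made for illustration, and the sample requests are constructed.

```python
import ntpath

# Assumed add-only roots, based on the locations named in the post.
ADD_ONLY_DIRS = [r"C:\Program Files", r"C:\Users\Public\Desktop"]
ADD_ONLY_KEYS = [r"HKLM\Software"]

def _file_parts(path):
    # Collapse "..", "." and "/" first so traversal cannot escape a root.
    return ntpath.normcase(ntpath.normpath(path)).split("\\")

def _key_parts(key):
    # Registry paths have no ".." semantics, so compare components literally.
    return [c.lower() for c in key.split("\\") if c]

def _inside(parts, root):
    # Component-wise prefix match: "Program Files Evil" is not "Program Files".
    return len(parts) > len(root) and parts[:len(root)] == root

def decide(consent, op, target="", is_key=False, exists=False, signed=False):
    """Return True if an installer's request is allowed.

    consent: "yes" (full elevation), "limited" (add-only) or "no".
    op: "create", "modify", "delete" or "load_driver".
    exists/signed are constructed inputs; a real broker would check them itself.
    """
    if consent == "no":
        return False
    if consent == "yes":
        return True                # today's all-or-nothing elevation
    if consent != "limited":
        raise ValueError(f"unknown consent choice: {consent!r}")
    if op == "load_driver":
        return signed              # kernel code only if signed by a trusted CA
    if op != "create" or exists:
        return False               # add-only: never touch what already exists
    if is_key:
        parts, roots = _key_parts(target), map(_key_parts, ADD_ONLY_KEYS)
    else:
        parts, roots = _file_parts(target), map(_file_parts, ADD_ONLY_DIRS)
    return any(_inside(parts, r) for r in roots)

if __name__ == "__main__":
    # Constructed sample requests from a hypothetical installer.
    for req in [("create", r"C:\Program Files\Demo\demo.exe"),
                ("create", r"C:\Program Files\..\Windows\System32\demo.dll"),
                ("modify", r"C:\Windows\System32\kernel32.dll")]:
        print(req, decide("limited", *req, exists=req[0] != "create"))
```

The two checks that matter in practice are the path canonicalization before the prefix test and the refusal to modify anything that already exists; without either, "add-only" degrades into ordinary write access.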

[Update 2/16/2007]: Microsoft blogger Stephen Toulouse's response on this issue

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
