February 13th, 2007

Hacker, Microsoft duke it out over Vista design flaw

Posted by Ryan Naraine @ 8:36 am

Categories: Browsers, Data theft, Hackers, Microsoft, Pen testing, Punditocracy, Vulnerability research, Windows Vista

Tags: Process, Security, Flaw, Microsoft Windows Vista, Microsoft Corp., Hacker, Attack, Joanna Rutkowska, Ryan Naraine

Joanna Rutkowska has always been a big supporter of the Windows Vista security model. Until she stumbled upon a "very severe hole" in the design of UAC (User Account Control) and found out — from Microsoft officials — that the default no-admin setting isn't even a security mechanism anymore.

Rutkowska, a hacker with a track record of defeating Vista's security mechanisms, believes UAC has a major flaw in the way it automatically assumes that all setup programs (application installers) should be run with administrator privileges.

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.

That's because Vista uses a compatibility database and several heuristics to recognize installer executables and, every time the OS detects that an executable is a setup program, "it will only allow running it as administrator."

This, in Rutkowska's mind, is a "very severe hole in the design of UAC."

"After all, I would like to be offered a choice whether to fully trust given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more. I could do that under XP, but apparently I can’t under Vista, which is a bit disturbing," she added.

A few days after Rutkowska flagged the UAC shortcoming, Microsoft's Mark Russinovich wrote a detailed technical explanation of the way the mechanism works. One thing that stood out in Russinovich's explanation is an admission of sorts that the default configuration of UAC puts the user at risk of a sophisticated code execution attack.

Russinovich, a technical fellow at Redmond, writes:

As you experiment you’ll find that your actions are limited, but there are some design boundaries that you should be aware of. First, with the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or Protected Mode IE can read objects that your account (the standard-user version if you’re a member of the administrator’s group) can.

This potentially includes a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. Since processes running at different integrities are sharing the same desktop they share the same “session”. Each user logon results in a new session in which the processes of the user execute. The session also defines a local namespace through which the user’s processes can communicate via shared objects like synchronization objects and shared memory.

That means that a process with a low IL could create a shared memory object (called a section or memory-mapped file) that it knows a higher IL process will open, and store data in the memory that causes the elevated process to execute arbitrary code if the elevated process doesn’t properly validate the data.

That kind of escape, called a squatting attack, is sophisticated and requires the user to execute processes in a specific order and requires knowledge of the internal operation of an application that is susceptible to manipulation through shared objects.
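Russinovich's shared-section scenario seen from the elevated process's side, as an added example that is not part of his essay or this article: a higher-IL reader that snapshots the header it finds in a section a lower-IL process may have written, bounds-checks every field before touching the payload, and so never reaches the "doesn't properly validate the data" failure he describes. The record layout, tag value, 4096-byte section size and all function names are assumptions.

```c
/* Added example (not from Russinovich's essay or this article): a higher-IL reader
 * that treats every byte of a shared section as untrusted. Layout, tag and 4096-byte
 * section size are assumptions; a plain array stands in for a MapViewOfFile mapping. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTION_SIZE 4096u
#define MSG_MAGIC    0x4C494C4Du   /* constructed tag */
#define MAX_PAYLOAD  1024u
struct low_il_msg {            /* assumed wire layout shared by both processes */
    uint32_t magic, version;
    uint32_t payload_off;      /* offset of payload from start of section */
    uint32_t payload_len;      /* payload length in bytes */
};
enum msg_status { MSG_OK = 0, MSG_BAD_MAGIC, MSG_BAD_VERSION, MSG_BAD_BOUNDS, MSG_TOO_LONG };

/* Every header field is attacker-controlled from the elevated reader's side. */
enum msg_status read_low_il_msg(const uint8_t *section, size_t section_size,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    struct low_il_msg hdr;
    if (section_size < sizeof hdr) return MSG_BAD_BOUNDS;
    /* Snapshot first: the lower-IL writer can change the mapping after we check
     * it, so every decision below is made on this private copy (no double fetch). */
    memcpy(&hdr, section, sizeof hdr);
    if (hdr.magic != MSG_MAGIC) return MSG_BAD_MAGIC;
    if (hdr.version != 1) return MSG_BAD_VERSION;
    /* Subtraction instead of off + len: the sum can wrap around in 32 bits. */
    if (hdr.payload_off < sizeof hdr || hdr.payload_off > section_size) return MSG_BAD_BOUNDS;
    if (hdr.payload_len > section_size - hdr.payload_off) return MSG_BAD_BOUNDS;
    if (hdr.payload_len > MAX_PAYLOAD || hdr.payload_len > out_cap) return MSG_TOO_LONG;
    memcpy(out, section + hdr.payload_off, hdr.payload_len);
    *out_len = hdr.payload_len;
    return MSG_OK;
}

/* Builds a constructed section and returns the reader's verdict on it. */
enum msg_status demo(uint32_t magic, uint32_t off, uint32_t len, const char *payload)
{
    uint8_t section[SECTION_SIZE] = {0}, out[MAX_PAYLOAD];
    struct low_il_msg hdr = { magic, 1, off, len };
    size_t n = 0;
    memcpy(section, &hdr, sizeof hdr);
    if (payload) memcpy(section + off, payload, strlen(payload));
    return read_low_il_msg(section, SECTION_SIZE, out, sizeof out, &n);
}

int main(void)
{
    printf("well-formed:    %d\n", demo(MSG_MAGIC, 64, 5, "hello"));          /* 0 */
    printf("wrapped length: %d\n", demo(MSG_MAGIC, 64, 0xFFFFFFF0u, NULL));  /* 3 */
    printf("wrong tag:      %d\n", demo(0, 64, 5, "hello"));                  /* 1 */
    return 0;
}
```

The wrapped-length case is the one a naive `off + len <= size` check lets through, because 0xFFFFFFF0 + 64 wraps to 48 in 32-bit arithmetic.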

Russinovich pegged it as a tradeoff between application compatibility and ease of use, explaining the weakness as a "design choice."

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

That explanation isn't sitting well with Rutkowska. In an e-mail interview, the Polish malware researcher said she was "pissed off" by what she perceived as Russinovich's flippant attitude to the potential risk.

"It seems like Microsoft realized that implementing UAC would be hard, so they decided not to call it a security mechanism anymore and that 'potential avenues of attack, regardless of ease or scope, are not security bugs'," she said, quoting directly from Russinovich's essay.

"I don't think it's fair after all this Vista security campaign we observed in 2006, where Microsoft was boasting about this new security model in Vista. This is not a proper way to solve security problems. Microsoft, instead of trying to diminish the problem, should work on the solutions (even if they expected to see a dozen new attacks against UAC)," she added.

Rutkowska also took issue with this line from Russinovich's argument:

"[H]aving your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account's code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code…"

"This is not valid," Rutkowska declared. "If we followed this reasoning, then we would not be able to talk about security in our email clients nor web browsers, because they all also access data and code which are not trusted."

Her final thought: "I believe that the Vista security model is a good thing and that users can benefit from it, but Microsoft must change their attitude and start treating them as security mechanisms."

[UPDATE: February 13, 2007] Rutkowska wrote in to clarify a few things that appear confusing in the article above:

There are two different things, which should be distinguished:

1. The fact that UAC *design* assumes that every setup executable should be run elevated.

2. The fact that UAC *implementation* contains bugs, the one noted in the original blog entry that allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was “pissed off” not because of #1, I was “pissed off” because a Microsoft employee — Mark Russinovich — declared that all *implementation* bugs in UAC are not to be considered as security bugs (see fact #2).

True, I also don’t like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote my follow up titled “Vista Security Model - A Big Joke”.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.