
Coding Around UAC's Security Limitations (334 comments)

Mariam writes "Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista's UAC limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista's improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest ISVs to publish working code and not actually providing any true protection from malware authors. Quoting from the post: 'Perhaps most importantly though, is the fact that Windows Vista's newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up "for good security reasons" can be coded to work around these limitations with (relative) ease. The "architectural redesign" of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS.'"

  • Misleading Summary (Score:5, Interesting)

    by Manip ( 656104 ) on Sunday April 27, 2008 @05:22PM (#23217174)
    I'm sorry but their "bypass" was to create a service running in an elevated state and then communicate with said service via exposed APIs.

    I fail to see how they drew this conclusion:
    "[UAC does] not actually providing any true protection from malware authors"

    This isn't a hole in the system. If applications couldn't use services running at admin or system then the entire system would be damn near nonfunctional.

    I mean how would you even play music without a regular application being able to communicate up safely to the driver?

    The article is fine. The person who wrote the summary didn't actually RTFA and is just trolling. They haven't justified anything they've said.
     
  • by peragrin ( 659227 ) on Sunday April 27, 2008 @06:24PM (#23217606)
    Well, /Applications is for everyone. You're supposed to install it there. Anywhere else and your app is misbehaving anyways.

    In fact 99% of applications shouldn't need an installer for OS X. Just a drag to the /Applications folder. Installers are messy, if you need one your app is already designed wrong.

    MSFT has turned a single user OS and tacked on multi user support, and then multi user security. OS X, and every *nix are Multi-user OS's. I not only have applications but also user specific applications stuff that only I can run, and stuff that only I can see.

    You shouldn't have to be an admin to install a web browser, word processor, or spreadsheet. You should only be an admin if you're installing it for everyone.
  • by SL Baur ( 19540 ) <steve@xemacs.org> on Sunday April 27, 2008 @06:24PM (#23217610) Homepage Journal

    I used a similar method to get around a setuid() problem (whereby dropping a setuid program into the local uid meant it was unable to regain the "elevated", setuid, privilege again) in version 2.4 of a program I released on 20/06/1990: I fork()ed off a server process before dropping the uid of the process to that of the real user.
    Obvious prior art. That technique has been used for decades.
  • by Anonymous Coward on Sunday April 27, 2008 @07:47PM (#23218036)
    There's a difference between being hard for an honest programmer to work around UAC and being hard for a malware programmer to do the same.

    Honest, "good" programmers should have no trouble whatsoever with whatever security systems there are to work with. Those should be designed to trouble malware, not the "good" software.

    Malware programmers, however, have the purpose to work around and find loopholes in security systems and thus it MUST be hard for them to operate under any security system. After all, malware is trying to do nasty stuff in your system.

    What this article is stating is just the opposite. As a Software Developer you are bound to have lots of shit coming your way if you intend to work on Vista because of UAC limitations. As a malware programmer, you can just easily overcome the "difficulties" and live happily ever after.

    The problem with journalism, I'd say, is that it looks honest, but just isn't. Sometimes, however, bloggers don't have the ability to be clear and concise.
  • Re:A Service... (Score:5, Interesting)

    by TheRealSlimShady ( 253441 ) on Sunday April 27, 2008 @09:56PM (#23218912)
    What you find in Vista (not XP unfortunately) is that a lot of the services that run with LocalSystem now run as "restricted" localsystem. They've profiled each service and figured out exactly what access it needs to run, and then granted that service those rights and no others. So while it looks like LocalSystem/Network Service it actually has reduced rights. Which is a good thing.
  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Sunday April 27, 2008 @10:06PM (#23218976) Homepage
    MSFT has turned a single user OS and tacked on multi user support

    Yep, that's responsible for a huge number of Windows' problems. So why the hell did they do it?

    At home, I'm the only user on my machine. The wife occasionally checks a web site or plays a video on my rig, but ultimately I have no need for multi-user configs as there is only one account. I can't remember the last time I had any profile other than Administrator on my own box.

    Casual users will create separate profiles, but really all they're personalizing is individual preferences. They still run all the same apps. Should these people need to jump through hoops like the UAC, just for the privilege of having their own set of bookmarks?

    Today's exploits operate in plain sight: "Click here to install TalkingMonkeyP2PsexTorrentScannerTweak.exe". The UAC still can't prevent stupid people from being stupid. They click "Yes" on ActiveX prompts, they'll continue to click "Yes" on UAC prompts because whatever malware they're installing, they made a conscious decision to click in the first place. Uninformed, but conscious. Might as well do away with the UAC and let users jump headfirst into trouble, like they always have and always will.

    You know what would be more useful and effective than the UAC? A "safety tip of the day" widget that forces common users to sit through a 2-minute tutorial with an exam at the end. Don't let them surf that day until they pass the exam. Educate the users, beat them over the head with the wisdom we geeks take for granted. That will make a real difference!
  • by ericlondaits ( 32714 ) on Sunday April 27, 2008 @11:50PM (#23219694) Homepage
    I've written lots of applications that use COM for IPC and it's incredibly easy to do... just define an object and its methods on one side... instantiate and call in the other. If you use the right COM bindings (MFC, ATL, Visual Basic, JScript, etc) the code is quite clean, short and to the point. ... granted, COM has a very steep learning curve, just like RPC, CORBA, etc... but I guess that although it wasn't the path I took, you can use just a small portion of COM (over ATL or VB) for IPC without worrying about the underlying structure, apartment models, class factories, reference count, etc.

    Other than that, the IPC primitives Win32 provides (message queues, pipes, etc.) are about the same complexity as UNIX's and really shouldn't take that much code.
  • by Allador ( 537449 ) on Monday April 28, 2008 @02:07AM (#23220442)
    Well sure. That's almost always the case, regardless of platform.

    Doing something sloppy and wrong is often easier and less time consuming than doing things right.

    This article is just that case.

    NeoSmart was getting a free ride by being bad developers, and assuming that everyone was running as admin, and that someone would always be logged into the box.

    Now they're being forced to learn how to program correctly, and do things right, and yep, it takes more lines of code.

    Doing things the right way almost always does, but you end up with a better product in the end.
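
The pattern discussed in Manip's and SL Baur's comments above (a helper that keeps its privileges, forked before the main program drops its own, and reachable only through a narrow interface), as an added C example that is not code from any commenter or from NeoSmart. The operation names and the `start_privsep`/`request` helpers are hypothetical, and Linux is assumed (`SOCK_SEQPACKET` on `AF_UNIX`); the point for a defender is that the helper is only as safe as the requests it agrees to honour.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Hypothetical operation names: the only requests the helper honours. */
static const char *ALLOWED[] = { "sync-clock", "rotate-log" };
static int helper_allows(const char *req) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof *ALLOWED; i++)
        if (strcmp(req, ALLOWED[i]) == 0) return 1;   /* exact match only */
    return 0;
}

/* Privileged side: answers 'Y' or 'N'. The request is only compared against
   the allowlist, never run as a command; a real helper would act on 'Y'. */
static void helper_loop(int fd) {
    char req[64];
    ssize_t n;
    while ((n = recv(fd, req, sizeof req - 1, 0)) > 0) {
        req[n] = '\0';
        char ok = helper_allows(req) ? 'Y' : 'N';
        if (send(fd, &ok, 1, 0) != 1) break;
    }
    _exit(0);   /* peer closed its end of the socket */
}

/* Fork the helper while still privileged, then drop group and user IDs
   (group first). Returns the unprivileged side's socket, or -1 on failure. */
int start_privsep(pid_t *helper) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0) return -1;
    if ((*helper = fork()) < 0) return -1;
    if (*helper == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]);
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    return sv[0];
}

/* Unprivileged side: 1 = granted, 0 = refused, -1 = error. */
int request(int fd, const char *op) {
    char ok;
    if (!*op || send(fd, op, strlen(op), 0) < 0) return -1;
    return recv(fd, &ok, 1, 0) == 1 ? ok == 'Y' : -1;
}

int main(void) {
    pid_t helper;
    int fd = start_privsep(&helper);
    if (fd < 0) return 1;
    printf("rotate-log -> %d, /bin/sh -> %d\n",
           request(fd, "rotate-log"), request(fd, "/bin/sh"));
    close(fd);
    return waitpid(helper, NULL, 0) == helper ? 0 : 1;
}
```

Run without privileges, the drop is a no-op and the allowlist behaviour is still visible; installed setuid, the helper keeps the elevated IDs while the caller cannot regain them.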
