Tuesday, February 13, 2007

Confusion About The "Joke Post"

It seems that many people didn't fully understand why I wrote the previous post – Vista Security Model – A Big Joke... There are two things which should be distinguished:

1) The fact that UAC design assumes that every setup executable should be run elevated (and that a user doesn't really have a choice to run it from a non-elevated account),

2) The fact that the UAC implementation contains bug(s), like e.g. the bug I pointed out in my article, which allows a low integrity level process to send WM_KEYDOWN messages to a command prompt window running at high integrity level.

I was pissed off not because of #1, but because a Microsoft employee - Mark Russinovich - declared that all implementation bugs in UAC are not to be considered as security bugs.

True, I also don't like the fact that UAC forces users to run every setup program with elevated privileges (fact #1), but I can understand such a design decision (as being a compromise between usability and security) and this was not the reason why I wrote "The Joke Post".

15 comments:

Unknown said...

I agree. Security in Vista seems to be just a different mechanism, not a better one. They seem to have improved on many of the various bugs from systems past, but in doing so, they are leaving the OS open in other areas. Wouldn't it just be easier to rebuild the OS from the ground up instead of trying to improve upon a system that has shown in the past to be flawed in so many ways?

Anonymous said...

There are three types of setup programs on Vista:
Regular Setup (Admin)
Managed (fully protected)
Web Install (OneClick install)

Only the first runs elevated. The other two are restricted by either managed permissions or sandboxed by IE.

Anonymous said...

Mark's posting is frustrating because Mark is speaking to technical fact in a manner that is obtuse, and isn't in sync with the marketing-type statements that Microsoft makes.

Mark says that UAC elevations and integrity levels do not define new Windows security boundaries, and, as such, attacks against these features aren't attacks against "security". This is all true, assuming you understand the minutiae he's talking about. Distinguishing between the established Windows security architecture (the LSA, desktops, security principals, ACLs, privileges, etc.) and this integrity level retrofit is pretty minute, but it's accurate.

It's silly that Mark said this in this way, because a user with a Vista-based PC that has been taken over by malicious software (that they, no doubt, installed by elevating the installer for the malware) isn't going to differentiate between breaches to the Windows security model, and attacks against UAC. What Mark says is factually correct, but isn't in sync with the types of non-technical statements coming out of Microsoft.

It's compelling, from a sales perspective, for Microsoft to make lofty and vague statements about Vista's enhanced security, while convenient for them to have technical fact to fall back on -- technical fact that the average user won't ever know is there.

I like that you've posted about this, and I hope that others do, too. Comments in Mark's blog are also right on the mark. Mark's words may come back to haunt him, as the press picks this up and runs with it. "Microsoft Technical Fellow Says Bugs In New Vista Security System Not Really Security Bugs"... Heh heh...

Anonymous said...

It took a long time for Microsoft to acknowledge Shatter Attacks as a vulnerability, when they were first discovered and researched. They only started worrying about them in XP when they insisted a lot more on non-interactive services, and the fix didn't come until UIPI and Session 0 services.

Hopefully it won't take a couple of years for these implementation bugs to be fixed. Mark was very clever in wording his statement to be accurate; it's true that ILs are *not* security boundaries, so in theory there's nothing guaranteeing this kind of safety.

I think the argument from that side is always going to be "Well, it makes things *more* secure, but there's still work to be done, it wasn't designed as a perfect solution". But I go with the school of thought that says if you're implementing a security feature, do it completely, not half-assed.

I'm sure developers inside Microsoft aren't too happy about the tradeoffs they had to make, and they probably know about WM_COMMAND, but either didn't have the time to properly test all messages or a large company's product needed this to work; it's always something like that.

I think you should've followed responsible disclosure and notified Microsoft privately about this bug though.

Best regards,
Alex Ionescu

Unknown said...

"I think you should've followed responsible disclosure and notified Microsoft privately about this bug though."

Microsoft already know about this bug and aren't going to do anything to fix it.

In fact Microsoft have declared that bugs, whether by accident or by design, with UAC are not security bugs as UAC does not actually provide any extra security.

Its only purpose therefore is to annoy users, and give a false sense of increased security. But it apparently does nothing else and was never designed to.

So not only was there no need to "responsibly disclose" this supposed non-bug, but it's not even security related according to Microsoft.

-Steve

Anonymous said...

As a former IBM server developer, I think you are right on the money. If it were the case that Vista were only ever going to be a consumer OS, it would be bad enough, but we all know that it will play a part in holding/managing sensitive business information. The only excuse MS can truthfully offer is that someone didn't know any better.

Anonymous said...

Joanna, have you tried the Windows Application Compatibility Toolkit 5.0 (http://www.microsoft.com/downloads/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en)?

It provides shims that can be used to override the elevation marking of a given application. You could simply apply the “RunAsInvoker” shim/layer to the installer.

A lot easier than going through the manifests or fiddling with your individual permissions, raising or lowering them with each app.

Unknown said...

Re: Drew:
"Wouldn't it just be easier to rebuild the OS from the ground up"

They could rebuild the _implementation_ from the ground up, but that won't help, because they can't rebuild the APIs, security mechanisms, etc. from the ground up, as this would break compatibility with existing Windows software. That way, Microsoft wouldn't make a new version of Windows, but in fact a new Windows competitor. Their main competitive advantage -- largest number of apps, developers, and users familiar with the workings of the system -- would be out of the, err, window. They'd suddenly have to create an OS that is superior to Linux and Mac OS X.

Anonymous said...

A compromise (tradeoffs) "between security and convenience"...
...or "between usability and security"..

A compromise is a function - what are the measures, what is the matrix, where are the limits (borders), who set them up, according to which more-far (strategic) criteria?

You are not fighting with bugs but with decision making process;
If it is mobile, non-limited, or limited by the current environment only - you are hunting the ghosts.

Anonymous said...

UAC and integrity levels are step 1, as Mark says "to get us to a world where everyone runs as standard user by default and all software is written with that assumption". Step 2 will be to cash in on this and provide real security boundaries once the climate allows it. It all makes sense, it's just unfortunate that Microsoft marketing has to be so disingenuous about UAC. What can they do though? People want the security now and aren't going to swallow some 2-step process.

Unknown said...

Maybe I am inappropriately channeling my UNIX roots, but this smells a lot like setuid to me. Remember the buffer overflow in finger(1)? This reads like the same sort of security challenge. Now every privileged process, thread or application has to validate input and be secure against buffer overflow, file handle races, symlink races, all of the myriad ways to escalate privilege that the UNIX community took about 20 years to mostly weed out. The problem is only compounded by the fact that Microsoft has once again ignored all of the published studies on user behavior. HINT: They almost always say yes.

Anonymous said...

I think what we see here is a failure to parse. What Russinovich said was this:

- Weaknesses in UAC will not be fixed via Microsoft Security Bulletins or necessarily fixed at all.

- Weaknesses in the actual security perimeter will continue to be fixed via Microsoft Security Bulletins.

- The actual purpose of UAC warnings is not to immediately augment security; ultimately the APIs which present the security perimeter must be safe.

- The actual purpose of UAC warnings is to make it annoying to use Admin privileges; the intentionality is that this will force software vendors into fixing any software that requires running under Admin.

Mark however seems to have missed something that Joanna is inherently getting at with her recent vulnerability finds: msiexec is a special security perimeter that is used by Admins in a normal use case. However the case with msiexec is complicated. An MSI can contain code in the form of Custom Actions which would theoretically allow arbitrary back doors into msiexec privilege. Is this a vulnerability or feature?

Anonymous said...

It's actually quite simple for software manufacturers to add a manifest to their setup programs so that Vista doesn't automatically require them to run elevated.
The annoying thing is that there is no way to have a setup program run elevated or not elevated according to the user's choice; which would be useful in tightly-managed corporate environments. Setup could install into C:\Program Files if it was being run elevated and into the user's private directory if it wasn't.
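The manifest the comment above refers to is the standard Windows application manifest with a `requestedExecutionLevel` element. The following is an added illustration, not code from the post or from any vendor's installer; the assembly name, version and description are placeholder values:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- placeholder identity for a hypothetical setup program -->
  <assemblyIdentity version="1.0.0.0"
                    processorArchitecture="X86"
                    name="ExampleVendor.ExampleSetup"
                    type="win32"/>
  <description>Example setup program (placeholder)</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the launching user's token. With this
             present, Vista does not auto-elevate the binary just because
             its name looks like an installer, and no UAC prompt appears.
             Replace with level="requireAdministrator" to force a consent
             prompt and an elevated token on every launch instead. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

The manifest is normally embedded in the executable as an RT_MANIFEST resource; a separate `setup.exe.manifest` file placed next to the executable is also honoured on Vista. An installer marked `asInvoker` that is launched by a standard user will simply fail when it tries to write to `C:\Program Files` or HKLM, so an installer built this way has to fall back to per-user locations itself; the manifest alone does not give the per-launch choice the comment asks for.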

Anonymous said...

If a user is able to install a program without Administrator privileges this means the user is able to install any sort of malware and the administrator is not able to control the users, i.e. all users are free to install everything, any sort of installers, and this is worse. For this reason, Microsoft has chosen to allow the software installation with Administrator privileges only, and this is better because to install a program installer a user needs an administrative privilege, i.e. the administrator's consent. And installing a program with administrative privilege is also safer because that program will be put in C:\Program Files and can't be modified by another running program or malware.

Joanna Rutkowska said...

scalo: a user should still be required to enter credentials for 'installer' account.