Comments on The Invisible Things Lab's blog: Vista Security Model – A Big Joke?
Joanna Rutkowska (http://www.blogger.com/profile/07657268181166351141)
Updated: 2023-11-24T09:52:43.963+01:00

Anonymous (2008-06-02T00:50:00.000+02:00):

Vista IS a joke...
Bad gaming drivers...
security problems...
compatibility problems...

They're actually getting sued for it.

Anonymous (2008-05-16T22:02:00.000+02:00):

I am glad to see the Software Explorer in Vista Windows Defender.

I believe the biggest security threat in Windows is how programs can set themselves to start automatically about 20 different ways, and to track them down you have to search the registry in 10 different places. The Software Explorer is a step in the right direction.

There should be 1 place a program can set itself to start automatically, and that should be the "Startup" folder in "Programs", right where you can easily check and get rid of stuff you don't want. But of course startup is like everything Microsoft has, it's spread all over the place and hard to find. Look at the control panel, why aren't all utilities listed in control panel? Instead some are there, some are in programs > Accessories, some are launched through help files, some you have to remember the command for and just start it manually. Not to mention that they change it all around with every new version.

Anonymous (2008-05-11T07:55:00.000+02:00):

I say the problem with UAC is that it prompts for things it shouldn't, it should know if you double clicked on a file, why ask you? The 2nd thing is it does not tell you things it should, like when a setup is setting programs to run at startup. If I am installing a program I think is legit of course I'm gonna say yes OK to run after I double click on it...DUH. What it should be asking me is it OK for this setup program to set 20 programs to run at startup.

UAC right now is an illusion of security, something that incessantly asks you "Are you sure you started this program?"

Anonymous (2008-05-11T07:47:00.000+02:00):

People that say Mac is secure and Unix is secure are wrong. You can't have a totally secure operating system unless it is a closed system, any system that allows installation of any 3rd party software is inherently insecure. There are many more attacks on Windows because 98% of computers run Windows.

That said the UAC in Vista is a joke, information is power and with the UAC you do not get enough information. Look at a common UAC prompt "An unidentified program wants to access your computer" and the name of the program. You click on "Details" and all you get is the path and executable name. To begin with, with so few details why even have the "Details" button, why not show the details all the time? Second of all Windows should know when the user double clicks on a link to start a program, so why ask if I want to run the program, if I didn't I wouldn't have clicked on the icon. The UAC is just an illusion of security.

What the UAC should do is tell you things like a program is setting itself to start automatically at startup, but it doesn't do that, once you say it is alright for a setup program to run the setup can do whatever it likes without any UAC prompt.

For an example I recently installed Nero 8 on Vista with UAC on. It prompted for the setup to run, during setup Nero set 3 programs to auto start with Windows, without the setup telling me or UAC. After uninstalling Nero the 3 programs set to auto start were still there, I had to remove them manually through registry.

Stuff like that is what causes winrott and malware. All the UAC does is ask when you double click on something are you sure you wanted to, not much else.

The UAC I guess could be called a start but barely a start, there has been better security software on the market for years such as ZoneAlarm which monitors additions to startup section of registry and keyloggers.

Viruses can be spread with UAC just as easy as without, simply use an installer, the user gets prompted is it OK, they don't know it's a virus so they click yes, and the installer installs the virus, sets it to start automatically along with 20 other viruses and malware. UAC is an illusion and a waste of all of our time.

Anonymous (2008-03-13T10:09:00.000+01:00):

Fairly enough the way you have pointed on the vista. Hope to see some more on the topic.

Anonymous (2007-09-16T13:45:00.000+02:00):

Thanks for your nice post!

Anonymous (2007-05-10T19:57:00.000+02:00):

Seems like Microsoft's objective with creating Vista's Integrity Levels, and their associated UAC and Protected Mode IE7, was not to add or enhance security boundaries, but rather to create behavior modifiers.
The endpoint user is arguably the weakest security piece of a good security model, so an attempt to modify unsecure user behavior is a good step.
However, Microsoft somewhat misled us initially by purposefully giving the impression that these were intended to be more like hardened security boundaries than behavior modifiers.
Mark Russinovich's comments dropped a bomb on a lot of people's perceptions about Microsoft's efforts and commitment toward security. Joanna reacted pretty much the way I did - I was absolutely shocked at what Mark was revealing, and thought this has got to be a joke.
Don't get me wrong. I understand there is more to it than that. Vista has sandboxing and facilitates less of a need for users to run in administrator mode by default. This is good if users use it properly. Vista is potentially more secure than XP and Joanna recognized Microsoft for their improvements.
But, as Joanna has pointed out, even these "security improvements" have weaknesses that need to be addressed - from a technical rather than behavior perspective.
The bottom line is Microsoft obviously didn't have the necessary mindset to properly (or more effectively) secure Vista from being another endpoint problem with Malware, like its previous versions of Windows. What a shame.

Anonymous (2007-05-10T02:47:00.000+02:00):

I don't believe that Joanna is over-reacting at all. Joanna is incredibly intelligent and presents her research and comments in a professional and unbiased manner. It's a darn good thing she is putting her efforts toward ethical security research.
Mark Russinovich's comments, which serve to represent Microsoft's position by his association of employment, were not only a let-down, but a slap in the face from out of the blue. It's as if Microsoft said "look at all these great security features to make Vista safer for you" and then turned around and said "actually we had to poke a bunch of holes in these new security features (for your own convenience - and to train SW developers) and so they don't really represent security boundaries".
Here is something else Russinovich wrote, "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs". This definitely sounds like Microsoft covering their @$$.
NOTE: I've had a respect for Mark Russinovich for years, for his work on SysInternals and Winternals. I don't think Mark is a bad guy at all, but his comments were an unexpected shock. I think that much of the security research community were hoping that Microsoft was more committed to improving security, than what these comments reveal.
Microsoft is faced with a tough decision on how far they can push to improve security, while providing enough backward compatibility and convenience to keep their market share. Joanna points out that they still have wiggle-room in this area. She also points out that eventually Microsoft will have to bite the bullet and break from this past - scratch-build a new OS on a more secure foundation and restrict unsecure practices. Too bad Microsoft wasted all that effort on DRM, instead of using it more wisely on better security improvements.
Joanna, maybe you are an idealist, but I can relate.

Anonymous (2007-05-03T13:42:00.000+02:00):

I just viewed the presentation ? I think Mark explained quite clearly why, in his opinion, UAC cannot be called a security boundary as such as well as why they (actually, them from Mark's point of view at that time) chose this avenue (usability prevented them from locking it down completely amongst others). I feel you are being overly critical here, as it is clearly a major step in the right direction, without breaking all applications & losing their entire user base. Of course the most relevant steps you described yourself earlier, most of those are 'don't run as root'

Anonymous (2007-03-29T00:14:00.001+02:00):

How long before someone figures out how to stuff the event queue so that the system thinks that the user clicked on the OK button, but it was really a trojan clicking it for you?

I've done hacks like this to automate things that Microsoft was not interested in providing an API for.

Anonymous (2007-03-26T21:34:00.000+02:00):

At most from what I can tell some of the Security that MS has for Vista will not work right till Longhorn comes online in 2 years. But that will be too late for some. And I just don't understand why wait so long to get those security features running when they are needed now?

Anonymous (2007-03-21T06:16:00.000+01:00):

So called "open" designs have nothing to do with it. It boils down to marketshare, if they cut the current crop of windows apps off at the knees then, honestly, what would keep most people from just switching to a Mac (no, Linux isn't ready for the normal every day moron)?

Believe me, I don't own a Mac, but dear god after running Vista RTM since November, I've about had it. And yes, I am a developer for the MS platform.

The UAC is an annoying piece of garbage. They could have virtualized the space that any app ran in or plugged the IE leaks...

And ANY person who uses pretty language such as "not a security boundary" to tell you why a system compromise is not technically a system compromise is selling something. If they can get in, then it's a friggin security problem.

I went through the reporting about security issues with Remote Desktop and Intellipoint, even though I could remotely execute code on a 2003 server, they didn't consider it a "security" issue. stupid stupid stupid.

oops. I just ranted. deal.

Anonymous (2007-02-20T11:05:00.000+01:00):

Hmm interesting reading for the morning.

Some comments were really good.

Speaking from a Linux user perspective, I have the ability to virtualize almost all the user environment (chroot, and other things). So Vista now implements configuration hierarchy that should be present from the first time windows registry was introduced. And at the same time pokes huge holes because of user convenience.

The above is the general security problem with MS. If they design a secure system (which is not that hard), they'll cut off many applications from ease of use (or from use at all). Thus they HAVE to listen to their user base or they'll lose market share. Of course they are doing their best to get users and ISVs used to the new security model step by step. However it'll take a few more versions of Windows to get there. At that time competing OSs will be years ahead because of their open design.

Anonymous (2007-02-15T17:43:00.000+01:00):

I think my next computer is going to be a Mac. I'm tired of all MS's bull about how they are going to make things secure.

Anonymous (2007-02-15T10:33:00.000+01:00):

"Because Windows Vista doesn’t define an operating system, potential problems, regardless of severity or scope, are not bugs."

Anonymous (2007-02-15T06:05:00.000+01:00):

Joanna's points are valid about Windows Vista. Do not be so quick to dismiss her concerns.

Joanna is quite correct when she states that in truly addressing security Microsoft would have to redesign the entire OS. It is only a matter of time before this model is exploited.

Microsoft only started taking security more seriously after being repeatedly hammered by security issues. (I have already had users want to turn off the prompts provided by Vista when executing a setup program.) This shows that Microsoft has been slow in taking security seriously.

Some have mentioned that the problems have been the program developers themselves, while this is true we must not forget that Microsoft is also a program developer and that some of their most popular programs (IE and Office) have been common targets.

The simple point of the matter being that Microsoft has encouraged sloppy programming practices, even among their own employees. My employer's operations program requires that I make security modifications to the Windows Registry and Folder where the program files are stored. If I do not make these changes then I have to permit users to run the application as a local administrator.

Vista has not been on the market long enough to have any significant impact. However, many businesses that I work with have opted not to upgrade because of compatibility issues with Vista. IE 7 was enough of a change that many businesses have opted to not use IE 7 (interestingly enough these businesses are exclusively MS houses).

Anonymous (2007-02-15T04:33:00.000+01:00):

anonymous said:
"If on the off chance a setup.exe is not detected as such by Vista, then it is assumed to be an application, which will be subject to File and Registry virtualization when attempting to write to protected locations. Writes are redirected to a per-user location which will take precedence over the protected data for that user."

That's exactly what I expect it to do. But what if I actually WANT to run setup.exe and have it use the file and registry virtualization!? Vista says I cannot have that choice. I have to run setup.exe as an admin, and thus CANNOT use the user's virtualized sandbox. Bad idea!

Anonymous (2007-02-15T02:24:00.000+01:00):

atotalslacker, made an intelligent comment about UAC. As a Vista user and beta tester I perceived UAC as a warning mechanism. A somehow disturbing the first times it shows up but once you understand why it exists, the trade-off always is in favor of the user.
But Joanna has a good point, 2 of them to be more precise. First, it is real that if you allow an application to run through the UAC it WILL have high privileges, and second, the answer for Microsoft was a very bad answer, that would piss me off too.
totalslacker kind of answer would be much better.

Unknown (https://www.blogger.com/profile/15958472306641356705) (2007-02-14T21:19:00.000+01:00):

You are all missing the point of UAC. It is not going to tell you if the software that is trying to install is safe and free of trojans. It's going to stop the software from installing until the user allows the install. If the user is truly concerned about security that user will only install software that they trust.

Most normal users actually know enough to not install software from an untrusted source because they have been hearing it said for several years now. The problem is that most normal users don't know they could be installing software by opening an email attachment that looks like an image file. UAC gives a warning that can prevent that from happening.

The other big problem is that you have companies like Sony, that should be able to be trusted, installing driver-mode software that phones home without user knowledge - http://cp.sonybmg.com/xcp/english/updates.html - and that software opens a hole for hackers. Now as for the convenience trade-off: If Microsoft denied the install of this Sony software and it broke the actual XCP media player functionality, there would have been thousands of users screaming at Microsoft when it was Sony that wrote the bad code.

So what does Microsoft do? Okay, we're going to tell you that Sony is actually going to install software, just so you know. We can't tell you whether you should trust Sony to install this software, or if it is safe because they could sue us for saying something bad about them even if it was true. We did, however, make it possible for these settings to be modified, so you could contact one of our partners and they could help you modify these settings to decide who to trust and who not to trust...

Anonymous (2007-02-14T20:10:00.000+01:00):

From what I read, MS is reverting back to the standards of 95 and 98. For those who were in IT positions then, remember that both OS's allowed any and everything to run wild throughout the system, changing the OS kernels, dlls', keys and spoofing user accounts. I'm glad she brought this out because it makes the "good guys/gals" know as much as a hacker was going to know any time soon. Remember ya'll, it's about the dollar or power or both. But you grown commenters knew that, did you?

Anonymous (2007-02-14T18:36:00.000+01:00):

Most posters seem to be missing the point, so let me spell it out for you:
1) If you are running a program named setup.exe, Vista assumes you are running an installer.
2) It then asks the user to approve immediate 'root' access for this process, NO REAL RESTRICTIONS.

Yes, that's a completely broken security model.

Anonymous (2007-02-14T17:05:00.000+01:00):

If you really cared about Vista like you claim throughout your posts you would not have made this public, now hackers know where there is a weakness. Instead you should have contacted Microsoft about it.

Anonymous (2007-02-14T15:59:00.000+01:00):

"I understand that implementing UAC, UIPI and Integrity Levels mechanisms on top of the existing Windows OS infrastructure is a hard task and it would be much easier to design the whole new OS from scratch and that Microsoft can’t do this for various of reasons".

I've wondered for years why MS doesn't rewrite the OS. You can only be backwards compatible for so long before you're just backwards completely. The Vista security model is really nothing more than an elaborate patch, on a patch as far back as you can see. The user pays for it by annoyances and aggravation by simply trying to use the OS.

The terms Security Technologies or Security Boundaries is splitting hairs. The way the UAC is implemented is just cheaper than doing it correctly. Simple.

Unknown (https://www.blogger.com/profile/14624397579318321013) (2007-02-14T15:53:00.000+01:00):

I'm just going to toss this out, about those lame, poorly trained developers who are writing all that awful code which has to run at admin levels:

They're doing it with software which does the same. Microsoft Visual Studio, the main tool used for creating software these days, basically requires you to be logged in as admin under Vista.

Economics say I'm going to spend most of my time as admin, logged in developing software. If I'm lucky, I'll get a day or so to test at the end. At that point, I'll switch to a normal login (where I'd prefer to have spent all my time), realize that things are completely broken for normal users and...marketing tells me we're shipping anyway.

Maybe that's part of the joke?

Anonymous (2007-02-14T14:51:00.000+01:00):

Dara, re Vista Windows Installer...
MSI custom actions are subject to the tighter security in Vista. They can't write to protected areas until an elevation prompt is passed. If you are a standard user, then when you get to the part of the install where stuff actually starts to happen, you will need to enter an admin username and password. Any writes to protected areas prior to that will use the current user's context, which will fail for a standard user.

Installs are never just automatically elevated and given more privileges. You will be prompted for elevation, either before it is run (for setup.exe's or for MSI's in EXE wrapper) or after the UI sequence for a regular MSI.

If on the off chance a setup.exe is not detected as such by Vista, then it is assumed to be an application, which will be subject to File and Registry virtualization when attempting to write to protected locations. Writes are redirected to a per-user location which will take precedence over the protected data for that user.