Monday, February 12, 2007

Vista Security Model – A Big Joke?

[Update: if you came here from ZDNet or Slashdot - see the post about confusion above!]

Today I saw a new post at Mark Russinovich’s blog which I take as a response to my recent musings about Vista security features, where I pointed out several problems with UAC, like e.g. the attack that allows for a low integrity process to hijack the high integrity level command prompt. Those who read the whole article undoubtedly noticed that my overall opinion of vista security changes was still very positive – after all everybody can do mistakes and the fact UAC is not perfect, doesn’t diminish the fact that it’s a step into the right direction, i.e. implementing least-privilege policy in Windows OS.

However, I now read this post by Mark Russinovich (a Microsoft employee), which says:
"It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Microsoft has been communicating this but I want to make sure that the point is clearly heard. Further, as Jim Allchin pointed out in his blog post Security Features vs Convenience, Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use."

And then we read:
"Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption."

Oh, excuse me, is this supposed be a joke? We all remember all those Microsoft’s statements about how serious Microsoft is about security in Vista and how all those new cool security features like UAC or Protected Mode IE will improve the world’s security. And now we hear what? That this flagship security technology (UAC) is in fact… not a security technology!

I understand that implementing UAC, UIPI and Integrity Levels mechanisms on top of the existing Windows OS infrastructure is a hard task and it would be much easier to design the whole new OS from scratch and that Microsoft can’t do this for various of reasons. I understand that all, but that doesn’t mean that once more people at Microsoft realized that too, they should turn everything into a big joke? Or maybe I’m too much of an idealist…

So, I will say this: If Microsoft won’t change their attitude soon, then in a couple of months the security of Vista (from the typical malware’s point of view) will be equal to the security of current XP systems (which means, not too impressive).


Anonymous said...

Y'r right. Maybe some day, some time MS will truly understand the meaning of security.

Anonymous said...

thats how marketing works :)

all you computer scientists should learn a bit economics, would help you get rich ;)

Anonymous said...

Actually Mark didn't say they weren't security technologies. Mark said they weren't intended to be security boundaries. There's a difference. Running as standard user has a security benefit. UAC prompts are merely a convenience to achieve that goal.

I'm not sure what's a "joke" about that.

Anonymous said...

UAC enables users to work as standard users all the time. That's a big step from XP and far from a joke. They could have built Vista without it and the result would be that most users still ran as admins. The best security is nothing if nobody uses it. It is always a trade-off between security and convenience.

chris said...

security is a scary field because once you say "this is secure" you've issued a challenge to every researcher, consultant, prankster, and criminal in the world and they line up to take a shot at you.

it's like being a boxer or a gunfighter, if you say that you're a worthy challenge everyone comes gunning for you.

so it's natural that MS would start backpedaling on security once they realize that they are still not "secure" quite yet.

what they are doing is cowardly, don't get me wrong, but it's completely natural.

Anonymous said...

I just viewed the presentation ? I think Mark explained quite clearly why, in his opinion, UAC cannot be called a security boundary as such as well as why they (actually, them from Mark's point of view at that time) chose this avenue (usability prevented them from locking it down completely amongst others). I feel you are being overly critical here, as it is clearly a major step in the right direction, without breaking all applications & losing their entire user base. Of course the most relevant steps you described yourself earlier, most of those are 'don't run as root'

Kind regards, Ward J.

Anonymous said...

it seems to me that there is not that small group of people that believe vista security is sort of a "joke" (very much depending from what perspective you look at it).

with other words (the other perspective), most of the new security features are not really meant to fight back strong against advance malware and hacks, but more to push back application developers and users and to prepare an "clear" playground for upcoming windows versions where microsoft will then hopefully be able to roll in much better/stronger security features/designs and not breaking to much of applications or making users to confused using the "new system".

one step at a time, would probably be the conclusion here and crossing fingers and hoping that microsoft actually has some "advance" plans like this for the future.

Anonymous said...

Ward J. wrote:
I feel you are being overly critical here, as it is clearly a major step in the right direction, without breaking all applications & losing their entire user base.

I don't think the author's criticism is out of line at all. This deficiency in Vista's security model means that the plague of Trojan horses will be a problem for some time to come. Any app that is shipped as an installer will be able to get past the new security with nothing more than a smile.

Of all the applications that should be broken on Vista, they've maintained a kind of backward compatiblity in this regard. I'm glad M$ has endeavored not to lose that user base.

Anonymous said...

I must say that ultimately it comes down to the fact that Microshaft is doing exactly what they've always done. Make things easy for a quick buck.

If people aren't willing to learn about their operating system's features and capability, then of course they'll be dumb founded when they get a popup stating "You can't install this program, you need elevated priviledges." Hell, most users can't read to begin with. Hence Microshaft decides to dumb things down for them at the expense of security.

We'll see how long people continue to work with Microshaft products, as France and several other countries are already following suite and dumping all Microshaft products and going open source.

It's exactly as Mrs. Rutowska stated, Microsoft likes to take the easy way out. Instead of finding a proper solution they patch things and end up having to dig themselves out. Why not just do it right the first time...?!?

Anonymous said...

Two comments:

#1. UAC has two main functions: A) assist with making non-standard applications run as non-administrator (through file/registry virtualizations) and B) assist administrators from accidental damage because they're operating the system as an administrator (and not as a normal user like everyone else). It is a proven fact that malware is most contained and prevented when it cannot execute in administrative contexts. Admins should still only be logging in for administrative work, period. This design consideration of UAC does not affect the responsible admin who uses her normal user account 99.9% of the time. And the virtualization to make apps functional for non-admins is really a crutch Microsoft is providing to the developer community. If the developers were to just write conforming apps, users would have been non-admins years ago. This is directly related to why the OS religious wars are ridiculous: it is the application developers' fault that users have operated Windows systems as administrators, inundating the web with malware. If the OS of choice were ANY OTHER FLAVOR (*nix, MAC, etc.) then the religious wars would be against that OS. I recognize this fact now, though I did not years ago (when I myself contributed to the falsehood of OS religious wars). Fix the developers = Fix the endpoint security faults. This is all Microsoft is trying to accomplish with UAC.

#2. Malware can NEVER be fully prevented until we have default-deny malware solutions implemented. All processes and threads should prevent all code from executing except that which is identified as trustworthy. As it is, we are currently in reverse: anti-malware allows all code to execute except that which it deems untrustworthy. Until we have the positive-trust actions implemented in anti-malware, the malware problem will continue. PERIOD. The problem is that those individuals who are smart enough to realize that default-deny anti-malware is the only real solution to malware also realize that anti-(virus/spam/threat du jour) vendors make their money by selling customers a product that needs constant updates available only through subscriptions. A default-deny anti-malware solution won't require updates or subscriptions-- so the economics will probably push all customers into a destitute state where vendors cannot keep up with malware signatures before the vendors finally implement a default-deny solution.

Being a former anti-Microsoft bigot, I fully applaud Microsoft for the introduction of sophisticated security controls such as mandatory integrity levels. And I publicly thank them for UAC which provides us all with extra time while we wait for developers to learn how to code to standards. At the very least, the fact that UAC gets publicity means that developers are more likely to know that their apps weren't written with non-admin users in mind.


Anonymous said...

this is the equivilent of saying "we will screen everyone boarding all planes, with the exception of men wearing blue hats". Theres no point building the great wall of china if it's filled with unlocked doors.

Anonymous said...

Apparently, the MSI model also still supports binary custom commands integrated as records in the database. Does this mean that these also run ring 0? Because if they do, then heck, you don't even need to install anything - just trigger one of those naughty, naughty children and the game is over.

Anybody know offhand when Vista's version of installer processes custom-command records, and how?

Anonymous said...

A key point, I think, that Ms. Rutkowska made, perhaps unintentionally, is that Microsoft cannot be expected (for reasons of compatibility, I suppose) to design a completely new operating system. This speaks to the root of all their problems - even Vista is just a new shell built on top of old technologies. It's a bit like an upside down pyramid; eventually it will collapse entirely as the underlying structure proves incapable of sustaining all the new construction piling up on top of it.

Perhaps because they serve a less diverse and expansive user base, Apple Computer was willing and able five or six years ago to do what Microsoft cannot - switch from their old, rickety operating system, with it's myriad vulnerabilities, to a new system (OS X), build on a sound, proven and substantially more secure foundation - UNIX. Since then the trojans and viruses which used to plague the Mac OS have dried up altogether.

LINUX, the open source alternative to Windows that is growing steadily in popularity, is likewise modeled on UNIX.

It's not unreasonable to conclude, therefore, that Windows in any form is living on borrowed time. Much of its current popularity is a result of little more than inertia. It's hard to see how even the billions Microsoft has committed to marketing Vista can make up for the core weakness of the underlying system.

Vista may be an improvement over Windows XP in many respects, but the differences, like beauty, are only skin deep.

Anonymous said...

I think that Mark Russinovich has a point.

A major problem on Windows XP today is that most programs simply break down when a user tries to run as a normal user instead of an admin.

This actually forces XP users to run as Admins! which is undesired.

On Vista the UAC will finally force developers to write their code to run flawlessly as non-admin.

Maybe that is its original purpose. The re-education of software developers around the world.

On the other hand, you have a good point as well.

I am willing to bet that MS will be forced to address this issue even if currently it is not willing to admit it.

Paolo said...

Why are you all surprised? MS isn't a software maker, but a business model. They make their living and of hundred thousands of smaller and less small software houses out of the problems they cause to the users. You buy win -> you get a virus -> you buy antivirus -> your comp get jammed down -> you buy a faster PC -> you bu y vista.
Windows will never be secure and immune otherwise MS will go default!

Anonymous said...

Regarding the mentioned education of the application-developers, isn't that a nice challenge for that famous Microsoft Marketing Department?
I don't think you should put all the blame with those developers.


Anonymous said...

Dara, re Vista Windows Installer...
MSI custom actions are subject to the tighter security in Vista. They can't write to protected areas until an elevation prompt is passed. If you are a standard user, then when you get to the part of the install where stuff actually starts to happen, you will need to enter an admin username and password. Any writes to protected areas prior to that will use the current user's context, which will fail for a standard user.

Installs are never just automatically elevated and given more privileges. You will be prompted for elevation, either before it is run (for setup.exe's or for MSI's in EXE wrapper) or after the UI sequence for a regular MSI.

If on the off chance a setup.exe is not detected as such by Vista, then it is assumed to be an application, which will be subject to File and Registry virtualization when attempting to write to protected locations. Writes are redirected to a per-user location which will take precedence over the protected data for that user.

Unknown said...

I'm just going to toss this out, about those lame, poorly trained developers who are writing all that awful code which has to run at admin levels:

They're doing it with software which does the same. Microsoft Visual Studio, the main tool used for creating software these days, basically requires you to be logged in as admin under Vista.

Economics say I'm going to spend most of my time as admin, logged in developing software. If I'm lucky, I'll get a day or so to test at the end. At that point, I'll switch to a normal login (where I'd prefer to have spent all my time), realize that things are completely broken for normal users tells me we're shipping anyway.

Maybe that's part of the joke?

Anonymous said...

"I understand that implementing UAC, UIPI and Integrity Levels mechanisms on top of the existing Windows OS infrastructure is a hard task and it would be much easier to design the whole new OS from scratch and that Microsoft can’t do this for various of reasons".

I've wondered for years why MS doesn't rewrite the OS. You can only be backwards compatible for so long before you're just backwards completely. The Vista security model is really nothing more than an elaborate patch, on a patch as far back as you can see. The users pays for it by annoyances and aggravation by simply trying to use the OS.

The terms Security Technologies or Security Boundaries is splitting hairs. The way the UAC is implemented is just cheaper than doing it correctly. Simple.

Anonymous said...

If you really cared about Vista like you claim through out your posts you would not have made this public, now hackers know where their is a weakness. Instead you should have contacted Microsoft about it.

Anonymous said...

Most posters seem to be missing the point, so let me spell it out for you:
1) If you are running a program named setup.exe, Vista assumes you are running an installer.
2) It then asks the user to approve immediate 'root' access for this process, NO REAL RESTRICTIONS.

Yes, that's a completely broken security model.

Anonymous said...

From want I read, MS is reverting back to the standards of 95 and 98. For those who in IT positions then, remeber that both OS's allowed any and everything to run wild throughout the system, changing the OS kernels, dlls', keys and spoofing user accounts. I glad she brought this out because it makes the "good guys/gals" know as much as a hacker was going to know any time soon. Remember ya'll, it about the dollar or power or both. But you grown commenters knew that, did you?

Unknown said...

You are all missing the point of UAC. It is not going to tell you if the software that is trying to install is safe and free of trojans. It's going to stop the software from installing until the user allows the install. If the user is truly concerned about security that user will only install software that they trust.

Most normal users actually know enough to not install software from an untrusted source because they have been hearing it said for several years now. The problem is that most normal users don't know they could be installing software by oening an email attachment that looks like an image file. UAC gives a warning that can prevent that from happening.

The other big problem is that you have companies like Sony, that should be able to be trusted, installing driver-mode software that phones home without user knowledge - - and that software opens a hole for hackers. Now as for the convienience trade-off: If Microsoft denied the install of this Sony software and it broke the actual XCP media player functionality, there would have been thousands of users screaming at Microsoft when it was Sony that wrote the bad code.

So what does Microsoft do? Okay, we're going to tell you that Sony is actually going to install software, just so you know. We can't tell you whether you should trust Sony to install this software, or if it is safe because they could sue us for saying something bad about them even if it was true. We did, however, make it possible for these settings to be modified, so you could contact one of our partners and they could help you modify these settings to decide who to trust and who not to trust...

Anonymous said...

atotalslacker, made an intelligent comment about UAC. As a Vista user and beta tester I perseived UAC as a warning mechanism. A some how disturbing the first times it show up but once you understand why it exists, the trade of always is in favor of the user.
But Joanna has a good point, 2 of them to be more precise. First, it is real that if you allow a application to run through the UAC it WILL have high previleges, and second, the answer for Microsoft was a very bad answer, that would piss me off too.
totalslacker kind of answer would be much better.

Anonymous said...

anonymous said:
If on the off chance a setup.exe is not detected as such by Vista, then it is assumed to be an application, which will be subject to File and Registry virtualization when attempting to write to protected locations. Writes are redirected to a per-user location which will take precedence over the protected data for that user.

That's exactly what I expect it to do. But what if I actually WANT to run setup.exe and have it use the file and registry virtualization!? Vista says I cannot have that choice. I have to run setup.exe as an admin, and thus CANNOT use the user's virtualized sandbox. Bad idea!

Anonymous said...

Joanna's points are valid about Wiindows Vista. Do not be so quick to dismiss her concerns.

Joanna is quite correct when she states that in truly addressing security Microsoft would have to redesign the entire OS. It is only a matter of time before this model is exploited.

Microsoft only started taking security more seriously after being repeatedly hammered by security issues. (I have already had users want to turn off the prompts provided by Vista when executing a setup program.) This shows that Microsoft has been slow in taking security seriously.

Some have mentioned that the problems have been the program developers themselves, while this is true we must not forget that Microsoft is also program developer and that some of their most popular programs (IE and Office) have been common targets.

The simple point of the matter being that Microsoft has encouraged sloppy programming practices, even among their own employees. My employer's operations program requires that I make security modifications to the Windows Registry and Folder where the program files are stored. If I do not make these changes then I have to permit users to run the application as a local administrator.

Vista has not been on the market long enough to have any significant impact. However, many businesses that I work with have opted not to upgrade because of compatibility issues with Vista. IE 7 was enough of a change that many businesses have opted to not use IE 7 (interestingly enough these businesses are exclusively MS houses).

Anonymous said...

"Because Windows Vista doesn’t define an operating system, potential problems, regardless of severity or scope, are not bugs.

Anonymous said...

I think my next computer is going to be a Mac. I'm tired of all MS's bull about how they are going to make things secure.

Anonymous said...

Hmm interesting reading for the morning.

Some comments were realy good.

Speaking from a Linux user perspective, I have the ability to virtualize almost all the user environment (chroot, and other things). So Vista now implements configuration hierarchy that should be present from the first time windows registry was introduced. And at the same time pokes huge holes because of user convenience.

The above is the general security problem with MS. If they design a secure system (which is not that hard), they'll cut off many applications from ease of use (or from use at all). Thus they HAVE to listen to their user base or they'll lose market share. Of course they are doing their best to get users and ISVs used to the new security model setp by step. However it'll take a few more versions of Windows to get there. At that time competing OSs will be years ahead because oftheir open design.

Anonymous said...

So called "open" designs have nothing to do with it. It boils down to marketshare, if they cut the current crop of windows apps off at the knees then, honestly, what would keep most people from just switching to a Mac (no, linux isn't ready for the normal every day moron)?

Believe me, I don't own a mac, but dear god after running Vista RTM since November, I've about had it. And yes, I am a developer for the MS platform.

The UAC is an annoying piece of garbage. They could have virtualized the space that any app ran in or plugged the IE leaks...

And ANY person who uses pretty language such as "not a security boundary" to tell you why a system compromise is not technically a system compromise is selling something. If they can get in, then it's a friggin security problem.

I went through the reporting about security issues with Remote Desktop and Intellipoint, even though I could remotely execute code on a 2003 server, they didn't consider it a "security" issue. stupid stupid stupid.

oops. I just ranted. deal.

Anonymous said...

At most from what I can tell some of the Security that MS has for Vista will not work right till Longhorn comes online in 2 years.But that will be too late for some. And i just don't understand why wait so long for to get those security features running when they are need now?

Anonymous said...

How long before someone figures out how to stuff the event queue so that the system thinks that the user clicked on the OK button, but it was really a trojan clicking it for you?

I've done hacks like this to automate things that Microsoft was not interested in providing an API for.

Anonymous said...

I just viewed the presentation ? I think Mark explained quite clearly why , in his opinion, UAC cannot be called a security boundary as such as well as why they (actually, them from Mark's point of view at that time) chose this avenue (usability prevented them from locking it down completely amongst others). I feel you are being overly critical here, as it is clearly a major step in the right direction, without breaking all applications & losing their entire user base. Of course the most relevant steps you described yourself earlier, most of those are 'don't run as root'

Anonymous said...

I don't believe that Joanna is over-reacting at all. Joanna is incredibly intelligent and presents her research and comments in a professional and unbiased manner. It's a darn good thing she is putting her efforts toward ethical security research.
Mark Russinovich's comments, which serve to represent Microsoft's position by his association of employment, were not only a let-down, but a slap in the face from out of the blue. It's as if Microsoft said "look at all these great security features to make Vista safer for you" and then turned around and said "actually we had to poke a bunch of holes in this new security features (for your own convenience - and to train SW developers) and so they don't really represent security boundaries".
Here is something else Russinovich wrote, "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs". This definitely sounds like Microsoft covering their @$$.
NOTE: I've had a respect for Mark Russinovich for years, for his work on SysInternals and Winternals. I don't think Mark is a bad guy at all, but his comments were an unexpected shock. I think that much of the security research community were hoping that Microsoft was more committed to improving security, than what these comments reveal.
Microsoft is faced with a tough decision on how far they can push to improve security, while providing enough backward compatibility and convenience to keep their market share. Joanna points out that they still have wiggle-room in this area. She also points out that eventually Microsoft will have to bite the bullet and break from this past - scratch-build a new OS on a more secure foundation and restrict unsecure practices. Too bad Microsoft wasted all that effort on DRM, instead of using it more wisely on better security improvements.
Joanna, maybe you are an idealist, but I can relate.

Anonymous said...

Seems like Microsoft's objective with creating Vista's Integrity Levels, and their associated UAC and Protected Mode IE7, was not to add or enhance security boundaries, but rather to create behavior modifiers.
The endpoint user is arguably the weakest security piece of a good security model, so an attempt to modify unsecure user behavior is a good step.
However, Microsoft somewhat mislead us initially by purposefully giving the impression that these were intended to be more like hardened security boundaries than behavior modifiers.
Mark Russinovich's comments dropped a bomb on a lot of people's perceptions about Microsoft's efforts and commitment toward security. Joanna reacted pretty much the way I did - I was absolutely shocked at what Mark was revealing, and thought this has got to be a joke.
Don't get me wrong. I understand there is more to it than that. Vista has sandboxing and facilitates less of a need for users to run in administrator mode by default. This is good if users use it properly. Vista is potentially more secure than XP and Joanna recognized Microsoft for their improvements.
But, as Joanna has pointed out, even these "security improvements" have weaknesses that need to be addressed - from a technical rather than behavior perspective.
The bottom line is Microsoft obviously didn't have the necessary mindset to properly (or more effectively) secure Vista from being another endpoint problem with Malware, like its previous versions of Windows. What a shame.

Anonymous said...

Thanks for your nice post!

Anonymous said...

Fairly enough the way you have pointed on the vista. Hope to see some more on the topic.

Anonymous said...

People that say Mac is secure and Unix is secure are wrong. You can't have a totally secure operating system unless it is a closed system, any system that allows installation of any 3rd party software is inherently insecure. There are many more attacks on Windows because 98% of computers run Windows.

That said the UAC in Vista is a joke, information is power and with the UAC you do not get enough information. Look at a commom UAC prompt "An unidentified program wants to access your computer" and the name of the program. You click on "Details" and all you get is the path and executable name. To begin with with so few details why even have the "Details" button, why not show the details all the time? Second of all Windows should know when the user double clicks on a link to start a program, so why ask if I want to run the program, if I didn't I wouldn't have clicked on the icon. The UAC is just an illusion of security.

What the UAC should do is tell you things like a program is setting itself to start automatically at startup, but it doesn't do that, once you say it is alright for a setup program to run the setup can do whatever it likes without any UAC prompt.

For an example I recently installed Nero 8 on Vista with UAC on. It prompted for the setup to run, during setup Nero set 3 program to auto start with Windows, without the setup telling me or UAC. After unistalling Nero the 3 programs set to suto start were still there, I had to remove them manually through registry.

Stuff like that is what causes winrott and malware. All the UAC does is ask when you double click on something are you sure you wanted to, not much else.

The UAC I guess could be called a start but barely a start, there has been better security software on the market for years such as ZoneAlarm which monitors additions to startup section of registry and keyloggers.

Viruses can be spread with UAC just as easy as without, simply use an installer, the user gets prompted is it OK, they don't know its a virus so they click yes, and the installer installs the virus, sets it to start automatically along with 20 other viruses and malware. UAC is an ilusion and a waste of all of our time.

Anonymous said...

I say the problem with UAC is that it prompts for things it shouldn't, it should know if you double clicked on a file, why ask you? The 2nd thing is it does not tell you things it should, like when a setup is setting programs to run at startup. If I am installing a program I think is legit of course I'm gonna say yes OK to run afetr I double click on it...DUH. What it should be asking me is it OK for this setup program to set 20 programs to run at startup.

UAC right now is an illusion of security, something that insesintly asked you "Are you sure you started this program?"

Anonymous said...

I am glad to see the Software Explorer in Vista Windows Defender.

I believe the biggest security threat in Windows is how programs can set themselves to start automatically about 20 different ways, and to track them down you have to search the registry in 10 different places. The Software explorer is a step in the right direction.

There should be 1 place a program can set itself to start automatically, and that should be the "Startup" folder in "Programs", right where you can easily check and get rid of stuff you don't want. But of course startup is like everything Microsoft has, its spread all over the place and hard to find. Look at the control panel, why aren't all utilities listed in control panel? Instead some are there, some are in programs > Accessories, some are launched through help files, some you have to remember the command for and just start it manually. Not to mention that they change it all around with every new version.

Anonymous said...

Vista IS a joke...
Bad gaming drivers...
security problems...
compatibility problems...

They're actualy getting sued for it.