Apparent Goatse-level security hole in Windows Vista

[giza]

From this article on ZDNet regarding setup programs under Windows Vista:

"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?," Rutkowska asked in a post on her Invisible Things blog.

This just hurts my brain. More technical details about Microsoft's reason for this "design choice" are in the article. (A reason I happen to disagree with. I cite the ability to install and run many applications on UNIX and OS/X as a non-root user, for example.)

Additional blog entires (with even more details) that I haven't yet read through:
Running Vista Every Day! - The original blog entry talking about the security hole
PsExec, User Account Control and Security Boundaries - Microsoft's response
Vista Security Model – A Big Joke? - Response from the original blogger

If anyone who has more familiarity with Windows Vista can explain to me why this isn't the gaping security hole it appears, please feel free to do so in the comments.

Comments

Windows doesn't suck, installers do.

[coyoteden.livejournal.com]

Not all installers prompt for elevation. Just ones that try to modify registry or filesystem areas a limited user wouldn't have write access to. This includes the system registry and the entire Program Files directory. If it needs to make any changes to the system that would affect all users, it needs to elevate. That's pretty damn locked down.

If that little Tetris game, for example, installs into the user's profile, no UAC dialog will appear. However, most installers default or force installation for ALL USERS.

There are lots of things that don't need elevated privs: Think flash, ActiveX plugins, and trusted Java apps. Yes, a couple of those ARE good ways to get spyware, but IE/Firefox will warn you first, and said spyware can't touch anything but the user's profile (even for admins!) without triggering a UAC halt.

Vista is the first version of Windows to enforce the principles of least privilege. It's not Vista's fault that every pre-existing installer wants to run as root, even if it's a shitty little Tetris game that doesn't need it. Under Linux/OSX, if an installer wants root, and you give it root, there's just as much risk.

UAC also keeps "limited" accounts from installing anything system-wide: If your account is an administrator, you get OK/Cancel. If your account is limited, you have to enter an admin's credentials. No shiny red candy-like button to push.

Even if you do have to elevate to install an app, once it's running Vista will do everything it can to let the app run without having to elevate. This includes virtualizing file and registry access: Non-critical changes that would affect "all users" get redirected into a virtual filesystem/registry in the user's profile. Attempts to modify system-critical stuff will either fail or trigger UAC.

[simbab.livejournal.com]

I thought NT had the security model from hell, wherein it was so fine grained that it was hard to configure it correctly. Isn't UNIX usually the one criticized for the traditional all-powerful root user?

I probably will not be familiar with Windows Vista for a long time, as it sure as hell isn't going on any of my machines, at least natively, and virtualizing it has been a PITA because a) it requires 512 MB of RAM (most I have in a machine is 1 GB), and b) that machine is x86_64 and QEMU (http://www.qemu.org) doesn't support Vista (ACPI implementation isn't up to snuff) and VirtualBox (http://www.virtualbox.org/) is only stable (as far as I can tell) on x86_64 since...ohhh, last night. Vista is more of a curiosity to me than anything else, so I may get around to it...I may not...

[giza.livejournal.com]

NT's security model was pretty fine grained, but I believe that certain permissions were put into groups. I haven't touched it about 7 years, so I can't say for certain.

> Isn't UNIX usually the one criticized for the traditional all-powerful root user?

Yes and no. Running all daemons as root (which used to be done) is obviously a bad idea, because if someone exploits a single service, the entire system is compromised. What's been done for the a number of years though is to create a separate user for each daemon and run it as that user. Sendmail would be run under the "sendmail" user, apache is run under the "apache" user, etc. If you want to get really extreme about it, each of Qmail's stand alone programs runs as one of *8* different users. The "different user" approach provides some additional security.

Going beyond that, *BSD has had the chroot jails for some years as well. Each daemon is chrooted to a certain directory, and cannot access any files outside of that directory.

You can also have fine-grained permissions with UNIX. There are a few additional security models for that. I think SGI IRIX and/or Solaris has ACLs, and I think it was the NSA's flavor of Linux that let you specific read/write permissions for individual files on a "whitelist" basis. i.e., an application could not read/write from/to a specific file or directory unless it was explicitly given permission to do so. However, my memory may be a bit rusty with that too.

[nidonocu.livejournal.com]

Following on from what arccoyote said, you are likely to see slowly more applications providing single user install over the next few years as Vista's new platform for example, would stop kids from downloading little games to their PC's if their parents have only given them a limited user account and companies still want their software to be used!
The thing I always remind people is that Windows is a 'big ship' and thus changes to a more unix like security model will take Vista as a transition period, 'Windows 7' as the 'last chance to get it fixed, we're totally virtualising you' and then finally total lack of support in Windows 8.
Microsoft do at least have at least a new installer technology called 'ClickOnce' that only supports per user installation as its method, and MSI now also supports it as an option. You are likely to see third party installers adopting it too soon enough so that more developers can use per user rather than per machine installations.