Website
http://danielmiessler.com/ -
Original page
http://danielmiessler.com/blog/vista-security-a-joke-executables-install-as-administrator-because-its-more-convenient -
You can, of course, install to /home/matt/bin if you want, but that requires extra parameters to make install, right?
And with OS X, you drag/drop (ah, bless the simplicity) to /Applications/. The 'niceness' of OS X is that you can drag/drop to /Users/Matt/Applications - or anywhere really - and run from there. Apps store their settings in /Users/Matt/Library *or*, for system wide settings, /Library.
No doubt OS X is *miles* ahead of Windows in this regard. I don't think there is any way Windows will be able to force users, or perhaps more importantly, app developers, over to an OS X/*nix style of application deployment.
Score one more for me!! I guess I have some mystical powers or something. JK...
Matt - With *Nix there is no reason to install something to your local bin. You can, however, but that does not really make it more secure. The big difference is that when you install an application to the standard locations in *Nix you have to be root, but most do not need root to run. Most applications will warn you if you try to use them with root. This is so that normal users will know not to do that.
I think you are mistaking execute permissions (who can run the program) for operations permissions (the permissions level the program runs with when it is run). It is possible to compile a program to run as root, but by default most will run with the permissions of the executor.
"You are obviously an idiot."
Do you wish to elaborate?
Perhaps, but a reason why you think so would be very much appreciated...
Speed Limit
http://speedlimit.home.att.net
It is not true that Vista asks installers to run as Administrator or not at all. Indeed, there is no clear distinction of what an "installer" is. The only "standard" is MSI, but there are many other installers than that. Consider Nullsoft's Simple Install System.
So, Vista has no way of identifying what are installers in the first place. It may be able to identify *some* installers. But clearly it cannot require all installers to identify as administrator, because it cannot identify them. I can write a program to create C:\Program Files\MyApp and some registry keys -- how does Vista know it's an installer? It doesn't.
Indeed, I have run installers on Vista that do not require administrator privileges. Especially the smaller open-source types of applications that make less sweeping changes on the system tend not to require administrator privileges.
So, that leaves us with the question of "Which programs does Vista identify as requiring administrator privileges?" Obviously it's analyzing SOME types of programs and putting the "Admin required" logo on them. My guess is that Vista is looking inside the executables and determining what sorts of actions the installer wants to execute. It determines if administrator privileges are needed for that action, and if so, disallows execution of it without elevation to administrator.
What I'm saying is that (1) there exists a class of programs that will fail if not installed as administrator, (2) Vista is probably identifying a subset of this set (e.g., it can understand some installers such as MSI but not others), and (3) Vista is saving you trouble because it *knows* in advance via security protocols that the installer will fail, and thus there is no reason to allow you to install it.
*Pant*. Ok, that was long, but hopefully it clears things up :-)
Vista prevents you from running an installer as not-Admin in the case where the installer will *fail* without it. Those are the installers that visually get the "shield" icon.
OK, I just did some testing to verify my above hypothesis, and I believe it to be correct.
The installer for Quicktime for Windows *does not* have a shield icon when you download it. Many other installers will display a shield while visually sitting on your desktop. Vista has identified these programs in advance as needing administrator privileges to run.
However, if you run Quicktime, Vista realizes during the installation process that Quicktime requires administrator privileges. Thus, it pops up a permissions elevation window. If you deny Administrator access, it means that the object Quicktime is trying to access (say, putting a DLL into the Windows directory) will fail without this permission.
It makes no sense to attempt to allow the installer to continue, because Vista knows the installer will simply fail.
Finally, there is another set of installers that need administrator privileges, but which Vista cannot identify. If you run these installers, they will just fail with a security error. If you re-run them, explicitly requiring the administrator account (say, through the right-click menu on the file) they will succeed.
So, there appear to be three classes of installers:
(1) Programs that Vista can identify in advance require administrator privileges. The install would simply fail without it; it knows this, so there is no reason to let you run the program. It would be like Windows Explorer pretending to let you access a directory it knows you don't have rights to -- it would be a runtime exception and something would crash. It not letting you do anything BUT run it as administrator is just a gracious way of crashing.
(2) Programs Vista can't identify in advance as requiring administrator privileges, but which Vista can identify while they are running. Vista asks you at the time it attempts to use those privileges, and presents the elevation dialog.
(3) Programs that Vista cannot identify at all. These programs just crash (although the application itself might catch the error and say something like "Failed to install. Rolling back" or something). You have to run them as administrator manually.
Which category an application falls into, whether 1, 2, or 3, probably depends on which APIs the program uses to perform its actions.
Conclusion: Vista only requires programs to elevate using UAC if it actually is necessary, i.e., the program would otherwise fail.
"Still, even though that might look like a secure configuration, this is all just an illusion of security! The whole security of the system can be compromised if attacker finds and exploits e.g. a bug in kernel driver."
Oh really? You mean an OS is insecure if the attacker can exploit the kernel? You don't say?
OBVIOUSLY. It's still real security. The fact that human mistakes can always occur doesn't stop it from being real security.
You can say "what if an attacker can exploit the kernel?" about any OS ever made; and it will remain true for any OS ever made. It's a completely pointless FUD statement.
Mistakes happen. That doesn't make security an "illusion".
He's an idiot.
Not so fast, there. I don't think the researcher is claiming it's a bad thing for admin privileges to be granted during an application's installation.
The issue here is that once an installer is granted permission to run and install its stuff, it gets those rights indefinitely during the install. That means it can install an application that will *always* run as an administrator, with all the privileges that includes.
This means that your spyware-laden applet can still gain admin privileges as long as your users can be tricked into granting permission to the installer. The installer just installs its stuff as normal, and because it's got admin rights during the install, it says "it's okay, the user trusts me, and I trust this little binary I'm installing -- it can run as administrator if it wants, too. Ask the user again if you don't believe me!"
In Unix land this is called "setuid root" -- any user with sufficient permission to execute the binary can do so, and any execution of the binary permits it to run as the owning user (if the owner is root and the file is setuid, that means the binary gets to run as root, no matter who runs it).
Sounds like this is exactly what Vista is permitting -- install a binary as an admin, with admin rights, so every time it runs, it gets to be an admin. Yay.
Most apps install, by default, files or registry entries to places that a standard user (non-admin, non-power user) does not have access to. On Windows 9x / 2000 / XP this is not an issue, as all users by default (at least on a standalone or workgroup PC) have administrative rights and can do what they want. Generally, most applications, if written correctly, do not need to put files / registry entries into system-wide locations, but they just do because they have been able to for so long, and it's easier.
E.g., QuickTime will install system-wide video codecs, that annoying system tray icon, change system-wide file associations, etc.
However, as an example of apps that do install correctly, it is possible to install Microsoft Office without elevated user rights, and by default it will only get installed for that user, and not for others - kind of how you would expect. Especially as it's a Microsoft app.
So, the crux of the situation is that currently a lot of apps and their installers are written to install for the system, and to do so these apps request admin rights.
The only option to tighten security for Vista was to adopt the Linux approach and give users non-administrative rights by default, and install apps that affect the system as an elevated user. As Vista's lifecycle progresses, we shall see more apps written correctly to run in a limited user context, and not require admin rights to install. But for the time being we have badly written apps and installers.
First, let me tell you, if you follow Windows security issues at all, you should know the name Rutkowska. Obviously you don't, which does not serve any favors (hint: Google for "Blue pill" to learn something).
Second, you don't seem to understand the issue at all... "Vista only requires programs to elevate using UAC if it actually is necessary, ie, the program would otherwise fail."
And THAT is exactly the problem! Here's the attack vector: JoeFriend surfs around on your machine and finds this great program on the net that he'd like to try. So he downloads it, clicks through UAC, fine and dandy. But the program contains who knows what sort of crap malware (let's say it even installs itself in the kernel). So you thought JoeFriend can't create any trouble? Whoops!
So it appears I was largely wrong about this. Not about it being an issue (it is), but about my judgment of the design and the severity of the implications. After reading extensively about the issue I came across a comment here on the site that captured it really well:
That's really it. Microsoft is simply dealing with its insecure past, i.e. a world in which installers had full admin rights to do anything they wanted on the system. As such, most software is still written in this fashion, and since that's the case, and Vista users are non-privileged, -- old, dirty-style programs have to be installed with elevated rights if you want to use them.
In short, it's still a security problem, but the problem comes from Microsoft's difficult to handle legacy past, not a recent, poor security decision by Microsoft.
Anyway, I was sloppy, and I apologize for that. I should have nailed down the problem more accurately before posting.
Ok... what about this:
I have a simple program (let's say app.exe) and I can install it just fine on XP as a limited user.
However, as a "standard" user on Vista I cannot install without the admin password.
What's up with that?
People that say Mac is secure and Unix is secure are wrong. You can't have a totally secure operating system unless it is a closed system, any system that allows installation of any 3rd party software is inherently insecure. There are many more attacks on Windows because 98% of computers run Windows.
That said, the UAC in Vista is a joke. All the UAC does is verify that you want to run a program when you double click on it... if I didn't, I wouldn't have clicked on the icon. The UAC is just an illusion of security.
What the UAC should do is tell you things like a program is setting itself to start automatically at startup, but it doesn't do that, once you say it is alright for a setup program to run the setup can do whatever it likes without any UAC prompt.
For an example, I recently installed Nero 8 on Vista with UAC on. It prompted for the setup to run; during setup Nero set 3 programs to auto start with Windows, without the setup telling me or UAC. After uninstalling Nero the 3 programs set to auto start were still there; I had to remove them manually through the registry.
Stuff like that is what causes winrot and malware. All the UAC does is ask when you double click on something whether you are sure you wanted to, not much else.
The UAC I guess could be called a start but barely a start, there has been better security software on the market for years such as ZoneAlarm which monitors additions to startup section of registry and keyloggers.
Viruses can be spread with UAC just as easily as without: simply use an installer, the user gets prompted whether it is OK, they don't know it's a virus so they click yes, and the installer installs the virus, sets it to start automatically along with 20 other viruses and malware. UAC is an illusion and a waste of all of our time.
All that being said, Windows is in no jeopardy of losing its dominance because of security; anybody that is serious about security has real security software installed. Security and false security like the UAC, and the incompatibility issues something like the useless UAC causes, along with a lot of other reasons, are causing them to slowly lose market share. But it would take many, many years of bad design for MS to lose their dominance.
I hear a lot of people talking about lazy programmers and how the security problems are because of them. Microsoft enjoys dominance because of these so called "lazy" programmers. All PC buyers should think back to the first time they had to choose between a Mac and a PC and remember that they chose the PC because of all the software that was available for it. Quit blaming lack of security on programmers; give us real security and real information.
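The check the commenter above says UAC does not perform (telling you what an elevated installer added to the autostart locations) can be done by hand: snapshot the standard Run/RunOnce registry keys before the install and diff them afterwards. This is an added example written for this page, not code from the blog or from any commenter; the key paths are the well-known per-machine and per-user Run/RunOnce locations, and the Read-Host pause stands in for whatever installer you are evaluating.

```powershell
# Added example (not from the original thread): snapshot the common
# autostart Run keys before an install, then diff after it to surface
# entries an elevated installer added silently. Reading these keys
# does not itself require elevation.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    # Returns a hashtable of "<key>\<valueName>" -> command line.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = $item.GetValue($name)
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Report entries present after the install but not before,
    # plus existing entries whose command line was changed.
    foreach ($entry in $After.Keys) {
        if (-not $Before.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $entry; Command = $After[$entry] }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Command = $After[$entry] }
        }
    }
}

# Usage: take a snapshot, run the installer under test, then compare.
$before = Get-AutostartSnapshot
Read-Host 'Run the installer now, then press Enter to compare'
$after = Get-AutostartSnapshot
Compare-AutostartSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Entries that survive an uninstall, like the Nero ones described above, show up the same way if you re-run the comparison against the pre-install snapshot after uninstalling; startup folders, services and scheduled tasks are other autostart locations this diff does not cover.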