If Microsoft had any hope that Windows Vista would get a honeymoon,
it is surely feeling disappointed by now.
For months before the operating system was even released,
Microsoft spent a lot of time trying to refute accusations from
vendors like Symantec Corp. and McAfee Inc. that its
PatchGuard kernel protection feature would lock
out third-party security products.
Now Microsoft is taking a beating in the blogosphere from none
other than Joanna Rutkowska, the Polish security researcher who
made headlines at last summer's Black Hat conference for
demonstrating a way to load unsigned code into the Vista kernel
despite its driver-signing requirement.
This time, Rutkowska says she has discovered a "very severe
hole" in the design of Vista's User Account Control (UAC)
feature.
"Vista automatically assumes that all setup programs
(application installers) should be run with administrator
privileges," she wrote in her
Invisible Things blog. "So, when you try to
run such a program, you get a UAC prompt and you have only two
choices: either to agree to run this application as
administrator or to disallow running it at all."
That means someone who downloads a freeware Tetris game will
have to run its installer as administrator, giving it not only full
access to the user's file system and registry, but also allowing it
to load kernel drivers, she said, asking, "Why [should a] Tetris
installer be allowed to load kernel drivers?"
Rutkowska was flabbergasted when Microsoft's Mark Russinovich
responded to UAC concerns with a very detailed
blog breakdown of how the feature works.
What left her particularly dismayed was Russinovich's comment
that "potential avenues of attack, regardless of ease or scope,
are not security bugs."
"I was pissed off … because [Russinovich] declared that all
implementation bugs in UAC are not to be considered as security
bugs," she said in a follow-up
blog posting.
Russinovich also admitted in his posting that Vista makes
tradeoffs between security and convenience, and "both UAC and
Protected Mode IE have design choices that required paths to be
opened in the IL (integrity level) wall for application
compatibility and ease of use."
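The two mechanisms argued over above, installer detection and the integrity-level wall, can be inspected directly. The following PowerShell script is an added example for this article; it is not code from Rutkowska, Russinovich or Microsoft. It assumes a current PowerShell on a Windows host with UAC present. The registry value names are the documented UAC policy values under Policies\System; the manifest fragment is the standard way an executable states its own execution level, which takes it out of installer detection altogether.

```powershell
# Added example (not from the article): read the UAC policy values that govern
# installer detection and elevation prompting, report the integrity level of the
# current token, and show the manifest that opts a binary out of installer detection.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policy

# EnableLUA = 1 means UAC is on; 0 means admin logons get a full-admin token.
# EnableInstallerDetection = 1 is the behaviour described above: a 32-bit executable
# with no manifest whose file name or version resource looks like an installer
# ("setup", "install", "update") is offered only an elevated run or no run at all.
# ConsentPromptBehaviorAdmin: 2 = prompt for consent on the secure desktop (Vista
# default), 5 = prompt only for non-Windows binaries (Windows 7 and later default).
# ConsentPromptBehaviorUser: 0 = deny elevation silently, 1 = ask for admin credentials.
New-Object PSObject -Property @{
    EnableLUA                  = $uac.EnableLUA
    EnableInstallerDetection   = $uac.EnableInstallerDetection
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    ConsentPromptBehaviorUser  = $uac.ConsentPromptBehaviorUser
} | Format-List

# Integrity level of this PowerShell process: Medium (S-1-16-8192) for a standard
# user or a filtered admin token, High (S-1-16-12288) only after a UAC elevation.
# The label is not a group, so it is read from whoami rather than the token's Groups.
$label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
"Integrity level: $($label.'Group Name') ($($label.SID))"

# Manifest fragment: a binary that carries this is never subject to installer
# detection because it declares its own requirement. With asInvoker the "Tetris
# installer" runs at the user's integrity level and cannot load kernel drivers.
# Replace asInvoker with requireAdministrator only for setup code that really needs it.
$manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

# Save as <app>.exe.manifest next to the binary (honoured only if the binary has no
# embedded manifest), or embed it with the Windows SDK manifest tool:
#   mt.exe -manifest tetris.exe.manifest -outputresource:tetris.exe;#1
$manifest
```

Run the script once from a normal console and once from a console started with "Run as administrator": the policy values are the same, but the reported label moves from Medium to High, which is the wall Russinovich's comment refers to. Nothing here changes the disagreement itself; it only shows what the prompt is deciding about.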
Several security bloggers agree with Rutkowska that while UAC
may have started as a good idea, it has become fairly useless.
Havard Pedersen, a Web developer based in Norway, has dedicated
an entire blog to reasons why Vista won't be
installed on any of his computers. One reason, he wrote, is
that security measures like UAC actually create more risk.
"Have you seen 'normal' users surf on dubious sites?" he asked
in his blog entry. "They click through all warnings without reading
them. What does this mean for Vista? It means that thanks to the
UAC security warnings … people will learn, even more than earlier,
to click away warnings without reading them!"
Most novice users will quickly learn that they need to click
"continue" on all warnings in order to get things to work, so
that's what they'll do, he said, adding, "I predict all of my
friends who try out Vista [will] come to me, begging for a way to
turn it off."
Symantec's Ollie Whitehouse agreed in the
Symantec Security Response blog.
He said some people at Microsoft talk about UAC and trust while
others talk about the users making a decision before it's too late.
It becomes a chicken and egg situation when the user is making a
decision based on a false sense of trust, he said.
"Do I think some UAC is better than no UAC? Yes. Do I think UAC
that presents information that can not be relied upon is good for
user confidence? No," Whitehouse said.
Serdar Yegulalp, former senior technology editor of Winmag.com,
offered a more balanced perspective in his
blog. On the face of it, he said, the kind
of argument made by folks like Pedersen is hard to argue with.
But, he wrote, "I leave UAC on, because I'd rather have the
momentary inconvenience of the UAC prompt than the possibly far
greater inconvenience of a piece of malware or some other
mess-up."
In the final analysis, he said, users who ignore security
prompts the first time around usually learn a lesson sooner or
later.
"Is it possible to become inappropriately acclimated to UAC
warnings? Sure," he said. "It's also possible to drive through stop
signs and red traffic lights, and anyone who's done that more than
a few times knows that it tends to be a self-correcting issue."