Microsoft takes a blogosphere beating over Vista UAC

This week in Security Blog Log: Industry experts take Microsoft to task over a "very severe hole" in the design of Vista's User Account Control (UAC) feature.


If Microsoft had any hope that Windows Vista would get a honeymoon, it is surely feeling disappointed by now.

For months before the operating system was even released, Microsoft spent a lot of time trying to refute accusations from vendors like Symantec Corp. and McAfee Inc. that its PatchGuard kernel protection feature would lock out third-party security products.

Now Microsoft is taking a beating in the blogosphere from none other than Joanna Rutkowska, the Polish security researcher who made headlines at last summer's Black Hat conference for demonstrating a way to trick Vista's anti-malware sensors.

This time, Rutkowska says she has discovered a "very severe hole" in the design of Vista's User Account Control (UAC) feature.

"Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges," she wrote in her Invisible Things blog. "So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all."

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


That means someone who downloads a freeware Tetris game will have to run its installer as administrator, giving it not only full access to the user's file system and registry, but also allowing it to load kernel drivers, she said, asking, "Why [should a] Tetris installer be allowed to load kernel drivers?"

Rutkowska was flabbergasted when Microsoft's Mark Russinovich responded to UAC concerns with a very detailed blog breakdown of how the feature works. What left her particularly dismayed was Russinovich's comment that "potential avenues of attack, regardless of ease or scope, are not security bugs."

"I was pissed off … because [Russinovich] declared that all implementation bugs in UAC are not to be considered as security bugs," she said in a follow-up blog posting.

Russinovich also admitted in his posting that Vista makes tradeoffs between security and convenience, and "both UAC and Protected Mode IE have design choices that required paths to be opened in the IL (integrity level) wall for application compatibility and ease of use."

Several security bloggers agree with Rutkowska that while UAC may have started as a good idea, it has become fairly useless.

Havard Pedersen, a Web developer based in Norway, has dedicated an entire blog to reasons why Vista won't be installed on any of his computers. One reason, he wrote, is that security measures like UAC actually create more risk.

"Have you seen 'normal' users surf on dubious sites?" he asked in his blog entry. "They click through all warnings without reading them. What does this mean for Vista? It means that thanks to the UAC security warnings … people will learn, even more than earlier, to click away warnings without reading them!"

Most novice users will quickly learn that they need to click "continue" on all warnings in order to get things to work, so that's what they'll do, he said, adding, "I predict all of my friends who try out Vista [will] come to me, begging for a way to turn it off."

Symantec's Ollie Whitehouse agreed in the Symantec Security Response blog.

He said some people at Microsoft talk about UAC and trust while others talk about users making a decision before it's too late. It becomes a chicken-and-egg situation when the user is making a decision based on a false sense of trust, he said.

"Do I think some UAC is better than no UAC? Yes. Do I think UAC that presents information that can not be relied upon is good for user confidence? No," Whitehouse said.

Serdar Yegulalp, former senior technology editor of Winmag.com, offered a more balanced perspective in his blog. On the face of it, he said, the kind of argument made by folks like Pedersen is hard to argue with. But, he wrote, "I leave UAC on, because I'd rather have the momentary inconvenience of the UAC prompt than the possibly far greater inconvenience of a piece of malware or some other mess-up."

In the final analysis, he said, users who ignore security prompts the first time around usually learn a lesson sooner or later.

"Is it possible to become inappropriately acclimated to UAC warnings? Sure," he said. "It's also possible to drive through stop signs and red traffic lights, and anyone who's done that more than a few times knows that it tends to be a self-correcting issue."
