Vista’s Security Hobbled By Microsoft’s Own Insecure Past

By Daniel Miessler on February 15th, 2007: Tagged as Microsoft | Security | Vista

Yesterday I wrote about Joanna Rutkowska’s work that highlighted a serious security flaw in Windows Vista. Her finding was that in Vista, many applications require that they be installed with administrator privileges, and that during the install process users are given two options: 1) install with elevated privileges, or 2) don’t install the application at all.

Vista_Icon

Yesterday’s post was sloppy, however. It came to the conclusion that Microsoft made a security design error in implementing this system. The truth of the matter is that there is a serious security problem with respect to Vista, but that problem is not due to a recent decision by Microsoft.

The real problem is that thousands upon thousands of 9x and XP applications were written according to the old security model, i.e. the one in which installers were able to spray their parts all over the system with no issues because they ran as administrator. This won’t work in Vista because they’ve gone to a restricted user model, so they have only one choice — allow the applications to install with elevated rights.

Microsoft had no other choice, really. The alternative is telling people that their old programs are insecurely written and can’t be used. That wouldn’t go over well. Unfortunately, allowing the applications to go in as administrator creates a major problem for Microsoft: it trains the users to say yes when an application asks to be installed with elevated privileges.

This is what’s going to do the real damage. It’s the fact that people are going to get so used to allowing legitimate applications to install with elevated rights that when a piece of malware asks to do the same they’ll happily oblige.

Not good.

But it’s not a Vista problem, really. It’s going to hurt Vista, but the real problem is that of legacy support. It’s ironic, really. All this work to make Vista more secure and it’s going to be largely undermined by how lax they were in the past.:

Viewing 6 Comments

Riley 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

If Vista was not today available, would anyone care? When Vista's release was delayed, did anyone care?

Vista solves no compelling user needs that can't be, indeed are being, solved by other third-party products. On the other hand, Vista creates many new user problems, including shifting control of the computer from the user to Redmond.

One way to consider the problem is to imagine that Microsoft was a Japanese or German company. If it was, do you think that business would allow it to assume such profound control over a given company's data and desktops? No, there'd be an outcry for protective legislation.

But Microsoft has enormous lobbying power and so today continues to get away with operating as an entirely self-serving monopoly that only grudgingly responds to customer needs.

reply edit reblog flag

Rick 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Simple solution... do not run it.
While it sounds like a pleasant fantasy, why can we simply not move away. Sure there are things that we can not, but where we can... why don't we. People do not because they are afraid to learn new things or be outside of their comfort zone, so M$ power will remain for another few years until enough of the younger generations move up and start to show the highlights and safeties of the alternatives. Then Mac's market share will have a chance to flourish.

reply edit reblog flag

http://rick.thedunnams.com

Tim 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Perhaps I'll play the devil's advocate here. Did anyone read the pingback article on Daniel's last Vista security post?

I think the author of that pingback post had a point. How often do you install a piece of software in linux without elevated privileges? What about Macs?

Granted, usually with linux you're more aware of what you're doing (it's not as simple as pressing a button), but the point still stands. Almost *any* application you install on *any* OS will need elevated privileges.

reply edit reblog flag

http://slashback.org

maht 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

What use a sandbox and virtualized drives?
It wouldn't be that difficult to intercept system calls and avoid the situation.
Windows just sucks, whichever way you slice it.

reply edit reblog flag

http://www.maht0x0r.net

Richard King 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Can't speak for Linux, but I install apps on OS X as a non-privileged user all the time. Very few OS X apps actually even have installs, typically you drag the application to where you want to install it and you're done.

Each user has their own ~/Applications folder which, by default, they can do whatever they like in. I think, by default the root Applications folder is only writable with admin privileges, but it in no way precludes you from 'installing' and running stuff in any directory you do have write permissions for.

reply edit reblog flag

http://wiredupandfiredup.com

Alan 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

A better solution would be to allow those programs to be installed in virtual machines (or something like a chroot jail). That would probably still prevent some apps from working unless Microsoft also provided a way to authorize these isolated processes to communicate with one another.

But Vista was late as it is, and this would have made it later. And would have brought a lot of flack for the extra complexity (and probably the user experience).

reply edit reblog flag