Much Ado about UAC
Holy wow, UAC is everywhere all of a sudden.
 
 
 
 
 
 

 
OK, point by point.
 
In Joanna’s first post she points out two things: implementation issues in UAC that make it circumventable, and installers running as admin. On the first point, it seems that people still get confused and think that UAC is a security boundary meant to stop bad software from getting on the system. It’s not; it’s designed to help the entire user base get down to standard user. Running as standard user is where the security benefit is (again though, it’s not intended to be a boundary), not the prompts. The UAC prompts are a convenience feature to make running as standard user easier.
 
To Joanna’s second point about installers: yes, installers run at the highest integrity level. If they didn’t, installers everywhere would break. This is something that will only change over time as people adjust to standard user restrictions on the road to eventual application identity. Further, this is the same situation as with other OSes.
 
Joanna bemoans the fact that a hack she used to do involving the manifest and tweaking of user rights no longer works under Vista. I’m always amused at the solutions incredibly smart security researchers come up with involving manual steps, when there is a perfectly good tool right here to restrict installers. Just apply the “RunAsInvoker” shim to the installer and whammo, it runs under the user rights of the parent process (explorer.exe) as standard user.
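One way to apply that layer to a single installer launch, as an added example that is not part of the original post. It assumes the layer is requested through the `__COMPAT_LAYER` environment variable rather than a shim database entry; the function names and the installer path are hypothetical.

```powershell
function Test-IsElevated {
    # True only when the current token has the Administrators group enabled,
    # i.e. this shell was itself started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-InstallerAsInvoker {
    param(
        [Parameter(Mandatory = $true)][string]$InstallerPath,
        [string[]]$ArgumentList
    )
    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }
    # RunAsInvoker means "use the parent's token". From an elevated shell that
    # token is the admin one, which defeats the purpose of the restriction.
    if (Test-IsElevated) {
        throw 'Refusing to launch: this shell is elevated.'
    }
    $previous = $env:__COMPAT_LAYER
    try {
        # Assumption: the compatibility layer is picked up from this
        # environment variable, set here for this one launch only.
        $env:__COMPAT_LAYER = 'RunAsInvoker'
        $params = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
        if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
        $proc = Start-Process @params
        $proc.ExitCode
    }
    finally {
        # Restore the caller's environment so later launches are unaffected.
        $env:__COMPAT_LAYER = $previous
    }
}

# Placeholder path; replace with the installer you want to constrain.
# Start-InstallerAsInvoker -InstallerPath 'C:\Temp\setup.exe'
```

An installer that really does need to write to protected locations will fail under the standard user token instead of prompting, which is the intended outcome of the restriction.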
 
Mark is a senior technical fellow, discovered the Sony rootkit, is widely considered an expert on rootkits and security design, and is basically an all-around EF Hutton kind of guy. When he speaks, people stop chattering and listen. Mark’s analysis wasn’t meant to be flippant or dismissive of the issues. If anything, Mark’s post discloses the fundamental challenges in implementing UAC and shows the security tradeoffs that had to be made. It’s easy to take a purist position on something like this, but with a user base of hundreds of millions, we operate in tradeoffs. We think we struck a good balance with UAC. Jeff Jones’ post supports that.
 
Slashdot called it a severe hole, except that all installers have required admin access on Windows. This goes back to the old adage, “If I can convince you to run my executable on your computer, it’s not your computer anymore.” Standard user is a path apps and users will slowly go down; it’s not a security boundary in and of itself. It reduces risk, it doesn’t eliminate it. If you are worried about tons of nasty installers getting on your system and you running them, you can at least restrict them using the above shim.
 
Joanna posted again noting she felt Mark was being dismissive by stating circumvention of a defense in depth feature wasn’t a security vulnerability. I know Mark, and I can assure everyone he was in no way being dismissive. In fact he is going to give a talk on this very topic at EUSec next month. Mark believes in transparency. His point was that UAC is not a security boundary, and to the extent it can be circumvented due to design, people should think about it differently than just the knee-jerk reaction that it’s a fundamental flaw. Joanna’s wicked smart; I’m not sure I get why she seems to be taking Mark’s post so seriously as to call into question ALL the design work that went into Vista. That's just throwing the baby out with the bathwater over one person's description of the design decisions around a single feature.
 
And last but not least, Ryan’s post summing it all up, including corrections. Again, I think weirdly a bunch of emotions are being called in here that don’t belong. I owed Ryan an email response during RSA but got way too crazy busy to write it. But I want to make clear, I’m happy to pony up the funds to buy everyone a beer. <g> I can’t imagine that a face to face conversation on this would be all that charged. Joanna and Mark have far more common ground than not.
 
So there, let’s all just calm down.
 
EDIT: George Ou is right on in describing the situation here.
