Windows XP turns 20: Microsoft’s rise and fall points to one thing — don’t fix what isn’t broken

As already noted, no it is not. I think it might have been the case with Vista but not since. As the conversation was about disabling UAC that is what I did for my demonstration. Neither thing is a great idea, at least in my opinion.

 

There is but this is the thing that stops people from using the LUA and that is that instead of being prompted Yes/No you are prompted Username/Password.

 

Interesting. From the thread referenced in post #95 of this thread, one of the technical "heavyweights" Wilders member Sully, who hasn't posted in ages, takes the same approach:

Why do idiots disable UAC & claim it's not a security function?

 

I certainly have no problem with someone doing whatever they want to, as long as they understand what they are doing. My only concern is for the individual that gets themselves into trouble because they did not understand the potential consequences of their actions.

 

That's really what it boils down to. Clearly Rasheed knows what he's doing running as full Admin, especially with the security arsenal he's running.

In my case I'm a big believer in running from least privileged accounts, no matter the skill and education level.

 

Well, it has been a while. I remember device drivers being bad as well as some application compatibility issues. I've never thought Apple would have that much influence with MS's huge OS market share at the time, but I could be wrong.

I don't share your thoughts about stable Vista post SP2 let alone SP1 though. Win 7 came in and it was like Vista second edition. Maybe it was because I had AMD hardware at the time, lol.

 

Could be. I have only ran Intel from Vista forward. I will say that Windows ME ran better on AMD though. Things are all very dependent on hardware and drivers.

 

I dunno, I probably made a mistake. I assumed Windows folder content was protected by integrity level... but it is probably not. I did my own experiments yesterday evening. MicEnum (elevated by NSudo) shows Windows folder, Windows\system32 and Windows\inf all have Medium integrity level:

Your @xxJackxx screen shows mix of Firefox's medium and low integrity level processes. There is a chance medium integrity level Firefox process is responsible to write a file and thus it succeded. Folder ACLs says everyone in administrator group have full control over C:\Windows folder content.

I did experiment with UAC set to never notify, but UAC was still on. Elevation set to deny in group policy. SUA could not write to high integrity folder even though traditional ACLs explicitly allowed it.
I must admit that I was probably wrong, because I don't see evidence that setting UAC to never notify disables integrity checks when UAC is set to never notify thus SUA is still quite limited even with UAC set to never notify.

 

BTW, from the link I referenced in post #97, Microsoft does endorse, rather directly, UAC as a security feature:

 

True but as I stated, UAC was off, as that was the discussion, even if it was a misunderstanding by some that Never Notify was not actually off. And it was an admin account, because nobody uses a standard user account with UAC off. At least not for the reasons of reducing annoyance. It would be equal to using XP as a standard user, which is way too much work for most, which circles back to the point of this all.

 

This is what I'm disputing. I don't believe that when you set UAC to ''never notify'' on a protected admin account that you weaken the built-in sandbox of browsers. It also shouldn't weaken UWP apps running with AppContainer IL. It's not like it's easier to break out of the sandbox just because UAC is disabled.

I highly doubt they would call it a successful attack on these hacking contests, when they aren't able to get at least high IL, in other words I believe on these hacking attacks they are able to bypass UAC.

Yes certain things can perhaps not be monitored anymore, but those things are often not relevant anymore on Win 10/11 and most popular attack techniques can easily be monitored. And because of PatchGuard, malware also have less capabilities to hide from security software like rootkits back in the days.

Correct, but at least they will still put up a fight, while UAC is probably already bypassed. If hackers are trying to exploit as many machines from remote as possible, they will most likely write an exploit that's able to bypass built-in OS security like Win Defender, Win SmartScreen and UAC. It's less likely they will try to exploit third party (non AV) security tools, unless it's a targeted attack aimed at only one person.

Yes, I do think it's stupid having to click on hundreds of expected UAC alerts that are triggered by legitimate apps, just because you're worried about exploit attacks. There are way better, smarter and less annoying ways to protect against exploits and malware in general. And it's not even necessary to use a ''chatty'' HIPS in order to achieve this.

 

To me, UAC is mostly useful to tackle exploits, because it doesn't provide any security when you run/install some app yourself, especially since your AV already said that the file is clean. In contrary to behavior blockers who will alert about about apps trying to ''modify browser memory'' or trying to ''record keystrokes.'' I'm willing to put up with such alerts because I think they are useful alerts, see the difference?

An alert about some app needing admin access doesn't really tell me that much. Unless it pops up from out of the blue, which might mean some exploit attack is going on, but if this exploit + payload has managed to bypass ALL of my security tools, I really doubt it won't be able to bypass UAC.

 

Yes, but to me the mystery is why would you guys assume that I was talking about completely turning off UAC while this isn't even possible via the standard Windows GUI? You guys should have known I was talking about the ''never notify'' setting since my main concern is trying to get rid of those annoying UAC alerts LOL.

Basically, when people buy a Windows machine, they all start as protected admin, with UAC set to medium level. The first thing I always do is to set it to ''never notify'' which means legitimate apps and malware are free to elevate to high IL without my approval, but this isn't a problem as long as you block malware from running or block them from performing malicious activities when they somehow do manage to run.

 

Yes exactly, my personal advice to people is, if you're not bothered by UAC alerts when running as protected admin, then by all means leave it enabled. But if you are annoyed with it, turn it off and protect your system with anti-malware tools like for example AV, firewall, anti-exploit and behavior blocking. If you ever encounter some exploit that is able to bypass all of these tools, then it's unlikely it will not be able to bypass UAC.

 

Yes correct, browser exploits are quite rare both on Windows and macOS, and they are nowadays often used in targeted attacks, unlike in the past when they used so called ''exploit kits'' that tried to infect as many machines as possible. But you never know when you might encounter a browser exploit, just look at what happened with macOS recently. Safari got exploited and hackers were able to run a backdoor on the machine.

I don't know if this backdoor needed persistence or if it was running with high IL, but in the time it was running it was able to steal data. So it seems it was at least able to bypass built-in macOS protection like XProtect and Gatekeeper and of course Safari's sandbox. And just like on Windows, the built-in firewall isn't even monitoring outbound connections out of the box, so this also wouldn't have helped.

 

I just showed you in post 84: https://www.wilderssecurity.com/thr...x-what-isnt-broken.441518/page-4#post-3051683

 

I don't share your experiences nowadays. Things changed since I tried SUA in Windows XP ~2009. Changes include both Windows elevation mechanisms* and more importantly third-party program ecosystem. When program doesn't ask for elevation in admin account then most likely it won't ask to elevate on SUA.
Maybe your forced to use some corporate crap logging things in background, but on personal laptops and set of programs that average user uses SUA is possible.

*Which I actually don't need to use - I set policy to deny and relogin once per a few weeks.

 

Well, at least better than the old times when you had to switch accounts

Thanks! Trying it out now. For convenience I made my own account standard and created another account that I made admin. Seems fine so far. Only Firefox's built-in updater doesn't work and I don't get any prompt.

 

Yes, but this is to be expected. If UAC is set to ''never notify'', any process can auto-elevate from low or medium IL to high IL, what else is new? But AFAIK that doesn't mean that application sandboxing is broken, because that would be just plain silly.

Let's take Sandboxie as example, AFAIK it couldn't care less about UAC alerts being enabled or not, because it's Sandboxie that is responsible for running apps as restricted. I believe built-in browser sandboxes work the same.

If hackers are able to exploit certain flaws in browsers like Chrome and Firefox, only then they will be able to get high or system IL, that's what we call a browser sandbox escape. Without the sandbox escape, they will only get medium IL. This has got nothing to do with UAC alerts being enabled or not.

Of course, once these hackers have exploited the browser and escaped the sandbox, they still need to run malware on the system. If this malware needs high IL and they aren't able to bypass UAC, then UAC has indeed got some value.

But you can also simply use third party tools to block this malware from running, think of HMPA, MBAE and OSArmor, without having to click on hundreds of UAC alerts a year that all are triggered by legitimate apps. It's a matter of the right balance between security and usability and this differs per person.

 

It is. It was restricted by being low integrity..

Sandboxie has it's own sandbox with kernel mode driver. Chromium (and afaik Firefox sandbox as well) do not and are built only on built-in Windows mechanisms:

https://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html

https://chromium.googlesource.com/c...esign/sandbox.md#Sandbox-windows-architecture

 

Perhaps I'm misunderstanding, but how is this different to some app that runs with medium IL, requesting to launch child process with high IL? Or are you saying that apps running with low IL should normally not be able to launch child processes with medium or high IL?

Yes but the concept stays the same, Sandboxie also uses its driver for virtualization.

But anyway, so what are you saying, that if UAC is disabled (never notify) hackers don't even have to bypass the browser sandbox anymore? Sounds a bit silly to me, and in all articles that I have read about browser exploits, I have never read about UAC playing a factor. Seems like you are overthinking things, but I might be wrong.

I mean, there is a difference between between exploits and malware. So the exploit itself has to bypass the browser's broker process with the goal to run malware outside the sandbox with medium or high IL level from what I understood.

So yes, UAC plays a role by blocking malware from getting high IL, but it doesn't play a role in hardening the browser's sandbox against exploits, it seems that would you are implying. If other people got more info about this subject, feel free to jump in.

 

Afaik a process running with low IL should only be able to launch child process with low IL.

No, it isn't. There are 2 types of sandboxing concepts. Sandboxes like sandboxie create another sandbox 'layer', you can do anything you want inside the sandbox, but it stays in the sandbox and doesn't affect the real system. If you clear the sandbox, everything changed is gone. A bit like a VM but application based.
The other concept, that browsers use, is kind of like the opposite. Instead of being able to do anything inside another layer, there is no another layer and the point is not being able to do anything by restricting and limiting everything, so it can't affect the system.
If a browser process can get high IL, it can do what it wants. It is not still 'inside the sandbox', there is no inside the sandbox. There is restricted and unrestricted, and since it has high IL, it is not restricted anymore.

 

I think you are right. With UAC at "Never Notify", the browser should run with the Standard user token, but of course if something malicious exploits it and attempts to run it with an Administrative user token, it will happen silently without the user's knowledge. How exactly this could happen, I don't know, but from the link I provided earlier:

Underlining by me.

Underlining by me.

https://docs.microsoft.com/en-us/wi...ccount-control/how-user-account-control-works

I honestly can't see anything wrong with you running at Admin with UAC set to "Never notify". You have the security tools and expertise to stay safe from malware.

 

Yes but what happens when UAC is enabled, does the UAC alert pops up? And if you click on yes, does it still open a child process with high IL? This would mean that your whole theory doesn't fly. Also, I believe that if a process runs with low IL, it doesn't automatically mean it's running sandboxed.

No you're missing the point. What I mean with ''the same concept'' is that both Sandboxie and Chrome basically have a broker process which actually restricts child processes. And they both make use of Mandatory Integrity Control, although they have implemented the sandbox itself in a different way. This is what hackers are trying to exploit, they will try to bypass the sandbox and get remote code execution with the goal to run malware with medium or high IL.

 

If I don't go mistaken, also in an account Standard, Firefox, has an Integrity Level to the medium value.