Why do idiots disable UAC & claim it's not a security function?

Discussion in 'other anti-malware software' started by STV0726, Feb 5, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There are about a dozen programs I first install when I reformat/get a new computer. It can be a pain setting up the computer and installing things when you get that popup 20 times in an hour.

    I like the Win7 default setting though.
     
  2. Defcon

    Defcon Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    337
    UAC is good for all sorts of reasons and the intentions are good. I don't advocate turning it off but I can understand why some people do. Using UAC makes certain assumptions of the user -

    1. they know what triggered the prompt
    2. they know enough to understand it
    3. they care about what it means

    All of these have been proven false in countless UI studies.

    1. Most people can start something (like changing a drive label) which can trigger UAC, and they still wouldn't be able to correlate cause and action. When it happens as a result of a background download, there really is no way for the user to know.

    2. The UAC prompts and info are useless. They don't even tell you what program caused them, how long ago, how you got there etc in a language a non-technical user can understand.

    3. People just want to get on with their tasks, and will click Yes on almost anything if it dismisses the dialog.

    In the end, it really is just 'security by irritation'. The hope is people will call someone who knows more about the prompt, or deny it. That's the only practical advice you can give to people - set up their PC, and tell them to say No on any UAC prompt until they are 110% sure. Which really isn't a very pleasant experience.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Damn... :eek: 20 times in an hour? :D OK. I'm going to share a little secret with you (Don't tell anyone about it! :blink:). Whenever you need to install/upgrade more than one program, open a cmd line window running with administrative privileges, then right-click the installer you want, and choose Copy as path, then paste it into the cmd line window. Press Enter. Leave the cmd line open, and repeat for the other installers. Hopefully, not all of them will need a reboot. :D

    But, remember: Keep it our secret. :blink:
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's even more work than hitting UAC lol

    edit:
    @Defcon,

    I think the "hope" is that developers will stop taking admin rights unless they need them.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not if you have a password set. :argh:
     
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    While more intuitive it will be completely useless for security the same way the current Windows 7 default settings UAC is useless for security now. In fact, if you use Windows 7 with UAC set to default, you may as well just disable it. While you are answering those nice little requests for legit applications, malware will just elevate itself by abusing the white list.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    But protected mode will still work so applications like Chrome and IE will still protect the user from exploits.

    That's from Microsoft.

    Their first point: UAC is a developer tool. It's so that programmers will stop hogging rights that they don't need.

    The problem is that developers don't care about security so they don't make use of it.
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The best protection from exploits is not to build a sandbox around them (that has been broken multiple times already in case of the IE Protected Mode) but to stop using exploit prone software. Besides, Chrome doesn't care about UAC. In fact I would argue that IE Protected Mode could very well be implemented without UAC as well.

    [Edit: Changed "exploitable" to "exploit prone" to better emphasize my original intentions.]
     
    Last edited: Feb 18, 2012
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh? Example?

    They could both be implemented without UAC. But UAC and the ACL model are inseparable, whether you could extend the model or not.

    Chrome does care about "UAC" in that it has explicitly low integrity and will not function when given admin rights.
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    http://www.dib0.nl/code/231-ies-protected-mode-broken

    You wouldn't even need to extend the ACL model.

    You are aware that Mandatory Integrity Control has nothing to do with UAC, right? Chrome (and all other applications for that matter) are free to use MIC however they want even with UAC disabled.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I was not aware - I thought the two were tied together. When you elevate via UAC programs are given high integrity. When you turn UAC off Chrome runs at medium and high integrity instead of low and medium. This led me to believe that the two were essentially the same system.

    The article you linked refers to IE7 and IE8.

    Anyways the attack vectors it discusses are
    1) Sockets (patched)
    2) Going through the broker (a design flaw, which requires exploiting the broker.)

    There are a few others that are completely legitimate though such as abusing the clipboard.

    The paper actually gives it a lot of credit saying both that future implementations can work on the current model (except by current they mean old, since the paper is from a while ago) and be very secure and that malware can not stay persistent without making use of one of the vectors (a few of which have been patched.)

    I disagree that building a sandbox around an application isn't the best way (or at least one of the best ways) to secure it. What would you say is?
     
  12. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    With UAC disabled the broker process will run at HIGH integrity, while all the child processes will run at LOW:

    [Attached image: chrome.png]

    One attack vector is enough to compromise the system. But since the next PWN2OWN should come up soon we will see if Protected Mode Internet Explorer manages to survive at least the first 24 hours of the event this year. Last year it didn't survive the first day (IE8 on Windows 7 SP1 x86).

    Because if people add sandboxing to their products they have an excuse not to fix the actual bugs as soon as they can. In addition they invest time and money implementing the sandbox that should have gone into fixing bugs and actually improving the development process to avoid bugs to begin with.

    A few days ago there was a nice blog post over at ZDNet:
    http://www.zdnet.com/blog/security/offensive-security-research-community-helping-bad-guys/10228

    Statements like these pretty much speak for themselves:
    The whole article is actually a testament to the disastrous state Adobe products are currently in security wise. And by the way, all those nice little zero days floating around for Adobe products don't care about Adobe's sandbox at all ;).
     
    Last edited: Feb 16, 2012
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :eek: :eek:

    @ Hungry Man,

    As Fabian Wosar pointed out, UAC and MIC have nothing to do with the other. UAC simply makes use of the MIC. Yes, UAC forces IE to run in Protected Mode, but that's just the way it was designed, as you probably know.

    This is not official information, nor do I know of any explanation, but I'd imagine the reasoning to be if UAC is tied to Protected Mode, then it would make users stick to it, and therefore would force software developers to actually care about not requiring administrative privileges for everything... o_O

    I suppose this reasoning makes some sense. lol

    Also, if you're running as a standard user (= MEDIUM integrity level), whether or not you disable UAC, Google Chrome won't ever be affected. The broker process will run as medium and the child processes will run in low integrity level mode.

    The ONLY difference is that, when disabling UAC, if you're running as an administrator, then you're effectively removing the token that strips the administrator's privileges, and therefore you only run with the administrator's token. In this case, YES, Google Chrome's broker process will be running with a HIGH integrity level, but the child processes will be running with a LOW integrity level.

    BUT... this isn't just about the browser itself!!

    DON'T forget the plugins!!!! Adobe Flash Player runs within a low integrity level chrome.exe process. BUT, to the best of my knowledge NO OTHER plugin makes use of the sandbox, and therefore they will be running in a HIGH integrity level chrome.exe process, and if these plugins get abused, such as security software plugins/other software vendors plugins, whose security software vendors/other software vendors fail to support mitigation techniques such as ASLR, etc., then you're asking for real trouble, because now whatever crap tries to exploit those plugins running with a HIGH integrity level, also runs with a HIGH integrity level.

    I'm pretty sure you folks are educated people, and therefore can think of the rest, right?

    So, yes... run the bloody UAC because it does make a difference... even if with default settings. I'm against that... but better that way than completely turned off.

    @Fabian Wosar

    While I agree with you 100% that bugs should always be fixed, having a sandbox and mitigation techniques will make it a lot harder for hackers to want to exploit those. It will require time, effort, money and knowledge (=skilled programmers).

    If it was that easy to bypass these, then I'm pretty sure we'd see it happening every single day, no?

    Do you have any data (=facts), that show IE Protected Mode and Google Chrome's sandbox are being bypassed in real-world scenarios? I'm humbly asking for such data, because I'd be interested in knowing what failed.

    Also, while it's important to patch vulnerabilities, as a software developer, I'm pretty sure you're aware NO ONE will EVER FIND every single security vulnerability existing in software. Or, will you? No, you won't. But, hackers may be in possession of a known vulnerability - known to them.

    Therefore, it's important to have something that will help fight against any unknown vulnerability, and also give time to software developers to fix their known ones.

    So, this statement of yours, "The best protection from exploits is not to build a sandbox around them (that has been broken multiple times already in case of the IE Protected Mode) but to stop using exploitable software.", is 100% flawed.

    You know why? It's impossible to use non-exploitable software, because they all contain security vulnerabilities. Even security software contains them. Quite ironic, wouldn't you say so?

    Also, in the short term, it's a lot easier to fix any issue with a sandbox, because it's way less code, when compared to thousands and thousands of lines of code.

    -edit-

    Also, if you run as a standard user account, with UAC disabled, then you got no bloody way to elevate (let's forget third-party apps, OK :)). This would make everyone once again run as full administrators, right? lol Why am I thinking of Windows XP, now? hah
     
    Last edited: Feb 16, 2012
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Actually, they do. Every time they have a bulletin
    https://www.adobe.com/support/security/bulletins/apsb11-03.html

    That isn't to say their sandbox is perfect. I believe it's already been circumvented in some way or another.

    As with any solution it's not perfect. But access control is important.

    there's always
    They actually have the right idea - patching isn't the answer. Patch management is important but perfect code doesn't exist - it probably never will. Therefore, as Adobe put it, there needs to be a "defensive approach" to security. It's all about

    It's interesting that you read that article as a testament to Adobe's poor security when it's basically Adobe calling everyone else out for driving down the cost of exploits.

    Driving up the costs of exploits has basically been the basis of Linux security such as AppArmor and SELinux for a while. Not protecting against all exploits but assuming exploits and protecting regardless, forcing the attacker to either work on that playing field or come up with another separate exploit.

    I believe they exploited the sockets issue last time. I don't remember. It will be fun to see.
     
  15. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Okay, this is starting to get out of hand. While I would love to spend more time discussing with you I simply don't have the time. While we got a bit side tracked with browsers and sandboxing, my original point stands:

    A multi-level UAC will have the same flaws as the Windows 7 one. All settings except the maximum will have severe security flaws that will render the added security bonus provided by UAC almost moot. Just look at ZeroAccess if you want a real life example. It will elevate itself just fine on Windows 7 without any UAC prompt when running UAC at default settings.

    The lesson is: Either put it to maximum or don't bother using it at all.
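
To check which of the UAC levels argued over in this thread a machine is actually running, the slider position can be read from the UAC policy values in the registry. The PowerShell below is an added example, not part of any post in the thread: the helper name Get-UacLevel and the sample rows are constructed for illustration, and missing values are assumed to fall back to the Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).

```powershell
# Added example (not from the thread): classify the UAC level from the
# policy values EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {   # hypothetical helper name
    param(
        # Parameter defaults mirror the Windows defaults (assumption used
        # when a value is absent from the registry).
        [int]$EnableLUA = 1,
        [int]$ConsentPromptBehaviorAdmin = 5,
        [int]$PromptOnSecureDesktop = 1
    )

    if ($EnableLUA -eq 0) {
        # UAC fully off: administrators get only the full token.
        return 'UAC disabled: administrators run with the full administrator token'
    }

    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: administrators elevate without any prompt' }
        2 { return "Always notify (maximum): consent prompt for every elevation (secure desktop=$PromptOnSecureDesktop)" }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Default: prompts only for non-Windows binaries; whitelisted Windows components elevate silently'
            }
            return 'Default without secure desktop: same whitelist, prompt shown on the user desktop'
        }
        default {
            return "Custom policy: ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop"
        }
    }
}

# Constructed sample inputs, one per configuration discussed in the thread.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0 }
)
foreach ($s in $samples) {
    Get-UacLevel @s
}

# Live check: only runs where the policy key exists (i.e. on Windows).
if (Test-Path $PolicyKey) {
    $p = Get-ItemProperty -Path $PolicyKey
    $live = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $p.$name) { $live[$name] = [int]$p.$name }
    }
    "This machine: $(Get-UacLevel @live)"
}
```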
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And knowing that UAC is not directly tied to integrity I agree with you.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're agreeing with what? o_O Advising people running UAC with default settings to simply disable it is even far more stupid advice*, than those advising that default settings are OK.

    * Such advice coming from a security software developer is really... lame? I just can't find a better word to describe it.

    I explained that if people disable UAC, then using a standard user account is impossible - Again, let's forget third-party software, especially considering not everyone understands English. - and that will result in what? The user using an administrator account with full administrator privileges.

    How the heck is that better than running a stripped down administrator account, even if running UAC at default settings?

    IE Protected Mode still applies. Virtualization still applies. Reduced permissions still apply.

    @Fabian Wosar

    Giving the example of ZeroAccess proves UAC is useless, even at default settings? o_O

    To be honest, I don't recall most of what ZeroAccess does, but according to Symantec, it spreads by:

    Source: -http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2

    Are you affirming that it bypasses IE Protected Mode*, with UAC settings at default? You should make that very clear. Is that what you're saying?

    If I'm not mistaken, ZeroAccess was also problematic to antimalware applications, rendering them useless? What does that say?

    Overtime, some users, also at this forum, found issues with HIPS, including the one that's part of Online Armor. Does this mean it's useless? Come on...

    -edit-

    * I'm asking about IE Protected Mode, because by disabling UAC, Protected Mode ceases to exist - is gone. Therefore, if you suggest to disable UAC (with its default settings Protected Mode still applies!), then you're saying that Protected Mode is useless. Do you have any evidence that ZeroAccess is able to bypass Protected Mode? o_O
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree that it's essentially just as bad. I also don't care for UAC at all - what I like is the integrity system.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No, it isn't just as bad. If you disable UAC, regardless of its settings, then you're* disabling Internet Explorer Protected Mode and virtualization. Yes, Internet Explorer also runs with RunAsInvoker flag. By disabling UAC, you disable virtualization, and by disabling virtualization you also disable the added security UAC virtualization provides.

    Even though UAC Virtualization is not meant as security, x86 processes (as I've already explained) can benefit from it, because any changes to Program Files/Windows and important registry keys will be redirected, therefore malware can't harm the real file system and registry.

    * When I say you... I mean any user.

    So, how is it the same? Can you explain? Do you also have evidence that ZeroAccess can bypass Protected Mode? Because, Protected Mode is as strong with UAC maximum settings as it is with default settings.

    I don't think you understand that well what you're agreeing to. (No hard feelings.)
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, that applies to IE users, which I am not.

    I agree that IE and virtualization are nice.

    ZeroAccess doesn't bypass Protected Mode - it bypasses the default UAC level.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. lol But, we aren't discussing you. :D

    We're getting somewhere, now. :argh: It doesn't bypass Protected Mode, hence UAC even at default settings is useful. Not as useful as maximum settings (if in an administrator account), I agree. But, this is totally unrelated to Protected Mode.

    To bypass UAC at default settings, then it means the user had to introduce it in the system, somehow? Correct? It isn't fair to say it bypasses UAC when UAC is not even considered a security mechanism. So, how is it fair to say that malware can bypass UAC when UAC is not meant to fight malware?

    On the other hand, antimalware applications are meant to fight malware... and are bypassed every single day... And, what's the most common reason for them to be bypassed, you ask. :rolleyes: That's right - they can't detect them.

    Microsoft's answer to fight malware was/is Microsoft Security Essentials - from a signature point of view.

    We also have Protected Mode (UAC is simply a means to use MIC to apply Protected Mode), mitigation techniques....
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I know. I just wasn't thinking of it from an IE user's perspective. Isn't the virtualization a compatibility feature anyways? Does it really provide any protection?

    Either way - it's not really a big deal. It's something though so UAC on any level is better than being entirely off.

    He wasn't suggesting that ZA bypassed protected mode - just that if you're going to use UAC put it at max otherwise it's as good as useless.

    The only problem being that you lose IE protected mode and virtualization.

    ZA does bypass UAC, UAC's purpose whether security or not, is to alert or prevent applications from elevating to admin. ZA does elevate to admin without a UAC prompt.

    Or if you think UAC's purpose is different, I guess it doesn't.
     
  23. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Wow, this thread is still going strong! I am glad that I made this thread and now everyone is thinking and contributing these great ideas! I feel obligated to once again reiterate that I am not an expert myself but I tend to know a fair amount about Windows and computer information systems, particularly PC and networking security. :thumb:

    But I must know nothing compared to m00nbl00d...look at you go, man, standing up to that Emsisoft dev! :-*

    There is so much I want to quote and comment on, but I have already ranted on so much and I think you guys, particularly m00nbl00d, have summed up why User Account Control provides necessary, security technologies that relate to both integrity control and the least user access principle.

    That's the positive...now the negative. Some people on here are going to HATE me for saying what I'm about to say, but someone needs to say it...

    I had a decent amount of respect for Emsisoft. Not anymore. :thumbd:

    In fact, I don't have any respect for 3rd party security solution vendors chiming in on threads like this, because whenever they do, they almost always make the argument in favor of "Windows cannot protect Windows." That's no surprise...they have a product to sell...but what really made me mad was the developer's blanket statements/ideas that could not be farther from the truth...some of them just sound ludicrous...and he says he "proves" them by providing one or two semi-related articles?

    * Avoid using exploitable software... Really? Really?! These are the people developing our security products?! That sounds like something a Linux fan boy would say AS A JOKE. You should be reprimanded by Emsisoft Corporate for saying that publicly, and if not, then they might as well let you say software on your computer can cause cancer while you are in the bath tub.

    * Sandboxing is not the solution... Well, it kind of is. Be it sandboxing built into the OS via integrity levels, an application-level sandbox such as Sandboxie in which apps are fooled into thinking they are not running in a contained environment, or even complete virtualization; sandboxing is one of the best, if not the best, hands-down most effective whitelist-based prevention measure to stop almost any/all threat classes from succeeding. Many programs, such as Adobe, Java, heck even VLC Media Player, will release a patch. Even with the patch, immediately after release, Secunia (hopefully you know who these guys are) still shows proven vulnerabilities in their software that could allow an attacker to compromise your system remotely...if you were running it in a typical environment the attacker could exploit. Sandboxing can stop this from happening, because the program is being run in a fake environment and anything that gets exploited is also trapped in that fake environment. Doing your security updates and updating those applications as soon as updates are released is very important, but even doing that, will not even come close to the level of safety you can achieve by sandboxing. And to say the solution is to move to unexploitable software...then you must be talking about some mythical program created by God, because there is no such thing. Programs are made by humans, and humans make mistakes. Common sense here, folks. :cautious: There's no way there is any truth-hood to what he said... :thumbd:

    * Using UAC at a lower setting than Always Allow is useless; just disable it... How many times do we have to say YOU WILL LOSE PROTECTED MODE/VIRTUALIZATION!

    My whole point in suggesting here a possible way Microsoft could improve the UAC slider bar was two-fold: I wanted non-tech savvy users to have more options so they would not just turn it off in frustration, and two, I wanted a silent mode for those that feel confident without the UAC prompts, and I wanted that mode to be configurable by using the slider, instead of having to use the registry or gpedit.msc.

    Let us not forget that UAC also ties into compatibility a bit and when you turn it off you are risking having issues installing applications that are not written with LUA in mind.

    Yeah, this thread is getting "out of hand", for those that rely on the delusion that Windows has no viable built-in security mechanisms, so buy ours. :thumbd: I know, I know, people are going to hate me for saying that because Emsisoft has so many followers on here, but rest assured I would have said that bluntly to any 3rd party vendor that chimed in the way you did.

    Security software vendors should be wise enough to realize that they need to complement/supplement/praise what already is built into Windows. Webroot does some of this with the SecureAnywhere firewall. A lot of vendors need to do this more, in my sincerest opinion. Again I am no expert, but I am disturbed by Emsisoft's attitude on security. Yes, it should be set to Always Allow, and yes that is what I advise and that's the first thing I do when I install Windows 7, but really, come on? Advising people to fully disable it? Security vendors (and the employees that post with their logo) need to be more responsible about what they say. Anyone can view these forums and if someone were to take that out of context and start disabling security functions, the results will be disastrous.

    EDIT: I am feeling guilty for coming down so harsh on the Emsisoft developer, but I really don't like what was said.
     
    Last edited: Feb 16, 2012
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think he's just saying that protected mode shouldn't rely on UAC and because UAC is so easily bypassed turning it on or off does almost nothing (except for IE users, which as said shouldn't be the case.)

    I don't think the virtualization is even a security feature. It's nice but eh.

    I actually like Emsisoft. Mamutu's one of my favorite products lol though I obviously disagree about some of the things said.
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Let's be honest, Fabian has a point about UAC on default with Windows 7 in regard to the default UAC, because
    - UAC does not protect against side by side intrusions
    - The convenient default is a built-in white list invitation to malware.

    On the other side. I am using Windows7 only protection (click on Safe-Admin sig) for 1.5 years now, I ran Vista with similar settings (only applying basic user instead of setting a mandatory Medium level token with ICACLS to internet and office software) for two years. In those years Chromium has gotten better and better.

    Cheers
     