Can UAC Be Smarter?

Now that Windows Vista is out, everyone is talking about its supposed security holes. Some of these discussions focus on how Vista's User Account Control (UAC) feature handles program installations. So I can't resist tossing in my thoughts on the matter.

Here's my simplified version of the controversy. By default, Vista assumes that any setup program will fail unless an administrator runs it. That means that if you click Cancel at UAC's "Are you sure you want to run this in administrative mode?" prompt when trying to install an application, the installation will fail. This would happen even if the installation didn't need administrative rights to run. Even if you're installing some simple game that doesn't need to write files (e.g., a simple theoretical Tetris game that doesn't even write high-score tables to the file system or a registry key), Vista will prompt you to lend your full administrative powers to Tetris's installer program.

Lending your administrative powers to the program creates an opportunity for bad guys. Bad guys want to trick you into installing some piece of malware, and just about any sort of malware requires administrative rights to install. Suppose a bad guy uses the Tetris game to deliver the malware. If you acquired the game from the Internet as a free program, you wouldn't actually be downloading Tetris itself. Instead, you'd be downloading the Tetris Setup program, and that's how the bad guys fool you into lending your administrative rights and installing the malware. (After all, if you were to download a Tetris game, install it, and try to run that Tetris game on Vista, only to be presented with UAC's "May I run this as administrator?" prompt, then you'd naturally be suspicious. You'd say, "What in blazes does this game need admin powers for? It must contain some kind of malware," and probably uninstall it.)

Such an imaginary setup program would install Tetris, but it would also install the malware. So when you run the program, Vista recognizes that it's a setup program and requests confirmation to run it with your full administrative token. As a veteran user of Vista, you'd expect this, and you'd click Confirm without any thought. The result? You'd have installed a completely malware-free game--but still unwittingly installed some malware.

Is this an important observation about Vista or just Microsoft-bashing? Well, is Vista less secure than Windows XP in this type of situation? Not really, as far as I can see. A person can slip bad stuff into setup programs now, and Vista doesn't make it any harder (or easier) to find that bad stuff.

This controversy highlights how Windows' model of "correct" application installation might not be the best model. The standard model of a well-designed Windows 32-bit application has always had a somewhat strict perspective about application installation. First, Microsoft says that applications should install their initial configuration settings into a key in HKEY_LOCAL_MACHINE. Second, Microsoft says that installers should copy the actual executable files that comprise the application into the Program Files directory. Because both that registry key and that disk folder allow only administrators to write to them, that pretty much means that, by design, only administrators can install applications--even Tetris games that don't write files or save high scores to the registry.
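
To check this on a given machine, the following added example (not part of the original column) lists the principals whose ACL entries allow writing to the two install targets named above. It only reads ACLs; `HKLM:\SOFTWARE` is assumed here as the conventional parent key for application settings, and `Get-WriteCapablePrincipal` is a hypothetical helper name.

```powershell
# Added illustration, not from the original column. Read-only: it only reads ACLs.
# Run from a normal (non-elevated) PowerShell prompt.

# Access-mask bits that permit creating or changing content.
$FileWriteBits = 0x2 -bor 0x4                  # FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY
$KeyWriteBits  = 0x2 -bor 0x4                  # KEY_SET_VALUE, KEY_CREATE_SUB_KEY
$GenericBits   = 0x40000000 -bor 0x10000000    # GENERIC_WRITE, GENERIC_ALL

# Hypothetical helper: returns one object per Allow entry that grants write access.
function Get-WriteCapablePrincipal {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [int]    $WriteBits
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Folder entries expose FileSystemRights; registry entries expose RegistryRights.
        if ($ace.PSObject.Properties['FileSystemRights']) {
            $rights = $ace.FileSystemRights
        } else {
            $rights = $ace.RegistryRights
        }
        if (([int]$rights) -band ($WriteBits -bor $GenericBits)) {
            [pscustomobject]@{
                Target       = $Path
                Principal    = $ace.IdentityReference.Value
                Rights       = $rights
                # True when the entry applies only to child objects (2 = InheritOnly).
                ChildrenOnly = (([int]$ace.PropagationFlags) -band 2) -ne 0
            }
        }
    }
}

# Assumption: HKLM:\SOFTWARE is the conventional parent key for application settings.
$results = @(
    Get-WriteCapablePrincipal -Path $env:ProgramFiles -WriteBits $FileWriteBits
    Get-WriteCapablePrincipal -Path 'HKLM:\SOFTWARE'  -WriteBits $KeyWriteBits
)
$results | Format-Table -AutoSize
```

Any standard-user group that appears in the output with `ChildrenOnly` set to false could write to that location without elevation, which is worth investigating on a machine that is supposed to follow the model described above.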

Might there be a better way? Sure. Maybe it doesn't make sense to require that someone be an administrator to install every application. But how could that work? I'll take up that question next month.
