Welcome to Working Nets Tech Thoughts!

For more information about our company, please see our main website at www.workingnets.com.

To schedule a Free I.T. Consultation in the Greater Baltimore area, please use our Contact Us page, or phone us at
(443) 992-7394

Wednesday, August 4, 2010

What is User Account Control (aka UAC)?

The much-maligned UAC is an important Windows security feature that first made its debut in Windows Vista, and has continued into Windows 7 and Windows Server 2008. It's a really important feature that we should all be embracing. But most people don't really understand what it does; they find it annoying and largely ignore it. Worse, some folks actually turn it off, which removes a lot of the protections afforded by Vista and 7 over Windows XP.

In brief, UAC is the security feature that makes your screen go dark, and brings up a window asking you to Allow something to do something (i.e. install software) to your computer.

It is interesting that Macs have something very much like it, as do most current versions of Linux. But their users don't seem to complain about it too much. I think this is due, largely to the way Microsoft chose to go about it, particularly in Vista. Windows 7 has done it a lot better, but I still think we have a way to go.

So what, exactly, is UAC? What does it do? Why do you want it?

In order to understand that, we have to go back a little bit...

Why XP is so vulnerable

There's a concept in Security referred to as "Least Privilege." The idea is that you give someone the least access you can, while still allowing them to do their job. It makes sense, if you think about it. You give all of your staff access to the email system and the Internet, but the Accounting Dept. also gets access to the financials, and HR has access to the personnel files. There's no reason for HR to be rooting around in the accounting system, or for Accounting to be looking at whether Bill was reprimanded for that incident in the Break Room... The Janitorial folks, who come in when everyone else has gone for the day, have access to everyone's offices, but not the network. That's Least Privilege: Everyone has what they need, but not more.

Well, most people don't really need administrative privileges on their local computers either. Certainly not most of the time. It doesn't take an admin to write a Word document, or work on a spreadsheet. But those Microsoft Updates need to be installed, and there's that new version of Firefox, and they really wanted to try that new utility everyone's been talking about... In larger companies, those things are regulated by the central I.T. Dept. and that's that. But at home or in smaller companies, it's just easier to let people do those kinds of things on their own. So it's typical, on Windows XP computers, to just give the local user administrative-privileges on their own computers.

The problem is that now you use that administrative-user account to go to some perfectly legitimate website on a server that's been infected, and wham - things start popping up all over your machine. Nasty, vile things that you don't want to see; that you certainly wouldn't want your kids, or your boss, to see. Then you get a window that tells you that you've got 3 bazillion viruses on your machine, and that you've been barred from the Internet, but that for a mere $80.00, they'll unlock their "malware removal tool," which will immediately fix all the problems, and all will be right in the world again.

And then, you call me...


Now imagine that you didn't have to worry about some of those things. Imagine that your computer automatically stopped the bad stuff from infecting your computer. Imagine that, instead, your computer told you that something was trying to install itself, and then asked you if you were sure you wanted it to install. Then you could say something like, "Hey - I wasn't trying to install anything on my computer. I was just surfing on a website. Why is it trying to install stuff on my machine? That might be malware. I'm going to say No!"

Alright, stop imagining. That's what Vista and Windows 7 are doing. In keeping with the concept of Least Privilege, your "Normal" account is now secretly a "Limited" account. And for most of your day, that's fine. When something comes up that requires Admin-level privileges, instead of just telling you that you can't install it with a Limited account, it asks you if you'd like to temporarily upgrade your privileges, in order to do that particular function.

That gives you the best of all worlds: You're using Least Privilege at all times, without even knowing it. The bad guys can't install things surreptitiously on your computer, because they don't have the permissions required to do it. The only way they can get those permissions is by asking you! Sure, they'll use Social Engineering techniques to try to trick you into saying Yes, but that's more difficult. You can say No.

But Microsoft doesn't explain that part so clearly. Instead, in typical Microsoft-ese, they tell you that "A program needs your permission to continue..." They don't tell you what, or why. And you get frustrated because you've seen it before, like when you were legitimately trying to install Flash Player, and they freaked you out with that pop-up window, (because you thought it meant you had a virus). But it turned out to be okay. Now, you see that window so often that you just Allow everything without even thinking about it. Or maybe you've disabled it entirely, to prevent it from ever bothering you again.

Software Companies and UAC

Also frustrating is that many software manufacturers actually recommend that UAC be turned off, in order to get their software to run properly. They do it because their software isn't really written to the Vista/7 specifications, but they wanted to get their applications to run on those OSes, without having to recode them a whole lot. This is most common with "Vertical Market Applications," which are applications written for specific industries: Beauty Salon Management software; Medical Office software; Auto Shop software; things like that.

The companies that make these types of software are usually smaller companies, with very limited budgets. They don't want to rewrite their software if they don't have to. And they often don't have to because there's no push-back from their target markets. They don't have customers threatening to switch to a competitor because of it. But they should! Essentially, they are saying that they don't care about their customers' security. They'd rather put your computers and your data at risk, than rewrite their out-of-date code to conform with new security standards. And since you don't know better, you don't complain about it.

Well, now you know better!

What else can I do?

So if you shouldn't turn off UAC, what do you do when some applications just won't run properly with it turned on? What do you do when the software vendor's Support Team tell you that it's not compatible with their software?

I'd like to say that you tell them that you're going to switch to another application unless they fix the problem, but that's not always realistic. I'd also like to say that Microsoft has provided a way to address it, but unfortunately, they haven't really.

Microsoft did improve the UAC configuration set significantly in Windows 7. In Vista, there were two settings: On and Off. And the On setting was very annoying, giving rise to things like this commercial, from Apple. Windows 7 now has an additional option in between those two poles. Alright, they give you two, but they're really identical, except for the question of whether the screen goes dark or not. This additional option(s) says that it will ask you about some things, but not about others. It's much less intrusive. But even this isn't good enough, in my opinion.

There's much talk from users about the possibility of a UAC "Whitelist", which would allow you to specify certain applications as being automatically Allowed by UAC. I think that would be a great idea! It would enable you to avoid UAC problems for known applications, while still protecting your computer from the things you don't want installed. Yes, it could lead to some compromises. You could expressly Allow malware to run, defeating the purpose of it. But let's face it: you just can't protect everyone from everything. And it would be better than having people turn UAC off on their machines entirely. But for now, that's not an option. Hopefully, they'll put something like that in soon.

If you're a Vista user, there is a Norton tool that's still officially in "beta," which apparently does exactly what I was suggesting: It allows you to save a UAC setting for a given application, so if you Allowed it once, it will always allow it. The tool looks like it does a great job, but it doesn't work for Windows 7 - I tried it.

Otherwise, in those situations, you may just have to turn it off. But you should be asking your software companies why UAC isn't supported, and when they'll have a version that works properly available. And you should be aware of the risks.

Tuesday, August 3, 2010

Microsoft Patch - MS10-046 - Critical

Microsoft released a Critical patch today for pretty much all versions of Windows, from XP on up. (This doesn't mean it doesn't also apply to earlier versions; just that earlier versions are no longer supported.)

The issue behind this patch lies in that when you create a shortcut for something, Windows actually reads part of the underlying file to pick up things like the icon to use for the shortcut. Well, they've found a problem in the way that this works, and that very process of displaying the icon can be exploited, enabling code of the attacker's choosing to run, with the privileges of the locally logged-on user.

In other words, you don't even have to run the program, in order to be attacked. All they have to do is make an icon appear on your desktop, and when Windows reads the file to display the icon for it, it will run the malicious code with your permissions. Since many people use Windows XP with Administrator permissions, this means they own your system. And since many people with Vista or Windows 7 routinely ignore (or even turn off) the UAC warnings, they're going to to own them too.

If your system is set for automatic updates, you'll have already applied this patch this morning. If not, do! It's a Critical level security patch, and it will likely require a system reboot - it did for me.