User Account Control (UAC) is one of the key security mechanisms introduced in Vista. In the past, the default account ran as an administrator. Following the principle of least privilege, the default Vista account runs with limited access, and Vista detects when something requires administrator rights and shows the "administrator prompts" mocked in the most recent Mac ad.

All told, this is a good thing. Unfortunately, Microsoft made some poor design decisions in the implementation, sacrificing some of the security for ease of use. Joanna Rutkowska summarizes the issue:

One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it, e.g., to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?

How does Vista recognize installer executables? It has a compatibility database and also uses several heuristics to do that, e.g. if the file name contains the string "setup" (Really, I'm not kidding!). Finally, it looks at the executable's manifest; most modern installers are expected to have such a manifest embedded, which may indicate that the executable should be run as administrator.

This is a common problem I've seen in many systems where there is no differentiation in the level of trust. In fact, this is a big issue for me in a lot of social networks - they calculate "distance" based on your extended network, but do not account for the strength of any given connection. Certainly connections to my sister and my best friend are worth more than someone who randomly sent me a LinkedIn invite because we once had something in common but don't really know each other. In the same way, there are differing degrees of trust I want to offer executables.

After all, I would like to be offered a choice whether to fully trust a given installer executable (and run it as full administrator) or just allow it to add a folder in C:\Program Files and some keys under HKLM\Software and do nothing more.

It's unfortunate that people are turning UAC off, and it's unfortunate that Microsoft didn't do a better job modeling trust - but the bottom line is that UAC is a good start and offers a lot (not the least of which is running as non-administrator by default).
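As an added example (not from this post or from Rutkowska's text), here is the manifest element the quoted passage refers to, for a hypothetical installer named setup.exe: the declaration that demands the full administrator token, beside the least-privilege one. The file and product names are made up; the behaviour relied on is that an executable declaring any requestedExecutionLevel is no longer subject to Vista's installer-detection heuristics.

```xml
<!-- Added example, not the post's own. Weak declaration: a setup.exe whose
     manifest demands the full administrator token. An unmanifested file with
     "setup" in its name is treated the same way by installer detection. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="ExampleTetris.Setup" version="1.0.0.0"
                    processorArchitecture="x86" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- Full administrator: whole file system, HKLM, driver loading. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

<!-- Least-privilege declaration for the same hypothetical setup.exe. Because a
     requestedExecutionLevel is declared, installer detection is skipped, so the
     "setup" in the file name no longer forces a UAC prompt. The installer then
     runs with the caller's own token and must confine itself to per-user
     locations (e.g. %LOCALAPPDATA% and HKCU) instead of Program Files and HKLM. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="ExampleTetris.Setup" version="1.0.0.0"
                    processorArchitecture="x86" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: no elevation; highestAvailable would elevate only when
             the logged-on user is already an administrator. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

The second form is the closest an installer author can get today to the middle ground Rutkowska asks for: it writes only where a standard user may write, and anything beyond that fails rather than silently receiving kernel-level access.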
