Tuesday 21 August 2007

"Run When Finished" -- A Vista UAC Security Hole?

Back in February a security researcher called Joanna Rutkowska blogged about her experiences with Windows Vista and a potential problem with Vista's User Account Control (UAC). The main point she raised was that when you run a setup program, UAC presents you with just two options: 1) run the installer with full administrator privileges, or 2) don't run the installer at all. So if you are unsure about an installer, Vista puts you in the position of having to trust it completely or not at all. What you really want is the option to trust it a little and run it under the current user account. Malware/spyware authors can use this against you by crafting a malicious installer, which will have unfettered access to the machine on which it is run. One issue not discussed, though, was the common "Run program when finished" option.

On the last screen of many installers there is a check box, selected by default, which asks you if you want to run the software when the installer finishes. Because the installer is running with administrator privileges, the application it launches inherits the same set of elevated privileges without triggering a UAC prompt! Now I can see two issues with this. Firstly, a malware author doesn't have to try to craft a malicious installer program. They can just use something like InstallShield to generate an installer for their malware and then hope that the user leaves the "Run when finished" option selected, and the malware will run with complete access to the machine. Secondly, even if the software is completely safe, the user is now able to do things that they usually wouldn't be allowed to do, and so could accidentally cause damage to files or settings on their computer. It is this second issue that alerted me to the problem in the first place.

Over the weekend I was testing some web development I was doing in the Opera web browser when it asked me if I wanted to update to the newest version. I thought this was an ideal time to go make some coffee (hey, I mentioned coffee for the first time on this blog!) so I allowed it to download and run the installer for the new version. When it finished I allowed the installer to restart Opera and thought nothing else about it. Now when I was using XP I had got into a nasty habit of saving temp files into the root of the C: drive. Vista doesn't let you do this, but for some reason I must have tried anyway and it succeeded, although at the time I didn't think this was weird. It was only about an hour later, when, having done some more development and re-opened Opera, I tried to save a second file in the same place as the first so I could do a diff between the two files, that I noticed something was wrong -- Opera wouldn't let me save the file in the root of the C: drive, offering to save in the Documents folder instead. It took me quite a while to figure out how I had been able to save the earlier file. When the penny eventually dropped and I realised that it must have been because the first instance of Opera I had opened after the update had been running with administrator privileges, I uninstalled and then re-installed Opera to check I wasn't being crazy. I wasn't, and I can easily reproduce the behaviour. I have since tried installers for a number of other bits of software, and in all of them where I'm offered the option to "run when finished" the program is run with administrator privileges and I can save into the root of the C: drive.
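Saving a file into the root of C: is an indirect test. The elevation state of every running process can be read directly from its access token, which makes it easy to spot an application that an installer's "Run when finished" box has left running as administrator. The PowerShell script below is an added example, not code from the original post; it assumes Windows Vista or later, and any process whose token it cannot open (another user's process, a protected process) is reported as Unknown rather than guessed at.

```powershell
# Added example, not code from the original post. Reports how each running
# process obtained its token, so that a program launched by an elevated
# installer stands out. Assumes Windows Vista or later.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass,
        out int info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS values
    const int TokenElevation = 20;

    // Returns "Elevated" (full administrator token), "Limited" (the
    // standard-user half of a UAC split token), "Default" (the token was
    // never split, i.e. a plain standard-user account) or "Unknown" when the
    // process or its token cannot be opened from this context.
    public static string Describe(int pid)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProcess == IntPtr.Zero) return "Unknown";
        IntPtr hToken = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return "Unknown";
            int value, len;
            if (!GetTokenInformation(hToken, TokenElevation, out value, sizeof(int), out len))
                return "Unknown";
            if (value != 0) return "Elevated";
            if (!GetTokenInformation(hToken, TokenElevationType, out value, sizeof(int), out len))
                return "Unknown";
            return value == 3 ? "Limited" : "Default";   // TokenElevationTypeLimited == 3
        }
        finally
        {
            if (hToken != IntPtr.Zero) { CloseHandle(hToken); }
            CloseHandle(hProcess);
        }
    }
}
"@

function Get-ProcessElevation {
    # One row per process: name, PID and the token classification above.
    Get-Process | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Elevation = [TokenProbe]::Describe($_.Id)
        }
    }
}

# Typical use: list everything that is currently running with full
# administrator rights. Run it from a normal prompt straight after an
# installer has finished and the "run when finished" program shows up here.
Get-ProcessElevation | Where-Object { $_.Elevation -eq 'Elevated' } | Format-Table -AutoSize
```

An elevated process of your own also cannot be opened from a non-elevated prompt in every configuration, so a run that shows Unknown for a freshly installed program is a reason to repeat the check from an elevated prompt, not proof that it is running normally.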

So what exactly does this mean for the average everyday user of Windows Vista? To be safe, don't rely on UAC to protect you, either from malware or from yourself. From now on I'm going to be unchecking the "Run when finished" box to ensure that programs are not run with administrator privileges unnecessarily.

In the long run I think companies that develop software used to generate installers (for example the InstallShield product from Macrovision) should seriously consider either removing the "Run when finished" option from their installers or ensuring that the application is launched under the logged-in user's account and not under the account being used to run the installer. While I don't know enough about the Windows Vista API to know how to do this, it must be possible given that I can use the runas command line tool to run programs under any user account to which I can log in.
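The runas tool mentioned above can in fact do this without a second account: its /trustlevel switch starts a program under a restricted "Basic User" token in which the Administrators group is marked deny-only and the elevated privileges are stripped, which is what an installer's finish screen would need to hand off to the application safely. The script below is an added example, not code from the original post or from any installer product; it assumes Windows Vista or later and that the Public folder ($env:PUBLIC) is at a path without spaces, because runas takes the whole command line as one quoted argument and does not accept nested quotes.

```powershell
# Added example, not code from the original post or from any installer
# product. Starts a program from an elevated context under a restricted
# "Basic User" token via runas /trustlevel:0x20000, then checks the result
# the same way the post did: can the child still write to the root of C:?
# Assumes Windows Vista or later.

function Start-ProcessAsBasicUser {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @()
    )
    # runas wants one quoted command line and rejects nested quotes, so
    # FilePath and every argument must be free of spaces.
    $command = (@($FilePath) + $ArgumentList) -join ' '
    Start-Process -FilePath runas.exe -ArgumentList "/trustlevel:0x20000 `"$command`"" -Wait
}

function Test-BasicUserLaunch {
    # Self-check: run a child PowerShell through the restricted token and have
    # it record whether it still counts as an administrator and whether it can
    # create a file in the root of C:. The Public folder is used for the probe
    # script and its report because every interactive user can write there.
    $probe  = Join-Path $env:PUBLIC 'uac-demotion-probe.ps1'
    $result = Join-Path $env:PUBLIC 'uac-demotion-result.txt'
    Remove-Item $result -ErrorAction SilentlyContinue

@'
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
try {
    # -ErrorAction Stop turns the access-denied error into a catchable exception.
    New-Item -Path 'C:\uac-demotion-canary.txt' -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item 'C:\uac-demotion-canary.txt'
    $canWriteRoot = $true
} catch {
    $canWriteRoot = $false
}
"IsAdmin=$isAdmin;CanWriteRoot=$canWriteRoot" | Set-Content -Path $args[0]
'@ | Set-Content -Path $probe

    Start-ProcessAsBasicUser -FilePath powershell.exe `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $probe, $result

    # runas returns as soon as the child has been started, so poll for its report.
    $deadline = (Get-Date).AddSeconds(20)
    while (-not (Test-Path $result) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 500
    }
    if (Test-Path $result) { Get-Content $result } else { Write-Warning 'child did not report back' }
}

# Run from an elevated prompt: the report shows what the demoted child could do.
Test-BasicUserLaunch
```

The restricted token produced this way is not identical to the limited half of the user's own split token (it is built by SAFER rather than by UAC), so the launched program behaves like a standard user but can differ in details; for the purpose of not handing an installer's administrator rights to the application it starts, that is the property that matters.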
23 August 2007 at 03:57, Scriptor Senex said...

By pure chance I have always restarted my computer before running any new software. I must have been just waiting for Microsoft to screw up. At least now I will have good reason for not running new programmes when finished. Thanks for the advice, keep it coming.
