Comments on: Want UAC-Free iReboot? You got it: iReboot 1.1 released!

By: MiniNoticias » Blog Archive » El mecanismo UAC de Windows Vista, poco seguro

Tue, 26 Aug 2008 21:22:01 +0000

[...] “Las limitaciones de seguridad recién implementadas en Windows Vista son como mucho artificiales, fáciles de sobrepasar, y que sólo dan la impresión de seguridad”, escribían los desarrolladores de iReboot en su blog. [...]

By: Big Business Proprietary Means “Secure” Part II « Microsoft Haters

Big Business Proprietary Means “Secure” Part II « Microsoft Haters — Sat, 14 Jun 2008 18:06:38 +0000

[...] from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista’s UAC limitations, including the steps they took to make their software perform system actions without requiring [...]

By: Noticias » Blog Archive » El mecanismo UAC de Windows Vista, poco seguro

Mon, 12 May 2008 17:03:20 +0000

By: Harry Johnston

Harry Johnston — Thu, 01 May 2008 00:11:58 +0000

This may be of interest to those following this thread:

http://blogs.msdn.com/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx

By: Mark

Mark — Wed, 30 Apr 2008 11:16:03 +0000

Just wanted to say thanks for iReboot, it’s a real awesome utility!

Now I can just restart my PC via iReboot, go take a shower, come back and find the right OS booted

By: Vista UAC isn’t just annoying and stupid; it’s insecure too! | Arno# - The cutting edge of developer waffle

Tue, 29 Apr 2008 15:23:09 +0000

[...] Read the full details of how NeoSmart bypassed UCA to get their iRebbot product working with Vista. [...]

By: Mad, Beautiful Ideas

Mad, Beautiful Ideas — Tue, 29 Apr 2008 15:00:18 +0000

Secure Applications Programming…

Neosmart Technologies recently posted a diatribe about Windows Vista’s UAC subsystem, and how it basically forced them to rewrite their iReboot application. iReboot is an interesting Windows application which allows you to set the bootloader to l…

By: Eludir la protección de Vista, o programar como se debe « SeMaToVe

Eludir la protección de Vista, o programar como se debe « SeMaToVe — Tue, 29 Apr 2008 07:14:57 +0000

[...] Want UAC-Free iReboot? You got it: iReboot 1.1 released! http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/ [...]

By: Mahmoud Al-Qudsi

Mahmoud Al-Qudsi — Tue, 29 Apr 2008 02:35:57 +0000

Larry, the default account in Windows Vista is an administrator - but like you mention, it too runs in “Administrator Approval Mode” w/ UAC enabled.

Lew, I will not bother to answer your question. Just re-read the article and the comments.

Richard Steven Hack:

If iReboot is a user-initiated application, why shouldn’t it do what my openSUSE Application Updater forces me to do whenever it tells me I have new software updates to install: ask me for the admin password? Or be run using “Runas”.

That’s exactly what iReboot 1.0 used to do. Except that Windows Vista wouldn’t require an application that asked for the admin password to run at startup, hence the need for iReboot 1.1 to automate the whole thing.

By: Morten Mertner

Morten Mertner — Mon, 28 Apr 2008 23:30:52 +0000

Larry, I’m running Vista with an Administrator account as I strongly prefer a long and complex password (which just isn’t viable with a regular user account and UAC). Force people to re-enter the password often enough and they’ll pick something easy, count on it.

Harry, “program accounts” is just regular system accounts except that they cannot be used for interactive logins by users. This allows programs to run with tailored permissions.

Lew, that’s just arrogance speaking. Don’t presume that people without formal CS training can’t comprehend complicated security issues. Separation of concerns is good (QMail is a prime example of this), but there are many other concerns for application developers: performance, time-to-market (developer productivity), maintenance complexity, etc. If you want developers to write secure programs, just make it cost-effective to do so. Or at least reasonably cost-effective.

By: Nick

Nick — Mon, 28 Apr 2008 23:24:48 +0000

To Lew:

For your reference, since you asked, I have a BS in Comp Sci / Mathematics (from a fairly good college), and over 10 years of experience.

And for those people not familiar with Vista:

The reason you need a dual-component implementation is that anything which interacts with the shell (which is required to display a tray icon) cannot be running in a privileged context. If you want a tray icon context menu command or click operation to perform an operation which requires a privileged context, it must logically make a LPC/RPC call to another elevated process which can. Pre-Vista, services could interact with the user window session under certain conditions (Interact with Desktop), so the separation wasn’t always necessary.

Hope that explanation helps.

By: Lew Nathan

Lew Nathan — Mon, 28 Apr 2008 22:57:03 +0000

Now that all the pissing and moaning has stopped, I was just wondering: how many of those with opinions about network/computer/system security actually have the schooling and training that accompany the acquisition of a Computer Science degree? I suspect that those who were in favor of the dual-component implementation actually have this training because the ’separation of privilege’ paradigm is a core requirement for well-implemented security models.

I will not spend the time to detail the aforementioned security issues, but suffice to say, that if the only difficulty bothering the implementers is the amount of work involved or some other annoyance associated with writing software, maybe they should learn to touch-type… it will facilitate their jobs as programmers.

And although I loath most everything M$, they actually HAVE made VISTA more secure (not TOTALLY secure) than any of their previous products.

By: Harry Johnston

Harry Johnston — Mon, 28 Apr 2008 22:39:55 +0000

Morten:

I’m not sure how a “program account” could fit in with the current model. Certainly it would be an even more extreme change than UAC - although perhaps I misunderstand what you’re imagining. (Personally, I’d like to see even more radical changes; but my ideas would require a brand new OS and significant redesign work for application developers. Not really something that could fly for the foreseeable future.)

It’s true that there’s little security benefit to UAC in the short term, but there is a non-security benefit for at least some of us: more programs that work for people who don’t log in as administrator.

On the other hand, I guess I’m biased; I get the benefit without the cost, since we still run Windows XP almost exclusively.

By: Larry Seltzer

Larry Seltzer — Mon, 28 Apr 2008 22:26:53 +0000

Morten - Have you actually ever used Vista? Non-Admin is the default. And even if you run as Administrator you run (by default) in a non-privileged mode and, when you perform a privileged operation, get a dialog reminding you that youre running one and you have to click a button to continue. So even if you run as Admin you get some reminder of elevated operations. A normal user also has to enter Admin credentials at this point.

By: Morten Mertner

Morten Mertner — Mon, 28 Apr 2008 22:20:10 +0000

Harry, good points. However, using UAC to aggravate users so that developers start caring is hardly the way to go about it. And worse, there’s little security benefit to be gained from this until Administrator is no longer the default, as you also point out.

Instead, the OS should create a “program account” when installing applications (like is often used with unix services). Default to admin-privileges on x86 and non-elevated on x64 with options for installers to request additional privileges. Such a design would be in line with x64 introducing additional security features (e.g. PatchGuard) while x86 focuses on backwards compatibility.

Alas, Vista has shipped and UAC will remain with us.. I’m just amazed that this was the best idea Microsoft could come up with.