Vista: Insecure by design
Whoa. So much for the security refresh in Vista: it's broken by design. When UAC decides a program is an installer, it runs it with full administrator privileges (after a consent prompt), even if the account launching it is a plain standard user.
"[When] you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing it to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?" Rutkowska asked in a post on her Invisible Things blog.
So that's just astonishing: I can refuse to run an installer, or I can approve it and pray that it does nothing wrong, but I can't run it with limited access. That's just stupid, and it makes the rest of Vista's security fixes fairly worthless. If I'm happy with a "trust the source" model of security, I may as well let my browser run anything, on the theory that I won't visit untrusted sources.


Comments
But Linux and (I presume) Mac OS X work the same way
[Duncan] February 13, 2007 21:39:30.000
It's the same in all the Unix-derived operating systems, isn't it?
To Duncan
[Tom Sattler] February 13, 2007 22:25:07.000
Duncan, no, it's not the same in Linux. It IS true that (in a Red Hat-derived distro) I can only run the RPM installer program as root. But the RPM program is on my machine, and it was supplied by Red Hat. When you download Tetris for Windows, you are using the installer that is included in the downloaded file, and you can only begin to guess what malevolent things it may be doing to your installation. All RPM does is copy files to your file structure. That is a huge difference, at least to me.
Not strictly true
[Tim Anderson] February 14, 2007 11:02:26.490
Actually this behaviour is configurable. You can specify in local security policy whether installation apps prompt for elevated privileges or not. Enterprise rollouts have this disabled by default. So it is a configuration choice.
That said, in general setup apps do need to be run with local admin rights. Frankly, if you think the app might be malware, don't run the install.
Tim
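The setting Tim Anderson refers to is the local security policy "User Account Control: Detect application installations and prompt for elevation", backed by the `EnableInstallerDetection` DWORD under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (1 = detect and prompt, the default on Home and Business editions; 0 = off, the default on Enterprise). The PowerShell below is an added example, not code from the post or from any of the commenters; the function names are my own, only the key and value names are Windows' own.

```powershell
# Added example: inspect and change the UAC "Installer Detection" policy.
# Policy name in secpol.msc / gpedit.msc:
#   User Account Control: Detect application installations and prompt for elevation
# Registry backing store (real key and value names):
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableInstallerDetection'   # DWORD: 1 = detect and prompt, 0 = off

function Get-InstallerDetectionPolicy {
    # Function name is this example's own. Reports the effective setting; an absent
    # value is reported as such rather than as $null, because "absent" means the SKU
    # default applies (enabled on Home/Business, disabled on Enterprise).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotSet (SKU default applies: enabled on Home/Business, disabled on Enterprise)'
    }
    switch ($item.$ValueName) {
        1       { 'Enabled: heuristically detected installers get a UAC elevation prompt' }
        0       { 'Disabled: detected installers run with the standard-user token' }
        default { "Unexpected value $($item.$ValueName)" }
    }
}

function Set-InstallerDetectionPolicy {
    # Function name is this example's own. Must be run from an elevated shell:
    # HKLM\...\Policies\System is writable by administrators only.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $value -Type DWord
    Get-InstallerDetectionPolicy
}

# Usage (read-only part works as a standard user):
Get-InstallerDetectionPolicy
# Set-InstallerDetectionPolicy -State Disabled   # elevated shell required
```

Two caveats a practitioner would want before flipping this. First, installer detection is a heuristic that only applies to 32-bit executables that carry no `requestedExecutionLevel` manifest and are launched interactively from a standard-user token with UAC enabled; an installer whose manifest says `requireAdministrator` prompts regardless of this setting. Second, turning detection off does not give you a "limited installer" mode: an unmanifested setup program then simply runs as the standard user and usually fails when it tries to write to `Program Files` or `HKLM`. So the choice Tim describes is "prompt for full admin" versus "run as the standard user and probably fail", not a third, sandboxed option.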