UAC and Linux

M4dn3ss
So UAC is supposed to work in a similar way to Linux's security model right? As in, when actions require root access, it will prompt for a password to elevate the program's privileges.

So in theory, if malware were to add itself to the startup programs list on Windows, it would have to prompt a UAC alert, right? Then why is it that malware is able to bypass UAC's security measures on Windows and not on Linux?

On a related note, although Linux malware is far fewer in number, if one were to regularly use the Linux root account, would the user be likely to be infected?
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Professional x64
CPU
Intel Core i5 4690K
Motherboard
Gigabyte Z97X Gaming-3
Memory
Corsair Vengeance 16GB DDR3-1600
Graphics Card(s)
Sapphire Radeon R9 290 Tri-X OC
Sound Card
ONBOARD SOUND :D
Monitor(s) Displays
Samsung S24A450BW
Screen Resolution
1920x1200 (16:10 forever)
Hard Drives
250GB Samsung 840 EVO + 2TB Seagate Barracudea
PSU
Fractal Design Newton R3 1000W
Case
Corsair Graphite 230T
Cooling
Cooler Master Hyper 212X
Keyboard
Logitech G710+, CM Storm TK
Mouse
Steelseries Rival
Internet Speed
Australian
Antivirus
Avast, because I'm cheap
Browser
All the browsers!
There is user-specific startup and system startup; user-specific startup does not require administrative power because it is controlled by the user. Second, UAC is not a security boundary, it is a convenience, designed to let you run under a low-privileged account and elevate when needed.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2
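The per-user versus machine-wide startup distinction in the reply above can be checked directly. The PowerShell below is an added example, not code from the thread or from Microsoft: it probes the per-user Run key and Startup folder (which any process running as the logged-in user can write) and the HKLM Run key and All Users Startup folder (which need a full Administrators token), writing and immediately deleting a throwaway value. The probe name and the `Test-StartupWrite` function are the example's own; run it once from a normal console and once from an elevated one to see the two columns change.

```powershell
# Added example: which startup locations can a non-elevated process write to?
# Each probe creates and then removes a value/file, so nothing persists.

$isElevated = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Process elevated: $isElevated"

# Per-user locations: owned by the logged-in user, so no UAC prompt is involved.
$userLocations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    [Environment]::GetFolderPath('Startup')          # per-user Startup folder
)
# Machine-wide locations: ACLs allow writes only to Administrators with a full token.
$machineLocations = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    [Environment]::GetFolderPath('CommonStartup')    # All Users Startup folder
)

function Test-StartupWrite {
    param([string]$Location)
    # Hypothetical probe name; the value is removed right after it is written.
    $probe = 'UacProbe_' + [guid]::NewGuid().ToString('N')
    try {
        if ($Location -like 'HK*') {
            New-ItemProperty -Path $Location -Name $probe -Value 'probe' -ErrorAction Stop | Out-Null
            Remove-ItemProperty -Path $Location -Name $probe -ErrorAction Stop
        } else {
            $file = Join-Path $Location "$probe.txt"
            Set-Content -Path $file -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $file -ErrorAction Stop
        }
        return 'writable'
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        # Registry writes fail with SecurityException, file writes with UnauthorizedAccessException.
        return 'denied'
    } catch {
        return "error: $($_.Exception.GetType().Name)"
    }
}

"`n== Per-user startup (reachable without any prompt) =="
foreach ($loc in $userLocations) {
    "{0,-8} {1}" -f (Test-StartupWrite $loc), $loc
}
# What is already registered to run at logon for this user:
Get-ItemProperty -Path $userLocations[0] -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

"== Machine-wide startup (needs a full Administrators token) =="
foreach ($loc in $machineLocations) {
    "{0,-8} {1}" -f (Test-StartupWrite $loc), $loc
}
```

From a non-elevated console the first group reports `writable` and the second `denied`, which is exactly why user-level persistence never shows a UAC dialog: the user's own profile is not something UAC protects. When hunting an infection like the one discussed later in the thread, the HKCU Run key and the per-user Startup folder are therefore the first places to look, and a clean second user account is a quick test of whether the infection is confined to one profile.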
Point taken, but shouldn't "[running] under a low-privileged account and [elevating] when needed" still mean that access to the core of the system is restricted under Windows?
Nevertheless, although perhaps user-specific start up does not require root access, why is malware still able to copy itself into directories such as Windows and Program Files, and make registry changes without triggering UAC?
 

UAC is basically a bad copy-paste of Linux's sudo command (from the little I know of Linux), which basically turns administrator accounts into non-admins and asks when a program requires elevation. For real non-admin users, it just asks for the username/password of an admin to continue.

There is a fundamental difference: the default user account in Windows is an administrator one, which thanks to UAC gets silently demoted to a non-admin one, and you're asked to elevate (as far as I know, the Linux default account is non-admin and you must use the built-in root to manage system-wide things). Under that limited-permission account you (and viruses) are free to manage your files and user-specific configuration and have read-only access to all system files and programs, but to modify those you need elevation, yes.

There is another thing. In Windows 7 a critical bug was introduced in UAC that affects the default configuration. When UAC is set to the default level (the 3rd position in the slider of the UAC settings) or lower, any program running in an admin account (automagically demoted to non-admin by UAC) CAN bypass the prompt and get full admin permissions without the user's knowledge or consent. If you set UAC to the highest level or use an account not belonging to the Administrators group, trying to exploit the bug will show an elevation prompt (and hopefully the user will realize that something is wrong and deny it). This bug was NOT present in Windows Vista. MS has acknowledged it and has no plans to fix it, so plenty of viruses today exploit it.

Another way to get infected is that a piece of malware does trigger a UAC prompt and the user simply accepts it, granting the virus full system control (this isn't a flaw of Windows, of course). Often you can know when to expect a UAC popup; common sense is the only way of knowing when to trust an app and when not to. If a prompt appears out of nowhere, for example, I would NOT give my password. Many viruses rely on the user's lack of knowledge to make them give full access too.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
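The two things the post above describes, the "silently demoted" admin token and the slider level at which auto-elevation applies, both have a concrete representation on the machine and can be read rather than guessed. The PowerShell below is an added example, not from the thread: it reads the UAC policy values under `HKLM\...\Policies\System` that the slider writes, then parses `whoami /groups` to show whether the current token is a standard user, an administrator's filtered token (Administrators present but "used for deny only", Medium integrity) or a full elevated token (High integrity). The mapping of `ConsentPromptBehaviorAdmin` values to slider positions is Microsoft's documented one; the `$state` wording is the example's own.

```powershell
# Added example: what UAC level is configured, and which token am I running with?

$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin (members of Administrators):
#   2 = Always notify (top of the slider; auto-elevate is not honoured)
#   5 = prompt only for non-Windows binaries (Windows auto-elevate binaries skip the prompt)
#   0 = elevate without prompting (bottom of the slider)
# PromptOnSecureDesktop (1/0) separates the two middle slider positions.
$level = switch ($policy.ConsentPromptBehaviorAdmin) {
    2 { 'Always notify (highest)' }
    5 { if ($policy.PromptOnSecureDesktop -eq 1) { 'Default: notify on app changes, secure desktop' }
        else { 'Notify on app changes, no secure desktop' } }
    0 { 'Never notify' }
    default { "Unrecognised value $($policy.ConsentPromptBehaviorAdmin)" }
}
"EnableLUA:                  $($policy.EnableLUA)  (0 means UAC is off entirely)"
"ConsentPromptBehaviorAdmin: $($policy.ConsentPromptBehaviorAdmin) -> $level"
"ConsentPromptBehaviorUser:  $($policy.ConsentPromptBehaviorUser)  (3 = credential prompt for standard users, 0 = always deny)"

# Token state. .NET's WindowsIdentity.Groups drops deny-only groups, so the
# filtered token is not visible there; whoami /groups shows the raw picture.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
$label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # integrity level row

$state = if (-not $admins) {
    'standard user: elevation needs an admin password'
} elseif ($admins.Attributes -match 'deny only') {
    'administrator running on the filtered token (Admin Approval Mode)'
} else {
    'administrator running on the full token (already elevated)'
}
"Integrity level:            $($label.'Group Name')"
"Token state:                $state"
```

The practical reading: if the output says `ConsentPromptBehaviorAdmin: 5` and the token state is the filtered one, you are in the configuration the post calls the default; setting the slider to the top changes the first value to 2, and logging on as a member of Users instead of Administrators changes the second line. Both of those are policy settings, so on a domain-joined machine Group Policy may override what the slider shows.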
As far as I know, the default UAC level 3 automatically grants administrator permission to certain Windows programs such as Notepad and Paint, and malware can just inject code into Notepad to do... well, bad things.

Is it possible for malware to perhaps exploit security holes in the way UAC works (even on the highest UAC level) to silently bypass the UAC prompts? And if this were the case, wouldn't a similar attack be possible on Linux systems?
 

As far as I know, the default UAC level 3 automatically grants administrator permission to certain Windows programs such as Notepad and Paint, and malware can just inject code into Notepad to do... well, bad things.

Exactly, that's the bug I was talking about. A few programs have been granted this "auto-elevate" privilege that is supposed to make UAC less annoying, but actually it only makes it totally useless at the default level, because anyone (or anything) can bypass it at will by code injection.


Is it possible for malware to perhaps exploit security holes in the way UAC works (even on the highest UAC level) to silently bypass the UAC prompts? And if this were the case, wouldn't a similar attack be possible on Linux systems?

A lot of malware actually exploits that flaw and silently bypasses UAC in that way.
But under the highest level, the auto-elevation isn't allowed and a prompt is generated, so even though a program may attempt to exploit the bug, the user would be alerted.

On Linux, this doesn't even exist and it works in a very different way. The auto-elevation bug on Windows is something very specific to their implementation that doesn't port to anything else on other OSs. Each one may have its own bugs though.
 

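The "auto-elevate" privilege discussed in the last two posts is not a hidden list: it is a flag in the application manifest embedded in the executable, and Windows only honours it for binaries signed by the Windows publisher and located in secure paths such as System32. The PowerShell below is an added audit example, not from the thread: it scans System32 for executables whose embedded manifest contains `<autoElevate>true</autoElevate>` and reports each one with its Authenticode signer. It searches the raw file bytes for the manifest text rather than parsing the PE resource table, which is a heuristic (it will also match a binary that merely contains that string in a data section), so treat the list as a starting point for inspection, not proof.

```powershell
# Added example: enumerate System32 executables that declare autoElevate in
# their embedded manifest. Read-only; it opens files and signatures only.

$system32 = Join-Path $env:SystemRoot 'System32'
$pattern  = [regex]'(?i)<autoElevate>\s*true\s*</autoElevate>'

$results = Get-ChildItem -Path $system32 -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            # The manifest is stored as UTF-8 XML in the RT_MANIFEST resource,
            # so a plain text search over the file bytes finds it (heuristic).
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
            if ($pattern.IsMatch($text)) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Name      = $_.Name
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                }
            }
        } catch {
            Write-Warning "Could not read $($_.FullName): $($_.Exception.Message)"
        }
    }

$results | Sort-Object Name | Format-Table -AutoSize
"{0} auto-elevating executables found under {1}" -f @($results).Count, $system32
```

Why a defender cares: at the default slider position every binary in that list starts with a full administrator token and no dialog, so anything that can influence how one of them behaves (the DLLs it loads, the registry keys it reads, the COM objects it instantiates) is running with that token too. At "Always notify" the flag is ignored and these programs prompt like any other, which is the behavioural difference the thread is describing. Microsoft's own position is that UAC is not a security boundary, so findings here are hardening and monitoring inputs rather than vulnerabilities in themselves.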
Are there any flaws in UAC's maximum security setting? I'm pretty sure there have been many viruses that have been able to bypass the UAC prompt.
 

Not that I'm aware of. The UAC-bypassing viruses rely on the default configuration only; there are a lot of viruses today that exploit the bugs introduced by Win7 to UAC, and users being mostly unaware or not caring at all helped their spread. But once you set UAC to highest you should be safe from that at least.
It may have some other bugs of course (as every piece of software has), but not related to the "by design" ones.
The main problem is that, once a prompt appears, it is up to the user to decide whether to elevate or not, and a mistake there may lead to an infection. But this isn't a flaw in UAC (even Linux may have problems that way if the user gives away the root password all the time).
 

Really? I swear a couple of years ago I was infected from an infected advertisement on a web page which installed a Fake AV without prompting UAC. UAC was on max level too.
 

Really? I swear a couple of years ago I was infected from an infected advertisement on a web page which installed a Fake AV without prompting UAC. UAC was on max level too.

Probably because it exploited Flash or Java, which both have a nasty habit of poking holes in security. I don't know if they changed this, but a while back Flash poked a hole through UAC so it could execute things without a prompt. Obviously this is not good. Also, are you sure the infection was rooted? It could have been only for your current user. Had a rogue AV infect my mother's computer at one point; however, it was contained to her user account only, and a newly created user was unaffected.
 

UAC is not the answer to all security problems. It was designed to assist in security. In my opinion it is just a small "let me try and help" program, that's all. Some infections do get around it and some don't. That is why one must have other security programs to assist. No one thing or program can protect your computer. I have 3 active programs for security.
1. Microsoft Security Essentials
2. Malwarebytes Anti Malware Pro
3. Windows 7 built in Firewall
I also use a router and several on-demand programs to back up my active programs, just to check and see if anything got by my active programs. There is no one-shot program or tool that does it all. With all this, I just the other day got some add-ons to both IE9 and FF for donating to some sort of charity and a coupon gadget. I don't know how they got there, but by checking with the on-demand programs I got rid of them. It's a never-ending struggle to keep this crap off a computer.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Sorry can't remember, it was too long ago.

Would running as a standard user be better than running as an admin with UAC? Or is the latter just the same as standard but with a yes/no prompt instead of requiring a password?
 

In theory it should be the same, but subtle differences exist. The yes/no prompt vs the user/password prompt is the major one; I think it at least prevents an easy "yes to all" by the user, but it also provides some kind of isolation, since the elevated program runs under a different account than the logged-in user (this has some bad side effects too). And if for any reason you ever had to disable UAC, you're still a non-admin.
That's the setup I prefer; it has its annoyances, but a bit more security is a good tradeoff I think (but try it yourself and see if that suits you). It's not a silver bullet and bad things can still happen.
 
