It rather involved being on the other side of this airtight hatchway: Silently enabling features


A security vulnerability report arrived which went roughly like this:

When you programmatically enable the XYZ feature, the user receives no visual alert that it is enabled. As a result, malware can enable this feature and use it as part of an attempt to turn the machine into a botnet zombie. The XYZ feature should notify the user when it is enabled, so that the presence of malware is more easily determined.

Okay, first of all, before we get to the security part of this issue, let's look at the user interface design. The proposed change is that, when the XYZ feature is enabled programmatically, the user receive a notification "XYZ is now enabled."

You know what most users are going to do when they get that notification?

Ignore it.

There are two cases where XYZ can be programmatically enabled. The user may have enabled it themselves by, say, checking a checkbox, and the code that handles the checkbox turns around and programmatically enables the XYZ feature. In this case, the notification is an annoyance like my three-year-old niece who narrates every single thing she does. The user goes to the XYZ control panel, enables XYZ, and in response to the XYZ control panel enabling XYZ, the user gets a notification balloon that says "XYZ is now enabled."

Well DUH.

The other case is that the user did not enable it themselves, in which case the balloon is an annoyance because it says something that the user doesn't care about and probably doesn't even understand.

"The tech tech tech is now tech tech tech."

Displaying a notification doesn't really help. Either the user expects it, in which case it's an annoyance, or the user doesn't expect it, in which case they most likely won't understand it either, so it's still just an annoyance. (And taking no action leaves the feature enabled.)

Okay, now let's look at the security aspect of this report. Enabling the XYZ feature requires administrator privileges, so any malware which successfully turns on the XYZ feature has already pwned your machine. It's already on the other side of the airtight hatchway.

Displaying a warning when your machine is pwned doesn't accomplish anything: Since the malware already has complete control of the machine, it can patch out the code that displays the notification balloon. In other words, the only case in which the user actually sees the XYZ notification is when the user was expecting it to be turned on anyway, at which point you're just being a chatty Cathy.

Exercise: "You can get rid of the notification in the case where the user enabled the feature manually by adding an fSuppressWarnings parameter to the EnableXYZ function, and have the code that handles the checkbox pass fSuppressWarnings = TRUE. That leaves only the second case, which is exactly the case we want the user to be annoyed." Discuss.

Comments (41)
  1. Sunil Joshi says:

    Exercise: Your friendly malware author is likely to pass fSuppressWarnings = TRUE. The flag helps not.

  2. Zarat says:

    I already get these kinds of notifications, from my antivirus software.

    I'm still annoyed because almost always they are false positives.

  3. alegr1 says:

    While it's not security related, am I the only one annoyed by "Windows color scheme switched to basic, because an application is incompatible", the application in question being a popular DVD/BR player favored by OEMs?

  4. Dan Bugglin says:

    Exercise: Yeah, and let's add that evil bit to TCP packets while we're at it.

  5. Andrew says:

    @John Doe, maybe I'm remembering and it wasn't the UAC dialog that popped up below others.  But I remember getting a lot of modal dialogs under other windows.  I definitely never did anything explicit to configure anything about UAC.

  6. Matt says:

    @Andrew:

    Because the first click is on the explorer window, which is on your normal desktop. Malware on your desktop can post messages to that window to send fake clicks, hence the system cannot tell whether you decided to rename "C:\Windows" to "C:\Pwndows" or whether the malware did.

    For UAC, the dialog is on the secure desktop (in fact, the faded other windows you can see aren't actually there – that's the desktop wallpaper of the secure desktop). Since malware CAN'T post messages there, UAC can be sure that it's ACTUALLY you doing the clicking, and not the malware.

  7. Alex says:

    @Andrew

    Windows cannot verify (at least in current implementation) who clicked any button in any application. That is the whole point of Secure Desktop: it is isolated and under Windows' control.

  8. Matt says:

    @alegr1: That annoyance is fixed in Windows8. There is no more "basic mode" and aero is always on.

  9. Adam Rosenfield says:

    Speaking of airtight hatchways, I just read about this vulnerability in Windows 8: http://www.passcape.com/index.php .  The key text being "any user of the PC with the Administrator privileges can easily recover [the text password]".

    Of course, despite requiring being on the other side of the hatchway, it's still a serious issue because recovering the plaintext password of another user could have much larger repercussions if they reuse the same password anywhere else, among other things.

  10. Vilx- says:

    @Matt – Actually, there is no more "aero" in Windows 8. The DWM is now permanently on, yes, but the pretty "aero" skin is gone. :( I for one keep my fingers crossed and hope that it will return one day. Or maybe people will figure out how to make skins for Windows 8 like they did for Windows XP. Ahh, the good old days… :P

  11. alegr1 says:

    @Andrew:

    If you're using a default Windows installation, your everyday account type is a member of Administrators, with "Restricted" token attached (this confirms that Microsoft . For such account, you don't have to enter your password. The confirmation dialog is shown on a separate GUI surface called "Desktop" in Win32 terms, which is not accessible for other processes, so the confirmation cannot be faked.

  12. alegr1 says:

    @matt:

    "I had an annoyance that once in a while I had rash on my face. Now that somebody splashed acid on me, I don't have rash anymore. Problem solved".

  13. Philip says:

    about the exercise: How would the checkbox determine that it was actually the user who clicked it? It could easily have been clicked by the malware sending appropriate windows messages (or any other method for simulating input). I guess the only way to solve that is to show the dialog with the checkbox in a privileged desktop, but AFAIK, only windows itself can do that.

  14. @alegr1 says:

    "Now that somebody splashed acid on me"

    Subjective. I like win8 a lot more than 7, theme included. My only gripe is that with the aubergine-purple color I use for titlebars, the title text could not be customized white. I can live with that.

  15. Joshua says:

    There was this virus going around to which UAC was no barrier. It used remote desktop to press continue on the UAC prompt.

  16. Nick says:

    It feels like there should be an "airtight hatchway" category for blogs that mention "being on the other side of this airtight hatchway."

  17. "I guess the only way to solve that is to show the dialog with the checkbox in a privileged desktop, but AFAIK, only windows itself can do that."

    It's possible to switch between desktops with the right privileges (Mark Russinovich had a good article and code sample for this) – then again, of course, it's also possible to install your own keyboard, mouse and device driver to feed in "genuine" input from fake hardware, which of course is exactly what remote control software will do. Switching to your own secure desktop is quite a good way of locking out most would-be malware.

    Original suggestion rephrased: 'malware should tell the user when it installs itself'. Far too much of it does seem to do that these days, calling itself a 'toolbar' coming bundled with something legitimate…

  18. gubment.cheez says:

    @Andrew: in addition to everything else everyone has said about the UAC, if a minimized program triggers a UAC prompt, the UAC prompt itself is minimized as well, which leads to Fun Times(TM) if you're not expecting it

  19. I find UAC is actually useful now that I log in as a limited user account.

  20. Alistair Young says:

    Exercise: And even in the hypothetical powered-by-magic case in which you could prevent the malware from passing the no-really-not-evil flag, the user would *still* ignore it. So, instead of alerting the user, that should instead e-mail the system administrator to go beat the user around the ears for letting the malware get on their machine in the first place.

    (For home users and others without system administrators?  Well, then, have it e-mail the genie who's providing the magic that makes the first part of this exercise work.)

  21. Burak KALAYCI says:

    > You know what most users are going to do when they get that notification?

    > Ignore it.

    Just like most people will ignore it when you tell them smoking/sugar/salt is bad for their health.

    If you can warn some users, even one user, why not do it? Not to annoy others who will likely become a botnet zombie in a short time???

    Doesn't make sense to me.

    > It's already on the other side of the airtight hatchway.

    That is 100% correct.

    But, "if the burglar is already in your house, you need not be notified about that, because it somehow accomplishes nothing, you will be just annoyed." Is that the reasoning here? If my system is screwed, I would rather be given the chance to learn about it as soon as possible.

    > Since the malware already has complete control of the machine, it can patch out the code that displays the notification balloon.

    True. Then again we have activations, DRMs, registration codes, copy protection systems. And we know that all of these can be bypassed. Why do we bother?

    Not all malware will be able to, or even bother to, patch the notification code. Some are bound to think that most people will ignore the notification and just be annoyed by it(!).

    [Now all you have to do is convince the people who hate UAC. "If you can warn some users, even one user, why not do it?" -Raymond]
  22. Andrew says:

    Raymond, I'm curious: I have a vague recollection, when Vista came out, of constantly getting the chatty Cathy form of *confirmation* dialog.  Is this different somehow, security-wise?  It seemed I would say, "Do this!" and Windows would pop up a dialog saying, "Warning!  Someone has just asked your machine to do this!  Allow or deny?"  I'd then have to click the "Allow" button.  Do you know why, and how this is different?  Sorry I'm fuzzy on the details.  (Side question: if I remember right, these confirmation dialogs often appeared *beneath* my active window in the Z-order, and they'd lock out all interaction with everything else, such that unless I noticed the flashing icon for the notification in the taskbar, I'd assume my machine had locked up.  Ever heard of that behavior before?  Any comment?)

  23. RP says:

    @Andrew: I guess you mean the UAC dialog, in which case the change happens *after* you respond to the dialog, not before.

  24. Andrew says:

    @RP: probably, yeah.  Just skimmed Wikipedia on UAC.  I guess here's my question: if Windows can somehow securely verify that *I'm* the one who clicked that "Allow" button (I don't remember having to re-enter my password like on OS X), why wouldn't the same apply for my initial interaction with the application that required elevated privileges?  I don't get how me clicking an extra button is any more proof that I wanted that task done than my initial click in the app.  Maybe I just need to read more.

  25. John Doe says:

    @Andrew, the UAC dialog appears in a secure, separate desktop by default. You must have customized it to not do so, instead appearing in the current desktop. Therefore, *you* allowed any software you're running to click the button.

  26. Ted says:

    Re: the exercise; could you do something along the lines of the broker pattern, where the manual control was run with higher trust than anything with programmatic access could get?

    [And how would the broker know that it was invoked by the user rather than programmatically? (And what's to prevent the malware from hacking the broker?) All you did was move the problem. -Raymond]
  27. cheong00 says:

    @Joshua: Emmm… I think Remote Desktop currently blocks connection from localhost to get rid of "infinite mirror" problem…

  28. Joshua says:

    @cheong00: No, it doesn't. It does indeed block a loopback connection onto the same session, but I forward the remote desktop port over ssh so to both ends it looks like I'm connecting to localhost but I'm not and that works so it doesn't know by port. BTW, the virus contained an internal remote desktop client to make scraping easier.

  29. sh code says:

    the malware can use the fSupressWarning parameter as well, what's there to discuss?

  30. Anonymous Coward says:

    The first half of the article can only be used to argue that XYZ should maybe not exist in its present form, not that there is nothing to be done. For example, we only learn in the second half of the article that XYZ requires admin privileges; if that had not been the case already then XYZ would have had to be changed (possibly by adding admin privileges although it's impossible to know whether that actually is the best solution without knowing what XYZ is) although not in the way requested.

    As for the last sentence, that won't work because Windows is badly designed and all programs run at the same privilege levels. In a sensibly designed system, applications would be properly isolated and not be able to do all the same things as say the control panel. Making sure that a notification pops up only when the user checks the relevant box is possible but would require a complete redesign of the operating system.

    [All the malware would have to do is inject a thread into Control Panel (or attach as a debugger) and then call the "special API that only Control Panel can call." You would have to block applications from doing things like injecting threads. Fortunately, your long-desired complete redesign is here: The Windows 8 application model. -Raymond]
  31. I wish someone with Raymond's reasoning was on the Internet Explorer team.  My browser constantly warns me that a site is requesting access to a plug-in, but only gives me the option to "Enable" or "Enable for all Sites". Nobody thought to add a sorely needed "Ignore" (and "Ignore for this Session") option.

    And so it keeps nagging me and tempting me to lower security by "Enable for all Sites" just to be free of it.

    I also wonder how Acrobat and Java plug-ins manage to bypass these restrictions altogether.

  32. xpclient says:

    That's what Action Center somewhat does and we can selectively "Turn off messages/notifications about ______". If you don't want a setting silently changed, just use Local Group Policy to force enable/disable/configure the feature.

  33. Gechurch says:

    @Burak KALAYCI

    "If you can warn some users, even one user, why not do it?"

    There's a trade-off between usability and security. It's been well established that users don't like things they didn't ask for popping up and getting in their way or distracting them. If you make the decision to show notifications every time a feature that malware could potentially use is turned on you're not just adding one alert – there may well be hundreds of features malware could misuse, which means potentially hundreds of notifications. Given the security benefits of doing this are dubious I can see why the decision was made not to do this.

    "But, "if the burglar is already in your house, you need not be notified about that, because it somehow accomplishes nothing, you will be just annoyed." Is that the reasoning here? If my system is screwed, I would rather be given the chance to learn about it as soon as possible."

    There are some fundamental differences here:

    1) People understand what a burglar is. They understand the consequences. Most won't understand what "a new site was added to the local intranet zone" (or whatever the notification is about) means.

    2) If a burglar is in your home then yes – you are definitely screwed. If a new site is added to your local intranet zone then although there's a chance you are screwed (or on your way), there's a much better chance that everything is functioning normally.

    A closer analogy would be a notification if a person was in your house. Sure, there's a chance that person is a burglar. But there's a better chance it's just an everyday occurrence that is nothing to worry about. If your security company started calling you every time a person was in your house you'd probably get annoyed pretty quickly. "Yes I know there's someone in my house. I live with my wife and two kids… it's not surprising someone is in my house. Stop calling me already!".

  34. cheong00 says:

    [Fortunately, your long-desired complete redesign is here: The Windows 8 application model. -Raymond]

    I think lots of "gold finger patch" used by gamers work by injecting threads to the game. Gamers won't like to hear this.

  35. Burak KALAYCI says:

    [Now all you have to do is convince the people who hate UAC. "If you can warn some users, even one user, why not do it?" -Raymond]

    Hey wait! *I* hate UAC!

    I miss the old times when you could know if you had malware by just listening to the extra noise (or disk light flashing) of your hard drive.

  36. Joshua says:

    [Fortunately, your long-desired complete redesign is here: The Windows 8 application model. -Raymond]

    Nah. The malware will be a traditional desktop app. Since anything with enough power to do anything interesting will be one anyway, nobody will blink. I didn't check but I wouldn't be surprised if a traditional app that calls up no windows doesn't switch to desktop when launched from metro.

  37. NB says:

    Perhaps the idea is that after some time there will ONLY be the Windows 8 application model.

    The old desktop model might stick around as optional extension like Windows XP Mode in Windows 7 perhaps.

  38. Anonymous Coward says:

    Man that was predictable. Learn to read, Raymond. If applications were properly isolated, a normal application wouldn't be able to inject threads into the control panel, or muck about with its user interface or whatever. Also, as already pointed out Win8 doesn't fix it. And again, it is possible to make warnings pop up only if the user didn't click on the checkbox in the control panel (although without knowing what XYZ is no one can be sure if that's the best solution) but to do that would require a redesign of the operating system.

    [As I already noted, new-style applications are isolated in the manner you describe. So stick to new-style applications and you're in good shape. -Raymond]
  39. Joshua says:

    [So stick to new-style applications and you're in good shape. -Raymond]

    That model can't live.

    Challenge:

    Write two applications that share data.

    Write a compiler.

    Automate builds of some project using the compiler.

    If you complete these tasks, show how the security model isn't equivalent to the classic security model.

    [Your typical end-user does not need a compiler. My point is that end-users who stick to new-style applications get the benefits of the new isolation model and can therefore use their computers more confidently. -Raymond]
  40. Joshua says:

    [Your typical end-user does not need a compiler.]

    And my point is an environment that is hostile to compilers is hostile to programmers, which results in most of the useful stuff not backed by corporate $$$ will not live in it, and so even ordinary users will be transitioning out of it all the time.

    [Can you and AC get into a room and settle your disagreement privately, then let me know what your answer is? The point is that desktop apps are the "full power, full risk" apps that you want, and the new-style applications are the "isolated applications that cannot interfere with each other" apps that AC wants. Choose the type of app based on your personality. -Raymond]
  41. 640k says:

    Sharing data between apps is so 90's. Even compilers are run in the cloud these days. File system access is GONE.

Comments are closed.