Yesterday I wrote about Joanna Rutkowska’s work that highlighted a serious security flaw in Windows Vista. Her finding was that in Vista, many applications require that they be installed with administrator privileges, and that during the install process users are given two options: 1) install with elevated privileges, or 2) don’t install the application at all.
Yesterday’s post was sloppy, however. It came to the conclusion that Microsoft made a security design error in implementing this system. The truth of the matter is that there is a serious security problem with respect to Vista, but that problem is not due to a recent decision by Microsoft.
The real problem is that thousands upon thousands of Windows 9x and XP applications were written according to the old security model, i.e. the one in which installers could spray their parts all over the system with no issues because they ran as administrator. This won’t work in Vista because Microsoft has moved to a restricted user model, so Microsoft has only one choice — allow those applications to install with elevated rights.
Microsoft had no other choice, really. The alternative is telling people that their old programs are insecurely written and can’t be used. That wouldn’t go over well. Unfortunately, allowing the applications to go in as administrator creates a major problem for Microsoft: it trains the users to say yes when an application asks to be installed with elevated privileges.
This is what’s going to do the real damage. It’s the fact that people are going to get so used to allowing legitimate applications to install with elevated rights that when a piece of malware asks to do the same they’ll happily oblige.
Not good.
But it’s not a Vista problem, really. It’s going to hurt Vista, but the real problem is legacy support. It’s ironic, really: all this work to make Vista more secure, and it’s going to be largely undermined by how lax they were in the past.