StackOverflowBlog posts tagged: uac
News and other things I find interesting
Important change to UAC when disabled with process integrity in Windows 8
Last modified: Saturday, May 26, 2012
User Account Control (UAC) is a security enhancement in Windows introduced in Vista.
It makes applications that run by administrators, by default, only have access to what limited users would have access to.
Another way to say this is that applications run at medium integrity level by default.
If an application needs more privileges, it need to request it, and Windows will show a UAC dialog. If you press Yes to elevate on the UAC dialog, the process is said to be running as a high integrity process.
UAC can be disabled, and when it is, applications in Windows Vista and Windows 7 run as high integrity processes by default.
This changes in Windows 8, if UAC is disabled, your applications will no longer run as a high integrity process, they will run as a medium integrity process.
Applications can request elevation to a high integrity process when UAC is off explicitly and no UAC dialog will be shown.
We first realized this in Firefox because we noticed the update service was being used for all updates in Windows 8, even when UAC is off.
We designed the update service to only use the service when UAC is on though.
So this change broke that design choice, and to fix it we need to check if the process is running on Windows 8 and if UAC is off.
If those conditions are met we would elevate our process which would not produce a UAC dialog.
Overall this is a great change by Microsoft though. It makes Windows more secure when users disable UAC. It's good to know about if you develop software for Windows.
Tags: firefox mozilla uac windows8
Add a new comment | 5 comment(s)
|
Moving the UAC slider to the button no longer disables UAC in Windows 8. UAC is still on! This was done because Metro apps CAN'T run if UAC if OFF. If you disable the EnableLUA setting in the registry UAC is off and you have full admin token but all metro apps can't be launched. |
|
Could you expand on the last paragraph? I fail to see how this change improves security. Sure, a process that has been compromised (buffer overflow or whatever) won't have highest privileges automatically. But if UAC is off it will be able to request them at any time nevertheless. Effectively, it's the same situation as in Windows 7 with UAC off, only one more step required. And I don't see why malware authors would be afraid of doing that step. |
|
Why does it matter whether you use the service or a free elevation? |
|
Aren't they basically just removing the ability to turn off UAC? Presumably they can afford to do that now applications have learnt to deal with the UAC restrictions, whereas if they had done it when they launched Vista then lots of applications would have been incompatible. |
|
> Could you expand on the last paragraph? It's better to have your non malware process run as medium integrity. Sometimes things can be exploited where arbitrary code cannot be executed, but there is still an exploit to be had. That's a good point though that if you can run arbitrary code through the exploit, then they are equivalent. > Why does it matter whether you use the service or a Security has asked that we only use the service when we need to so that updates only run as SYSTEM account when needed. Personally I think it's the same since any admin can install a service and start it which would run as SYSTEM account. Free elevation is a new concept though only introduced in Windows 8 so this hasn't been discussed explicitly. Maybe the second sentence in the above answer to the previous question is a reason why it's better to run the process only as SYSTEM when needed, and I think that's what security would say. > Aren't they basically just removing the ability to In a way but this run as medium with free elevation concept is new. So whether you call that the new disabled or the new level when not disabled is up to you :) |
Mozilla Firefox and silent updates
Last modified: Monday, March 26, 2012
Mozilla's rapid release process allows us to deliver features, speed optimizations, memory reductions, and much more... faster.
Keeping up to date fast is an essential need for the ever changing web.
There is a new release of Firefox every 6 weeks instead of every year. Even with this shortened release cycle, these releases still include major enhancements. These faster updates are possible because Mozilla is growing significantly, and the community of Mozillians at large is growing month over month.
The rapid release process has some very positive side effects, like delivering new web technologies faster, and attracting world class developers who like to see their code ship fast. But rapid releases also have some negative side effects.
One of the negative side effects is that minor annoyances with software updates suddenly become much more noticeable. Most users don't want to think about software updates nor version numbers and now they are being forced to do so every six weeks.
One such minor annoyance is User Account Control (UAC):
Starting with Windows Vista Microsoft introduced UAC, and with it users across the world see this familiar dialog when doing any operation that requires administrative access:
UAC in particular makes every process run with limited permissions, and if you want to do something like write into Program Files, then the user has to give permissions to the application to do this.
This makes things like automated software updates hard to do without user interaction. If we don't have access to write into Program Files to perform an update, then we have to ask for elevated permissions. We ask for elevated permissions today when applying updates.
If a user with administrative access gives permissions to Firefox one time via a UAC prompt, and that user has automatic updates on, then there is no reason we should continue to ask them to elevate the permissions each and every time we want to apply an update. The user has already explicitly given permission to do it.
If this worries you, just remember that you can change your mind at any time by configuring silent updates on the Options > Advanced > Update tab.
The feature page for this task is located here: Remove requirement for the Windows UAC dialog when applying an update. I am the lead developer on this UAC task and the estimated target is the first quarter of 2012.
What's being done to solve the UAC annoyance:
There are several ways to tackle this issue. For example, some browsers that offer silent software updates will install into the user's application data folder and hence do not have this problem. We could do the same, but we chose not to because it can be an administrative headache for some people who manage updates themselves and have to maintain an installation for every user.
We are currently experimenting with a Windows service approach.
This means that an optional component will be installed that automates the software update process better without giving UAC prompts.
Only one Firefox service:
There are four different Firefox development channels you can use. At any time there is a Firefox Release channel, Beta channel, Aurora channel, and Nightly builds channel. These channels give you access to Firefox releases at different stages of the development cycle.
A user can have multiple installations across channels, but only one Firefox service will exist in Windows Services.
Firefox service as an optional component:
The Firefox service will be an optional component. It doesn't need to be installed, and if it is stopped or disabled, updates will work as they did before in every other recent Firefox release.
A user can also uninstall the Firefox service at any time. Updates will continue to occur using the old method.
Other uses of the Firefox service:
Having a Windows service installed means that we can investigate other integration and maintenance points. The possibilities are very exciting.
The Windows service may be used later on for a wider selection of maintenance related things including faster browser startup via prefetching, but initially will be only for software updates.
High level overview of other new Silent update features
Above I mostly talked about silent updates on Windows, but there are other update issues being addressed in several new features across all platforms. This section was originally written by Robert Strong with help from Chris Lee, and Lawrence Mandel and describes these features.
All of the silent update work can be tracked on the wiki.
-
Lessen how often the "What’s New" page is shown
Estimated target: fourth quarter of 2011.
Every six weeks Firefox informs you of what is new in the release. The feedback from our users is that the information is not required and is actually an irritant. We are looking at ways of displaying information only when it provides benefit. The ability to control if the "What’s New" page should be displayed after an update was added to Firefox 4. The server side capability should be completed soon. -
Lessen how often the update user interface is displayed
Estimated target: first quarter of 2012.
After an update is downloaded in the background Firefox waits 12 hours before notifying the user to restart to apply the update and since this can interrupt tasks the wait time is being increased to 24 hours. More details including how we decided upon 24 hours are available on this feature page and the bugs referenced on that page. -
Add-ons Default to Compatible
Estimated target: first quarter of 2012.
By default, Firefox requires consent to update if there are add-ons that are enabled and compatible with the current version of Firefox and are incompatible with the update’s version. With this feature there should be significantly fewer cases where consent is required to update Firefox while keeping your add-ons installed and up-to-date as well. -
Apply updates on shutdown
Estimated target: to be determined.
After an update is downloaded users notice that it takes longer to start up Firefox on the next run. This wait time is due to the installation of the software update. To eliminate the wait time on startup to apply an update the majority of an update’s operations will be performed prior to shutdown and the few remaining operations will be performed after Firefox has exited. This applies to all desktop platforms though on Windows the service that will remove the requirement for the Windows UAC dialog will typically apply the update. -
Improved process flow for updating when there are incompatible add-ons
Estimated target: to be determined.
If an update is declined when there are incompatible add-ons the time to wait until next notification will be increased. This feature is in the planning stage and the amount of time to wait until the next notification hasn’t been decided as of yet.
Other Mozilla products:
Other Mozilla products may use the service described above. We currently plan to have only one Windows service across all products. All supported architectures are also planned to share the same Windows service.
Every feature described in this post either applies to or can be done for other Mozilla based applications such as SeaMonkey, Thunderbird, and SongBird.
Platform Integration team:
Mozilla started a new Platform Integration team which focuses on issues which need Operating System specific solutions.
I am a member of this new team led by Robert Strong. Some of the tasks being worked on by this team are described above.
Tags: uac windows mozilla firefox silent-update
Add a new comment | 39 comment(s)
|
The service is a good solution, but an small advice, Windows permit to add services with different ACLs, for example you can define that it can be started by any user. I did a long time ago an application updater, that worked this way. 1) The application executable downloaded the update files this way the Updater Service is not a long running process, It only runs when the update is being applied |
|
Thanks for the detailed post. It's a shame these things couldn't be taken care of earlier, but I'm very glad to se it happening now. |
|
Can I ask why the service is always running? Could it not be demand start? |
|
Faster launch via prefetching? That sounds suspiciously like those processes Java, Open Office and a million other applications sneakily install to slow down your OS boot (because no one will ever notice that, right, and if they do, they'll just blame Microsoft instead of us), in order to marginally speed up "our" software. Please think thrice before embarking on something like that. It's possible that it could be pulled off without actually slowing down other parts of the OS, but on the surface of it, it sounds like a great way to get binned with Java and all the other crapware that stealthily makes Windows suck just to make their own software load marginally faster. |
|
Thanks for the excellent ideas and comments. Re: Starting the service on demand. That sounds like a great idea and I'll look into doing this. Re jalf on prefetch bloat: Other uses of the service is purely speculative right now and slowing down the system is the absolute last thing we'd ever let ship in the product. Thanks for the insight though, it's appreciated. The thing I wanted to try in particular was loading the DLLs that we're already loading for the service via memory from the app instead of from disk. So a custom built LoadLibrary that works from memory instead of disk. |
|
Actually I've never saw this mechanism behaving like described when I boot into Windows 7. |
|
We will only ask for elevation right now when the user installs into a protected directory that requires elevated permissions like Program Files. Most users install into Program Files today, but if you don't you will not see those prompts. |
|
Update prompts are also worse because of another bug: it will warn you not only if addons *become* incompatible, but also when they *remain* incompatible. So most users will see a warning that several Java Console extensions are incompatible, even though they've been incompatible for ages. |
|
You can also look into what Chrome currently does. They use Windows Scheduler to schedule their update app to run at predefined periods of time. Though it's not ideal either, it's still better than a constantly running service. With sneaky changes like running services and requiring special permissions on mobile(*), FF is rapidly charging into the spayware land. |
|
Thanks for the suggestion Walter, but I don't think it will apply to Firefox. Chrome was mentioned above about how other software does software updates, but it does not apply to us because we install by default into Program Files unlike Chrome. I wouldn't call this a sneaky change as it is a public change, and it is optional. Our intent is only to not annoy users, Mozilla is non-profit organization and the one web browser on the Internet that you can trust above all others. |
|
You've probably already thought of this, but for the update-on-shutdown bit it might be worth it to see if you get any notifications if the whole session is going away (i.e. logout / reboot / poweroff) and avoid it in that case. Having to wait for things as you leave is probably more aggravating... |
|
Mook: Absolutely, good eye. That's on the list already and probably one of the harder parts of that task. |
|
Looks like a great slate of work -- I'm happy to see the UAC prompt finally go away! Random comment on updating on shutdown... It might be interesting to look at ways of applying most of the update _while_ you're running (eg to an inactive staging directory), so that there's just minimal work left to actually apply the update. Then it doesn't really matter if that's done on launch or shutdown, because it would be extremely fast. |
|
Hello. Do you know why Firefox is installed into %userprofile%\Documents\ if the user has no admin-rights (example: on machines at works, the users are no admin)? Is it normal? What about this behaviour and the new Windows service feature? |
|
As always, take care of security issues. Having a new service running is a new door for attackers. |
|
Yeah, faster updates, new releases, new this and that .... sounds great, but .... f.e what about good testings ? What about bugs and why is it necessary to speed up the development ? I´ve enough to work, so i won´t have a new (or only updated) software every few weeks to install, learn what´s new and so on and so on. If every company speed up their release cycles, where shall it go ? More and more things, that changes in shorter and shorter times ? And if the peoples = users can´t get through, sometimes they need to sleep :-), what then ? Speed up things isn´t a good solution. regards |
|
If you are thinking about other uses of this service, try to name it differently. |
|
It's great news that the UAC dialog is finally going away. Thank you! Is there already a project under way for fixing the analogous problem for Mac? Updates don't work smoothly on Mac due to file permissions if Firefox is run by a user who isn't the user who installed Firefox. |
|
> "It might be interesting to look at ways of applying most of the update _while_ you're running" Yup we're talking about this already, thanks for the suggestion. > "Do you know why Firefox is installed into %userprofile%\Documents" I think it will apply there if you install as a limited user account. > "As always, take care of security issues." We will be scheduling a security review this week on the project to ensure we're on the right track and that we're thinking of everything. > what about good testing ? ... I personally believe that the new development channels that we have will ensure a more stable product. More users are using the pre-releases for longer periods of time now who accept that it's not a final release and may have some issues. |
|
> The Windows scheduler cannot be used to automatically gain elevated permissions. This is not correct from what I understand. Scheduled tasks may run with elevation, see http://www.winhelponline.com/blog/run-programs-elevated-without-getting-the-uac-prompt/ for an example or the description of the "Run with highest privileges" option in TechNet (http://technet.microsoft.com/en-us/library/cc722152.aspx) If you made your decision to implement an update service based on the assumption that this was the only way to bypass the UAC prompt, then I'd be glad if you reconsider that decision. Anything that does not rely on yet another update service permanently up and running with full privileges will be much better. |
|
> If you are thinking about other uses of this service, try to name it differently. The name is very much an open question still and won't be as I mentioned above. > Is there already a project under way for fixing the analogous problem for Mac? Please post to https://bugzilla.mozilla.org/enter_bug.cgi?product=Toolkit in the component Application Update to ensure. > ... Scheduled tasks may run with elevation ... Right I didn't say they can't run elevated, just that they can't be used as a trick to run elevated for unelevated processes. > Anything that does not rely on yet another update service permanently up and running with full privileges will be much better. I think we'll only start it when needed and shut it down again right, so it will have no overhead on system performance. |
|
>> "I think it will apply there if you install as a limited user account." Thanks for replying. Don’t you think it's a "largesse" that takes Firefox with the limited Windows user account? Does not Firefox stop the install in such a case? |
|
Concerning starting the Update service on demand (via Task Scheduler): that is how Google's Update Service does it, and it works really well. I would very much prefer this solution over a prcoess running all the time. |
|
> Does not Firefox stop the install in such a case I have never tried it myself but I've heard that it's allowed. |
|
I wonder if and how you ever will make firefox fit into a company's infrastructure. AFAIK there is no real support to deploy FF in an ADS-environment. Same being true for centralized management via GPO. Till some point we were ready to accept all this, but re-installing/patching every 6 weeks in a managed network (i. e. no user ever has an account with admin privs) is simply a waste of time and money. My boss is thinking of switching to chrome, because in his view chrome suits the needs of our it budget. If somehow, someday MS is to make an reasonable secure browser, company it stuff will gladly skip any third party browser. |
|
> I wonder if and how you ever will make firefox fit into a company's infrastructure I think this article may be of interest to you: https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal |
|
If there is one thing that would get me to drop Fire Fox completely, it would be forced updates. I like fire Fox but I detest the every 6 week updates and the resulting loss of crucial add-ons. I updated to FF 7.1 and lost the ability to reach several websites. Luckily. I still had the 6.0 DMG and was able to reinstall. I will not accept forced updates. |
|
Please enable this as soon as possible. It will protect the majority of layman users and more technical have a option to turn it off so it is a win win situation. |
|
Ahh, not one more boot service please. Would it be possible to integrate with, for example, Google Update Service instead? |
|
> I will not accept forced updates. You can configure updates in the Options. > Ahh, not one more boot service please It will not be a boot service, it will be an on demand service. |
|
Will the enterprise version be available to consumers? I really detest this rapid update cycle. I think once a year is plenty often for Fx to upgrade to a new version. I've been using Mozilla browser from 2001 and then Phoenix, Firebird, Firefox and this is the worst change I have seen in all these years. I very much want to use the Enterprise version. I want to be able to use the Enterprise version although even with it the upgrades are too frequent but a lot more sensible than with the consumer version. |
|
> Mele20: The updates tab in Options is probably your best bet you can turn off checking for updates there. |
|
Yes! A service-based update model will allow co-existence of updating and sandboxing on end-user machines. I prefer to set up friends' WinXP computers with Firefox (because XP does not have the half-decent IE9) and Thunderbird (to avoid migration issues between some of the MS email clients), but also with Sandboxie. At the moment this means having to turn off automatic updates, and give the end-users precise instructions for manual updates (shut down the sandboxed programs, open them normally, and manually trigger the updates). Roll on Q1 2012. |
|
I absolutely needs some extensions (not in AMO) and do not accept to update if they are not compatible to the new release. |
|
> So I don't wish to have an automatic update without my control ! You can configure this to do everything you want already, and in the future via the preferences. |
|
>> ... Scheduled tasks may run with elevation ... > Right I didn't say they can't run elevated, just that they can't be used as a trick to run elevated for unelevated processes. It's not a way for a process to auto-elevate itself, that's right. But nonetheless you should take a look at the schtasks.exe utility coming with Windows Vista and 7. It's able to start a previously defined elevated task from an unelevated process. |
|
Brian- |
|
I wanted to mention this to the developers of the silent update service - if the service ever attempts to connect to the internet, firewalls will block it and it will be unreliable. If the download is done by the browser and then the updating is done by the background service that should work much better. |
|
The browser will do the download, the service will use the already downloaded update. A signature check is done on the downloaded file to ensure it has not been tampered with by the service before applying the update. |
