Sensationalist News & Tergiversation

It's curious how even in internet "the news" manipulate and tergiversate information to make it more interesting, dramatic, or like in this example, worse than really is.

Let's take a news post from The Register (a sensationalist site which from time to time says something useful, the rest of the time wastes bandwith of its readers): Program Names govern admin rights in Vista.

The article says:

"[...] If Vista sees that you have created a Microsoft Visual C++ project with install in the project name, then that .exe will automatically require Admin Rights to run. Create exactly the same project, but call it, say, Fred, and the problem disappears," he explained. "Vista's security isn't just concerned with what an .exe is doing to your PC, but what it's actually called. [...]"

F**k! All that UAC and security stuff was for nothing? Oh, we're doomed!!!

But wait... What if we dig a bit and read something about installers, UAC and Vista? Maybe we should try

Ok... we can find a lot of info, and we can download all of it in CHM. Let's do it.

We open the CHM file, and navigate to Fundamentals -> Secure Applications -> Developing Secure Applications -> User Account Control (UAC) -> How UAC Works -> New Technologies for Windows Vista

Mmm... "Installer Detection"... What can this topic title mean?

"[...] Windows Vista heuristically detects installation programs and requests administrator credentials or administrator approval in order to run with access privileges. Windows Vista also heuristically detects updater and un-installation programs. A design goal of UAC is to prevent installations from being executed without the user's knowledge and explicit consent since installations write to protected areas of the file system and registry."

"[...] Installer Detection only applies to:

1. 32 bit executables

2. Applications without a requestedExecutionLevel

3. Interactive processes running as a Standard User with UAC enabled

Before a 32 bit process is created, the following attributes are checked to determine whether it is an installer:

  • Filename includes keywords like "install," "setup," "update," etc.

  • Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.

  • Keywords in the side-by-side application manifest embedded in the executable.

  • Keywords in specific StringTable entries linked in the executable.

  • Key attributes in the resource file data linked in the executable.

  • Targeted sequences of bytes within the executable."

So, what do we have here... So it's not just the name. And more important, to make an application friendly to Vista's UAC you should create an application manifest and specify the requestedExecutionLevel.

Then, maybe this "installer name stuff" is not only part of additional security countermeasures, but a way to try to "catch" old installers and possible malware...
I've seen this news changed to even telling that UAC is "more or less just related to the exe name".

I don't think about myself as a "pro-MS" developer (excepting that I love C#), I don't love Vista and prefer Windows XP, but I'm actually working with UAC and developing a Vista-compatible application and the truth is that it may not be perfect, but it's a good improvement from the XP security model.

And I hate information manipulation ;)


Posted by Kartones on 2007-04-23