non-administrator can install - why?

Ross Brown

[Reposting from Jan. 7; hoping for a reply from
Microsoft.]

Microsoft AntiSpyware 1.0 Beta 1's help file says that
the software can only be installed by administrators on
modern Windows OSs. Contrary to that statement, I'm
finding that anyone with Power Users privilege can
install it. The result is that it is available only to
that one user.

Apart from this being a documentation error, I'm
wondering, how could the MAS installer accomplish the
necessary tasks unless it's running as an administrator?
Are the hooks it installs only valid in the context of
processes that run as the user? How does it put its own
hooks in all the right (ACL-protected) places in the
registry?

More generally, could someone from Microsoft explain the
chain of trust that assures us that malware can't disrupt
the operation of MAS, e.g., by replacing gcasServ.exe
(something any Web Trojan could do when running as a
Power User), or trying to alter the cached spyware
signatures? I see that there are some digital signatures
in use, but I'd like to know the "comprehensive"
explanation. At first glance, the security seems weak.

Ross Brown
Computer Sciences Corporation
(e-mail address removed)
 
Kent W. England

Ross Brown wrote on 13-Jan-2005 10:37 AM:
> [Reposting from Jan. 7; hoping for a reply from
> Microsoft.]
>
> Microsoft AntiSpyware 1.0 Beta 1's help file says that
> the software can only be installed by administrators on
> modern Windows OSs. Contrary to that statement, I'm
> finding that anyone with Power Users privilege can
> install it. The result is that it is available only to
> that one user.

This is a nomenclature difference between the XP environment and the
win2K environment.

Power Users can install software on 2K and XP. XP Home Edition only has
Administrators and Users (called limited accounts) and this description
often carries over to discussions of XP Pro and 2K.

Everything I have read about Power Users tells me they can install
software (write to Program Files and HKLM\Software).
 
Ross Brown

What you say about Power Users is true, but no, it's
right there in the Help (under the System Requirements
topic):

"If you are installing on Windows 2000, Windows XP, or
Windows Server 2003, you must install with administrator
privileges."

So, (A) the help is incorrect, and (B), the fact that
it's incorrect worries me - it *should* require
administrator privilege to install this software, else
it's not protecting the entire system, and can be
subverted by the first Trojan that comes along.

Ross Brown
Computer Sciences Corporation
(e-mail address removed)
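
An added example, not part of the original thread and not Microsoft's code: a PowerShell audit for the concern discussed above, that an account able to write to Program Files or HKLM\Software could replace or alter a protection service's files and settings. The script name, the function name and the paths passed in are assumptions; the thread does not give the product's install location.

```powershell
# Added example. Usage (paths are placeholders, not taken from the thread):
#   .\Find-UntrustedWriteAce.ps1 -Path 'C:\path\to\gcasServ.exe','HKLM:\SOFTWARE'
param([Parameter(Mandatory)][string[]]$Path)

# SIDs that are expected to hold write access; every other principal is reported.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing or altering the object, or changing its ACL.
$fsWrite  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$regWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $acl = Get-Acl -LiteralPath $LiteralPath
    # Ask for SIDs rather than names so the comparison is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries affect children, not this object.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }

        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $ace.RegistryRights; $mask = $regWrite
        } else {
            $rights = $ace.FileSystemRights; $mask = $fsWrite
        }
        if (([int]$rights -band [int]$mask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $LiteralPath
            Sid       = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($p in $Path) {
    # For a file, also check its folder: write access there allows replacing the file.
    $targets = @($p)
    if (Test-Path -LiteralPath $p -PathType Leaf) { $targets += Split-Path -Path $p -Parent }
    $targets | ForEach-Object { Get-UntrustedWriteAce -LiteralPath $_ }
}
```

An empty result means only the listed trusted principals can modify the object; any row returned names a principal that can.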