roger_grimes
Columnist

Is Windows Vista’s user security elevation better than Mac OS X’s?

Analysis
Mar 05, 2006
3 mins
Data and Information Security, Security

Will Windows Vista have an edge in user security elevation over Mac OS X?

Both Windows Vista and Mac OS X strive to ensure that most users work, and most actions run, under accounts with limited permissions and rights (Microsoft has dubbed this Limited User Account, or LUA). Both OSs prompt the user, even an administrator or root, for an additional logon and confirmation when the user (or a program running in their user context) attempts to do something that requires elevated privileges (e.g., install a program or modify the system kernel).

Mac OS X has had this since the beginning, and Microsoft’s upcoming Windows Vista will be released with a similar mechanism. I’ve tried out both OS X and Vista, and to be honest I didn’t see much difference. I was delighted to see Microsoft adopt a similar LUA strategy. While it won’t stop all malware and hackers, it will decrease some of the older malware and make it tougher for new malware to succeed. Most importantly, a LUA strategy will prevent most spyware and adware from being automatically installed against the user’s wishes, and that’s a good thing.

A friend of mine, Dana Epp, a fellow MVP in Security, had this to say:

The Vista model approach is far superior to Apple’s sudo model if you ask me. And here is why…

When Apple OS X prompts for elevation and it has accepted, the default configuration for the built-in sudo actually has a period of time in which you can run ANY privileged tasks repeatedly without having to provide your credentials again. It is possible to manually go into the OS and remove this grace period, but the very fact it allows ANYTHING to be executed with elevated privileges shows a weakness in the ability to control the per-process security context that Vista provides.

Windows re-prompts for elevated credentials for each and every process. More importantly, when Vista prompts the user for elevation of privilege, it’s not actually doing it on the native desktop as you would be led to believe (which OS X’s sudo does). It’s actually a neat little trick. They take a screenshot of your working desktop, then flip to a secure desktop. Moving to the secure desktop eliminates attack vectors born from malware that may use API hooking, keystroke loggers, etc. to capture credentials or force a security decision that the user doesn’t want to make. Vista then paints your desktop on the background and then gives you the elevation prompt over top of that. It APPEARS as if you are on your desktop, when you are not. Nice trick.

In my opinion, that is much safer than OS X’s sudo.
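
The sudo grace period described in the comment above is governed by the sudoers `timestamp_timeout` option. As an added example (not part of the original column or of the quoted comment), this Python script reports the effective value per `Defaults` scope in a sudoers text. The 5-minute fallback is an assumption based on upstream sudo's default, and the sample input is constructed.

```python
import re

# Assumption: upstream sudo's compiled-in default (5 minutes); vendor builds may differ.
ASSUMED_DEFAULT_MINUTES = 5.0

DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')   # split on commas outside quotes
TIMEOUT_RE = re.compile(r"^timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)$")


def timestamp_timeouts(sudoers_text):
    """Map each Defaults scope ('' = global) to its timestamp_timeout in minutes."""
    found = {"": ASSUMED_DEFAULT_MINUTES}
    joined = sudoers_text.replace("\\\n", "")   # fold continuation lines
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("#"):                # comment (or #include, not followed here)
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in OPTION_RE.findall(m.group("opts")):
            t = TIMEOUT_RE.match(opt.strip())
            if t:                               # a later setting overrides an earlier one
                found[m.group("scope") or ""] = float(t.group(1))
    return found


def classify(minutes):
    """Describe what a timestamp_timeout value means for re-prompting."""
    if minutes == 0:
        return "prompts every time"
    if minutes < 0:
        return "credentials never expire"
    return f"grace period of {minutes:g} min"


# Constructed sample input, not taken from any real system.
SAMPLE = '''\
# constructed sudoers fragment
Defaults env_reset, timestamp_timeout=15
Defaults:backup timestamp_timeout=-1
Defaults secure_path="/usr/bin:/bin", \\
         timestamp_timeout=0
'''

if __name__ == "__main__":
    for scope, minutes in timestamp_timeouts(SAMPLE).items():
        print(f"{scope or 'global':10} {classify(minutes)}")
```

A global value of 0 gives the per-command prompting the comment credits to Vista; a negative value in any scope is the setting to flag first in a review.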

————

[Note to anyone commenting back, I don’t want this blog entry to dissolve into a “my OS is more secure than your OS” flame thread. I’m interested in thoughts on the user elevation schemes used by either OS.]

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
