Fixing "LUA Bugs", Part II

re: Fixing "LUA Bugs", Part II

PJ — Mon, 22 Oct 2007 17:34:16 GMT

thanks for these informations.

Reading this article i search for explanation why 'cocreateinstance' may fail when UAC is On...I did'nt find it.

did you have some ideas?

[Aaron Margosis] Most likely it's because the component you're trying to instantiate is doing something that requires admin- or admin-like permissions. Another possibility is that if you are running elevated and try to instantiate something that is registered in HKCU\software\classes, COM ignores that hive when the caller is running elevated.

Changing access control on folders vs. files

Aaron Margosis' WebLog — Fri, 16 Feb 2007 05:14:36 GMT

More info on the risks of changing access control lists to fix LUA bugs.

re: Fixing "LUA Bugs", Part II

Doug Deden — Wed, 27 Sep 2006 15:20:00 GMT

Permutor -

The Student Edition of Office 2003 did the same thing to me. The problem was access rights to a part of the Program Files\Common Files directory structure. I think it was MSOCache, which Office uses to install parts as needed. Even though I did a full install as admin, apparently limited users still needed to see MSOCache. I think I just gave them read-rights, but I don't have that PC handy.

Changed permissions on your %windir%

The things that are better left unspoken — Wed, 06 Sep 2006 08:39:49 GMT

On the second Tuesday of the month Microsoft introduces updates for it&#39;s products. As a system administrator

Changing permissions on your %windir%

The things that are better left unspoken — Tue, 05 Sep 2006 23:14:56 GMT

One way of coping with the challenges corresponding with "the principle of least administrative privilege"

LUA Buglight public [pre]-release

Aaron Margosis' WebLog — Tue, 08 Aug 2006 00:01:08 GMT

"Why does Application XYZ need to run as admin?"

re: Fixing "LUA Bugs", Part II

jjudeb — Thu, 27 Jul 2006 22:38:10 GMT

We're experiencing the same problem as Permutor, installing MSOffice 2003 Professional on a Citrix server. Everything works fine for Administrator, but not for limited user. Since Citrix Published Applications run under Anonymous user accounts, MSOffice cannot be used as a published application any more. Everything worked fine for years with MSOffice XP, but it's hosed with MSOffice 2003.

re: Fixing "LUA Bugs", Part II

John Bokma — Mon, 17 Jul 2006 02:39:18 GMT

Hi Aaron,

Contacting the developer of a program in order to report a LUA bug might be a huge PITA. I did twice, and on both accounts the developers came up with wonderful stories why the application misbehaved. See:

http://johnbokma.com/mexit/2005/11/09/irfanview-ini-fix.html

and

http://johnbokma.com/mexit/2006/07/14/launchy-lua-bug.html

Changing access control on folders vs. files

Aaron Margosis' WebLog — Tue, 20 Jun 2006 05:16:42 GMT

More info on the risks of changing access control lists to fix LUA bugs.

re: Fixing "LUA Bugs", Part II

Aaron Margosis — Tue, 09 May 2006 19:44:13 GMT

AC - no, I'm not saying that users shouldn't be able to - I'm just pointing out some caveats:

1) Many applications won't install correctly even to a folder the user can write to, because the installation may try to register COM/DCOM components (writing to HKCR) or write other configuration data to HKLM, etc.

2) Many organizations do not want end users installing unauthorized programs due to legal, licensing, security or compliance issues.

3) As I mentioned before, binaries that the user can write to increases attack surface - at least for that user.