Feature request: Install and update as administrator to prevent tampering
I understand 1Password 7 has now installs itself into the user's application data folder to allow use on PCs where the user is not an administrator, but that also means 1Password can potentially lose out on some self-protection. By being installed into "Program Files" -- a high-integrity folder -- normal-integrity applications can't modify 1P's files to hook into it. But by being in "AppData", a malicious app can replace (or proxy) a 1Password library without needing admin privileges.
Could that be added to 1P7W as something optional? Similar to how Chrome can install (and update) itself in either "Program Files" or "AppData", based on the user's privileges.
1Password Version: 7.0.532
Extension Version: 4.7.1.3
OS Version: Windows 10 Pro 1703 (Creators Update)
Sync Type: Dropbox
Comments
-
Hi @Smileybarry,
Thanks for writing in.
It wouldn't prevent temperating even if you install 1Password to ProgramFiles as admin because the user launching it still runs it with their normal-level user access. The reason is that once the user account is compromised with a malware, that malware can just inject into any processes running form ProgramFiles as 1Password wouldn't be running under the admin level. System memory is a critical problem too.
Even so, the main reason for ProgramFiles is to install 1Password once for all users. This isn't going to change for the 1Password 7.0 release but we do want to reconsider our installer for the near future to support various edge cases.
I understand 1Password 7 has now installs itself into the user's application data folder to allow use on PCs where the user is not an administrator,
That isn't the only reason, automatic updating and other features do not work without admin rights. As soon as we switched to AppData, the number of install and update issues we saw dropped by 90% and almost all users are updating continuously to current update faster than ever. The simpler the updater/installer, the better it is for everyone.
We want to find a better installer that permits what you're asking but we haven't found one, we've tried ClickOnce, MSI, and so many that each had more problems than it helps.
0 -
The reason is that once the user account is compromised with a malware, that malware can just inject into any processes running form ProgramFiles as 1Password wouldn't be running under the admin level.
I know it doesn't affect runtime permissions, but what I meant is at least in that scenario a persistent hook couldn't be installed into 1Password by modifying its files. There are also several more mitigations available (enforce EXE/DLL integrity check, disallow non-DLL code allocations, DLL-load notification callback, etc.). But I see what you mean, and the end result might not be worth it if it doesn't stop a determined attacker.
Regarding easy updating: have you considered deploying 1Password to the Store as a desktop bridge app? If you simply package a desktop app (not UWP) your runtime capabilities are no different than a manually-run executable, but you still benefit from the Store keeping you up-to-date. (and apparently it also prevents outside injections in the same way that UWP apps cannot be injected into)
0 -
Hi @Smileybarry,
But I see what you mean, and the end result might not be worth it if it doesn't stop a determined attacker.
Yep, in this case, the benefits trump the end result. Not to mention having everyone on the latest version of 1Password with security improvements over time is also more helpful as well but at the same time, a determined attacker would be able to block the said traffic to our update service anyway.
It's just the question of how can we have the best of both worlds and so far, we haven't found one yet. We won't stop looking for sure.
Regarding easy updating: have you considered deploying 1Password to the Store as a desktop bridge app? If you simply package a desktop app (not UWP) your runtime capabilities are no different than a manually-run executable, but you still benefit from the Store keeping you up-to-date. (and apparently it also prevents outside injections in the same way that UWP apps cannot be injected into)
Yes, that's how we have support for 1Password extension in Edge that works with 1Password desktop app for standalone vaults. It's a bridged middleman app that communicates between the 1Password extension in Edge and 1Password desktop, with four separate processes involved. :scream:
Why didn't we add the full desktop app, you may ask next? The problem is UWP apps are not allowed access to the Windows registry, which means no support for Chrome/Firefox and other browsers except for Edge as we need it for Native Messaging support.
UWP apps have a virtualized "clone" of the registry and cannot modify the regular registry.
We're trying to talk to Microsoft about this because if they fix that, you can bet that we'd look at porting it to Microsoft Store.
0
