Microsoft denies Windows 7 security feature contains bug

Malware can turn off UAC, claim bloggers; Microsoft says 'not a vulnerability'

Microsoft Corp. insisted today that what outsiders have called a "security flaw" in Windows 7 is not a bug, but the way the new operating system is meant to work.

Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.

UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year, when it named it one of the five factors that contributed to Vista's slow adoption pace.

In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to "Don't notify me when I make changes to Windows settings," said Rivera and Long,

"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.

"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.

The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.

The pair created a proof-of-concept script that disables UAC -- one of Microsoft's most heavily promoted security features in the past two years -- and posted it online.

"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder, and because UAC is now off, run with full administrative privileges ready to wreak havoc."

Microsoft disagreed with Rivera's and Long's conclusion.

"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."

The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented."

Andrew Storms, director of security operations at nCircle Network Security Inc., took Microsoft's side in the discussion. "I would agree [that] it is functioning as designed," said Storms via instant messaging. "The word 'vulnerability' is probably misplaced in this case. [And] the point is that it had to have gotten on there and run by something ... a user clicking, some third-party software, etc."

The Microsoft spokesman declined to answer a question about whether the company would alter UAC behavior in Windows 7 as it moves from beta to the next milestone, a release candidate. Long, however, noted that on the official feedback forum for Windows 7 beta testers, Microsoft has hinted that it will not change the UAC default settings.

In a follow-up entry posted Saturday, Long remained mystified by Microsoft's reluctance to address the issue. "What I do not understand is how they are treating the seriousness of this problem," he said. "Microsoft's argument is entirely based on the user, which I agree to an extent -- they have to download and execute such an application, but remember, this can be a low-privileged application so it would have no warnings whatsoever.

"How could a low-privileged application be[ing] able to turn off the entire privileged-applications security-layer not be a security flaw?" he asked.

Users can protect themselves by simply resetting UAC settings to the "Always notify" option. "Annoying, but safe," said Long.

To change UAC's settings in Windows 7, locate the control panel -- typing "UAC" in the Start menu's search field is the fastest way to bring it up -- then drag the slider up to the "Always notify" mark. Click OK.

This is not the first time that Windows 7's version of UAC has come under fire. Last October, BeyondTrust Corp., a developer of enterprise rights management tools, ripped Microsoft's plans to alter UAC in Windows 7, saying that the changes were cosmetic and nothing more than "lipstick on a pig."

Microsoft launched a public beta of Windows 7 three weeks ago and recently extended the download deadline to Feb. 10.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
7 Wi-Fi vulnerabilities beyond weak passwords
Shop Tech Products at Amazon