Microsoft denies Windows 7 security feature contains bug
Malware can turn off UAC, claim bloggers; Microsoft says 'not a vulnerability'
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year, when it named it one of the five factors that contributed to Vista's slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to "Don't notify me when I make changes to Windows settings," said Rivera and Long,
"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.
The pair created a proof-of-concept script that disables UAC -- one of Microsoft's most heavily promoted security features in the past two years -- and posted it online.
"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder, and because UAC is now off, run with full administrative privileges ready to wreak havoc."
Microsoft disagreed with Rivera's and Long's conclusion.
"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented."
Windows 7: Vista Reloaded
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- IT Blogwatch: Windows 7 vuln. in weakened UAC
- Microsoft denies Windows 7 security feature contains bug
- Microsoft: Six versions of Windows 7 for sake of PC makers, users
- Microsoft to offer XP-to-Windows-7 upgrades
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Taking Windows Mobile on Any Device Taking Windows applications mobile has many advantages, but the process of identifying a solution is complex. Learn how to solve this complex problem...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Windows White Papers | Webcasts