Microsoft denies Windows 7 security feature contains bug
Malware can turn off UAC, claim bloggers; Microsoft says 'not a vulnerability'
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year, when it named it one of the five factors that contributed to Vista's slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to "Don't notify me when I make changes to Windows settings," said Rivera and Long,
"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.
The pair created a proof-of-concept script that disables UAC -- one of Microsoft's most heavily promoted security features in the past two years -- and posted it online.
"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder, and because UAC is now off, run with full administrative privileges ready to wreak havoc."
Microsoft disagreed with Rivera's and Long's conclusion.
"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented."
Windows 7: Vista Reloaded
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- IT Blogwatch: Windows 7 vuln. in weakened UAC
- Microsoft denies Windows 7 security feature contains bug
- Microsoft: Six versions of Windows 7 for sake of PC makers, users
- Microsoft to offer XP-to-Windows-7 upgrades
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Windows White Papers | Webcasts