Microsoft denies Windows 7 security feature contains bug
Malware can turn off UAC, claim bloggers; Microsoft says 'not a vulnerability'
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year, when it named it one of the five factors that contributed to Vista's slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to "Don't notify me when I make changes to Windows settings," said Rivera and Long,
"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.
The pair created a proof-of-concept script that disables UAC -- one of Microsoft's most heavily promoted security features in the past two years -- and posted it online.
"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder, and because UAC is now off, run with full administrative privileges ready to wreak havoc."
Microsoft disagreed with Rivera's and Long's conclusion.
"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented."
Windows 7: Vista Reloaded
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- IT Blogwatch: Windows 7 vuln. in weakened UAC
- Microsoft denies Windows 7 security feature contains bug
- Microsoft: Six versions of Windows 7 for sake of PC makers, users
- Microsoft to offer XP-to-Windows-7 upgrades
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Windows White Papers | Webcasts