Microsoft changes Windows 7 UAC after new exploit code surfaces
Bug in User Account Control is now fixed, claims Microsoft, but not in beta version users have
Computerworld - A pair of Windows bloggers posted more proof-of-concept code today that subverts an important security feature of Windows 7, a problem that Microsoft knew about as long ago as last October and that one of its software engineers said would be fixed in the beta.
Today, however, the company said it had addressed the issue in post-beta builds that have not yet been released to the public.
According to bloggers Rafael Rivera and Long Zheng, hackers can easily piggyback on "preapproved" Microsoft applications and code to trick Windows 7 into granting their malicious code full access rights to a machine. "This is a real threat," Rivera, who is also a developer, said in an interview today. "No reconfiguration of UAC is necessary."
At issue is UAC, or User Account Control, a security feature that prompts users for their consent before allowing tasks such as program and device driver installation to take place. UAC, which debuted with Windows Vista in 2007, has been modified by Microsoft in Windows 7 in an attempt to dampen criticism of the feature, which has been blasted by users as being too intrusive.
In Windows 7, UAC prompts the user less frequently, in part because it checks to see whether the application making changes to the system is preapproved, said Rivera and fellow blogger Long. If the application is considered safe -- Microsoft uses a combination of a digital certificate and a new, undocumented flag to mark approved code -- UAC steps aside and "auto-elevates" the application without putting up a prompt.
The trouble, according to Rivera and Long, is that attackers can use one of several preapproved applications to fool Windows 7 into giving a malicious payload full administrative rights, something it would not have if the user were following Microsoft's advice and running the operating system in standard user mode.
"Windows will ... automatically elevate the process to High Mandatory Level, executing your payload wearing an administrative hat," Rivera said in a post to his blog early this morning.
The danger, he and Long argued, is real and significant. "Existing malware can be easily tweaked to accommodate the new weaknesses in Windows 7," Rivera said via instant messaging today.
Although Rivera and Long reported their concerns to Microsoft, it was not the first time the company faced questions over Windows 7's implementation of UAC. In late October, just days after Microsoft handed out an early version of the new operating system to developers at its Professional Developers Conference (PDC), users running the preview began debating UAC's weaknesses on Microsoft's own Channel 9 Web site.
Windows 7: Vista Reloaded
- New post-beta Windows 7 build leaks to Web
- Report: Free Windows 7 upgrades to run until January 2010
- Microsoft dumps Ultimate Extras from Windows 7
- HP says its netbooks will likely run three versions of Windows 7
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!