Microsoft 'neutered' UAC in Windows 7, says researcher
Blocks only 1 out of 8 Trojans from executing, claims Sophos
Computerworld - Microsoft Corp.'s decision to reduce the number of annoying security messages that Windows 7 delivers when users install software makes the new operating system more vulnerable to malware infection than Vista was, a researcher said today.
"UAC was neutered too much by Microsoft," argued Chester Wisniewski, a senior security adviser at Sophos PLC, talking about User Account Control (UAC), a Windows security feature that Microsoft debuted with Vista.
UAC prompts users for their consent before allowing a task such as the installation of a program or a device driver to take place. In an attempt to quash user complaints about the constant intrusions, Microsoft modified UAC so it appears less frequently in Windows 7.
That wasn't a good idea, said Wisniewski.
"We wanted to know if UAC was going to be effective in Windows 7," he said. "So we grabbed the next 10 [malware] samples that came in and tried them out."
The 10 samples, most of them Trojan horses, were loaded onto a clean Windows 7 PC that lacked antivirus software, simulating payloads that an actual exploit would deposit on a compromised computer. Wisniewski then ran each piece of malware -- as if a user had been duped into launching a file attachment or had surfed to a malicious site and been victimized by a drive-by attack and subsequent silent download.
Two of the 10 samples would not run under Windows 7 (probably because they were designed to execute on the far-more-common Windows XP and Vista), and of the remaining eight, only one triggered a UAC prompt, said Wisniewski.
He acknowledged that the test was just a quick-and-dirty exercise that didn't accurately portray how secure Windows 7 was overall -- or how well it would withstand attack if it was protected by even a basic antivirus tool like Microsoft's free Security Essentials. The point was to see how much Windows 7's reconfigured UAC would help block malware that made it past security software or got by the operating system's other defense mechanisms, like DEP (Data Execution Protection) and ASLR (Address Space Layout Randomization).
"UAC is really not protecting users properly," Wisniewski said. "Frankly, people should turn it back into the more aggressive mode, like Vista," he said, referring to the fact that users have the ability to set the frequency of UAC alerts. "And if you find it annoying, you might just as well turn it off, because otherwise it's not doing any good."
UAC's effectiveness has been questioned before. Last February, for instance, a developer for a Virginia-based company that sells secure messaging software to the U.S. government and a well-known blogger claimed that a change to UAC 7 could be exploited by attackers to secretly disable the feature. Microsoft first denied that that aspect of the software was a bug, saying instead that it was by design. But it later backpedaled and promised to fix the problem.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts