Windows 7 Testers Uncover UAC Security Issue
Microsoft developer Long Zheng, author of the blog istartedsomething, on Friday posted a proof-of-concept for the vulnerability in the Windows 7 beta, and said it stemmed from Microsoft's efforts to make UAC in Windows 7 less annoying than it was when it was introduced with Windows Vista.
UAC boosts security by reducing application privileges from administrative to standard levels, with the goal of minimizing the damage caused by exploits, and by giving users the chance to approve or disapprove actions through pop-up dialog boxes.
But many Vista users found the constant, nagging pop-up alerts UAC generated to be intolerable, and the solution, at least for some users, was simply to turn off UAC. That's why Microsoft designed a new UAC Control Panel in Windows 7 that gives administrators more control over UAC alerts.
But Windows 7's default UAC setting is to alert users only when third-party programs try to make changes to a PC, and not when users make changes to Windows settings. According to Zheng, because Windows 7 treats changes to UAC as changes to Windows settings, turning UAC off completely generates no alert at all, which is why this issue has dangerous implications.
"You could automate a restart after UAC has been changed, add a program to the user's startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc," Zheng wrote in a blog post.
Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider, said UAC offers questionable security benefits because most users simply don't know the difference between a malicious application and a legitimate one.
"A warning that says 'BlackD.exe is trying to access the network, do you want to allow this?' is meaningless to most users," Plato said. "How are they supposed to know if BlackD.exe is good or bad? What are they supposed to do, open up the source code and look for malicious stuff?"
The good news, according to Zheng, is that Microsoft could easily address the UAC issue without detracting from its security benefits by forcing a UAC prompt in Secure Desktop mode whenever changes are made to UAC.
However, Microsoft has indicated to Windows 7 beta testers that the UAC issue is part of the Windows 7 design and won't be fixed in the final version. Microsoft couldn't be reached for comment.
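A defender-side check that follows from the article, as an added example that is neither Zheng's proof-of-concept nor Microsoft's code: a PowerShell function that reads the three UAC policy values behind the Windows 7 Control Panel slider and reports when UAC has been switched off, when administrators elevate without a prompt, or when prompts are not shown on the Secure Desktop that Zheng proposes as the fix. The registry path and value names are the documented UAC policy values; the slider-to-value mapping and the defaults assumed for missing values are assumptions taken from later Microsoft documentation, not from the article.

```powershell
# Added example, not from the article. Audits the UAC policy values that the
# article's scenario depends on. Assumed Windows 7 defaults for values that are
# absent from the registry: EnableLUA=1, ConsentPromptBehaviorAdmin=5,
# PromptOnSecureDesktop=1 (the "notify only when programs make changes" level).
function Get-RegValueOrDefault($props, [string]$name, [int]$default) {
    if ($null -ne $props.$name) { return [int]$props.$name }
    return $default
}

function Get-UacPolicyStatus {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    $enableLua  = Get-RegValueOrDefault $p 'EnableLUA' 1
    # Assumed mapping: 0 = elevate silently, 2 = always prompt, 5 = prompt only for non-Windows binaries
    $adminMode  = Get-RegValueOrDefault $p 'ConsentPromptBehaviorAdmin' 5
    # 1 = prompt on the dimmed Secure Desktop, isolated from other user-mode software
    $secureDesk = Get-RegValueOrDefault $p 'PromptOnSecureDesktop' 1

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): administrators run fully elevated with no prompts.'
    }
    if ($adminMode -eq 0) {
        $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0).'
    }
    if ($secureDesk -eq 0) {
        $findings += 'Prompts are not shown on the Secure Desktop (PromptOnSecureDesktop=0).'
    }
    if ($enableLua -eq 1 -and $adminMode -eq 5) {
        $findings += 'Default Windows 7 level: changes to Windows settings, including UAC itself, do not prompt.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDesk
        AlwaysNotify               = ($enableLua -eq 1 -and $adminMode -eq 2 -and $secureDesk -eq 1)
        Findings                   = $findings
    }
}

# Usage: run from an elevated or standard prompt; reading this key needs no elevation.
Get-UacPolicyStatus | Format-List
```

An empty Findings list with AlwaysNotify set to True corresponds to the "Always notify" slider level, the only Windows 7 setting that prompts on the Secure Desktop for changes to UAC itself.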