[dailyteck]Windows 7 UAC Leaves Door Open for Attacks - Overclock.net

noobdown · 02-03-09

Quote:

Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user: the User Account Control (UAC). However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due its warning messages which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less nosey UAC in the beta version of the OS. This move was the subject to much early praise. However, it may have now backfired as a blogger Long Zheng, who runs the blog Start Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure. He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was raised to his attention by a "security-minded 'whistleblower.'" Ignored largely by Microsoft in chatter in its Windows 7 beta feedback, the issue may be present in the retail version of Windows 7 and has been known to many for some time.

Normally Windows 7 is set with the options "Notify me only when programs try to make changes to my computer" and "Don’t notify me when I make changes to Windows settings". It uses a security certificate to determine if a program is part of Windows -- in other words, changes in the control panel don't raise warnings as they have a trusted certificate.

The "Achilles heel" as Mr. Zheng describes is that the UAC is a certified program and thus changes to it are also trusted -- even if that change is to disable it. While he admits that he had to "think bad thoughts" to come up with a way of disabling the UAC without directly tricking the user into doing it, he says it wasn't tough. He has posted a proof-of-concept VBScript, which uses keyboard shortcuts to select the UAC and then disable it. The attack works against any user who has administrative permissions (as standard users are prompted for an administrative password when changing the UAC settings).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says is to force the UAC into a secure desktop mode, whenever the UAC is changed, regardless of its state. This, he says, while by no means foolproof, will prevent basic attempts. He suggests Microsoft adopt the fix as soon as possible.

Microsoft, however, appears to be relaxed about the topic, as it responded to Mr. Zheng that the flaw is "by design", indicating it will not be changed before release. Furthermore, as of this morning it has pulled a MSDN post about the topic which Mr. Zheng linked.

http://www.dailytech.com/Windows+7+U...ticle14127.htm

Penicilyn · 02-03-09

Cool I think it's a good thing, now how can I remove UAC all together?

justarealguy · 02-03-09

People complain UAC is in their face too much.

Then they complain when it's not around enough.

I really feel bad for MSFT.

killnine · 02-03-09

Quote:

Originally Posted by justarealguy

People complain UAC is in their face too much.

Then they complain when it's not around enough.

I really feel bad for MSFT.

QFT.

People first make a big deal about the boxes double-checking what you do.

Now its like "hey, not enough boxes!"

dralb · 02-03-09

I am a bit confused. Does this imply that the person disabling UAC already has access to the PC? I guess what I am asking is, can this be disabled remotely? If so, you would need to be vulnerable in the first place, right?

How does this change from having the same security and habits as any OS without UAC? Just because it CAN be disabled doesn't mean people can access it easily, right? (or, not as easily or as hard as any other type or breach)

Urufu_Shinjiro · 02-03-09

Quote:

Originally Posted by dralb

I am a bit confused. Does this imply that the person disabling UAC already has access to the PC? I guess what I am asking is, can this be disabled remotely? If so, you would need to be vulnerable in the first place, right?

How does this change from having the same security and habits as any OS without UAC? Just because it CAN be disabled doesn't mean people can access it easily, right? (or, not as easily or as hard as any other type or breach)

It's no different, just some people have to hate on M$ or they're not in the cool crowd, lol. Even in beta win7 is the best thing to come out of Redmond for a long time, if not the best thing ever.

ChielScape · 02-03-09

Quote:

Originally Posted by jayrcr3

i'm gonna cry!

behavior like that makes me cry. try to act a little grown up here, a little respect can get you pretty far in life.

SolShade · 02-03-09

If people are dumb enough to run every script file they come across they deserve to be infected.
Website:"Download this movie player to watch free porn!!!!!"
User: OK
There is nothing MS can do to prevent inherent stupidity.

MikersSU · 02-03-09

I personally don't mind UAC much. I got used to it. Win7 is in beta testing. I'd rather wait till the finished product to pass judgement. Hopefully MS will address this issue...or by a feat of miraculous proportions, people will develop common sense en masse and stop clicking on pop-ups or cruise free porn/malware sites.

*shrug* There's always hope...

onlycodered · 02-03-09

Quote:

Originally Posted by justarealguy

People complain UAC is in their face too much.

Then they complain when it's not around enough.

I really feel bad for MSFT.

This is exactly what I just said when I turned around to my co-worker after reading this article. I'm starting to feel somewhat bad for Microsoft. Everything they do gets criticized.

		Overclock.net - Overclocking.net > Industry News > Software News
[dailyteck]Windows 7 UAC Leaves Door Open for Attacks

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)