



Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

Blogger Long Zheng of Started Something has published a proof-of-concept attack showing how a script can easily disable the Windows UAC, due to the inherent design flaw that it blindly trusts changes to itself. Microsoft thus far has refused to acknowledge that it needs to fix the problem, calling it "by design" and yanking an MSDN blog post on the UAC changes. (Source: Started Something)

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user: User Account Control (UAC). However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due to its warning messages, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less nosy UAC in the beta version of the OS. This move was the subject of much early praise. However, it may have now backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure.  He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'" Largely ignored by Microsoft in the Windows 7 beta feedback discussions, the issue may be present in the retail version of Windows 7 and has been known to many for some time.

Normally Windows 7 is set with the options "Notify me only when programs try to make changes to my computer" and "Don’t notify me when I make changes to Windows settings".  It uses a security certificate to determine if a program is part of Windows -- in other words, changes in the control panel don't raise warnings as they have a trusted certificate.

The "Achilles heel", as Mr. Zheng describes it, is that the UAC control panel is itself a certified Windows program, and thus changes made through it are also trusted -- even if that change is to disable UAC. While he admits that he had to "think bad thoughts" to come up with a way of disabling the UAC without directly tricking the user into doing it, he says it wasn't tough. He has posted a proof-of-concept VBScript, which uses keyboard shortcuts to select the UAC setting and then disable it. The attack works against any user who has administrative permissions (standard users are prompted for an administrative password when changing the UAC settings, so they are not affected).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force a Secure Desktop prompt whenever the UAC setting is changed, regardless of the current UAC level. This, he says, while by no means foolproof, will prevent basic attempts. He suggests Microsoft adopt the fix as soon as possible.
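The two settings the article describes ("Notify me only when programs try to make changes" versus the Vista-like "Always notify") are backed by UAC policy values in the registry. The following PowerShell audit script is an added example, not code from Mr. Zheng's post or from Microsoft; the registry path and value names are the documented UAC policy settings, while the mapping of value pairs to slider labels and the "Weakened" verdict are this example's own.

```powershell
# Added example: audit the UAC policy values behind the Windows 7 notification
# slider and flag a machine that sits below "Always notify".
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA                   # 0 turns UAC off entirely
    $admin     = [int]$p.ConsentPromptBehaviorAdmin  # how admins are prompted
    $secure    = [int]$p.PromptOnSecureDesktop       # 1 = prompt on Secure Desktop

    # This example's own mapping of value pairs to the slider positions.
    $level = switch ("$admin/$secure") {
        '2/1'   { 'Always notify (Vista-like; consent prompt on the Secure Desktop)' }
        '5/1'   { 'Notify only when programs try to make changes (Windows 7 default)' }
        '5/0'   { 'Notify only for programs, without dimming the desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom ($admin/$secure)" }
    }
    if ($enableLua -eq 0) { $level = 'UAC disabled (EnableLUA = 0)' }

    # Value 5 auto-elevates signed Windows components, which is the behaviour the
    # proof-of-concept relies on, so anything but "Always notify" is reported as weak.
    $weak = ($enableLua -eq 0) -or ($admin -ne 2) -or ($secure -ne 1)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        Weakened                   = $weak
    }
}

function Set-UacAlwaysNotify {
    # Moves the slider to "Always notify". Needs an elevated shell; the EnableLUA
    # change only takes effect after a reboot. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    }
}

$posture = Get-UacPosture
$posture | Format-List
if ($posture.Weakened) {
    Write-Warning 'UAC is below "Always notify"; run Set-UacAlwaysNotify -WhatIf to preview the fix.'
}
```

Domain-joined machines may have these values enforced by Group Policy, in which case the policy, not the local registry, is where the level must be raised.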

Microsoft, however, appears to be relaxed about the topic, as it responded to Mr. Zheng that the flaw is "by design", indicating it will not be changed before release. Furthermore, as of this morning it has pulled an MSDN post about the topic to which Mr. Zheng linked.



Comments

RE: ?
By Master Kenobi (blog) on 2/2/2009 8:59:22 AM , Rating: 5
Because many tech journalists blasted Vista's UAC as annoying, problematic, and a pain in the rear. So Microsoft responded in kind by easing it up, but when easing it up you get the caveat that security is also not as good. This is a simple case of you can have your cake, but you can't eat it. All these journalists want both, but the reality is if you want more security, you need to deal with an additional prompt/check.

Frankly, if anyone is to blame, it's people for blasting UAC in Vista. Vista got it right, people just don't want security that badly yet.


RE: ?
By anotherdude on 2/2/2009 10:37:22 AM , Rating: 2
Users didn't like UAC, granted, but the tech journalists and (even many of the local talent) should have defended and explained it instead of tearing it down. THAT was the problem.

There was a feeding frenzy on Vista, for some reason (made a good story, lots of Mac\Linux fanboys out there in West Coast and NY bloggerland?), that went WAY beyond what it deserved and the new and less secure UAC default setting is the cost of this. MS's hands were tied here.


RE: ?
By VaultDweller on 2/2/2009 11:15:23 AM , Rating: 2
I agree.

I thought UAC was one of the best moves that Microsoft had ever made, and I was absolutely baffled that the same technical community that blasts MS for weak security could tear them up again for adding security features. Seriously, the same people that championed a Linux distro that by default disables the use of the root account and expects the use of sudo for all privileged actions were complaining that having to click OK was too much of a hassle. What the hell?

UAC has made my life as the free extended family tech support guy so much easier. It's like magic: after setting people up with Vista and explaining UAC to them, I never have to revisit their computer to format them or clean out malware infestations.


RE: ?
By Drexial on 2/2/2009 10:38:13 AM , Rating: 4
The thing about the UAC is that normal users will either not let anything install or let everything install just like they normally would. The pop up is just another step in the process for them.

It's kinda like getting into your car and a message coming up that you have to answer that say "Are you drunk?" then just to be sure "are you sure you are not drunk?". Whether you are drunk or not you are going to get asked this every time. The people that do drink and drive are just going to ignore it just like they ignore the fact that they are drunk now and will drive their car anyways.

This UAC was a poor excuse for security, because it's completely in the hands of the user to understand the risk. If they understand the risk then the UAC isn't doing anything to help them; if they don't understand it, they are just going to OK the message anyway.


RE: ?
By VaultDweller on 2/2/2009 11:21:44 AM , Rating: 2
Yes, users have to understand the risk - but it's not something hard to understand or to explain.

No, UAC won't do anything if the user actively runs an installer for malicious software, because of course the user has decided they want said software and will let it do whatever it wants.

On the other hand, it seems like most malware and virus installs can be prevented by one simple explanation: "If you open an e-mail or visit a web page and it causes a UAC prompt, don't click OK - it's a virus."

That has absolutely worked wonders for me so far. Drive-by installers don't work on a system with UAC unless the user gives permission at the UAC prompt.


RE: ?
By Drexial on 2/2/2009 11:33:24 AM , Rating: 2
I can understand that helping only if they understand that. That's great that they have you to explain it. I suppose it's good for a lesson in proper computing as long as there is someone there to teach them the guide. But my grandpa has gotten along just fine with a similar lesson without the UAC.

That's because people like you and me were around to tell them what to look out for and what not to go to.


RE: ?
By VaultDweller on 2/2/2009 12:09:53 PM , Rating: 2
With the UAC, I don't need to give any kind of lesson about where they should and should not go. They can go wherever they want, and any malicious sites will hit a brick wall without admin rights. There's no need to teach a person or make them understand security concepts. They don't need to be able to make judgment calls about what websites or e-mails seem suspicious. It all boils down to one simple sentence with clear, easy to remember criteria: UAC prompt from an e-mail/website = virus.

Mind you, it won't do anything to stop them from providing information to phishing sites... but at least their system won't be compromised.


RE: ?
By FITCamaro on 2/2/2009 3:07:20 PM , Rating: 2
Agree 100%.

I have no real issue with UAC. Yes sometimes I get a little annoyed. But in the end I'd rather know if something tries to do something and I didn't want it to. Hopefully Windows 7 allows for a Vista-like UAC mode.


RE: ?
By RamarC on 2/2/2009 5:33:29 PM , Rating: 3
Unless you're a developer. I'm constantly doing things that provoke the UAC as part of my normal day, and I have to have admin rights to run Business Intelligence Design Studio since it's based on VS 2005.

I just wish there was an option to allow me to hush the UAC for a specified length of time (a 'do this for subsequent actions in the next 15 minutes') or at least figure out that I do certain stuff repeatedly and not ask after I confirm the first action. (I set environment variables once, I'm likely to set 'em again this session.)


RE: ?
By Zoomer on 2/2/2009 7:37:13 PM , Rating: 3
Yes, to me that is the most annoying part of UAC. I might actually leave it enabled if that were the case. I don't need to be asked 10 times when I need to change something.

