

Blogger Long Zheng of Started Something has published a proof-of-concept attack showing how a script can easily disable the Windows UAC, due to an inherent design flaw: it blindly trusts changes to itself. Microsoft has thus far refused to acknowledge that it needs to fix the problem, calling it "by design" and yanking an MSDN blog post on the UAC changes.  (Source: Started Something)
Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user:  the User Account Control (UAC).  However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due to its warning messages, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less nosey UAC in the beta version of the OS.  This move was the subject of much early praise.  However, it may have now backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure.  He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'"  Largely ignored by Microsoft in its Windows 7 beta feedback discussions, the issue may be present in the retail version of Windows 7 and has been known to many for some time.

Normally Windows 7 is set with the options "Notify me only when programs try to make changes to my computer" and "Don’t notify me when I make changes to Windows settings".  It uses a security certificate to determine if a program is part of Windows -- in other words, changes in the control panel don't raise warnings as they have a trusted certificate.

The "Achilles heel", as Mr. Zheng describes it, is that the UAC is itself a certified program and thus changes to it are also trusted -- even if that change is to disable it.  While he admits that he had to "think bad thoughts" to come up with a way of disabling the UAC without directly tricking the user into doing it, he says it wasn't tough.  He has posted a proof-of-concept VBScript, which uses keyboard shortcuts to select the UAC and then disable it.  The attack works against any user who has administrative permissions (standard users are prompted for an administrative password when changing the UAC settings, so they are not affected).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force the UAC into a secure desktop mode whenever the UAC is changed, regardless of its state.  This, he says, while by no means foolproof, will prevent basic attempts.  He suggests Microsoft adopt the fix as soon as possible.
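Until a platform fix lands, the defensive counterpart of the workaround Mr. Zheng describes is to make sure a machine's UAC policy is at the "Always notify" level with prompts drawn on the secure desktop, so that a change to Windows settings (including UAC itself) cannot proceed silently. The following PowerShell audit is an added example, not code from the article or from Mr. Zheng's post; the registry value names are the documented UAC policy values, while the "expected" values are this example's own assumption of a hardened configuration.

```powershell
# Added example (not from the article or Long Zheng's post): audit the local
# UAC policy values that decide whether an administrator's changes to Windows
# settings prompt on the secure desktop.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened ("Always notify") configuration assumed by this check:
#   EnableLUA                  = 1  UAC is on
#   ConsentPromptBehaviorAdmin = 2  prompt for consent on the secure desktop
#   PromptOnSecureDesktop      = 1  prompts are drawn on the secure desktop
$expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

function Test-UacHardening {
    param(
        [string]$Key = $policyKey,
        [hashtable]$Expected = $expected
    )
    # A missing value reads as $null and therefore fails the comparison,
    # which is the conservative outcome for an audit.
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

$results = Test-UacHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'UAC is below "Always notify" on the secure desktop; changes to Windows settings by a member of Administrators can proceed without a prompt.'
    exit 1
}
```

Run it from an elevated or a standard PowerShell session (the key is readable by any user); a non-zero exit makes it easy to wire into a login script or configuration-compliance check. Note that the check reports the level only: a standard (non-administrator) daily-use account, as the comments below suggest, remains the stronger mitigation because the attack described requires an administrative token to begin with.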

Microsoft, however, appears to be relaxed about the topic, as it responded to Mr. Zheng that the flaw is "by design", indicating it will not be changed before release.  Furthermore, as of this morning it has pulled an MSDN post about the topic to which Mr. Zheng had linked.



Comments

RE: ?
By lifeblood on 2/2/2009 9:07:35 AM , Rating: 2
Vista, deserved or not, was blasted, not just by tech journalists, but by customers as well. The reasons were long and varied, but UAC figured predominantly in their complaints. As such, many organizations and individuals have refused to update. Microsoft is trying to fix the complaints with Win7, and that includes lowering the annoyance of UAC. Otherwise Win7 may follow in the footsteps of its predecessor and be rejected by users. That would be a shame as it appears Win7 will be an excellent OS.

This attack also only works if you're logged in as admin. I know I never log in as admin except on very rare occasions, and I don't surf the web as admin.


RE: ?
By omnicronx on 2/2/2009 10:40:18 AM , Rating: 2
quote:
Vista, deserved or not, was blasted, not just by tech journalists, but by customers as well.
You think one does not have to do with the other? I still see countless articles making jabs at Vista, in which most of the claims are unfounded or just plain untrue. People just eat this stuff up, as it seems poking fun at Vista sells lots more copies for PC magazines than writing pro-Windows articles. Sometimes when reading I wonder if I picked up a copy of MacWorld by accident.


RE: ?
By lifeblood on 2/2/2009 2:23:35 PM , Rating: 2
It was blasted by non-technical users who never read the trade rags. I had a few customers who insisted on upgrading to Vista on their old PCs (with additional RAM). They were all back on XP within a month. I had other customers buy new hardware with Vista pre-installed and they all requested to be downgraded to XP within a month. However, part of that was because they got Office 07 with its new ribbon bar at the same time. That was a double whammy. I think a lot of users' hate for Vista was exacerbated by Office 07.

I use Vista and Office 07 and I'm ok with Vista but despise Office 07. I look forward to Win7, but I see no relief from the Ribbon bar.


Copyright 2014 DailyTech LLC.