
Blogger Long Zheng of Started Something has published a proof-of-concept attack showing how a script can easily disable Windows 7's UAC, due to an inherent design flaw: UAC blindly trusts changes to itself. Microsoft has so far refused to acknowledge that the problem needs fixing, calling it "by design" and pulling an MSDN blog post on the UAC changes.  (Source: Started Something)
Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user:  User Account Control (UAC).  However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due to its warning messages, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less intrusive UAC in the beta version of the OS.  This move was the subject of much early praise.  However, it may now have backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure.  He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'"  Largely ignored by Microsoft in its Windows 7 beta feedback channels, the issue has been known to many for some time and may still be present in the retail version of Windows 7.

By default, Windows 7's UAC is set to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings".  It uses the digital signature on a program to decide whether that program is part of Windows; in other words, changes made through a Windows-signed Control Panel applet raise no prompt because the applet carries a trusted certificate.

The "Achilles heel," as Mr. Zheng describes it, is that the UAC settings applet is itself a Windows-signed program, so changes made through it are trusted as well, even when the change is to disable UAC.  While he admits that he had to "think bad thoughts" to come up with a way of disabling UAC without directly tricking the user into doing it, he says it wasn't tough.  He has posted a proof-of-concept VBScript that sends keystrokes (keyboard shortcuts) to the UAC settings dialog to select the lowest setting and disable it, so the script itself never has to ask for elevation.  The attack works against any user who belongs to the Administrators group and is running at the default UAC level; standard users are prompted for an administrator password when changing UAC settings, so the script gains nothing there.

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force a UAC prompt on the secure desktop whenever the UAC settings themselves are changed, regardless of the current notification level.  This, he says, is by no means foolproof, but it will stop basic attempts, and he urges Microsoft to adopt it as soon as possible.
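As an added example (not code from the article or from Mr. Zheng's proof of concept), the following PowerShell script reads the three registry values behind the Windows 7 UAC slider, names the level they correspond to, and flags the states in which the UAC settings applet elevates without a prompt, which is what a keystroke-driven script of the kind described above relies on. It can also move the machine to "Always notify", the one slider position at which every elevation, including a change to UAC itself, prompts on the secure desktop. The function names and the property names of the returned object are this example's own, and it is written for PowerShell 2.0, the version Windows 7 shipped with:

```powershell
# Added example; not code from the article or from Long Zheng's proof of concept.
# Audits and, on request, hardens the Windows 7 UAC level via the registry values
# the UAC slider writes. Function and property names are this example's own.
# Written for PowerShell 2.0 (Windows 7's version), so no PS3+ syntax is used.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    # A missing value reads as 0; the slider normally writes all three.
    $enableLua = [int]$p.EnableLUA                    # 0 = UAC off after next reboot
    $admin     = [int]$p.ConsentPromptBehaviorAdmin   # prompt policy for Administrators members
    $secure    = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the dimmed secure desktop

    if ($enableLua -eq 0 -or $admin -eq 0) {
        $level = 'Never notify (UAC effectively off)'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $level = 'Default: notify only when programs try to make changes'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        $level = 'Notify only when programs try to make changes (no secure desktop)'
    } else {
        $level = "Custom (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)"
    }

    # At ConsentPromptBehaviorAdmin 5, Windows-signed programs (the UAC settings
    # applet among them) elevate without a prompt; at 0 everything does; with
    # EnableLUA 0 nothing prompts. In each of these states a script driving the
    # settings dialog with keystrokes never meets a prompt.
    $silent = ($enableLua -eq 0) -or ($admin -eq 0) -or ($admin -eq 5)

    New-Object PSObject -Property @{
        EnableLUA                      = $enableLua
        ConsentPromptBehaviorAdmin     = $admin
        PromptOnSecureDesktop          = $secure
        Level                          = $level
        UacSettingsChangeWithoutPrompt = $silent
    }
}

function Test-IsElevated {
    # Under UAC an unelevated admin token reports the Administrators role as false.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-UacAlwaysNotify {
    # Writing under HKLM\...\Policies\System needs an elevated token.
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    # ConsentPromptBehaviorAdmin and PromptOnSecureDesktop apply immediately;
    # a change to EnableLUA only takes effect after a reboot.
    Get-UacPosture
}

$posture = Get-UacPosture
$posture | Format-List Level, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, UacSettingsChangeWithoutPrompt
if ($posture.UacSettingsChangeWithoutPrompt) {
    Write-Warning 'UAC settings can be changed without a prompt; run Set-UacAlwaysNotify from an elevated prompt.'
}
```

The audit half runs unelevated, since reading HKLM is permitted to any user; only Set-UacAlwaysNotify needs an elevated session. Note that hardening to "Always notify" protects the settings applet by making every elevation prompt, which is exactly the Vista-era behavior the Windows 7 beta was trying to reduce; it is a per-machine trade-off, not a substitute for the change to the applet itself that Mr. Zheng asks Microsoft to make.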

Microsoft, however, appears relaxed about the topic: it responded to Mr. Zheng that the behavior is "by design", indicating it will not be changed before release.  Furthermore, as of this morning it has pulled an MSDN post on the topic that Mr. Zheng had linked to.

Comments


RE: ?
By VaultDweller on 2/2/2009 11:06:01 AM , Rating: 2
I'll rephrase.

Corporate users are not logged in with admin rights in any corporation where the IT department is doing its job, and definitely not in any company that's able to pass compliance audits (for PCI, FISMA, HIPAA, etc etc).

I have never worked at a business that allowed admin rights for the masses. My current employer (small corporation, approximately 800 employees and 40 offices) doesn't even give admin rights to many people in the IT staff.

RE: ?
By Master Kenobi on 2/2/2009 11:22:58 AM , Rating: 2
Sorry but IT departments do not set policy in large corporations. 800 users isn't large, that's medium sized. I'm speaking from experience and through conversations I've had with IT professionals at other large corporations. All of these companies possess >5000 users. In companies this large, politics dictates policy, and Local Admin without having to get IT to install software, etc.... is required otherwise they simply fire the IT management and replace it with one that will do it. IT is a Cost Center, not a Profit Center, and thus we do not get to dictate, security be damned.

RE: ?
By VaultDweller on 2/2/2009 11:55:16 AM , Rating: 3
Giving users admin rights to install their own software does not cut IT costs, it inflates them. This is just another failure by IT to do their jobs - in this case, they failed at the task of giving management the information they need (in a way they understand) to make financially sound decisions.

Also, have you or the IT professionals you've conversed with not worked for companies that have had to deal with standards like the PCI DSS or FISMA? Politics dictate policy, like you said, and money dictates politics. Where money is concerned, not much can have a greater impact than a failed PCI audit.

Maybe security is just handled better up here in Canada than in the US. The US does have an abysmal reputation for cyber-security at the federal level, but I've never seen any kind of comparison between the security postures of private industry in Canada vs America.

RE: ?
By Master Kenobi on 2/3/2009 7:46:22 AM , Rating: 2
Also, have you or the IT professionals you've conversed with not worked for companies that have had to deal with standards like the PCI DSS or FISMA?

FISMA applies to jobs I've had in classified environments, in which case your argument is valid. My original post specifically outlined unclassified workspaces/networks.

PCI DSS applies to credit cards. None of the companies I've worked at has ever bothered dealing with credit cards. We aren't running point of sale systems, we're trillion-dollar companies that do business by the millions/billions.

This is just another failure by IT to do their jobs - in this case, they failed at the task of giving management the information they need (in a way they understand) to make financially sound decisions.

You're assuming IT is in a position to make such a policy stick. When a major profit center in the company is complaining that they can't run System A or it's costing them additional overhead because IT implemented policy B, you will see executives strike it down in short order. Profit Centers are elevated above all else. The lax security is simply considered a "cost of doing business" at many companies. Additional security is piled on to make sure a compromised system can't do damage to the rest of the network, but that one will be in for a reimage in short order.

Giving users admin rights to install their own software does not cut IT costs, it inflates them.

That is IT's problem, not the business profit centers' problem. It doesn't balance out from a top down view overall, but this is how it is viewed in many companies. Let IT pay for it with their own budget. Welcome to corporate America.

RE: ?
By bodar on 2/2/2009 6:28:44 PM , Rating: 2
Wow... just wow. That's terrible. I work for state govt. (albeit a small dept) and we have the users locked down pretty tightly. I can't imagine working in a "Wild West" IT environment, where I have no idea what is installed and what damage an "admin" has done to his PC.

RE: ?
By Master Kenobi on 2/3/2009 7:31:17 AM , Rating: 2
Smaller environments can get away with tighter controls and restrictions from IT without too much hassle. But when you're managing 5000 or 50,000 users, it becomes a nightmare in overhead to babysit them. This isn't IT's fault, this is the fault of convenience. No IT manager is going to do battle with corporate executives who want convenience over security.

RE: ?
By bodar on 2/3/2009 10:00:18 PM , Rating: 2
I definitely see your point, but it's sad to know that most execs would rather throw away money paying IT to put out fires all day, rather than focus on higher level services. It's much easier to babysit when he's in the playpen, not tearing around the living room in his walker.

RE: ?
By bodar on 2/3/2009 10:04:54 PM , Rating: 2
Well, at least that just means they need more IT personnel. Good news for us.


Copyright 2016 DailyTech LLC.