

Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

Blogger Long Zheng of Started Something has published a proof-of-concept attack showing how a script can easily disable the Windows UAC, due to the inherent design flaw that UAC blindly trusts changes to itself. Microsoft has so far refused to acknowledge that the problem needs fixing, calling it "by design" and pulling an MSDN blog post about the UAC changes.  (Source: Started Something)

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user:  User Account Control (UAC).  However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due to its warning messages, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less intrusive UAC in the beta version of the OS.  This move was the subject of much early praise.  However, it may now have backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure.  He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'"  Largely ignored by Microsoft in the chatter of its Windows 7 beta feedback, the issue may remain present in the retail version of Windows 7 and has been known to many for some time.

By default, Windows 7 is set to the options "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings".  It uses a digital signature to determine whether a program is part of Windows -- in other words, changes made through the Control Panel don't raise prompts because those components carry the trusted signature.

The "Achilles heel," as Mr. Zheng describes it, is that the UAC settings dialog is itself a signed Windows program, so changes to it are also trusted -- even if that change is to disable UAC.  While he admits that he had to "think bad thoughts" to come up with a way of disabling UAC without directly tricking the user into doing it, he says it wasn't tough.  He has posted a proof-of-concept VBScript, which uses keyboard shortcuts to select the UAC settings and then disable them.  The attack works against any user who has administrative permissions (standard users are prompted for an administrator password when changing the UAC settings, so they are not affected).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force a secure-desktop UAC prompt whenever the UAC settings are changed, regardless of the current UAC level.  This, he says, while by no means foolproof, will prevent basic attempts.  He suggests Microsoft adopt the fix as soon as possible.
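The UAC levels described above are stored as registry values behind the Control Panel slider. The following PowerShell check is an added example, not code from the article or from Mr. Zheng's post: it reads EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (real values that the article itself does not name), maps them to the slider positions, and flags whether Windows-signed components, including the UAC settings dialog, elevate silently for administrators. The mapping table, the function name, and the defaults assumed for absent values are mine.

```powershell
# Added example (not from the article or from Long Zheng): report the local UAC
# level and whether signed Windows components elevate without a prompt.
# Assumes Windows 7 or later; reading this key does not require elevation.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Fall back to the Windows 7 defaults (assumption) when a value is absent.
    function Read-Dword($obj, $name, $default) {
        if ($null -ne $obj.$name) { [int]$obj.$name } else { $default }
    }
    $enableLua = Read-Dword $p 'EnableLUA'                  1  # 0 = UAC off (takes effect after reboot)
    $admin     = Read-Dword $p 'ConsentPromptBehaviorAdmin' 5  # how administrators are prompted
    $secure    = Read-Dword $p 'PromptOnSecureDesktop'      1  # 1 = prompt on the dimmed secure desktop

    # Map the three values to the Control Panel slider positions.
    $level = if ($enableLua -eq 0 -or $admin -eq 0) {
        'Never notify'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        'Notify me only when programs try to make changes to my computer (Windows 7 default)'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        'Notify me only when programs try to make changes (do not dim my desktop)'
    } else {
        "Custom (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                   = $enableLua
        ConsentPromptBehaviorAdmin  = $admin
        PromptOnSecureDesktop       = $secure
        Level                       = $level
        # Below 'Always notify', signed Windows components (the UAC dialog among
        # them) elevate for administrators without any prompt, which is the
        # condition the article describes.
        SignedComponentsAutoElevate = ($level -ne 'Always notify')
    }
}

Get-UacLevel | Format-List
```

Only the "Always notify" level prompts on the secure desktop for every elevation, including changes to the UAC settings themselves; any other level reported by this check leaves the settings dialog trusted. Changing the level is a Control Panel or Group Policy action that itself requires an elevated session, and moving to or from "Never notify" on Windows 7 only takes effect after a reboot, which matches the restart step the article quotes.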

Microsoft, however, appears to be relaxed about the topic, as it responded to Mr. Zheng that the behavior is "by design", indicating it will not be changed before release.  Furthermore, as of this morning it has pulled an MSDN post about the topic to which Mr. Zheng had linked.



Comments

RE: ?
By Motoman on 2/2/2009 12:20:02 PM , Rating: 1
...they're trying to protect people from their own stupidity...which will always fail. Idiots always find a way to prevail.

In a way, I really hate attempts to remove the responsibility for your machine from the user. If you're an idiot user, and you load your machine up with viruses and spyware and whatnot...well, you're an idiot and by the way, no, the nice guy from Nigeria isn't really trying to send you eighty bazillion dollars.

On the other hand...ah, screw it. If you're too stupid to not screw up your computer, then maybe you should just stick to cell phones.


RE: ?
By BansheeX on 2/2/2009 1:03:58 PM , Rating: 2
Yeah, and if I wasn't being clear enough, I essentially think the prompting part is what's useless and annoying. Setting up file access/editing privileges on created user accounts, whether you're an OEM or an individual or an IT guy, is fine.


RE: ?
By Motoman on 2/2/2009 2:28:22 PM , Rating: 2
Yeah, the UAC prompts are in a way kind of like taking your laptop out of its bag and putting your shoes on the belt at the airport. Neither of which do anything (nor does limiting liquids, so on and so forth), but it appears that you're doing "something about the problem."


RE: ?
By gochichi on 2/3/2009 12:17:02 AM , Rating: 2
Mac users are still relatively "safe"... so yes, you CAN protect idiots from themselves. If by idiots we mean people.

Dude, without some basic tools from software providers most of us idiots would be swimming in viruses.

Whether it's Linux, or Windows or whatever... I mean, as an example, I wouldn't run Windows without an Antivirus or without updates. I didn't "create" any of that. They are all things to help me stay protected... and they work really well for the most part. The amazing people that give of their time to make Linux safe... I need them, I need them very much. They are watching out for me not to be utterly at risk when I run Ubuntu... and I like that, I appreciate that.

I'm glad that you absurdly believe that you could be safe online without software (and settings) to protect you. But it's perhaps the most naive stance of anyone. Systems should default to safe, that much is obvious. It shouldn't take a bunch of know how to enable safety... it should take know how (or at least "the intent") to increase the amount of risk.

I'll tell you... Windows users are wising up a little bit. Vista requiring you to click OK when installing something is hardly debilitating. I do worry about Mac users though... they are so unbelievably oblivious to security/virus concerns...

Protect everyone. That's what software companies should believe they have to do. Anything less would be utterly unethical. Yes, us so called experts should believe that "idiots" should be totally safe when using their computers. When I go to the doctor and he prescribes me medication... I don't expect to be called an idiot because the drug was unsafe... I expect it to be safe because ethical people are supposedly at the helm, making sure of it. What do you believe? I believe, protect 100% of users, that includes protecting grandparents, protecting teenagers, protecting businesspeople... everyone.

You are NOT stupid, because you see a deceptive ad while you're browsing the web ... a pop up with pretty graphics that says, "YOU have been selected" you click on it, and you're infected. It is NOT stupid to be a victim of that attack. It is malicious, it is a bad action, it is completely wrong to attack a user that way. Bad people doing bad things... it is up to the ethical expert community to shield the user from bad people. The open source community does it on ethics alone, but Microsoft has a mandate because those "idiots" are paying money for a service (the service being security).


RE: ?
By BansheeX on 2/3/2009 5:39:40 AM , Rating: 2
You have no idea what you're talking about. None of your fevered ranting or poor analogies accomplishes anything. UAC prompts don't protect you from machine-compromising exploits, user privilege restrictions do. All a prompt does is ask someone twice whether they want to do what they intended. It's the user's access restrictions that cause malevolent code to be impotent.

Mac has minuscule market share, of course it's safer. Its design isn't a factor yet, too few people are using it for hackers to care.

quote:
Dude, without some basic tools from software providers most of us idiots would be swimming in viruses.


Can Vista fanboys read? I am attacking the UAC prompts. UAC prompts. UAC prompts. Not antivirus software.

quote:
I expect it to be safe because ethical people are supposedly at the helm, making sure of it. What do you believe? I believe, protect 100% of users, that includes protecting grandparents, protecting teenagers, protecting businesspeople... everyone.


There is no such thing as 100% security, software can't address the latest worms and viruses the second they come out. If you actually believe that or try to convince others of that, you are proving my point. You can't just install some software and proceed to browse and e-mail with reckless abandon, you're going to learn a very hard lesson. People MUST educate themselves with the fundamentals, there is no magic shield you can buy to avoid that.


RE: ?
By anotherdude on 2/3/2009 1:38:21 PM , Rating: 2
quote:
UAC prompts don't protect you from machine-compromising exploits, user privilege restrictions do. All a prompt does is ask someone twice whether they want to do what they intended. It's the user's access restrictions that cause malevolent code to be impotent.


Not sure what you are driving at here. UAC puts the entire machine into user mode which stops both the user and ANY RUNNING SOFTWARE from changing important OS files or settings without the user giving explicit assent.

Yes, this is nowhere near as safe as locking a machine down in user mode but doing that is impractical for many situations. Yes, if the user foolishly clicks through a UAC prompt without stopping to think it will not help, but if the user is not even installing software or making system changes and a prompt comes up they should have the sense to say no, or can be trained to say no - part of "learning the fundamentals" as you say. It's not perfect but it helps.

