
Blogger Long Zheng of Started Something has published a proof-of-concept showing how a script can disable Windows UAC with no user interaction, due to an inherent design flaw: UAC blindly trusts changes made to its own settings. Microsoft has so far refused to acknowledge that the problem needs fixing, calling it "by design" and pulling an MSDN blog post on the UAC changes.  (Source: Started Something)
Microsoft insists big Windows 7 security hole will not be fixed, is "by design"

When Windows Vista launched, it brought a new feature meant to safeguard the user: User Account Control (UAC).  The feature, which could be disabled, became the source of much of the OS's early criticism due to its elevation prompts, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less nosy UAC in the beta version of the OS.  This move was the subject of much early praise.  However, it may now have backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure.  He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'"  Largely ignored by Microsoft in its Windows 7 beta feedback discussions, the issue has been known to many for some time and may survive into the retail version of Windows 7.

By default, Windows 7 is set to "Notify me only when programs try to make changes to my computer", which the dialog also describes as "Don't notify me when I make changes to Windows settings".  Windows decides whether a program is part of Windows by the certificate it is signed with: executables signed with Microsoft's Windows certificate elevate without a prompt, so changes made through the Control Panel, for example, raise no warning.

The "Achilles heel", as Mr. Zheng describes it, is that the UAC settings panel is itself a Windows-signed program, so changes made through it are trusted as well -- even when the change is to turn UAC off.  While he admits he had to "think bad thoughts" to come up with a way of disabling UAC without directly tricking the user into doing it, he says it wasn't tough.  He has posted a proof-of-concept VBScript that sends keyboard shortcuts to open the UAC settings panel, move the slider to its lowest setting and confirm the change, all without a prompt.  The attack works against any user who is a member of the Administrators group (standard users are prompted for an administrator password when changing the UAC settings, so they are not affected).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force the UAC prompt onto the secure desktop whenever the UAC setting itself is changed, regardless of the current level.  Keystrokes sent from the user's desktop cannot reach the secure desktop, so this, while by no means foolproof, blocks basic attempts.  He suggests Microsoft adopt the fix as soon as possible.
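As an added example (not code from the article or from Mr. Zheng's proof-of-concept), the check below reads the three registry values that the UAC slider writes, maps them onto the four Windows 7 settings, and flags the conditions discussed above: silent auto-elevation of Windows-signed components, prompts left on the user's desktop where sent keystrokes can answer them, and UAC switched off entirely.  It is written in Python rather than the PowerShell an administrator would typically type so that it runs offline on constructed values; on a Windows host it also reads the live values through winreg.  The registry path and value names are the standard UAC policy values; the mapping of value combinations to the four slider positions, and the defaults assumed when a value is absent, are stated from memory of Windows 7 behaviour and are not taken from the article.

```python
# Added example, not from the article or from Long Zheng's PoC: classify a
# Windows 7 UAC configuration from the registry values behind the UAC slider.
from typing import Dict, List, Optional, Tuple

# Key under HKEY_LOCAL_MACHINE that holds the UAC policy values.
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values the slider writes, with the defaults assumed when a value is absent
# (assumption: these are the Windows 7 defaults, not stated by the article).
DEFAULTS: Dict[str, int] = {
    "EnableLUA": 1,                   # 1 = UAC on (Admin Approval Mode), 0 = UAC off
    "ConsentPromptBehaviorAdmin": 5,  # 2 = always prompt, 5 = prompt only for non-Windows binaries, 0 = never prompt
    "PromptOnSecureDesktop": 1,       # 1 = prompt on the secure desktop, 0 = on the user's desktop
}

# (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) -> slider position.
# Assumption: this is how the Windows 7 slider writes its four positions.
SLIDER_LEVELS: Dict[Tuple[int, int, int], Tuple[int, str]] = {
    (1, 2, 1): (1, "Always notify"),
    (1, 5, 1): (2, "Notify me only when programs try to make changes to my computer (Windows 7 default)"),
    (1, 5, 0): (3, "Notify me only when programs try to make changes, without using the Secure Desktop"),
    (0, 0, 0): (4, "Never notify"),
}


def classify(values: Dict[str, int]) -> Dict[str, object]:
    """Map registry values to a slider level and list the security-relevant consequences."""
    enable_lua = values.get("EnableLUA", DEFAULTS["EnableLUA"])
    consent = values.get("ConsentPromptBehaviorAdmin", DEFAULTS["ConsentPromptBehaviorAdmin"])
    secure = values.get("PromptOnSecureDesktop", DEFAULTS["PromptOnSecureDesktop"])
    level, name = SLIDER_LEVELS.get((enable_lua, consent, secure), (None, "non-standard combination"))

    findings: List[str] = []
    if enable_lua == 0:
        findings.append("UAC is off: members of Administrators log on with a full administrator token")
    else:
        if consent == 5:
            findings.append("Windows-signed components elevate silently; the UAC settings panel is one of them, "
                            "so a script driving it can lower the slider without any prompt")
        if consent == 0:
            findings.append("every elevation request is granted without a prompt")
        if secure == 0:
            findings.append("prompts appear on the interactive desktop, where sent keystrokes can answer them; "
                            "enable 'Switch to the secure desktop when prompting for elevation'")
    return {"level": level, "name": name, "findings": findings}


def read_live_values() -> Optional[Dict[str, int]]:
    """Read the live values on Windows; return None elsewhere so the module still runs offline."""
    try:
        import winreg
    except ImportError:
        return None
    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as key:
        for name in DEFAULTS:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
                found[name] = int(data)
            except FileNotFoundError:
                pass  # value absent: classify() applies the assumed default
    return found


if __name__ == "__main__":
    samples: Dict[str, Dict[str, int]] = {}
    live = read_live_values()
    if live is not None:
        samples["this machine"] = live
    # Constructed sample (not captured from a real machine): the state left behind
    # once the slider has been dragged to "Never notify".
    samples["after the slider is set to Never notify (constructed)"] = {
        "EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0,
    }
    for label, vals in samples.items():
        result = classify(vals)
        print(f"{label}: level {result['level']} ({result['name']})")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as an ordinary user; the key is world-readable.  Level 2 is reported with a finding even though it is the default, because the silent auto-elevation of Windows-signed components is exactly what the proof-of-concept depends on; level 1 (the Vista behaviour) produces no findings.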

Microsoft, however, appears relaxed about the topic: it responded to Mr. Zheng that the behaviour is "by design", indicating it will not be changed before release.  Furthermore, as of this morning it has pulled an MSDN post on the topic that Mr. Zheng had linked.

Comments

Smells like FUD.
By Smilin on 2/2/2009 5:58:31 PM , Rating: 2
Here are the Windows 7 UAC settings (copied from linked MSDN):

1. Always notify on every system change. This is Vista behavior – a UAC prompt will result when any system-level change is made (Windows settings, software installation, etc.)
2. Notify me only when programs try to make changes to my computer. This setting does not prompt when you change Windows settings, such as control panel and administration tasks.
3. Notify me only when programs try to make changes to my computer, without using the Secure Desktop. This is the same as #2, but the UAC prompt appears on the normal desktop instead of the Secure Desktop. While this is useful for certain video drivers which make the desktop switch slowly, note that the Secure Desktop is a barrier to software that might try to spoof your response.
4. Never notify. This turns off UAC altogether.

My take:
1 - Is the most secure mode and is how Vista runs.
2 - Should be the real improvement in Windows 7. It reduces the # of prompts.
3 - Is functionally the same as #2 and has just as many annoying prompts, but with less security. There is NO reason to run in this mode. Video drivers in the year 2009 can handle this crap just fine. The last time drivers had this trouble was during the early beta of Vista.
4 - ..hey, it's your gun do what you want.

The author is all griping about #3 but in fact this same setting exists in Vista...just nobody uses it. You can find it under Security Options in gpedit.msc. It's called "Switch to the secure desktop when prompting for elevation".

The flaw discussed in the article exists when you drop from #2 to #3. Windows 7 is using #2 by default, so I say FUD.

RE: Smells like FUD.
By llamas on 2/2/2009 8:31:12 PM , Rating: 2
This is not correct. The article is complaining about option 2 (the default) because it does not prompt when you change Windows settings (like lowering the UAC settings to 4). However, what most people seem to be glossing over is that for this to be exploited, the user will still have to OK a UAC prompt before running the malware from a web site. The proof of concept is a script you can run without a UAC prompt, but that's you running it in your session, not navigating to a malicious web site.

That said, you'd think that it would be a good idea to offer the extra notification that something was not only requesting permission to load (a web app that you don't think is malicious), but also going to change your security settings (hard to take that for anything other than it is).

RE: Smells like FUD.
By leexgx on 2/3/2009 12:17:40 AM , Rating: 2
Most users would click OK anyway, as most do not even know what UAC is there for.

On Vista the help system should pop up in big letters explaining what the UAC boxes are, but nope. Not many users know there is a help system in Windows, and even then they would not know what to look for to find out what this Allow, Cancel or Continue is. To them it's one more click they need to do to make it go away.

The extra check is needed to protect from this problem, as well as an explanation of what is going on or a warning.

RE: Smells like FUD.
By Smilin on 2/3/2009 9:45:23 AM , Rating: 2
You're right, I'm wrong. Looking into this..

RE: Smells like FUD.
By Smilin on 2/3/2009 9:39:56 AM , Rating: 2
I changed my mind. Looking into a way to get this fixed.


Copyright 2016 DailyTech LLC.