Monthly Archives: January 2009

Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design”

Update 3: Microsoft has since addressed this problem. In later builds of Windows 7, the UAC control panel requires elevation to change its options.

I’m not too sure if Microsoft is on the same page as I am, but a Microsoft spokesperson has emailed me in response to the Windows 7 UAC security flaw I wrote about and demonstrated yesterday. In summary, Microsoft claims this is “not a vulnerability”, is intended behavior and again indicates it will not be changed. No, your eyes are not playing tricks on you. They’re (again) indicating it will not be fixed in the final version of Windows 7.

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).

The whole reason why I had made the “issue” public yesterday was because private Windows 7 beta-testers were frustrated at how Microsoft treated their concerns, but it seems like it hasn’t changed.

What I do not understand is how they are treating the seriousness of this problem. The proof-of-concept VBScript Rafael and I came up with was intentionally as obvious as possible. A malicious application could be much more silent and visually discreet, and could add code to load even more malicious applications after a reboot, which would then run with full administrative privileges.

Microsoft’s argument is based entirely on the user, which I agree with to an extent – they have to download and execute such an application – but remember this can be a low-privileged application, so it would trigger no warnings whatsoever.

How can a low-privileged application being able to turn off the entire security layer for privileged applications not be a security flaw? Let me repeat: a low-privileged application. Some people seem to have missed that. I just don’t get it.

In contrast, if they implemented the solution I have suggested, then even if a low-privileged application (without UAC prompts) tried to turn off UAC, there would be a last line of defense just before UAC is turned off, giving the user a second chance. One more chance than no chance at all.

Update: A reader has kindly asked me to highlight a particular condition for this to work: the user must be in the “Administrative” user group, and not in the “Standard” user group, where they will be prompted for an administrative password. In defense of the seriousness of the issue, the Vista and Windows 7 default user group is “Administrative” and I’m sure that’s what most home users are running.

Update 2: Microsoft’s Jon DeVaan has posted a response on the official Windows 7 blog with an extensive look at the UAC system in Windows 7 and their decision on the default security policy. In conclusion, they continue to stand by their decision and do not indicate they will change the default UAC policy.

Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)

This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it “less annoying” inadvertently clears the path for a simple but ingenious override that disables UAC without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things.

First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I’m just going to share this for free.

Secondly, the reason I’m blogging about this flaw is not because of its security implications – it is blatantly simple to fix – but Microsoft’s apparent ignorance towards the matter on their official Windows 7 beta feedback channel by noting the issue as “by design” and hinting it won’t be fixed in the retail version. A security-minded ‘whistleblower’ came forth to ask me if I could publicize this issue to maybe persuade them to change their mind. And that’s what I’m doing.

Now for a bit of background on the changes to UAC in Windows 7. By default, Windows 7’s UAC setting is “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. It distinguishes between a (third-party) program and Windows settings with a security certificate: the applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC when you change any system settings.

The Achilles’ heel of this system is that changing UAC is itself considered a “change to Windows settings”, which, coupled with the new default UAC security level, means you would not be prompted if it were changed. Even to disable UAC entirely.

Of course, it’s not a security vulnerability if you have to coerce the user into disabling UAC themselves (although sweet candy is exceptionally persuasive), so I had to think “bad thoughts” to come up with a way to disable UAC without the user’s interaction. The solution was trivial: you can complete the whole process with just keyboard shortcuts, so why not make an application that emulates a sequence of keyboard inputs?

With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (it would be just as easy as a C++ EXE) to do exactly that – emulate a few keyboard inputs – without prompting UAC. You can download and try it out for yourself here, but bear in mind it actually does disable UAC.

We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and, because UAC is now off, have it run with full administrative privileges, ready to wreak havoc.

This is the part where one would usually demand a large sum of money, but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides: force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click “yes”) but a simple one I would encourage Microsoft to implement, seeing how they’re on a tight deadline to ship this.

Having UAC on at the default policy as it is currently implemented in Windows 7 is as good as not having it on at all.

Until Microsoft decides to fix this, if they do at all, beta users of Windows 7 can apply a simple fix themselves. Changing the UAC policy to “Always Notify” will force Windows 7 to notify you even if UAC settings change. Annoying, but safe.

Update: I must credit Aubrey from WindowsConnected.com for also touching on this issue briefly today.

Update 2: Microsoft has officially responded to my concerns and continues to insist the functionality is “by design”, dismisses the security concerns and again leans towards not addressing the issue for the final release of Windows 7.

Update 3: A reader has kindly asked me to highlight a particular condition for this to work: the user must be in the “Administrative” user group, and not in the “Standard” user group, where they will be prompted for an administrative password. In defense of the seriousness of the issue, the Vista and Windows 7 default user group is “Administrative” and I’m sure that’s what most home users are running.
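An added example, written for this page and not the proof-of-concept from the post or anything Microsoft ships: a PowerShell audit of the two conditions the post says matter (an account in the “Administrative” group and a UAC level below “Always Notify”), with a switch that applies the “Always Notify” workaround. It assumes the standard UAC policy values under the Policies\System registry key, which the post itself does not name.

```powershell
# Added example, not the post's proof-of-concept. Reports whether this machine meets the two
# conditions the post describes (account in the Administrators group, UAC below "Always notify")
# and can apply the post's workaround. Assumes the standard UAC policy values under
# Policies\System, not named in the post: EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.
[CmdletBinding()]
param([switch]$ApplyAlwaysNotify)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevelName {
    param([int]$EnableLua, [int]$AdminBehavior, [int]$SecureDesktop)
    if ($EnableLua -eq 0) { return 'UAC disabled' }
    switch ("$AdminBehavior/$SecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Notify only when programs try to make changes (Windows 7 default)' }
        '5/0'   { return 'Notify only when programs try to make changes, do not dim desktop' }
        '0/0'   { return 'Never notify' }
        default { return "Custom ($AdminBehavior/$SecureDesktop)" }
    }
}

$p     = Get-ItemProperty -Path $PolicyKey
$level = Get-UacLevelName -EnableLua $p.EnableLUA -AdminBehavior $p.ConsentPromptBehaviorAdmin `
                          -SecureDesktop $p.PromptOnSecureDesktop

# Group membership: whoami lists S-1-5-32-544 (Administrators) even when UAC has filtered it
# to deny-only in this non-elevated token, which is exactly the account type the post means.
$inAdminGroup = [bool]((whoami /groups) -match 'S-1-5-32-544')

# Elevation: IsInRole only sees the Administrators group in an unfiltered (elevated) token.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    UacLevel                 = $level
    UserInAdministrators     = $inAdminGroup
    ProcessElevated          = $elevated
    UacSettingsChangePrompts = ($level -eq 'Always notify')
    MatchesBetaConditions    = ($inAdminGroup -and ($level -ne 'Always notify') -and ($level -ne 'UAC disabled'))
}

if ($ApplyAlwaysNotify) {
    if (-not $elevated) { throw 'Changing the policy values needs an elevated prompt.' }
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop     -Value 1 -Type DWord
    Write-Output 'UAC set to "Always notify"; changes to UAC settings will now prompt.'
}
```

Run it once without the switch to see the report; the policy write at the end is the same change the “Always Notify” slider position makes, and needs an elevated prompt.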

Update 4: Microsoft’s Jon DeVaan has posted a response on the official Windows 7 blog with an extensive look at the UAC system in Windows 7 and their decision on the default security policy. In conclusion, they continue to stand by their decision and do not indicate they will change the default UAC policy.

Update 5: Microsoft fixed this.

RSS-powered Windows 7 desktop slideshows

Desktop themes are making a comeback in Windows 7 with many new styling options to make sure it’s easy to create, mix and share your unique themes. And there are many already, including Paul Thurrott’s collection and various OS X inspired theme packs.

One of the new tricks to make your desktop “pop” (not literally) is the ability to run a slideshow as your wallpaper. Many already know you can select a couple of pictures to cycle through, or even a whole directory of (cute cat) photos, but did you know you can also exploit the power of RSS feeds?

Part of the new theme file specification in Windows 7 (first uncovered by Rafael Rivera) is the ability to specify an RSS feed as the source of slideshow images. To put this to the test, I created three themes that source images from the RSS feeds of various Flickr users who make their original high-resolution photos available to the public. If you have a copy of Windows 7 handy, feel free to download these and play along.

  • piser's Flickr Feed (photo credits: piser, Flickr)
  • daisybaxter's Flickr Feed (photo credits: daisybaxter, Flickr)
  • Kounelli's Flickr Feed (photo credits: Kounelli, Flickr)

The first time you double click to install the theme files you might find yourself enjoying nothing more than the default “beta fish” wallpaper; this is due to a number of bugs related to this feature. First of all, this feature uses the Windows RSS Platform, which automatically refreshes feeds and downloads feed enclosures in the background. Because this is a background process, it will take considerable time to download the high-resolution photos within the feed. But once the photos are downloaded, the theme does not automatically refresh to queue the new photos in the slideshow. A logout/login should be sufficient, but more simply you could open the theme control panel and toggle between two themes to force a manual refresh. I hope both issues are addressed in the final build for a more intuitive experience.

Another issue in the beta is the lack of any means within the themes control panel to specify a feed URL, so you will have to resort to a text editor to get the job done. If you fancy some RSS feeds of your own, add the following snippet to your .theme file.

[Slideshow]
Interval=1800000
Shuffle=1
RssFeed=http://www.fabrikam.com/Feed

Images must be an enclosure item in the feed for the slideshow to work. Unfortunately this means many feeds (such as the NASA Astronomy Picture of the Day) are ineligible.
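An added example, not code from the post: a small PowerShell check that applies the enclosure rule just described to a feed before its URL goes into a .theme file. Filtering enclosures down to image MIME types is my own assumption; the post only states that images must be enclosure items.

```powershell
# Added example, not code from the original post. Applies the rule the post states for the
# Windows 7 slideshow (only enclosure items count) and additionally keeps only image
# enclosures (my assumption) so a feed can be checked before its URL goes into a .theme file.
function Get-SlideshowImages {
    param([Parameter(Mandatory = $true)][xml]$Feed)
    foreach ($item in @($Feed.rss.channel.item)) {
        $enc = $item.enclosure
        if ($null -eq $enc) { continue }                # image only linked in the body: ignored
        if ($enc.type -notlike 'image/*') { continue }  # e.g. a podcast's audio/mpeg enclosure
        [pscustomobject]@{ Title = $item.title; Url = $enc.url; Type = $enc.type }
    }
}

# Constructed sample feed: one eligible item, one APOD-style item with the image only in the
# description, and one item whose enclosure is not an image.
$sample = [xml]@'
<rss version="2.0"><channel><title>Sample feed</title>
  <item><title>Sunrise</title>
    <enclosure url="http://example.invalid/sunrise.jpg" type="image/jpeg" length="1024"/></item>
  <item><title>Picture of the day</title>
    <description>&lt;img src="http://example.invalid/apod.jpg"/&gt;</description></item>
  <item><title>Podcast episode</title>
    <enclosure url="http://example.invalid/ep1.mp3" type="audio/mpeg" length="4096"/></item>
</channel></rss>
'@

$images = @(Get-SlideshowImages -Feed $sample)
"{0} of {1} items would appear in the slideshow" -f $images.Count, @($sample.rss.channel.item).Count
$images | Format-Table -AutoSize
# For a live feed: Get-SlideshowImages -Feed ([xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content)
```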

Whilst I can’t credit this functionality to Microsoft (Mac OS X has had both slideshow and RSS support for some time), it’s a very powerful idea that’s still in its infancy. Realizing RSS feeds are not limited to just photos, but could carry dynamically generated images with information visualizations delivered fresh to your desktop every day, sparks some interesting concepts. A desktop wallpaper that changes with the weather, maybe?

Tip: If you would like to increase the frequency at which the feed is refreshed (by default it is every day), you can manage your Windows RSS subscriptions inside the “Feeds” panel of Internet Explorer. Right click on the appropriate Flickr feed and click Settings to change the update interval.

Update: In the spirit of extending this functionality to more uses than just displaying photos, Jamie Thomson uses Windows Live FrameIt and some BBC feeds to generate a dynamic wallpaper with weather and news information. Even though it’s a bit ugly, it demonstrates a lot of potential.

Microsoft Learning spoofs “I love the whole world”

Early last year, the Discovery Channel launched a very popular television advertisement called “I love the whole world”. The theme of the ad is an original song based on the camping song “I Love the Mountains”. If you haven’t seen it, or would like to watch it again because it’s so awesome, here it is for reference.

As it turns out, “I love the whole world” can be adapted to many uses. Microsoft’s education and certification division, Microsoft Learning, took a stab at making a parody for itself. The video is officially described as “customers, partners, and Microsoft employees share what they love about learning.” More accurately, “geeks break into song and dance.”

And because this was so awesome, here is another parody made with Halo 3.

Now I’m tempted to make a version in Left 4 Dead. Ideas welcome.

Songsmith plus black metal, hilarity ensues

Songsmith is a very powerful tool, and likewise, with great power comes great responsibility. This is an example of using Songsmith responsibly.

A contestant on an Austrian “Idol” television program chose to sing “The Brimstone Gate”, a heavy metal song. Regardless of your opinion on heavy metal, it’s probably not something you should sing without accompaniment. Which is why one user decided to test the tolerances of Songsmith’s vocal detection engine and generate an accompaniment for him. The result is a Benny Hill inspired musical you just have to hear to believe. The timing is just spot on.

In case you were wondering what the original sounded like, without the uplifting accompaniment, click through if you dare.

Windows 7 marketing initiative outlined

There are great marketing campaigns, like 5.5 million views of a blender blending things on YouTube, and then there was “the wow starts now”. A job posting published today looking for a marketing manager to be responsible for the Windows 7 marketing campaign gives us some insight into how Microsoft plans to pitch the new kid on the block.

Take a leadership role on the team that will bring Windows 7 to market. Be a part of the launch and sustain marketing for one of Microsoft’s most important products – Windows 7.

We are looking for an experienced marketer to help launch, develop and drive key consumer marketing programs for Windows 7. In this core product marketing role on the Windows 7 consumer marketing team you will lead a cross discipline v-team and develop and execute programs in alignment with the marketing strategy. Key components of the initiative include:

  • Capture the consumer’s imagination and spark desire for Windows 7
  • Build confidence in the Windows brand
  • Establish an understanding of the Windows 7 benefits
  • Spark positive recommendations for Windows 7
  • Deliver on the brand promise of compatibility

This specific role will lead three key aspects of Windows 7 launch and sustain marketing:

  • Develop, own end-to-end, and drive key marketing programs including an advocacy plan – a key pillar to our strategy
  • Establish the engine and rhythm for the consumer launch including project management across the 20 v-teams to insure accountability, consistency and world class marketing
  • Manage pre-release marketing

If you’ve ever wanted to influence how we bring a world class product like Windows 7 to market in the consumer space this is your chance.

Whilst most of the initiatives are pretty predictable, “deliver on the brand promise of compatibility” is likely to play a big part of the Windows 7 campaign, especially since compatibility was one of the biggest concerns (and also most misconceptions) that plagued Windows Vista.