Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design”

Update 3: Microsoft has since addressed this problem by correcting the problem. In the more final builds of Windows 7, the UAC control panel will require elevation to change its options.

uacbrokenwindows7

I’m not too sure if Microsoft is on the same page as I am, but a Microsoft spokesperson has emailed me in response to the Windows 7 UAC security flaw I wrote about and demonstrated yesterday. In summary, Microsoft claims this is “not a vulnerability”, is intended behavior and again indicates will not be changed. No, your eyes are not playing tricks on you. They’re (again) indicating it will not be fixed in the final version of Windows 7.

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)

The whole reason why I had made the “issue” public yesterday was because private Windows 7 beta-testers were frustrated at how Microsoft treated their concerns, but it seems like it hasn’t changed.

What I do not understand is how they are treating the seriousness of this problem. The proof-of-concept VBScript Rafael and I had come up with was intentionally as obvious as possible. A malicious application could be much more silent and visually discreet, plus add in additional code to load even more malicious applications after a reboot then running with full administrative privileges.

Microsoft’s argument is entirely based on the user, which I agree to an extent – they have to download and execute such an application, but remembering this can be a low-privileged application so it would have no warnings what so ever.

How could a low-privileged application be able to turn off the entire privileged-applications security-layer not be a security flaw? Let me repeat, a low-privileged application, some people seems to have missed that. I just don’t get it.

In contrast, if they implemented a solution as I have suggested, even if a low-privileged application (without UAC prompts) tried to turn off UAC, there is a last line of defense just before UAC is turned off to give the user a second chance. One more chance than no chance at all.

Update: A reader has kindly asked me to highlight a particular condition for this to work, the user must be in the “Administrative” user group, and not in the “Standard” user group where they will be prompted for a administrative password. In defense of the seriousness of the issue, the Vista and Windows 7 default user group is “Administrative” and I’m sure that’s what most home users are running.

Update 2: Microsoft’s Jon DeVaan has posted a response on the official Windows 7 blog with an extensive look at the UAC system in Windows 7 and their decision on the default security policy. In conclusion, they continue to stand by their decision and does not indicate they will change the default UAC policy.

Update 3: Microsoft has since addressed this problem by correcting the problem. In the more final builds of Windows 7, the UAC control panel will require elevation to change its options.

146 insightful thoughts

  1. Look’s like they’re shooting themselves in the foot with this one. It seems as though they haven’t even bothered to try out the proof-of-concept. Honestly, I wish they hadn’t of bothered catering to those who despise UAC. They’ve opened a new can worms by doing so.

  2. I read Raymond Chen and his blog carefully, but I think this is infact a vulnerability, at the very minimum of ‘elevation of privileges’.
    Scenario: I download an app, know that UAC is at its default level, so in complete peace of mind, run it. The app surreptiously reduces UAC level, and relaunches itself with admin privileges and wreaks havoc.

    Uh Huh. This is a vulnerability.

  3. I guess “the WoW starts now”…yet again.

    @Microsoft: Please don’t ruin Windows 7’s image…it has such great potential…

  4. The response sounds arrogant. They are trying to imply, “u complained when we did that, now stop annoying us by telling us to fix this.” Win 7’s good run is running into troubled waters.

  5. I agree, it’s NOT a vulnerability but an obvious consequence of lower UAC security (bad choice to set this as default though).

    A simple advice for MS and Win7: for some critical settings I suggest to still force UAC requester in any case. This simple workaround will shut up all this polemic.

  6. Changing system settings should always be limited to Admins (=maximum UAC security level).
    If lame users don’t want that, well it’s at their risk.

  7. Let’s try not to overestimate the impact of this.

    UAC has always been disputable and I guess it will always be. There simply is no way to guarantee both security and usability on this level (no warnings at all).

    Please allow me to remind you that Vista’s problems were more than UAC alone and that 7’s strengths are certainly not limited to this less annoying version of UAC.

    I actually understand Microsoft’s reply; they’ve got security people at one side, screaming at them to fix this, and many millions of users at the other side, begging them to get rid of those irritating messages.

    But still, this is a security flaw and I hope Microsoft will reconsider implementing the solution Long has suggested: always prompt the user to make changes to UAC. It is not perfect, but I consider it to be acceptable. If Microsoft has any reasons not to implement that specific solution, I’d love to hear about them.

    Wouter Devinck

  8. Whatever happened to Windows 7’s principal of being trustworthy, and doing what is expected?

    I expect that changing UAC to require a prompt for downsizing the security at the least.

  9. Just a minute… Is this vulnerability any more serious than being able to send keystrokes to programs running with admin privileges? Is that even allowed?

  10. @Sushovan: It’s not that a program can send keystrokes to a program with admin privileges, it’s that you don’t need to be admin to turn UAC off, thus making all programs admin.

    Explorer running at medium can turn UAC off
    Other programs at medium can influence explorer.
    Therefore:
    UAC can be turned off by programs running at medium.

  11. Wow. I’m speechless. What’s the problem of just turn the UAC prompt always on for changing UAC settings? Some changes do always ask for elevation no matter what UAC settings you are using (e.g. starting regedit).

    So how annoying would this change be? How often do they expect us to change the UAC settings?

  12. After the security debacle that occurred around the pre XP SP2 era, I had finally begun to think that things have changed and MS was taking security seriously. I am really disappointed with this. This is a really serious problem, and shipping with this as the default will work against everything they’ve achieved with Vista. How can they be so blind?

  13. @Wouter:

    Your completly thinking the wrong way. This fight is not against the option to lower down UAC itself, or the less number of UAC prompts people get. We think that a great improvement.

    The issue is that loweing UAC doesn’t require UAC. What means that UAC by default is no UAC against malware, so it is an security issue.

    If only this window to loweing UAC requires UAC, then this security issue has been solved, and peopel still won’t be annoyed about tons of prompts. People aren’t going to change uac settings every minute u know.

    That’s the issue, and thats need to be fixed.

  14. What!

    If you or malicious code change the UAC level you are not asked for your admin password? Surely UAC is the last line of defence when all other measures (antivirus, firewall, etc) fail. Tell me I’m reading that wrong?

    It probably wouldn’t catch people like you or me but i’m sure i’ll be doing the 200 mile support trip to my parents when this bites them. Stupid truly stupid.

  15. Hey, that’s how NSA and other Gov agencies get into your computers and collect the data they want. Ask yourselves who is behind M$, Google, Apple,Oracle etc. Have fun being paranoic.

  16. The future is certain now. A malicious code will be released. UAC will be compromised. MS will have to release a hotfix to take care of the issue.

    But that is their emergency response procedure.

    After such an impressive run up to the RC and the RTM stages, wonder why they want to scew this up! A simple workaround would be to make UAC prompt necessary for any change in the UAC setting, irrespective of the UAC setting.

  17. Just making UAC settings changes require a prompt is missing the point – if any program can control the explorer window that alters the setting, what is stopping any program from altering *any* resource that requires admin right simply by choosing the built-in app that does so.

    IE. If a program can’t make a folder in program files without admin rights, but explorer can, then just use explorer to make the folder.

  18. Basically all this does is keep the honest program honest and does nothing to stop the dishonest.

    I would have expected this in Vista as a teaser to “real UAC” so as to better prepare for LUA, not the other way around.

    Shatter Attacks 2.0 here we come.

  19. Look, I get what Microsoft is claiming. And as an IT administrator, I’m not asking them to revert back to Vista-like annoyance, because I’m the one who is annoyed by it more than the average user when I have to double the amount of time to support an issue because of answering umpteen prompts.

    HOWEVER…

    All I want (and if I read correctly, I conclude it’s what Long is asking for as well) is ONE, SINGLE prompt IF AND ONLY IF the UAC security level is modified… otherwise behave EXACTLY as is currently designed. This is a simple conditional statement on their part and could be coded into their existing model in a very short time.

  20. Long,
    Could you please correctly update the article on UAC yesterday and this one to inform the general public of two very important things:
    A)  A ‘USER’, in terms of security implications, is someone who does not have ‘ADMIN’ privileges.B) The script does in fact NOT work when a ‘USER’ attempts to run it.  When a ‘USER’ attempts to change UAC settings, the ‘USER” is prompted to enter an ‘ADMIN’ password.
    Please see my further comments over at Dwight Silverman’s Techblog over at Dwight Silverman’s Techblog.
    If you want to get nitty about it, I guess ‘USER account’ and ‘ADMIN account’ should be used.  Unless there is a very good reason (and I can think of none), everyone should run their day to day tasks as a ‘USER’ on Win7 or Vista and when required enter the ADMIN password.
    I am sure you are aware of the important security concept of ’least privilege’, correct?  How about an article on that?
    MG

  21. @Master Guru: While it is true this does not apply to a “standard” user, the default and most common user group people use on their home PCs (who are at most risk) are “Administrator” users.

  22. Fowl is right. The original script can be changed to alter ANY Windows setting just by playing with the set of keys you have to press. It’s trivial to disable the firewall, for example, or any other critical setting.

    “Master Guru “: the problem is that in Vista, using an admin account for regular tasks was perfectly safe because an UAC prompt was always required for any privileged action. The default UAC setting in 7 defeats this achievement.

  23. One has to wonder if Microsoft would keep up this ‘by design’ BS if main stream media picked up on this story…

    Hint hint, Long. You could get on TV again… 🙂

  24. Well you all bitched about UAC in Vista and made it look like a huge issue as if you run admin utilities every 1 minute. And now you seem unhappy with the reply although UAC has been adjusted to match your moaning. I have to agree on this though, if the script is running, it means your antivirus is down/misssing or you are poking with the OS.

  25. daniel f., others,

    It was never OK to run day to day tasks as an admin in XP, nor is it in Vista or Win7. To reduce security threats I strongly recommend to run as a “user” for daily functions and not as an “admin”, especially when browsing or downloading files onto a computer from the internet. By running as a ‘user’ you can and will mitigate attacks. It is sound policy and is “by design”…

    Furthermore, if I may:

    I am quite frankly concerned about how contrite so many are about this seemingly simple fact: it appears clear to folks with half a brain that neither Long nor Raphael even tested their little piece of supposed “code” from a standard user account.

    This conveys to me a serious issue. Even supposed experts do not seem to be aware of whether they are running with admin privileges. This is why I call on MS to make the default account created at install a non-admin account. It also is the right thing to do.

    BTW, just for clarity, when you disable UAC completely from an admin account, you also disable it on all user accounts. I recommend that not be done.

    I again call on the whole of the blogosphere to stop spreading bad habits and to inform the general public of the right way to run day to day tasks, which is not as an admin, but “as a user”.

    Thank you,

    MG

  26. For me, this does not change my assessment of Win 7. I already run UAC with the lowest level of UAC, and I believe Microsoft’s stance on it is correct. They have implemented 3 separate levels of security Firewall -> Defender/Security Center – >UAC. The VBScript would have to surpass all three levels to then be activated by the user. Again security comes down to the person between the chair and the keyboard. I don’t open any program I havent explicitly downloaded for use. As a result, I’ve had no virii/malware/spamware issues since XP before SP2.

    I do know some of my friends and family members do not practice this way of being secure, but there really is no hope for them. I believe they should implement Long’s fix for it, but for the most part, I am very satisfied with the way it has been executed. I do not want to be prompted for a password everytime I want to perform an elevated action in Win 7. If i wanted that, I’d just use OSX… which I’m not to keen on using.

  27. Windows Defender is suppose to be the second defense when a malicious software pass the UAC. What the hell is Windows Defender doing in the background while VBScript is being executed? should it be stopping and warning user that VBScript is running in the first place because it’s trying to change the UAC setting.

  28. Well, Microsoft is right, this is not a flaw. Let me explain.

    As you have written only programs signed by MS can be run without UAC asking you, however there are a lot of control panel applets and other apps signed, so if you want you can achieve the same thing (modify windows files, install root kits, whatever), for example you could spawn cmd.exe and send some keystrokes for example (sc create… sc start…) , that way avoiding UAC. So removing certificate from this applet doesn’t solve any problems.

    The only flaw is Microsoft naming of this, they should have named it “Ask if some grateful malware want to infect your PC”.

  29. @Master Guru, I compoletely agree. I also run as a limited user, so this won’t affect me personally.

    However, 99% of people use the defaults, which means an admin account and the reduced UAC level. It’s their security I’m worried about. The fact that there are more secure configurations that mitigate this problem is nice, but not really relevant to our concerns.

  30. Another thing i found disturbing is Action Center not alerting user with a yellow or red bar that
    UAC is turn off. Basically user must click the security expand button to see wether the UAC is turn off. I think Vista security center alert user that UAC is turn off.

  31. @ “Someone”

    Let me clearify my comment.

    You say I’m thinking the wrong way, but actually I’m thinking two ways (Microsoft versus me).

    1. I said that we shouldn’t exaggerate the impact of this and I really hope you agree. This is a problem, but it doesn’t make Windows 7 worthless as some comments suggested.
    2. I said I understand Microsoft’s reaction and why.
    3. I said what my opinion is and that seems to be the same as yours.

  32. @Master Guru: I’m growing tired of your comments all over the blogosphere. Long and I aren’t as stupid as you imply. It’s very obvious a limited user cannot change UAC with the script provided. We get it, really.

    When Windows 7 ships, how many users do you think will demote their user accounts to limited user and create proper administrative accounts? Get real.

  33. Long,

    I had hoped you would be more prudent and accept this matter in a constructive light…

    Again, please use it to convey the importance of security (rather than blame me for your misgivings).

    I teach people how to NOT infect their machines, not how to…

    Have a nice day.

  34. @Master Guru

    You teach, I hope your clients can get their money back, really. The name actually suggests to have control over being an standard user or an admin user. Meaning, even if your logged in as an administrative user, programs and yourself aren’t really running as an admin untill you say different with UAC.

    This issue Rafael and Long are showing, is that Microsoft will give out software with no ‘real’ protection by default settings. Like 95% won’t change it, meaning that 95% is not protected that well as they are in Windows Vista.

    And yes, you can teach them to tell different, but people are always teached even from Microsoft that default security settings are the one recommended. For those people who need UAC protection, that UAC protection need to be on a good level. Something that it is not.

    The only thing new users should know is, if you get such prompt but didn’t expect it, press cancel. Else be totally sure the warning is about that thing you mentioned and continue. The current issue, skips that window.

    So Rafael and Long aren’t wrong, nor stupid. You are, because you think that because of your little class everyone knows that they need to create another account as standard user.

  35. I noticed you cannot find this article or any that linked to it on any major search engine anymore. I wonder why?

    Someone,

    If you read my comments I said clearly that what the blogosphere should be doing is teaching home users the correct way to run daily tasks….not sure what your point is, but I guess you know.

    Also, I never said I was a teacher, only that I tought people how to run a PC right. It’s a free country, assume as you wish.

    Perhaps what you should do is actually create a user account, use it, and you would see the differences. Everyone should.

    Lastly, I am devastated that someone called me stupid, devastated…as in: 2.To overwhelm; confound; stun: was devastated by the rude remark (but not really)

  36. From a standard Windows 7 installation, with UAC on at the default level, Windows Defender turned on, Action Center activated, this script works and disables UAC without any prompts.

    Some of you have said Action Center will subtly notify the user UAC is turned off, while this is true, remember at this time UAC is disabled completely. A malicious application running would have full-privileges and could do anything it wants, including disabling the Action Center, faking “UAC is on”, fooling the user into a false sense of security.

  37. I would also like long to state that this issue also implies the end user is running windows 7 without a security suite and even without a antivirus. what i see in Microsoft response and the why they are confident of this problem not being a problem is because mot user have a antivirus or a security suite running.

    It was also announced that OneCare will be no more. now it will be split into two separate programs:

    Windows Advisor

    for the tuning, maintenance, etc

    Windows “Morrow”

    a Free security suite..

    so i don`t understand what the fuss is with this. i have seen some of the dumbest users and the changes in they getting screwed from XP to vista were pretty big. more if they were Vista 64. the problems will be even less with Windows 7 64 and that even without a antivirus or security suite…

  38. The fact that Microsoft considers this to not be a flaw in its design is of concern, it is. Anything that allows a script to downgrade UAC cannot be a good thing. Perhaps it really is a time to “Get a Mac”.

  39. Master Guru: you don’t want to listen, that’s your problem. The default UAC setting was not broken in Vista. IT IS broken in Windows 7. Period.

  40. Are their any other reason why they can’t fix this security flaw? Great we have to wait for security suite to update the definition in order to stop the malicious software and without the definition update it’s pretty much useless on detecting the malicious software.

    I’m wondering if VBScript will be added in Windows Defender definition update list next week? Although i wish Any program that changes UAC setting should be detected by Windows Defender as malicious right away without requiring a definition update.

  41. Thank heavens for Win2K and WinXP without this UAC thingie. If I ever have to upgrade, I hope there will always be the option to turn off UAC for those of us who know how to take care of ourselves, thank you very much!

  42. Long, good find and good luck trying to get them to backdown and do what is right. I guess the motto of the day is: “The customer is always right, even when they are wrong.” The fact that they reply that this is by design, is just further proof of that.
    The whole UAC controversy has been a bunch of Power Users screaming their heads off because they suddenly got knocked down into userland. I always felt that the solution to the UAC usability control was to allow these power users a console that would allow them to work “Administratively” for the temporary time that they were working/troubleshooting the system.
    I even sat down and coded a little VB application in Vista that would allow this functionality, with only one UAC prompt, and with simple terms from the control panel for the applets. In short a classic control panel with only one UAC prompt.. I had hoped to see something like this in Windows 7, so the Power Users would be happy. I guess the solution was to sacrifice security for customer satisfaction.

    For those that are not worried by this exploit should remember it would not take much to turn Long’s code into an .hta file and have it run in IE. Whether you could get around the sandbox mode or not remains to be seen, until someone tries it.

    Anyone for a save Vista petition? 🙂

  43. Say what you will but i agree with Microsoft that this is by design. But I think that default setting should be prompt always.

    Why? well – you don’t want UAC prompts for system changes then why complain about only this. A rogue program can delete important stuff from your program files or windows folders or make any other changes to system without requiring prompts too using this very same technique. So why even care about UAC if you have in effect turned it off already since any rogue app can use this technique to use Windows Explorer or Control panel and hack around your system with ZERO prompts by UAC.

  44. UAC… lol.

    I think UAC does nothing even when it’s enabled or disabled. It’s just a mere kind of “notifications” or “alerts” to me.

    The thing is I have been using Windows VISTA and now Windows 7 WITHOUT UAC, WITHOUT ANTI-SPYWARE AND WITHOUT ANTI-VIRUS for 2 years and never got infected with one virus.

  45. MS is so ignorance in this case. If you can turn off UAC without a UAC promt, wouldn’t that defeated the purpose of UAC as well as average Joe’s security? Then why bother include UAC anyway.
    I like how they made UAC less annoying in 7 and now I do set it as lowest level. You dont want to know how many of my friends clicked on that “Look at yourself at the party last night http://www.your_name-party.com/pics” using live messenger and got a bunch of nasty stuff.
    With UAC, at least it’d warning a user the .exe maybe harmful with non-registered id and at least prevent it from taking full priviledge hence install crap/spy wares on one’s pc.

    We should do a petition on this matter. Long please start one. I bet the whole windows community will make MS re-thinking their decision.

    off topic: i totally dislike that OLD “open” icon still presents in windows 7 explorer.

  46. @Zm

    “The thing is I have been using Windows VISTA and now Windows 7 WITHOUT UAC, WITHOUT ANTI-SPYWARE AND WITHOUT ANTI-VIRUS for 2 years and never got infected with one virus.”

    If you dont have any anti-spyware or anti-virus programs installed, you cant say you’ve never been infected with absolute certainty, at most you can say, nothing of any real consequence has occured, not all viruses etc jump out and say HEY IM INFECTING YOUR PC AND DELETING THINGS HAI2U.

    Some effects are more subtle then decreased performance and files going missing…

    However I dont see UAC as a necessary at all if you take other precautions, but this seems to make the inclusion of UAC somewhat pointless without some default install changes.

  47. Well, it’s true some virus are in the ‘backyard’. But with essential programs like Sysinternals Process Explorer and Autoruns, it saves my computer.

    And if there’s any sluggish performance or abnormal loads, there I will suspect something.

    Also, I’d find UAC unnecessary too.

  48. This is without any question a really serious security problem and can’t understand why they won’t fix this issue. Ok, I agree with them that this is by design, but on the other hand what were they thinking when they designed such a useless UAC level.
    But I don’t understand why introducing a UAC prompt when changing the UAC settings should be enough to fix this. This does not solve the problem of having malware messing around with all your sensitive system settings. Maybe someone can explain that to me.
    In the meantime, here comes my suggestion:
    If I understand this right the core problem here is that windows can’t distinguish between the user sending mouse/key commands by using real devices or an application only simulating such actions.
    I personally think the best way to address this problem is by raising the integrity level of the configuration applets above medium (sort of between medium and high) and forbid applications with lower integrity level to send mouse/key commands (or messages in general -> I don’t know if this could break something) to applications with higher integrity level. Furthermore, changes to the filesystem or registry as changes to the UAC settings itself should (at this UAC level) always trigger a UAC prompt. This way it is guaranteed that no malware can use microsoft certified applications (like explorer) to install themselves (or manipulate their integrity level) or change sensitive system settings (firewall). In combination with the need for applications to be certified, this should (at first sight) preserve security. On the other hand, there is no need for the user to confront UAC prompts all the time if HID drivers run at the same raised integrity level. Conclusion: Everybody is happy 😉

    What ever they do, I really hope for themselves that they address this issue. Reading through the forums, Windows 7’s image is already kind of damaged a bit and I really don’t feel like I want to the spend the next years explaining people why raising the UAC level is the first thing to do on Windows 7.

    I agree with Nam that we should do a petition on this matter.

  49. Long, I’m not sure I’d call it a low-privileged program. It’s running at the same privilege as a user in the administrative group. That’s a high privilege user.

    Microsoft seems to be forgetting that the people who need UAC are the same people who need to be protected from themselves. As they mentioned, it would take “something else” breaching the system, or user consent.

    Users almost always give consent. I would wager that very few infections have been prevented by the Vista UAC model. Users are conditioned to give their consent and trust programs they run by the trustworthy programs they run.

    Am I saying that they should ditch UAC all together? No. I’m sure it provides a benefit to some people some of the time, but let’s face it: most of the people who would run a script/binary that disables UAC silently would also click “Yes, disable UAC” if prompted.

    The solution? Microsoft needs to not only exclude disabling UAC from the exempted list, but also design an overly helpful dialog that says “You or an application pretending to be you is trying to disable UAC. If you did not explicitly request, click no and blah blah blah blah blah”

    Not perfect but certainly better than trusting that users know what software they run.

  50. Long, could you please give me a hint where you have posted this security issue on microsoft connect. I’m new to the connect site and its a bit difficult to find.

    Thank you.

  51. @hux: There were several postings of the issue in the Windows 7 beta program, which is not a publicly accessible site.

  52. it is sooo frustrating that people always repeat always misunderstand security principles. this micosoft thing that answered your request is a stupid -beep-head.
    but in general we have to acknowledge that microsoft now understands secury much better that a few years ago and i think they understand it better than many companies now.

  53. Don’t release the code just yet. It’s the weekend, it’s SuperBowl. Give MS next week to fester a bit.

    I applaud your passion and what you want them to fix (and it does need fixing) but don’t cross that line.

    There’s no turning back once you do. Give the security and blogging community time to bubble up more.

  54. I have to agree I’m also extremely disappointed with MS’s response. I hope you do send this off to Ballmer – this could (and in fact most likely will) blow up in their face. In fact, if a hacker really wanted to embarrass Microsoft, they could release malicious “code” before 7 even launches, ready to go as soon as it’s released. And after seeing Raphael’s hilariously simple vbscript, it won’t require much effort.

    My mother always used to tell me, “if you don’t hear, you feel.” I certainly hope in this case they listen to their beta testers before this becomes the next best way to compromise Windows machines.

  55. It is by design — by poor design. They knew exactly what they were doing when they did this. Many people inside MS were against this decision, for precisiely this reason, unfortunately stupidity prevailed. Hopefully, just hopefully, they will come to their senses and change the default back to the most secure level (“secure by default” must be mantra).

  56. Long

    Well done to yourself and Rafael for bringing this out in the open. It can only benefit windows users down the track. Microsoft’s response to this issue was less than satisfactory. Keep up the good work.

  57. How could a “standard user account” be better than using administrator account? yes standard account is good to use to prevent people from changing setting that’s what it says in help and support. If i type in the administrator password and it’s a malware, I basically allowed the malware to make some changes and do the damage. I’m wrong ? will the malware still be limited on doing damage even tho i type the administrator password?

  58. Long,
    I understand and appreciate what you are doing. However, I respectfully disagree with your assertion about ‘normal’ users. All of the Vista and Win 7 PC’s in my house are setup so that everyone, myself included, are, in fact, ‘normal’ users. I have my ‘admin’ user, but rarely use it.
    I fear, though, that there may some fact in your assertion: people who buy those new PC’s with either Vista or Win 7 may not even put a password on the accounts. I know a few like that, despite my warnings. They cannot be bothered with entering a password, let alone clicking a few buttons to allow something. They deserve whatever they get.

  59. For those telling people not to release proof of concept; from what Microsoft is saying, it’s not a bug so the code isn’t doing anything wrong.

    It’s a beta anyway, vulnerability don’t have to be kept secret.

  60. What if the security permissions for “Solutions Center” service are denied in the registry after setting it to Automatic? At least then there’ll be a guaranteed notification.

  61. @Geogray: Not having a password is more secure in many cases as by default blank passwords deny all network logins.

    Blank > Weak

    The fact is that out of the box, in Vista, most programs are running with standards rights, on w7 they can gain whatever they like without any prompts.

  62. So you log in as the OS’s equivalent of root, you run some random program off the net and after it pulls a load of other malware, it turns off the (up till now silent) access control mechanism.

    Or am I missing something,

    Grandma Ubuntu

    CUPCAKES FOR ALL!!!!!!!!!!!!!!!!!!! Whoppee

  63. Please, give me a break…. I did not like UAC on Vista, but it gave me comfort that my wife could work peacefully. And she got used to it easily. I, on the other hand, disabled it completely.

    UAC has been criticized heavily by the same people who are now puzzled by the low degree of security. More or less the same level of XP (no complaints there as I remember correctly). Can MS ever do a good job or is everybody opposed by definition to their ‘listening to the users’?

  64. This bug renders the UAC *COMPLETELY USELESS*.
    It is exactly the security level XP was. The overhead for any virus is minimal.
    I think that Microsoft doesn’t understand this. Claiming that this is a “design decision” makes me wonder how stupid their software designers are. It can’t be so hard to make the UAC level switching a task with explicit confirmation through Secure Desktop!
    A more complete solution would probably be to differentitate between “real input” received from a user vs. “simulated input” by keystrokes sent from another program etc. The later could be enabled only by a security permission setting which could be set *with UAC prompt* by a user when the program calls such a “simulated input” function.

  65. Wont be long and people will be complaining when the os prompts them whenever they want to move their cusor. /facepalm

    Remedy for this is to not include any scripting components whatsoever in the base installation. Woohoo @ stuff now broken but it should be an optional component regardless.

  66. What I think MS should implement is a facility for distinguishing user generated inputs and program generated input and making that code path secure. An application could opt-in to have this behavior and know for sure that the user has initiated some input it receives. If they where to do this, control panels and OS preferences could be protected without UAC. As of right now I will most likely keep Windows 7 at the UAC level that Vista was at.

  67. @Fowl
    Yes, but the folks I know who do this never see the logins. They have complete access. Vista does attempt to protect the Windows and Program Files directories, but that is about it.

    Then again, they have no real networks, they are all single pc’s connected to a cable modem.

    At any rate, I see your point.

  68. @Long:

    “Some of you have said Action Center will subtly notify the user UAC is turned off, while this is true, remember at this time UAC is disabled completely. A malicious application running would have full-privileges and could do anything it wants, including disabling the Action Center, faking “UAC is on”, fooling the user into a false sense of security.”

    I think you are overstating the problem here. Yes, the malicious program will have admin privileges, but that does not mean that it can patch the kernel, as far as I know. Disabling the Action Center may be possible, but I don’t know about “faking UAC is on.” Maybe there is some clever way to do this, but the kernel should always report the correct status of UAC unless it has been compromised by a rootkit (which kernel code signing, DEP, and ASLR remedy). This is not to understate the problem; privileged code can do lots of nasty things like installing malicious drivers and keystroke loggers.

    Microsoft has decided that, if you ignore all the warnings about running downloaded executable script (remember IE and Defender will warn you about that), all bets are off. Whether this is a good decision is debatable, but this isn’t a flaw that doesn’t require user interaction, so it won’t receive the important treatment that more serious flaws do.

  69. @Patrick Jakubowski: But the layers of privileges is complete compromised. It’s not about the warnings, if I were told all applications are to be running in medium privileges and somehow they’re not without prompting me, that’s a broken model.

  70. Why don’t Microsoft listen? Why bother with a beta if they aren’t going to act on things like this!

  71. The users asked for it. Users wanted better compatibility with legacy applications (with all sorts of bad habits like spilling files and folders into the Windows folder), Windows XP threw away the default level of security that could have been achieved just like NT/2000, and defaulted all accounts to be Administrators. Windows updates are made, antivirus programs are used, Blaster came, SP2 beefed up and even added new security features. We all survived, we still have novices and some advanced users that are still swearing by XP today.

    Vista users asked for a UAC that is less annoying by default, and now we have this UAC that is seemingly insecure by default in Windows 7. The proof of concept applications is no EICAR or DFKTS, current antimalware programs are not obligated to detect it, but if an actual virus or malware tampers with the UAC settings, antimalware programs, including Windows’ built in Windows Defender, will probably detect it and remove it in no time, just like any other virus or malware.

    No computer is safe in the hands of an idiot. If they don’t know how to use a computer securely, they will get their computers compromised somehow. Even if something Blaster-y hit Windows 7 badly and Microsoft comes up with new security measures (User Account Control Control, anyone? :P) to beef up security just like how XP SP2 did, other flaws and security holes will be found somewhere else, and users with no sense of suspicion will still be able to have their computers infected after running “OMGLOL BUSH GOT HIT BY SH0E111.MPG.EXE” or whatever thing making use of the exploit.

    Yes Windows 7 might become another XP in the weakness of the default level of security provided, Apple might make some commercials about it, we might have to wait for Windows 8 to fix NT6 just like how Vista fixed NT5, yea whatever. For the extra security-conscious you can just set the UAC level higher in Windows 7, just like how some people choose to do their daily work only with a standard user account. For the rest of us istartedsomething readers and everybody who knows the basic do’s-and-don’ts of security, we can still use Windows, NT5 or NT6, in the way we are used to, securely and happily ever after.

  72. I think that part of the problem is the emulate-input DLL HOOKS in the Windows API, i think that Microsoft MUST provide a tool to disable some of this dangerous HOOKS.

    However in Windows 7 you can block batch and VB scripts with AppLocker in secpol.msc interface (also remember to start the AppID service and put it starting automatically).

    But this doesn’t defend you from the common executable files, pheraps I think this kind of “hack” can’t be hidden to the user.

  73. @Master Guru,

    “I noticed you cannot find this article or any that linked to it on any major search engine anymore. I wonder why?”

    Are you an idiot or just blind?

  74. Long,

    You have an update on this blog post pertaining to the latest engineering 7 blog on the UAC issue, and there are reports from computerworld.com microsoft has fixed/changed the UAC security hole in internal builds since the beta.

    Just to clarify: Your update to this blog really belongs in your earlier UAC post regarding the default notification level (?) and the UAC fix mentioned in computerworld refers to this one (?)

  75. UAC has been bugging me to no end in Vista and i’d rather have ’em throw it out before the Release of Windows 7.
    I hate it when my Operating System asks me thrice if I reeeeally reeeeally want to do what I just told it to by double-clicking on the app…

  76. I agree with Phil_123 taht No computer is safe if you don’t know hot to use it..but will ever MS do a good job on security? they should distinguishing user generated inputs and program generated input.

Comments are closed.