If I’m beginning to sound like a broken record to you, I respectfully ask you to hear me out for what I would hope is the last time.
I know from my own experience that large chunks of technical blabber on the topic of software security are not the most enjoyable reading experience. To help illustrate my point better, I’ve embedded above a very brief 2-minute screencast demonstrating the Windows 7 UAC code-injection vulnerability I’ve been touting. If you don’t plan on reading any further, please at least watch that.
Assuming you have some insights into how this code-injection vulnerability works, I want to elaborate on a couple points to reinforce my case.
Firstly, I want to touch on the nature of remote code-execution vulnerabilities and how they relate to this code-injection vulnerability. If you’re an everyday Windows user, you will without a sliver of doubt have come across the words “remote code-execution” (RCE) at some point in the past, or even as recently as today if you’ve applied your Windows patches, which cover several RCE vulnerabilities. In case you’re not entirely sure what it means, at the most basic level it describes a system executing code provided to it by a remote source without any intervention from the user. RCE vulnerabilities affect not only Microsoft products but also Adobe Reader, Mozilla Firefox and many popular third-party software packages that millions of users trust.
RCE by itself warrants some attention, but with the introduction of the default UAC policy in Windows Vista, the potential impact of RCE vulnerabilities was actually reduced, because the malicious code can no longer assume full administrative privileges; instead it is limited to the privileges the target application was running with, which in most scenarios was medium integrity or even low integrity, as in Internet Explorer. However, in conjunction with the default Windows 7 UAC policy and this vulnerability, the potential impact of RCE vulnerabilities is raised, as the malicious code executed could silently elevate itself to have much freer rein over the system than before. If this isn’t enough indication that the default security policy in 7 is worse than Vista’s, then I don’t know what is.
Secondly, besides the obvious malicious use for the UAC vulnerability, there is nothing stopping it from being abused by legitimate developers and their applications. After I suggested such a scenario in my original article, one such developer has already expressed interest in using this vulnerability in a way that will remove UAC prompts from his applications.
Now I’m fairly confident that this developer has the best intentions for his users, but what this means, if it is ever applied in practice, is that for the large majority of users who will use the default UAC policy, UAC prompts will be only a waste of their time. I say this because if some applications can elevate themselves with or without the user agreeing to a prompt, the prompt’s effect is nullified. To look at it in another light, under the default Windows 7 UAC policy it’s as good as having UAC prompts turned off entirely.
Last but not least, since Microsoft has known about this for half a year as well as indirectly acknowledged and ignored this vulnerability, I have asked Leo Davidson to release the proof-of-concept source code and test application into the wild for public scrutiny. If Microsoft is right in saying this has no security implications, then this should mean nothing. If they are not then, well, at least there is still time to do something about it. A month to be exact.
I realize Microsoft will not by any stretch of the imagination return Windows 7 to the Windows Vista “always on” mode of UAC; there’s too much to lose. What I would like is for Microsoft to acknowledge that there is an increased security risk in using the default Windows 7 UAC policy, and to communicate this to users where appropriate.
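For readers who would rather not wait for Microsoft, the difference between the default Windows 7 policy discussed above and the Vista-style “always on” mode is a handful of registry values under the UAC policy key. The following PowerShell script is an added example, not code from the original post or from Leo Davidson’s proof-of-concept: it reads the documented UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), reports whether the machine is in “always notify” mode, and provides a function to switch to it. The function names are this example’s own; the value meanings are the documented UAC settings, where ConsentPromptBehaviorAdmin = 5 is the Windows 7 default that prompts only for non-Windows binaries and 2 is “always notify”.

```powershell
# Added example (not from the original post): audit the UAC elevation policy
# the article compares, and optionally restore the Vista-style "always notify"
# behaviour. Registry path and value meanings are the documented UAC settings;
# the function names below are this example's own.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the three values that define how administrators are prompted.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 5 = Win7 default, 2 = always notify
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the dimmed secure desktop
    }
}

function Test-UacAlwaysNotify {
    # $true only when UAC is enabled, every elevation prompts (not just
    # non-Windows binaries) and the prompt is shown on the secure desktop.
    $pol = Get-UacPolicy
    return ($pol.EnableLUA -eq 1) -and
           ($pol.ConsentPromptBehaviorAdmin -eq 2) -and
           ($pol.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Must be run from an elevated PowerShell session; the change takes
    # effect after the next reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Report the current state.
Get-UacPolicy | Format-List
if (Test-UacAlwaysNotify) {
    Write-Output 'UAC is in the Vista-style "always notify" mode.'
} else {
    Write-Output 'UAC is NOT in "always notify" mode; run Set-UacAlwaysNotify from an elevated prompt to change it.'
}
```

Reading the values needs no elevation, so the audit half can be run by any user to see which policy a machine is on; only Set-UacAlwaysNotify requires an administrator, which is exactly the point of the prompt it restores.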
I’m not saying this is the end of the line for Windows 7; it’s an amazing operating system. But for Microsoft to simply ignore this seems irresponsible to me. There are so many people I’d like to evangelize the product to once it ships, and I’d hate for this to be one more thing I’d also have to mention.