Microsoft: Windows 7 Security 'Bug' Is a 'Feature'
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes "I Started Something," argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista's launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC's problems last year when it named it one of the five factors that contributed to Vista's slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also, said Rivera and Long, has been changed so that by default the feature is set to "Don't notify me when I make changes to Windows settings."
"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera in a post to his blog on Friday. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC -- one of Microsoft's most heavily-promoted security features in the last two years -- without involving the user, and -- since by default Windows 7 doesn't warn when such changes are made -- without the user's knowledge.
The pair created a proof-of-concept script that disables UAC, and posted it online.
"We soon realized the implications are even worse than originally thought," said Long. "You could automate a restart after UAC has been changed, add a program to the user's Startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."
Microsoft disagreed with Rivera's and Long's conclusion.
"This is not a vulnerability," said a Microsoft spokesman in an e-mail. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This [includes] changing the UAC prompting level."
The spokesman went on to say that the changes to UAC in Windows 7 were based on feedback Microsoft received from users, and noted that a script such as the one Rivera and Long created could only gain entry to a PC if the user downloaded and ran it, or if it was introduced as part of a broader attack. "In order for malicious code to have gotten on to the box," the spokesman continued, "something else [must have] already been breached, or the user has explicitly consented," the spokesman said.
Andrew Storms , director of security operations at nCircle Network Security Inc., took Microsoft's side in the discussion. "I would agree [that] it is functioning as designed," said Storms via instant messaging. "The word 'vulnerability' is probably misplaced in this case. [And] the point is that it had to have gotten on there and run by something...a user clicking, some third-party software, etc."
The Microsoft spokesman declined to answer a question about whether the company would alter UAC behavior in Windows 7 as it moves from beta to the next milestone, a release candidate. Long, however, noted that on the official feedback forum for Windows 7 beta testers, Microsoft has hinted that it will not change the UAC default settings.
In a follow-up entry posted Saturday , Long remained mystified by Microsoft's reluctance to address the issue. "What I do not understand is how they are treating the seriousness of this problem," he said. "Microsoft's argument is entirely based on the user, which I agree to an extent -- they have to download and execute such an application, but remember, this can be a low-privileged application so it would have no warnings whatsoever.
"How could a low-privileged application be[ing] able to turn off the entire privileged-applications security-layer not be a security flaw?" he asked.
Users can protect themselves by simply resetting UAC settings to the "Always notify" option. "Annoying, but safe," said Long.
To change UAC's settings in Windows 7, locate the control panel -- typing "UAC" in the Start menu's search field is the fastest way to bring it up -- then drag the slider up to the "Always notify" mark. Click OK.
Microsoft launched a public beta of Windows 7 three weeks ago, and recently extended the download deadline to Feb. 10.