Microsoft Changes Windows 7 UAC Due to New Exploit Code
A pair of Windows bloggers posted more proof-of-concept code today that subverts an important security feature of Windows 7 , a problem Microsoft knew about as long ago as last October and which one of its software engineers said would be fixed in the beta.
Today, however, the company said it had addressed the issue in post-beta builds that have not yet been released to the public.
According to bloggers Rafael Rivera and Long Zheng, hackers can easily piggyback on "pre-approved" Microsoft applications and code to trick Windows 7 into granting their malicious code full access rights to the machine. "This is a real threat," Rivera, who is also a developer, said in an interview today. "No reconfiguration of UAC is necessary."
At issue is UAC, or User Account Control, a security feature that prompts users for their consent before allowing tasks such as program and device driver installation to take place. UAC, which debuted with Windows Vista in 2007, has been modified by Microsoft in Windows 7 in an attempt to dampen criticism of the feature, which has been blasted by users as being too intrusive.
In Windows 7, UAC prompts the user less frequently, in part because it checks to see whether the application making changes to the system is pre-approved, said Rivera and fellow blogger Long Zheng . If the application is considered safe -- Microsoft uses a combination of a digital certificate and a new, undocumented flag to mark approved code -- UAC steps aside and "auto-elevates" the application without putting up a prompt.
The trouble, according to Rivera and Long, is that attackers can use one of several pre-approved applications to fool Windows 7 into giving a malicious payload full administrative rights, something it would not have if the user was following Microsoft's advice and running the operating system in standard user mode.
"Windows will ... automatically elevate the process to High Mandatory Level, executing your payload wearing an administrative hat," Rivera said in a post to his blog early this morning.
The danger, he and Long argued, is real and significant. "Existing malware can be easily tweaked to accommodate the new weaknesses in Windows 7," Rivera said via instant messaging today.
Although Rivera and Long reported their concerns to Microsoft, that was not the first time the company faced questions over Windows 7's implementation of UAC. In late October, just days after Microsoft handed out an early version of the new operating system to developers at its Professional Developers Conference (PDC), users running the preview began debating UAC's weaknesses on Microsoft's own Channel 9 Web site.
In a message thread titled "Windows 7 UAC crippled -- I broke it already!" users criticized the changes Microsoft had made. "They're going way too far in the opposite direction now," said Sven Groot. "You might as well not have UAC at all and put up a sign 'malware welcome!' or something." That same day, Richard Turner, who identified himself as software development engineer in Microsoft's Visual Studio group, defended UAC in Windows 7, and said that problems would be fixed before the company released a public beta.
"To your specific point about UAC and auto-elevation," said Turner, "in the PDC build, all Windows apps can auto-elevate when you set the UAC slider to the default level. However, this won't be the case in Beta. For Beta, Windows components that can execute arbitrary code and or apps (e.g. CMD, CSCRIPT, WSCRIPT, PowerShell, etc.) are prevented from auto-elevating.
"Thus, your example won't work in the beta and beyond. This has been validated on machines running more recent builds," Turner promised.
Long, who spotted the Channel 9 thread from October and linked to it in his blog, only added, "I guess they overlooked things then."
Rivera also took exception to Microsoft's response yesterday, when the company dismissed the initial report of UAC problems. Then, the pair noted that it would be easy for hackers to disable UAC without the user being any wiser, effectively ditching one of Windows most-aggressively-promoted security features. For its part, Microsoft downplayed that threat, with a spokesman saying, "In order for malicious code to have gotten on to the box, something else [must have] already been breached, or the user has explicitly consented."
On Vista, said Rivera, a typical home user is protected by UAC's prompts. "In this scenario, if the user has malware breach the outer layers of security -- for instance, he downloads and executes an innocent-looking e-mail attachment -- that malware is, in a general sense, confined to the permissions that user has.
"I understand 'something else' has to be breached ... I hear Microsoft loud and clear here," said Rivera. "The problem I have is that in Windows 7, this same user in the same scenario can have malware that can break its confinement to do administrative-level damage to the machine."
That, he said, pertains to both possible UAC attack avenues: the earlier one that disabled the feature and the newer one, which lets malware hoodwink UAC into thinking it's safe code.
The solution, said Rivera, is for Microsoft to revert UAC to its Vista behavior. "I understand some believe we're in a 'damned if you do, damned if you don't' dilemma," he said. "I can see where they're coming from. My personal feeling is to ship with UAC configured to behave like Windows Vista by default. It's a hard problem that won't be solved overnight."
But Microsoft's not going to take Rivera's advice. Late Wednesday, a spokesman said that the company had addressed the latest UAC concerns in post-beta builds of Windows 7. "No, Microsoft has not reverted Windows 7 UAC's behavior to mimic Windows Vista," the spokesman said in response to several follow-up questions.
He also downplayed the threat to people who have downloaded and installed the Windows 7 beta since its public launch Jan. 10. "We are not aware of anyone impacted by this issue at this time," the spokesman added.
Assuming Microsoft has closed the hole, the first time that most users will be able to obtain a patched or modified UAC will be when the company delivers the Windows 7 release candidate (RC). Although it has not set a timetable for that release, the head of Windows engineering last week confirmed that the OS is moving directly to that milestone from beta.
In the meantime, Rivera and Long have recommended that users change Windows 7's UAC setting to the "Always notify" option.