Windows 7 UAC Feature Still Vulnerable

raj11650

The Microsoft blogger who first called attention to a security vulnerability in Windows 7's User Account Control (UAC) feature claims it still exists and that Microsoft won't fix it, even as the company nears final code completion on the OS.

Long Zheng, who writes the popular "I Started Something" blog, has posted a video online showing how UAC, a security feature first introduced in Windows Vista that sets user privileges on a PC in Windows 7, can be exploited.

Zheng also pointed to an instructional document by Microsoft Technical Fellow Mark Russinovich that attempts to explain UAC, saying it clearly states that Microsoft has no intention of fixing a change it made in the UAC in Windows 7 that leaves the new OS less secure because it allows someone to remotely turn the feature off without the user knowing.

Zheng first pointed out this change and its vulnerability back in February. At the time he said that the new UAC "standard user" default setting, which does not notify a user when changes are made to Windows settings, is where the security risk lies. A change to UAC is seen as a change to a Windows setting, so a user will not be notified if UAC is disabled, which Zheng said he was able to do remotely with some keyboard shortcuts and code.
Read more

http://www.sevenforums.com/news/13614-windows-7-uac-feature-still-vulnerable.html
 

Basically, I am guessing that if they made the change he wants, then when toggling the setting you would get a UAC prompt, a small price to pay to fix the exploit, I guess.
 

So... is it safe or not?
 

I disable it myself anyway.
 

Please keep in mind, this is a bootkit exploit: someone has to physically sit down at your computer and use corrupted media to boot the system. It cannot be downloaded, emailed as an attachment, clickstreamed, hidden in a file for later execution, or any of the other ways people try to hack into your computer.

Also, keep in mind this is the same way into a computer that technicians use to wipe a forgotten password.

Quite frankly, I'm having a hard time understanding why people appear to have so much sand in their vaginas over this. If Someone Has Physical Access To Your Computer, Then What's Preventing Them From Simply Stealing The Hard Drive? Or Stealing The Whole Thing Outright?
 

Looks like some of us will need to go back to using an antivirus program full-time once again :mad:

I'm guessing the decision not to fix UAC is a direct result of people like myself, who have very good experience using computers and do not use an antivirus. I can identify trojans and viruses before they are executed and have been able to run without an antivirus for two years now without a single infection, while downloading at least 80 GB of data a month (at least I do :p). I've tested my system each time a new AV product version has been released and have not found one infection in two years, and I can thank UAC for giving power users the ability to dump their AV permanently, like myself and others have.

Why change a perfectly good security model just for (noobs!) one that completely defeats the purpose of putting it into the system in the first place? It's not like users can't find and change UAC settings :mad: If it's not fixed then it should just be removed, because no one will continue using it, especially if it doesn't offer the security it once did and what people have come to expect.

Microsoft seriously needs to prevent any automated tampering with UAC controls by applications; otherwise it's not worth anyone ever using, and as it stands right now, UAC is dead weight and offers users nothing for the annoyance it causes. I will disable it on all machines I build and sell in the future and advise customers it offers them zero protection :cry:
 
UAC is useless? HA! I knew that when I first used Vista. I thought to myself, "you gotta be f%*kin' kiddin' me." Now it serves as nothing more than a placebo. I think if you have a firewall, a decent AV, and anti-spyware, you'll be fine. UAC is just another annoying "feature" MS throws in there to herd sheepish consumers (no offense folks).

XP didn't have it, and I've only gotten a few viruses, but that was due to my own stupidity. Most of which were catastrophic... like I said... my bad :D
 

I think that UAC was created to prevent unauthorized changes to your computer. If someone can turn it off without being authorized to do so, then that's just plain ironic, as well as useless.

For years, Windows has been the choice of computer companies around the world. Back in the '90s, UAC didn't exist, and people didn't have many problems. I think UAC is overrated, but it can be handy when you go to one of those websites that you just can't trust.
 

UAC is a royal pain; it simply gets in the way. At least the screen does not flicker away as it did in Vista...
 

I think you'll find the default setting for UAC on 7 is the same as in Vista.

That is not susceptible to this type of exploit.

It is only if you turn it down (no darkened desktop) that it becomes less secure - obviously.

MS are simply giving people the choice.
 

You see, I thought that the default setting was one level lower than the Vista UAC setting.
 

They have reduced the number of prompts required in some multi prompt scenarios involving Windows applications.

The behaviour for non-Windows elevations is the same as it was for Windows Vista.
 

> I think you'll find the default setting for UAC on 7 is the same as in Vista.
>
> That is not susceptible to this type of exploit.
>
> It is only if you turn it down (no darkened desktop) that it becomes less secure - obviously.
>
> MS are simply giving people the choice.

The default Vista setting is High; Windows 7 uses one level down, which permits the majority of Microsoft's software to run without prompting. You can also turn off ScreenDarkening without affecting any other UAC policy via the Local Security Policy settings ;)

> They have reduced the number of prompts required in some multi prompt scenarios involving Windows applications.
>
> The behaviour for non-Windows elevations is the same as it was for Windows Vista.

Unfortunately no, Microsoft are able to reduce the amount of prompts by checking executables for a specific Microsoft signature and auto-elevating any signed executable that matches that signature.

UAC is completely different from Vista's UAC. A non-Windows application can gain administrative permissions without a single prompt with Windows 7's default configuration, hence why these changes have become a big issue; on Vista it can't be done.

Microsoft have always said UAC is not a security feature. It used to be on Vista, but it's not on Windows 7. It will not prevent an application from gaining administrative permissions even if you deny consent to the elevation.
 
Thanks dmex,

I was quoting from Mark Russinovich:

> we reduced the number of prompts in several multi-prompt scenarios (for example, installing an ActiveX control in IE)

He also said this:

> we further refactored the system such that someone with standard user rights can execute more tasks.

> The reason that elevation of (most) Windows executables in the two middle settings doesn't result in a prompt is that the system "auto elevates" Windows executables... it must be digitally signed by the Windows publisher, which is the certificate used to sign all code included with Windows (it's not sufficient to be signed by Microsoft, so Microsoft software that's not shipped in Windows isn't included); and it must be located in one of a handful of "secure" directories. A secure directory is one that standard users can't modify

and this:

> The behaviour for non-Windows elevations is the same as it was for Windows Vista... From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode")

So it is the middle one that might be problematic, I suppose.

He might be trying to downplay the risk. ;)
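The two posts above turn on two checkable facts: which slider level a machine is actually on (dmex's "one level down" versus "Always notify"), and which executables the default level auto-elevates under the conditions Russinovich lists (Windows publisher signature plus a secure directory). The PowerShell audit below is an added example, not code from the thread, from Long Zheng or from Microsoft. It reads the registry values the UAC slider writes (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and then lists System32 executables whose embedded manifest contains <autoElevate>true</autoElevate>, showing the signer so the "Windows publisher" condition can be verified. The level labels, the choice of System32 as the directory to scan, and the assumption that the manifest text can be found by a raw ASCII search of the file are this example's own.

```powershell
# Added audit script: not from the thread, not Microsoft's code.
# Assumptions (not stated in the thread): Windows 7 or later, PowerShell 2.0+,
# run from an elevated prompt. Value meanings below are the documented
# ConsentPromptBehaviorAdmin / PromptOnSecureDesktop / EnableLUA policies;
# the level names are this script's own labels.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

function Get-PolicyInt {
    # A missing value means "OS default"; the caller supplies that default.
    param($Object, [string]$Name, [int]$Default)
    $v = $Object.$Name
    if ($null -eq $v) { return $Default }
    return [int]$v
}

$enableLua = Get-PolicyInt $policy 'EnableLUA' 1
$consent   = Get-PolicyInt $policy 'ConsentPromptBehaviorAdmin' 5
$secureDsk = Get-PolicyInt $policy 'PromptOnSecureDesktop' 1

# Slider position -> (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop)
#   Always notify ("Vista mode")                            : 2, 1
#   Notify only when programs try to make changes (default) : 5, 1
#   Same, but do not dim the desktop                        : 5, 0
#   Never notify                                            : 0, 0 (EnableLUA 0 after reboot)
$level = if ($enableLua -eq 0 -or $consent -eq 0) {
    'Never notify: UAC is off'
} elseif ($consent -eq 2 -and $secureDsk -eq 1) {
    'Always notify: every elevation prompts on the secure desktop'
} elseif ($consent -eq 5 -and $secureDsk -eq 1) {
    'Default: Windows binaries auto-elevate, secure desktop on'
} elseif ($consent -eq 5 -and $secureDsk -eq 0) {
    'Windows binaries auto-elevate, secure desktop OFF'
} else {
    "Custom: ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secureDsk"
}
Write-Output "UAC level: $level"

# Second check: which executables carry <autoElevate>true</autoElevate>?
# The manifest is stored as plain text in the PE resource section, so a raw
# byte search finds it without parsing the resource tree (assumption: the
# element is not split or encoded in a way that defeats an ASCII search).
$system32 = Join-Path $env:SystemRoot 'System32'
$ascii    = [System.Text.Encoding]::ASCII
$autoElevate = @()
foreach ($exe in Get-ChildItem -Path $system32 -Filter '*.exe' -ErrorAction SilentlyContinue) {
    try {
        $text = $ascii.GetString([System.IO.File]::ReadAllBytes($exe.FullName))
    } catch {
        continue    # locked or unreadable file; skip it rather than abort the scan
    }
    if ($text -notmatch '<autoElevate[^>]*>\s*true\s*</autoElevate>') { continue }

    # Auto-elevation also requires the Windows publisher signature (CN=Microsoft
    # Windows), not just any Microsoft certificate, and a directory standard
    # users cannot write to. Report the signer so an odd entry stands out.
    $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    $autoElevate += New-Object PSObject -Property @{
        Name             = $exe.Name
        SignatureStatus  = $sig.Status
        WindowsPublisher = ($signer -like 'CN=Microsoft Windows,*')
        Signer           = $signer
    }
}

Write-Output ("autoElevate executables in System32: {0}" -f $autoElevate.Count)
$autoElevate | Sort-Object Name | Format-Table Name, SignatureStatus, WindowsPublisher -AutoSize
# Caveat: catalog-signed files can show NotSigned on older PowerShell builds,
# which check only embedded signatures; that is a tooling limit, not a finding.
```

Run it in an elevated PowerShell on the machine in question. If "UAC level" reports anything other than Always notify, the list that follows is the set of binaries that elevate without a prompt under that level, which is exactly the surface the thread is arguing about; an entry whose WindowsPublisher column is False in a directory standard users can write to would deserve a closer look.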
 

I disabled UAC anyways. Plus barely anyone would want access to my **** computer in the first place lol.
 

> I disabled UAC anyways. Plus barely anyone would want access to my **** computer in the first place lol.

eeh..heerm
See my specs... :D
I'm hoping some hacker will feel bad for me and use my credit card to buy me a new computer.
 

> eeh..heerm
> See my specs... :D
> I'm hoping some hacker will feel bad for me and use my credit card to buy me a new computer.

Haha, I have an eMachines T2682 and a T2893 right next to me, from like 2006.
 

> Haha, I have an eMachines T2682 and a T2893 right next to me, from like 2006.

MFC date on my MoBo is 2004, downright dinosauric by technology standards.
 
