Long Zheng of I Started Something has uncovered a flaw in Windows 7's UAC that means malware can elevate itself to administrator privileges. This news comes after a previously discovered flaw in Windows 7's new tiered UAC system that meant malware could disable UAC silently. Zheng has stated "a second UAC security flaw in the Windows 7 beta's default security configuration allows a malicious application to autonomously elevate themselves to full administrative privileges without UAC prompts or turning UAC off", which is bad news for Microsoft. It is also bad news for everyone currently running the Windows 7 beta, leaving them with a security risk. Zheng recommends that anyone currently using Windows 7 set their UAC level to High to reduce any potential problems. For more information on how to set the UAC level, please read our UAC overview.
Windows 7 has the ability to allow Microsoft-signed applications to become 'trusted' by UAC, reducing the number of UAC prompts. However, certain Microsoft applications can execute third-party code, which, while being for legitimate reasons, can be exploited for malicious purposes. This can fool the average consumer, as they would (correctly) assume Microsoft products are safe, and that then has a flow-on effect, leaving them assuming that any code run within Microsoft products is also safe.
Microsoft has not commented on this latest flaw, but last week Microsoft denied that the original flaw was a risk. Rumors are that it will be addressed internally and that Microsoft will be making a statement regarding these issues.
For more information on this risk, and a non-malicious file to try this flaw for yourself, head over to Within Windows to check it out.
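As an added example (my own script, not part of the article or of Long Zheng's write-up), here is a PowerShell check that reports which UAC level a Windows 7 machine is effectively running at and whether it sits below the "Always notify" level the article recommends. The registry path and value names are the documented UAC policy settings; the mapping of value combinations to slider positions and the function names are my own.

```powershell
# Added example (not from the article): audit the UAC configuration of this
# machine and flag any level at which Windows binaries auto-elevate without
# a prompt, which is the precondition for the flaw discussed above.
# Path and value names are the documented UAC policy settings.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey

    # EnableLUA = 0 switches UAC off entirely (takes effect after a reboot).
    $enabled = ([int]$p.EnableLUA) -ne 0

    # ConsentPromptBehaviorAdmin, for an account in the Administrators group:
    #   0 = elevate silently
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop   ("Always notify")
    #   3 = prompt for credentials on the normal desktop
    #   4 = prompt for consent on the normal desktop
    #   5 = prompt only for non-Windows binaries        (Windows 7 beta default)
    $behavior      = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = ([int]$p.PromptOnSecureDesktop) -ne 0

    $level = if (-not $enabled)                          { 'Never notify (UAC off)' }
             elseif ($behavior -eq 2 -and $secureDesktop) { 'Always notify (Vista-style)' }
             elseif ($behavior -eq 5 -and $secureDesktop) { 'Notify only for non-Windows binaries (Win7 default)' }
             elseif ($behavior -eq 5)                     { 'Notify only for non-Windows binaries, no secure desktop' }
             elseif ($behavior -eq 0)                     { 'Elevate silently' }
             else                                         { "Custom (ConsentPromptBehaviorAdmin=$behavior)" }

    # Windows-signed binaries auto-elevate at every level except the ones
    # that always prompt (1..4); with UAC off, everything elevates.
    $silentElevation = (-not $enabled) -or ($behavior -eq 0) -or ($behavior -eq 5)

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        EffectiveLevel             = $level
        SilentElevationPossible    = $silentElevation
    }
}

function Set-UacAlwaysNotify {
    # Equivalent of moving the Windows 7 slider to the top position.
    # Must be run from an elevated prompt; writes to HKLM.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1
}

# Report only; call Set-UacAlwaysNotify yourself if you want to apply the change.
Get-UacState | Format-List EffectiveLevel, SilentElevationPossible, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```

On a default Windows 7 beta install the report shows `SilentElevationPossible : True`; after `Set-UacAlwaysNotify` (or moving the slider to the top in Control Panel) it shows `False`, which is the state the article recommends until Microsoft ships a fix.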
Exactly. The irony is that most of the people that cried about how insecure XP was also called for the nerfing of Windows 7's UAC, and as a result Windows security has taken a big step back in time.
Really? Is this about the same demographics?
Otherwise this is a common fallacy to make. Usually it's about different groups complaining. One group of people wants less security for convenience, another group is more security-minded. Not hard to understand at all. And the reason you hear mostly complaining is because people who are satisfied don't usually shout that out. (So, for the same reason, it's never a good idea to read forums on hardware support, because you'll most likely only see angry users even if it only affects 0.1% of shipping hardware.)
Good point sir.
I hope so. Long Zheng's Twitter posts seem to hint it's just the tip of the iceberg. Microsoft says "we did what users told us to".
And now we have to live with that. FFS.
By DESIGN, won't FIX
If relying on WD to prevent malicious code is the answer, then why have UAC?
UAC must be able to prevent unauthorized code from elevating itself. If it can't, then it is broken. WD is a 'safety net' in this situation, not the primary means of defense. It is reactive, not proactive.
Vista's UAC rocks!
Win7's UAC sucks!
I couldn't agree more.
Vista UAC sucks. My neighbor got a new system and within one week of use, they got a virus and malware that locks up the computer. The girl, about 7 years of age, used the computer while the father was away. He came back from a trip and told me to troubleshoot. The virus locks out ALL admin-privileged accounts and demotes the Admin privilege down to a "Guest". It was tough to troubleshoot and get rid of the virus. I would have done it, but with a lot of time. He did not mention if he's gonna pay me, so I told him off.
Well if someone is going to hit ok then there is nothing to be done for it. With UAC the only way to get a virus is for the user to allow it.
Should have made the girl a low privilege guest account.
My part is, if I don't get paid, walk away.
I think some viruses can exist in user spaces and not need administrative privileges to still be nasty. They are easier to remove... but in the end of the day my most critical data is the data that is stored in my user space. A virus should not need elevated privileges to destroy that data.
Viruses in today's world IMO aren't built to destroy data. They are built to make money.
So the end result is mostly people complaining, but different audiences. The problem here is that Microsoft is listening too much to a group that was just unaccustomed to UAC. You really don't get many UAC notices once the system is set up and running.
I copy various things to my Program Files folder; it's a place for storing programs. Putty comes to mind, it doesn't have an installer. I also have to paste over configuration files for certain apps that I use. It's about the only place I find UAC intrusive in Windows 7. :/
Hate to break it to you, but putty does have an installer at http://www.chiark.greenend.org.uk/~sgtatha...y/download.html .
You're moving a file from a drive with one set of permissions to one with different user tokens. It should prompt you for that. Any 5 year delay you're having is probably a hardware issue if it's for one picture.
This seems to be a lot easier to exploit than sending simulated key presses.
Note: Someone on Long's istartedsomething says this has been corrected in later builds. However, we don't know how Microsoft solved this issue, considering that there are many Microsoft-signed applications that can potentially be used to run third-party code with admin privilege without UAC prompting.
Last edited by KevinN206 on 04 Feb 2009 - 08:49
A Low IL application *cannot* elevate itself by these mechanisms, nor turn off UAC, etc.
I assume what Long is talking about is Microsoft-signed Medium IL applications only?
Yet another example of the user's carelessness that I don't expect UAC to be able to fix.
Again, the main point is that third-party code can use Microsoft-signed applications as a proxy to run itself with admin privilege WITHOUT getting a UAC prompt. This essentially bypasses the UAC protection at the default setting.
But as Brandon Live mentioned above, Low IL cannot do so. But any program run as a standard user, I believe, can use this bypass mechanism. Someone already mentioned that this flaw was fixed in later builds, but we don't know yet how it's fixed.
From the article, rundll32 is a public utility program whose job is to execute arbitrary code. Trusting a program and running it while KNOWING that it does the auto-elevate "trick" is equivalent of pressing on the "ok" button in the UAC prompt already, the UAC setting just saves you one prompt. If you aren't sure whether you wanna trust a piece of software to not do what it is not supposed to do like using such "tricks", the default UAC level is not for you.
With that aside, I am amused by everyone believing everything others say in the comments in some blog. "Someone" who says the flaw was fixed has no bearing on what MS is actually doing, unless he can prove his words with facts (which I would certainly welcome).
But isn't it a security problem if a third-party code can execute with admin rights without getting UAC prompt, even though UAC is enabled by default at that setting? The trustworthiness of a program in question is not very relevant, because any program can potentially be malicious unless otherwise signed by trusted vendors. A user expects that if a third-party program is about to run, and it requires a UAC prompt to perform privileged operations, then the user should get a prompt. Isn't that what the article is about?
Just for fun, I ran the demo code and got the screenshot: http://img27.imageshack.us/my.php?image=ua...utprompteh3.jpg
The only prompt I got was the "download from Internet" warning.
Last edited by KevinN206 on 04 Feb 2009 - 10:10
In my opinion, it is not a security problem if third-party code elevates without a UAC prompt. It is a security problem if third-party code elevates _without user consent_. There are other ways of getting user consent than UAC prompts.
While you state that the trustworthiness of a program is not relevant, you argue that precise point by saying that programs signed by _trusted_ vendors are not likely malicious. I believe a reasonable user would expect that if he has given the consent to running the program from someone he trusts, Windows shouldn't need to ask him again.
By making this UAC level default, I can see how Windows is trying to shift some of the burden of identifying trustworthy programs to you, the user, because people always complained about "I know what I am doing so stop bugging me". Don't let Windows overestimate your intelligence.
Last edited by Nave on 04 Feb 2009 - 10:15
That's the whole issue with this UAC flaw. With UAC still on, even though I chose to run said third-party application, I do not want it to silently elevate itself. I at least want the option for it to prompt me for elevation.
The whole "I know what I'm doing so shut up" mentality is just ignorant. One of the effects of UAC is to let YOU know what YOUR pc is doing.
Hmm, I wonder why nobody called out the people who had that mentality during Vista...
If you really are that paranoid, set the UAC setting to its highest.
I have offered a fix for the immediate future (crank your settings up). Whatever MS decides to do is up to them. I would argue that if actions can be taken so that you can make things work the way you want it, there is no flaw. I do see however that this discussion is going nowhere, so let's just agree to disagree with each other.
Yes, Linux has it, and Linux was designed from the ground up with various user privilege levels in mind, penalizing users with a "sudo" if having to raise them. This never happened in anything pre-Windows Vista, which caused lazy devs to assume "admin" status, and hit Vista much harder than Linux.
WinNT was also designed from the ground up with various user privilege levels in mind
Before Vista we just got "Run as" instead of UAC.
The flaw is they need to keep it as tight as it was in Vista and not listen to people like you.
Linux and others have everything to do with this particular comment. Vista is following in the footsteps of sudo with UAC, and like sudo, it is (or at least used to be) a massive security benefit. If it's a "PITA" for Windows users, why is it not a "PITA" for Linux users?
Laziness is exactly what is wrong with us Windows users (me being one of them). We took for granted the fact that we could do anything we wanted with our OS without "PITA" elevation, and as a result we ended up with elevation because we couldn't be trusted with the freedom (Malware, etc). Sure at first it wasn't our fault, but after XPSP2 it was.
Additionally, it's the fault of the Lazy devs who assumed admin privs for everyone for UAC being a PITA, not Microsoft.
Good god, can you not read? You just replied to a whole line of "so what" answers! It's "so what" because Linux and OSX have been prompting for elevation for ages and it's just not an issue.
Last edited by KevinN206 on 04 Feb 2009 - 09:50
Then Linux and OSX suck too because UAC has been in them for years.
Did you quote the wrong person? lol
We've never complained about those two particular implementations of the concept. They work quite well. I'm not sure why Windows users can't get used to it. Unless UAC pops up when it really shouldn't.
He clicked the right quote (98SExpert), but the news quoting is a bit broken.
http://www.pcworld.com/businesscenter/arti...tests_find.html
+1
It doesn't. I only see UAC prompts when I run the defrag tool manually now. I haven't had an elevation prompt other than that in months.
+2
I dunno. I saw this drunk driver going 90+ mph on the highway. Rammed into the guard rail and the car flipped at least 3 times in the air before landing upside down. The driver, also not wearing a seatbelt, was tossed out of the vehicle where he immediately got up, ran, jumped the guard rail, and stopped to look at the vehicle. His friend was in a seatbelt and was unconscious in the car.
I don't really have a point here, other than seatbelts do not always protect you. I suppose that could fall in line with UAC, as it won't protect you if you're going to drive drunk (that is, be retarded) anyhow.
Obviously you reap what you run but I thought that part of the whole f*cking push to x64 hardware/OS/software was a system (kernel) which was, at least somewhat, locked-down.
Forgive my silly backwards thinking, but the major selling point of x64, for me, was increased security and performance rather than simply the ability to address more RAM. It's a selling point so prevalent that when coupled with the increased memory should be pushing everyone everywhere into x64 operating systems and hardware/software. (right?)
I guess the best question to ask these days in regards to any OS is: If there is a supposed security benefit from using x64 over x86 then why aren't we seeing more flaws broken-down into which ones harm which architecture? And if the answer to that is that they are, in fact, relevant to both architectures then why the big push towards x64 with regards to security?
Last edited by Aahz on 04 Feb 2009 - 11:00
Nobody is forcing you to use x64, if you don't think that it's any more secure than x86, then that's up to you if you want to use or not.
It's not about Windows 7 or UAC per se, but rather the overall push towards x64. Basically every OS that you could possibly care about comes in an x64 flavor at this point, and security was supposed to be one of the major pillars of that hardware push.
But that selling point hasn't exactly panned out in regards to there being a clear distinction between flaws which involve one architecture vs. the other, or rather those reporting said flaws have made basically zero distinction. (Perhaps simply because there is none to be made.)
You will, soon enough, be forced to migrate to x64 whether you like it or not. If you want to address 'X' amount of RAM in OS 'Y' then you simply have to use x64 so the inevitable push/switch is, and always has been, built right in. (the same can be said for 128-bit down the line)
My gripe is with tech people, who for years and years, have cited security as a major reason to move to x64 but yet I'm still seeing the same flaws, the same holes, the same exploits, the same patch Tuesday bombshells that I have been for ages and next to none are harmless to x64 systems.
No doubt MS will 'fix' them, or just make the default UAC level the MAX.
+1
A cracking statement!
Try reading the comment thread.
To recap: People complained about UAC in Vista, and Microsoft listened to user feedback and dumbed down UAC in 7, which now opens up issues that Microsoft knew about in Vista (apps disabling UAC by emulating a keyboard, for example).
Microsoft probably should ship it with UAC at its highest settings if they decide not to address the issue; it's a bad place we've all put MS in. I never found Vista's prompts annoying; I've even turned off UAC because I watch what I click, and I don't stray off into corners of the internet I shouldn't.
All that said, I'd like to see MS address the issue once again. Like I said, requiring an admin password to change these settings is the key; it's nothing to enter a password and it would actually vastly improve UAC IMO.
MS will probably set the default level to MAX for RTM - seems the logical thing to do now and if they are not going to fix the last issue then adding another bullet point informing the user that this setting may not 100% protect them (in other words) may be needed.
Edit: Seems that, after reading comments over at istartedsomething, MS has addressed the previous problem in the latest internal builds, so no doubt this one will also be 'addressed'. whatever that involves.
Last edited by bbfc_uk on 04 Feb 2009 - 14:44
+1
A vulnerability has been identified in sudo which allows a sudo-user to execute arbitrary shell commands as root (CVE-2009-0034).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034
http://www.derkeiler.com/Mailing-Lists/Ful...2/msg00032.html
Last edited by jamesVault on 04 Feb 2009 - 15:51
*nix systems are no less aggravating than UAC. They prompt for the exact same reasons: The program is trying to access something that requires administrative rights.
I've never heard of anyone complaining about the UAC in Linux or OS X. Ever.
UAC in Windows is implemented differently.
Last edited by LTD on 04 Feb 2009 - 17:55
Nope. It is exact same thing.
No, it's not.
Linux users have always really had it so they are used to the idea of having to run things as root and not using root by default.
OS X probably had complaints at the start, but knowing Apple they would have just PR'ed it to death and deleted the posts from their forums, and even probably used the lawyer dogs to aid in their endeavors (most sites will delete and not risk having issues with Apple regardless of their rights).
Now though the idea has sunk in more, and because backwards compatibility was not the best for OS 9 apps they, in a way, wiped the slate clean of crud admin-based apps. This means a more painful launch, more than likely, for OS X (and there were a lot of complaints from people I knew with it), but when you have such a little market share and they are so loyal it wouldn't matter, as it seems to have worked out.
As for the "flaw", as other users have said, it's a BETA; these issues are SUPPOSED to come out during it. Like beta testing the new OS X will have issues, but Apple NDAs you, whereas MS at least has issues in the public eye, mass tested and found, which at least means there is more user-base input rather than a few Apple snobs who do all they can to gain access to the secret NDA'd betas Apple releases. I wonder how much positive PR you need to do to get access to an Apple beta? Any idea LTD?
People need to be licensed to use a computer, far too many people running around who think it's an appliance like a toaster and doing whatever they want.
Sudo allows you to run a command as a *different* user with more (or less, even) privileges than the user you are currently logged in as. This works great in the Linux world because it has been the long-standing common knowledge that you don't log in as root, and only use sudo to run as root when needed.
In the Windows world, 90% of the users log in as an administrator. If you are logged in as a standard user, you have the option to use the "Run as" option to do something that requires administrator privileges - the same as using sudo in Linux. This functionality has been around since NT.
The problem is, since 90% of users are logged in as administrators, 90% of software is (or was before Vista) written to simply assume administrator access - it doesn't check to see if it has administrator access, and just breaks when it doesn't. With Vista, Microsoft tried to change this situation by encouraging developers to write their programs in a way that only used admin access if it really needed it, and added APIs for the application to request admin authority.
On the user end, rather than encourage users to log in with standard accounts instead of as admins (with all the fuss around UAC, can you imagine if users were required to remember and type in an admin password!
IMO, UAC really doesn't have much place in an enterprise and can be disabled. IT admins will have admin accounts, and users will have standard accounts. Security measures are already in place.
For the home user, though, I think it is an incredible idea. Once software is (and most software already has been) updated to work around the idea of not always running as an admin, it should give the best of both worlds for home users - except that if they remove the UAC prompts and automatically elevate any process that wants it in Windows 7, then why have UAC at all?
Last edited by daftperception on 04 Feb 2009 - 19:43
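Two points in the thread above call for the same small check: Brandon Live's note that a Low IL process cannot elevate itself while Medium IL ones are the concern, and daftperception's point that pre-Vista software simply assumed administrator access instead of checking. As an added example (my own code, not any commenter's), this PowerShell snippet shows how a script or installer can find out which integrity level it is running at and whether its token is actually elevated before touching anything that needs admin rights. The S-1-16-* label SIDs are the standard Windows integrity level SIDs; the function names are my own.

```powershell
# Added example (not from any post in this thread): check the current token's
# integrity level and elevation state instead of assuming "admin".
# Works on Windows Vista / 7 with PowerShell 2.0 or later.

function Get-IntegrityLevel {
    # 'whoami /groups' lists the token's mandatory label as a SID of the form
    # S-1-16-<RID>; the RID encodes the integrity level.
    $match = whoami /groups | Select-String -Pattern 'S-1-16-(\d+)'
    if (-not $match) { return 'Unknown' }
    $rid = [int]$match.Matches[0].Groups[1].Value
    switch ($rid) {
        4096    { 'Low' }       # e.g. Protected Mode Internet Explorer
        8192    { 'Medium' }    # normal desktop programs, the case Long is writing about
        12288   { 'High' }      # elevated (full administrator token)
        16384   { 'System' }
        default { "Other (RID $rid)" }
    }
}

function Test-IsElevated {
    # True only if the Administrators group is present AND enabled in the
    # token. Under UAC an administrator's filtered (non-elevated) token has
    # the group marked deny-only, so this returns False until elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-AdminOrExplain {
    # The behaviour pre-Vista software lacked: fail with a clear message
    # rather than crashing halfway through a privileged operation.
    if (Test-IsElevated) { return $true }
    Write-Warning ("Running at integrity level '{0}' without an elevated token; " +
                   "re-run from an elevated prompt (Run as administrator)." -f (Get-IntegrityLevel))
    return $false
}

"Integrity level : $(Get-IntegrityLevel)"
"Elevated        : $(Test-IsElevated)"
Assert-AdminOrExplain | Out-Null
```

Run it from a normal Windows 7 prompt and it reports `Medium` / `False`; from a prompt started with "Run as administrator" it reports `High` / `True`. A properly written program does the equivalent of `Assert-AdminOrExplain` (or declares `requireAdministrator` in its manifest so that UAC prompts up front) rather than assuming the administrator token is there.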
AV is a total waste of resources for anyone with common sense. Even the lean Russian code of Kaspersky will considerably slow down your PC.
I did not buy a PC for it to run at half speed.
UAC is definitely a strong component in my strategy and should not be dumbed down for the masses.
1. I scan any program before I install it with Norton IS
2. I scan it with Spybot S&D
3. I scan my hard drive with Ad-Aware as well.
If the program gets past all these it is safe to install (well 99.9% )
The UAC to me is just another barrier to stop Malware and should always be taken notice of.
It is better to be safe than sorry ! !
"As of today, there has been no official word from Microsoft regarding this issue. Birdies, however, have told me this problem was fixed in later builds. We'll just have to wait and see what Microsoft implemented. Removing of the auto-elevate flag from rundll32.exe would fix that process but what about mmc.exe that suffers from a similar problem?"
If the "Birdies" are correct this whole thing was a "storm in a teacup" and nothing more. But it does show two things...
1. Microsoft is paying attention (we will see for sure in the next public build ....the Release Candidate)
2. People (including me) really want Windows 7 to be the best that it can be.
Lastly this shows that that silly campaign of "release win 7 now" is just that ....silly !