Updated: Microsoft responds to the Windows 7 UAC flaw

Update: Microsoft has now announced two changes to the Windows 7 Release Candidate to address this issue: the UAC control panel will run as a high-integrity process that requires elevation, and changing the UAC level will itself prompt for confirmation.

Before getting to the news itself, let's take a moment to understand the current Windows 7 UAC dilemma.

Windows 7 UAC Dilemma

Just as Windows 7 was receiving far more positive feedback from beta testers than expected, Long Zheng and Rafael, two Windows enthusiasts, came up with a proof of concept showing that malware can turn off UAC in Windows 7. Microsoft responded by insisting that this is by design and not a bug. Later, Zheng and Rafael came out with a second flaw showing that Windows 7 UAC was still flawed. At this point the general impression was that Microsoft had done the right thing with UAC in Windows Vista and had traded security for consumer feedback in Windows 7.

UAC - A quick History

One of the most heavily criticized features in Windows Vista is User Account Control (UAC), which pops up a dialog asking the user to approve or cancel whenever a system-level change is about to be made. The problem with Vista is that even the account created during installation, which is a protected administrator (unlike XP, where that user is a full administrator), could not get past the UAC prompts unless UAC was tweaked. This drew a lot of criticism, and the feature built to make Vista secure became its most hated. Of course, this was a drastic change both for Microsoft and for end users, who until Windows XP had been used to a single user account that is an Administrator.

Based on the feedback Microsoft received on UAC, it decided to:

  • Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
  • Enable our customers to be more confident that they are in control of their systems.
  • Make prompts informative such that people can make more confident choices.
  • Provide better and more obvious control over the mechanism.

UAC in Windows 7

So, what has changed in Windows 7 in regard to UAC?

In Windows 7, User Account Control was redesigned with the intention of putting you, the user, in control of your system, so Microsoft offers four settings to choose from:

  • Always notify on every system change
  • Notify me only when programs try to make changes to my computer
  • Notify me only when programs try to make changes to my computer, without using the Secure Desktop
  • Never notify

The default setting in Windows 7 is "Notify me only when programs try to make changes to my computer".

This means that when you, the user, make changes to your computer through Windows' own tools, UAC will not prompt for consent, but it will when other programs (for example, third-party applications) try to change system settings. This works strictly under the assumption that you know what you are doing with your system.

Overall, this reduces the number of UAC prompts. Remember, this is the default UAC setting for the protected administrator account in Windows 7.

UAC Issue 1

Long Zheng and Rafael discovered the first issue with UAC in Windows 7: malware, once executed, could silently disable UAC.

How could this happen?

Because the default mode is "Notify me only when programs try to make changes to my computer", Windows 7 treats the change the malware is making as a change the user is making, and lowers the UAC setting without any prompt for consent. The proof of concept did not attack UAC directly; it drove the UAC control panel, itself a trusted Windows component, with simulated keystrokes (SendKeys), which is why no prompt appeared.

UAC Issue 2

Later, Zheng and Rafael came up with another issue. This time the problem was that malware can silently self-elevate under the default UAC policy.

How could this happen?

Microsoft states that the change made in the Windows 7 default UAC setting is that any operation necessary to manage Windows will not require an elevation prompt. In technical terms, this translates into a whitelist of trusted actions and binaries that elevate without a UAC prompt. Malware that can get one of those whitelisted binaries to do its work therefore ends up elevated without the user ever seeing a prompt.
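As an added example, not code from the article, from Zheng and Rafael, or from Microsoft, the PowerShell below checks the two things described above: which of the four slider positions is in effect, read from the policy registry values that back the slider (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; the mapping of those values to the four positions is assumed from what the Windows 7 control panel writes when the slider is moved), and which executables in System32 carry the autoElevate manifest flag that puts them on the whitelist. A third function registers a WMI event so that a change to the consent value is at least logged, the notification the default setting lacks. It does not reproduce the proof of concept. All function names are my own.

```powershell
# Added example (not from the article or from Microsoft): audit the registry
# values behind the Windows 7 UAC slider, list auto-elevating Windows binaries,
# and optionally watch for the prompt level being changed.
# Run from an elevated PowerShell prompt on Windows 7 or later.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # The slider is stored as three documented policy values. The mapping below
    # is assumed from what the Windows 7 control panel writes per slider position.
    $p = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA                    # Admin Approval Mode on/off
    $consent   = [int]$p.ConsentPromptBehaviorAdmin   # how a protected admin is prompted
    $secure    = [int]$p.PromptOnSecureDesktop        # dim the screen for the prompt

    if ($enableLua -eq 0) {
        # "Never notify": Admin Approval Mode itself is off (effective after reboot)
        return 'Never notify'
    }
    if ($consent -eq 2 -and $secure -eq 1) { return 'Always notify' }
    if ($consent -eq 5 -and $secure -eq 1) {
        return 'Notify me only when programs try to make changes to my computer (Windows 7 default)'
    }
    if ($consent -eq 5 -and $secure -eq 0) {
        return 'Notify me only when programs try to make changes to my computer, without using the Secure Desktop'
    }
    # Anything else was set by Group Policy or by hand, not by the slider.
    return "Non-standard: EnableLUA=$enableLua ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"
}

function Get-AutoElevateBinaries {
    param([string]$Dir = "$env:SystemRoot\System32")
    # Auto-elevation is requested in a binary's embedded application manifest,
    # which is stored as plain XML, so a raw text search over the file finds it.
    # The other conditions Windows applies (Microsoft signature, secure location)
    # are not checked here; this only shows which executables ask to be whitelisted.
    Get-ChildItem -Path $Dir -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            [System.Text.Encoding]::ASCII.GetString($bytes) -match '<autoElevate[^>]*>\s*true\s*</autoElevate>'
        } |
        Select-Object -ExpandProperty Name
}

function Watch-UacLevelChange {
    # Fires whenever the consent value is rewritten, by the user or by a program;
    # UAC Issue 1 above relies on exactly this change going unnoticed.
    # RegistryValueChangeEvent lives in the root\default WMI namespace.
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' " +
             "AND ValueName='ConsentPromptBehaviorAdmin'"
    Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'UacLevelChange' -Action {
        $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Write-Warning ("UAC prompt level changed at {0}: ConsentPromptBehaviorAdmin is now {1}" -f (Get-Date), $p.ConsentPromptBehaviorAdmin)
    }
}

"Current UAC level : $(Get-UacLevel)"
"Auto-elevating binaries in $env:SystemRoot\System32:"
Get-AutoElevateBinaries | ForEach-Object { "  $_" }
# Uncomment to keep watching for changes during this session:
# Watch-UacLevelChange
```

On a default Windows 7 install the first line reports the "Notify me only when programs try to make changes" position, and the list is the set of binaries whose manifest opts into auto-elevation. The watcher only logs after the fact; it is a detection aid, not the confirmation prompt the Release Candidate change adds.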

Microsoft's Response

For quite some time Microsoft was silent; it then responded that this UAC behaviour was by design and denied that it was a bug.

Why does Microsoft think this is by design and not a bug? Jon DeVaan from Microsoft has posted an update on the Engineering Windows 7 blog that explains it.

It is agreed that the proof of concept Zheng and Rafael came up with does indeed disable UAC in Windows 7, but only once the malware is running. The malware does not execute by itself; the user has to agree to run it first.

I downloaded the script file that Rafael created for UAC Issue 1. I was able to download and save it without any problem. So now I had the malware on my system, but it was still not active. When I executed the script, I immediately received this prompt:

This is the distinction Microsoft is insisting on: malware making it onto a PC and being run, versus what it can do once it is running.

I didn't click Run, as I am aware that this is a program I don't know and that it might be malware, a virus or something else. Clearly there is a difference, and nothing was changed on my system.

Similarly, when we open a .vbs script file or any .exe file via a browser, for example Internet Explorer, we are prompted again:


Images Courtesy: E7 Blog

Jon said that the recent feedback on UAC is about the behaviour of the "Notify me only when programs try to make changes to my computer" setting. He added that this feedback has been clear, that it does not concern UAC set to Always Notify (the default behaviour in Windows Vista), and that without that distinction the feedback is easily mischaracterized.

What do you think of Microsoft's explanation? Are they right to draw the line between malware making it onto a PC and being run, and what it can do once it is running?

As a user, do you think this is a big threat to Windows 7?

49 Comments

It's fair. If a user ignores the browser / system security prompts and runs the file, then it's his own fault, not Microsoft's.

EDIT: I'd also like to add that I've NEVER disabled UAC in Vista since I started using it. Yeah, at times I did disable the secure desktop feature, but with faster systems, even that has become unnecessary.

http://blogs.msdn.com/e7/archive/2009/02/0...-follow-up.aspx

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

The heart of Jon DeVaan's comments are here: "Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent."

I'm not only worried about the first piece of malware. To my mind, the problem is that malware can be and frequently is designed to invite more malware in once a system is compromised. A user can be tricked into running a single bad program by some clever social engineering. I want to know that the second and third and fourth programs invoked by the first one will continue to bring up default Windows 7 UAC prompts when they try to make changes to the computer. If UAC is lowered, new programs can be invited in with no indication that they have arrived.

What I foresee is that a single wrong click to allow malware onto a computer will essentially always lead to flattening and reloading the system - period. I'm not sure I understand why the Microsoft team is resisting this modest change so strenuously.

Personally, I would like to see the final build ship with UAC at its highest level and allow users to make up their own mind if they wish to turn it down or off. With regard to others who are saying that changes to the UAC level should not be allowed to happen "silently", I can't disagree with that, but that could be addressed with a hotfix or service pack after the initial release. I believe that the desktop OS should ship like the server OS and be in its most secure state out of the box, and let the administrator open it up as needed.

I posted this on the e7 blog, wonder what their response to this is?

I'd accept that this is quite a valid argument. UAC can only protect you so much, and the onus is on you not to click Yes to run just anything. But that also leads to one issue, where people can further circumvent this and make things seem more legit, and that is through an MSI installer; just imagine applications bundled with the reg key. I mean, elevating for an MSI installer is pretty common, and if the malware vendor or whatnot intends to give away free software and in turn get the user to elevate the install so that they can install the reg key, then it's really not the user's fault for unknowingly allowing elevation, as the installer could be packaged really nicely and the app could very well be an excellent app, giving the user good incentives.

This is exactly the problem Mac had recently (users running dangerous code). I think it is next to impossible to protect users from themselves. A computer that could do that would have to lock out the user altogether, something like the "hangs" in Vista.
I like it as it is. I am running UAC at the highest level with no problem; if I need more control I just go to the Admin account.

Everybody is yelling out "fix it"... but many have no clue as to any suggestions on how to fix it... All I see is people talking about how UAC is annoying. Microsoft listened to those complaints and made it less annoying, but as a result made UAC weaker...

Criticize on some grounds, guys...

Eventually someone will exploit this issue and Microsoft will be forced to create a patch for it, but I would really hate to see malware in Windows 7 that turns off UAC silently. It's better to fix it now than later.

FFS, just make the thing always prompt by default and add an "options" button/dropdown box/menu/whatever to the prompt dialog so if the user is annoyed by these he can disable them on the spot.
Jeez, such a chaos over a simple thing...

I can see microsoft's points with this, but why is changing the UAC level on the whitelist? That should be the one thing that requires a prompt when it's requested to be changed by anything.

The problem with the sample is:

On sites that deploy Malware, a lot of times they don't ask for permission to run. What Microsoft is implying is that everyone will need to run a VBS script to make it bypass the UAC. This isn't always the case.

WillGonz, what you're talking about is different. You will always be asked for permission to run a script, unless there is a vulnerability. Those are really two separate things.

In coming years... hackers should exploit this issue and then Microsoft will think about how it could be patched. For right now, it's By DESIGN, won't FIX.

I would expect a consistent behavior out of UAC. It's confusing to know that it's possible some apps can silently elevate themselves, thus ruining the whole point of UAC. MS STILL doesn't get it. Why can't they understand that "Notify me only when programs try to make changes to my computer" doesn't actually work like it says it should when it's been PROVEN?

Bottom line: When a program that I choose to run wants system access, including making changes to system settings, I would expect to see a prompt.

Would it be possible to set up some sort of prompt that asks for your password when a UAC setting is changed? I mean, making the UAC settings more secure doesn't sound like too bad of an idea to me. It's not like it'll be something people do every day, or even more than once or twice overall. Once it's set, it's set.

dead.cell said,
Would it be possible to set up some sort of prompt that asks for your password when a UAC setting is changed? I mean, making the UAC settings more secure doesn't sound like too bad of an idea to me. It's not like it'll be something people do every day, or even more than once or twice overall. Once it's set, it's set.

That's all anyone's been asking for. MS's new system in Win7 relies on security certificates; all they would have to do to get any UAC setting change to cause a prompt is change the security cert for the UAC manager.

iamwhoiam said,
It would be trivial, but they won't do it.

Actually, I doubt it would be trivial. To hook into the UAC setting change process and provide a security prompt could be a significant design change in that part of the system. In any case, a good deal of additional testing would be required to ensure the change doesn't expose another security risk.

While I agree this would be a good idea, I don't agree that the change would be trivial.

People want UAC to replace user intelligence which will never happen. They want it to be the end all to stupid users getting key loggers and what not on their system.

Like people have said, those that bitch about UAC are usually the ones that need it the most. Those that don't like it... don't bother bitching and just shut it off (like me).

necrosis said,
People want UAC to replace user intelligence which will never happen. They want it to be the end all to stupid users getting key loggers and what not on their system.

Like people have said, those that bitch about UAC are usually the ones that need it the most. Those that don't like it... don't bother bitching and just shut it off (like me).

Good point there, that's exactly how it is.

People who are really concerned about security know better than to rely on Windows Vista/7's iffy "security" features and use proper security software.

I think Microsoft is right. UAC works as it should and lets the user make decisions about 'their' system.

Microsoft is being put in a "damned if you do and damned if you don't" position by people with nothing better to do with their lives.

Microsoft is being put in a "damned if you do and damned if you don't" position by people with nothing better to do with their lives.

No; this is not a complaint to have Win7 work like Vista again, as for UAC. This is a suggestion for polish to be made to the Win7 UAC implementation, nothing more. Jeez, you guys are exaggerating this whole matter in order to try and make a point.

I agree with Microsoft. There's a prompt, it's not their fault if idiots click yes/open/run. Perhaps the default UAC level in RTM should be the highest, as those of us with brains will still be able to lower or disable it. However, I think the very best solution would simply be to always prompt, regardless of the set UAC level, whenever a change is attempted to be made to the UAC level.

I gotta agree with you, man. There comes a point when people have to take some self-responsibility and try to tame the urge... You'd think with everything going on in the f'd-up world today people would get that.

you have every right in the world to do that, also that is a higher risk of getting your online bank account/credit cards jacked, for one example

I think "the tech crowd" is overly sensitive. Microsoft's explanation seems perfectly understandable to me, and I'm not a techie, though not a novice either! But if the tech crowd wants ALL settings to ALWAYS trigger a prompt, they have the option to set UAC to its highest level. Problem solved... except for the fact that the tech crowd wants Windows to think for the user, and it should not be that way. That's the way OS X works! It does everything for the user while at the same time making Mac users much less knowledgeable about operating computers than PC users.

No, poor wording on my part writing in haste, my apologies. I'll rewrite it: all changes to the UAC settings should always trigger a prompt.

But if the tech crowd wants ALL settings to ALWAYS trigger a prompt, they have the option to set UAC to its highest level.

But that's not what they want. They want the UAC setting changes to always trigger a prompt (because it's a change to the system security settings, kind of a big deal), not all the settings. Obviously changing the time of day isn't an as big deal that should trigger it, and Win7 is right in avoiding that unlike Vista.

if Microsoft made anything more advanced, they'd be sued by them europeans for integrating anti-malware-like code into the OS, depriving their anti-malware authors of potential revenue.....

I agree totally... The funny thing about UAC is that the people that hate UAC are the people that need it more. The ones that know how to use it don't need it, hahahhahah.

As shown by floods of comments all over the major news sites carrying the stories of both the 1st and 2nd flaws discovered, the tech crowd is NOT misunderstanding the problem and they are well aware that if you move UAC to the highest setting it protects as well as vista.

They just want ALL changes to UAC settings to trigger a prompt , that way if you are using anything less than the highest setting, you get a fair warning if something is trying to lower it even further.

This is ESPECIALLY important as the default win7 setting is the proven to be flawed "Notify me only when programs try to make changes to my computer "

Sure, it may require a user to have been tricked into running malware at this time, but who's to say further flaws won't be discovered later that do not even need that interaction? And if a user is tricked into running it, or even simply accidentally clicks the approve button, you would still later on want the UAC warning to come up notifying you that something was attempting to mess with UAC, as then you would KNOW that something had gotten onto your system even before anti-malware systems were updated to detect it.

dhan said,
The same people who poke fun at Vista for "too many" UAC prompts? Yea, right.

Actually yes, those too, perhaps more so than the others. That group love the new win7 default setting, it cuts out a VAST number of the prompts that annoy them, adding in one new one that they will potentially never see is not a problem.

Not really. UAC is simply a line of defense between human and computer. Common sense is the best defense and people shouldn't rely on a program to accomplish that.

So let's not bother with tiered access levels at all then, eh? In fact, we should all go back to Win95.
Seriously why would anyone not want this fixed when once fixed it won't decrease usability or performance one jot.

The problem is that people want it to be perfect.... which it will never be. Nothing can replace human intuition (or the lack thereof.)

The problem is that people want it to be perfect...

Well, it's really just a problem of UAC not telling you when its own security level is changed, or when an app is running on your system with higher privileges than expected. I think this is not a massive hurdle for Microsoft to fix technically, but more about something going against their plan for Win7. They've made it clear by now that they are willing to go a very long way to make UAC non-intrusive; the question is more about whether they're going too far.

Jugalator said,
Well, it's really just a problem of UAC not telling you when its own security level is changed, or when an app is running on your system with higher privileges than expected.

I think, IMO, that anything that changes the UAC settings, with any means possible, should pop up a security box telling the user that the UAC settings are being changed, regardless of UAC settings.