Update: Microsoft have now updated that they are going to deliver two changes to the Windows 7 Release Candidate regarding this issue. Before getting into the actual news, lets take a while to understand the current Windows 7 UAC dilemma
Windows 7 UAC Dilemma
As Windows 7 was receiving much positive feedback than expected from the beta testers, we had Long Zheng and Rafael, two Windows enthusiasts, come with a proof that malware can turn off UAC in Windows 7. Later Microsoft responded insisting that this is by design and actually not a bug. Later, again, we had Zheng and Rafael come out with a second flaw which showed Windows 7 UAC was still flawed. At this time, everybody thought Microsoft had done the right thing with Windows Vista UAC and compromised security over consumers' feedback in Windows 7.
UAC - A quick History
One of the highly criticized features in Windows Vista is the User Account Control(UAC) which prompts up a dialog box seeking users' permission to continue or stop whenever a system-level change is made. The problem with Vista is that even the default user account which is created during the install, who is a protected administrator (unlike in XP where the user is an Administrator), could not bypass the UAC until its tweaked. This created lots of criticism and the feature which was built to make Vista secure became the most hated feature amongst users. Of course, this was a drastic change for Microsoft and as well as end users who were very much inclined to a single user account (till Windows XP) who is an Administrator.
Based on the feedback Microsoft received on UAC, they decided to:
- Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
- Enable our customers to be more confident that they are in control of their systems.
- Make prompts informative such that people can make more confident choices.
- Provide better and more obvious control over the mechanism.
UAC in Windows 7
So, what has changed in Windows 7 in regard to UAC?
In Windows 7, User Account Control was created with the intention of putting you, the user, in control of your system and thus Microsoft came up with four different settings that a user can choose from:
- Always notify on every system change
- Notify me only when programs try to make changes to my computer
- Notify me only when programs try to make changes to my computer, without using the Secure Desktop
- Never notify
The default settings in Windows 7 is - Notify me only when programs try to make changes to my computer
This means that, you as a user when you do changes to your computer, the UAC would not prompt for consent, but will do so when other programs (like, third party applications) try to change system settings. This is strictly under the assumption that, you as a user know what you are doing with your system.
This would overall reduce the UAC prompts. Remember, this is the default UAC setting for the protected administrator in Windows 7.
UAC Issue 1
Long Zheng and Rafael discovered the first issue with UAC in Windows 7. The issue was that a malware could easily disable UAC if executed.
How could this happen?
As the default mode is set to - Notify me only when programs try to make changes to my computer - Windows 7 thinks that the change malware doing as a change that the user is doing and changes the UAC setting without any prompts for consent.
UAC Issue 2
Later again, Zheng and Rafael came up with another issue. The issue this time was that a malware can silently self-elevate with default UAC policy.
How could this happen?
Microsoft states that the change made in Windows 7 default UAC settings is that any operation that is necessary to manage windows will not require an elevation - which in technical terms translates into a white list of trusted action / binaries which the user can make perform without UAC prompting from an elevation.
Microsoft's Response
For quite some time, Microsoft was silent and later came out with a response that this behavior of UAC was by design and denied the fact that this was a bug.
Why does Microsoft think this is by design and not a bug? Jon DeVaan from Microsoft has posted an update which explains it all.
It is agreed that whatever proof Zheng and Rafael came up with indeed disabled UAC in Windows 7, but not until the malware was running. It is clear that the malware does not by itself execute unless user agrees to run or without any consent.
I downloaded the script file which Rafael had created for the UAC Issue 1. I was able to download and save it without any problem. So, now, I have downloaded the malware in my system, but it is still not active. I executed the script and immediately I received this prompt:
This is what Microsoft is insisting - Malware making it onto a PC and being run Vs What it can do once it is running
I didn't click Run as I am aware that this is a program that I dont know and might be a malware or a virus or something else. Clearly, there is a difference and nothing was changed in my system.
Similarly, when we open a .vbs (script file) or any other .exe file via a browser, for example, Internet Explorer, we get prompted again:
Images Courtesy: E7 Blog
Jon said that the recent feedback on UAC is about the behavior of the - Notify me only when programs try to make changes to my computer settings. He also added that the feedback has been clear and it is not related to UAC set to Always Notify, which is the default behavior of UAC in Windows Vista and it becomes much easier to mischaracterize the feedback.
What do you think of Microsoft's explanation? Are they right in what they say - Malware making it onto a PC and being run Vs What it can do once it is running ?
You as a user, do you think this is a big threat to Windows 7?
Seriously why would anyone not want this fixed when once fixed it won't decrease usability or performance one jot.
Well it's really just a problem of UAC not telling when its own security level is changed, or when an app is running on your system with higher privilegies than expected. I think this is not a massive hurdle for Microsoft to fix technically, but more about something going against with their plan for Win7. They've made it clear by now that they are willing to go a very long way to make UAC non-intrusive, the question is more about if they're going too far.
I think, IMO, that anything that changes the UAC settings, with any means possible, should pop up a security box telling the user that the UAC settings are being changed, regardless of UAC settings.
They just want ALL changes to UAC settings to trigger a prompt , that way if you are using anything less than the highest setting, you get a fair warning if something is trying to lower it even further.
This is ESPECIALLY important as the default win7 setting is the proven to be flawed "Notify me only when programs try to make changes to my computer "
Sure it may require a user to have been tricked into running malware at this time, but who's to say further flaws wont be discovered later that do not even need that interaction. And if a user is tricked into running it, or even simply accidentally clicks the approve button, you would still later on want the UAC warning to come up notifying you that something was attempting to mess with UAC as then you would KNOW that something had gotten onto your system even before anti malware systems were updated to detect it.
Last edited by yakumo on 05 Feb 2009 - 14:19
Actually yes, those too, perhaps more so than the others. That group love the new win7 default setting, it cuts out a VAST number of the prompts that annoy them, adding in one new one that they will potentially never see is not a problem.
http://blogs.msdn.com/e7/archive/2009/02/0...-follow-up.aspx
In the RC, the UI manipulation of the UAC control panel will not work, and any change to the UAC setting will result in a prompt.
But that's not what they want. They want the UAC setting changes to always trigger a prompt (because it's a change to the system security settings, kind of a big deal), not all the settings. Obviously changing the time of day isn't an as big deal that should trigger it, and Win7 is right in avoiding that unlike Vista.
Microsoft is being put in a "damned if you do and damned if you don't" position by people with nothing better to do with their lives.
No; this is not a complaint to have Win7 work like Vista again, as for UAC. This is a suggestion for polish to be made to the Win7 UAC implementation, nothing more. Jeez, you guys are exaggerating this whole matter in order to try and make a point. :p
Like people have said, those that bitch about UAC are usually the ones that need it the most. Those that don't like it... don't bother bitching and just shut it off (like me).
Like people have said, those that bitch about UAC are usually the ones that need it the most. Those that don't like it... don't bother bitching and just shut it off (like me).
Good point there, that's exactly how it is.
People who are really concerned about security know better than to rely on Windows Vista/7's iffy "security" features and use proper security software.
That's all anyones been asking for. MSs new system in win7 relies on security certificates, all they would have to do to get any UAC setting change to cause a prompt is change the security cert for the UAC manager.
Actually, I doubt it would be trivial. To hook into the UAC setting change process and provide a security prompt could be a significant design change in that part of the system. In any case, a good deal of additional testing would be required to ensure the change doesn't expose another security risk.
While I agree this would be a good idea, I don't agree that the change would be trivial.
Bottom line: When a program that I choose to run wants system access, including making changes to system settings, I would expect to see a prompt.
On sites that deploy Malware, a lot of times they don't ask for permission to run. What Microsoft is implying is that everyone will need to run a VBS script to make it bypass the UAC. This isn't always the case.
Jeez, such a chaos over a simple thing...
Last edited by Kam1kaz3 on 05 Feb 2009 - 18:08
criticize with some ground guys...
I like it as it is, I am running UAC at highest level and no problem, if I need more control I just go to Admin account.
You can put lipstick on a UAC, but in the end you'll still end up turning it off because it's ****ing annoying.
What's so annoying about it? That I've still yet to figure out.
But, you're right, as far as lipstick goes. Instead of ACTUALLY improving UAC like they did with Vista SP1, they instead throw some lipstick on it and now they have these issues going on with it and its new default setting.
I'm not only worried about the first piece of malware. To my mind, the problem is that malware can be and frequently is designed to invite more malware in once a system is compromised. A user can be tricked into running a single bad program by some clever social engineering. I want to know that the second and third and fourth programs invoked by the first one will continue to bring up default Windows 7 UAC prompts when they try to make changes to the computer. If UAC is lowered, new programs can be invited in with no indication that they have arrived.
What I foresee is that a single wrong click to allow malware onto a computer will essentially always lead to flattening and reloading the system - period. I'm not sure I understand why the Microsoft team is resisting this modest change so strenuously.
With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
EDIT: I'd also like to add that I've NEVER disabled UAC in Vista since I started using it. Yeah, at times I did disable the secure desktop feature, but with faster systems, even that has become unnecessary.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.