Microsoft insists UAC vulnerability is not a flaw

Yesterday we reported on a major UAC security flaw where malicious hackers could potentially execute a script on a user's machine by tricking them into opening a disguised .exe. This script would disable UAC without user interaction and without the user's knowledge.

A Microsoft spokesperson has provided Neowin with a response to the issue:

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
  • The only way this could be changed without the user's knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).
So, at the expense of users, and because "malicious code" could have gotten onto the box by other means, Microsoft will not put an obvious and simple fix into Windows 7 that would, by default, prevent malware from disabling Windows settings without the user's knowledge. UAC is now officially rendered useless; why not turn it off before someone turns it off for you?
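The check a practitioner would want at this point, and the one several commenters below ask for (some way of being told when the UAC setting itself is changed), can be scripted. The following is an added example and is not code from the article or from Microsoft. It reads the three registry values that back the Windows 7 UAC slider, reports whether the machine is in the state where Windows binaries elevate silently (the condition the disabling script relies on), and can place an audit entry on the key so that a change is logged. Assumptions: the value names and slider mapping are those of released Windows Vista and Windows 7 (the article concerns a pre-release build), an absent value is treated as the Windows 7 install default, and registry auditing (event 4657) requires the "Registry" object-access subcategory to be enabled.

```powershell
# Added example, not code from the article or from Microsoft.
# Reads the registry values behind the Windows 7 UAC slider, reports whether
# Windows binaries currently auto-elevate without a prompt, and can place an
# audit SACL on the key so that any change to it is logged.
# Assumptions: value names are those of released Windows 7/Vista; an absent
# value is treated as the Windows 7 install default. Run from an elevated
# prompt. Written for PowerShell 2.0 (the version that ships with Windows 7).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-DwordOrDefault {
    param($Props, [string]$Name, [int]$Default)
    $p = $Props.PSObject.Properties[$Name]
    if ($null -eq $p) { return $Default }
    return [int]$p.Value
}

function Get-UacState {
    $props  = Get-ItemProperty -Path $UacKey
    $lua    = Get-DwordOrDefault $props 'EnableLUA' 1
    $admin  = Get-DwordOrDefault $props 'ConsentPromptBehaviorAdmin' 5
    $secure = Get-DwordOrDefault $props 'PromptOnSecureDesktop' 1

    # Slider positions as they map onto the three values (Windows 7):
    #   Always notify          : ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
    #   Default                : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1
    #   Default, no dimming    : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=0
    #   Never notify (UAC off) : EnableLUA=0
    if ($lua -eq 0) {
        $level = 'Never notify (UAC off)'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $level = 'Always notify (the "high" setting; Vista behaviour)'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $level = 'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        $level = 'Notify only when programs try to make changes, without the secure desktop'
    } else {
        $level = 'Custom or policy-defined'
    }

    # With EnableLUA=1 and ConsentPromptBehaviorAdmin=5, signed Windows
    # binaries elevate silently, which is what the disabling script relies on.
    New-Object PSObject -Property @{
        Level                      = $level
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        WindowsBinariesAutoElevate = ($lua -eq 1 -and $admin -eq 5)
    }
}

function Enable-UacKeyAudit {
    # Adds a SACL entry so that a successful SetValue/Delete on the key is
    # written to the Security log (event 4657, 'A registry value was modified').
    # Events only appear once the subcategory is on:
    #   auditpol /set /subcategory:"Registry" /success:enable
    # Writing a SACL needs SeSecurityPrivilege, i.e. an elevated process.
    $acl    = Get-Acl -Path $UacKey -Audit
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
    $rule   = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $UacKey -AclObject $acl
}

$state = Get-UacState
$state | Format-List Level, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, WindowsBinariesAutoElevate
if ($state.WindowsBinariesAutoElevate) {
    Write-Warning 'Medium-IL code can reach admin without a prompt here; set the slider to "Always notify" if the UAC setting itself is to be protected.'
}
# Enable-UacKeyAudit   # uncomment to log changes to the key
```

The audit entry is detection, not prevention: as the comment thread points out, code that has already elevated silently can just as easily remove the SACL or flip the value back, so the event is only useful if something (the Security log forwarded off the box, a monitoring agent) reads it before that happens. Moving the slider to "Always notify" is the only setting on this page at which the slider itself sits behind a prompt.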


Considering that when you turn UAC off it tells you that it's being turned off, and you have to restart before it will finish turning off, I don't really see what the big deal is.

Every time Microsoft gives people what they want, they moan and complain about it. Everyone got what they wanted with Vista - tighter security. Now Microsoft is delivering a better UAC based on user feedback and it's still not enough.

I guess when people keep changing what they actually want and Microsoft keeps trying to deliver they just can't win.

I really have no problem with this, as long as the shipping default in Windows 7 will be the "High" UAC security setting. Anything else is insanity and countering the whole idea of UAC protecting the user from system-wide administrative changes without their knowledge.

Microsoft's last two points there are moot because UAC was intended to protect the user from him/herself. Read "trojans".

# The only way this could be changed without the user's knowledge is by malicious code already running on the box.
# In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)

You need the damn UAC setting prompt so you are ALERTED TO THE FACT THAT THIS HAS HAPPENED SOMEHOW ASAP.


Yes the user may have done something stupid to allow infection, but the UAC setting prompt would then protect them from further damage even before the malicious code check package was updated to find whatever was out there infecting systems.

This subject has really taken the gloss off Windows 7 in my book, don't get me wrong I still want it, but......
I feel that rather than do nothing Microsoft must act right now and make the changing of the UAC something where it needs a PASSWORD.
Everything else no password required, but changing definitely!!!!

That would accomplish nothing, and totally misses the point.

The current settings are fine. If you want to protect the normal -> admin boundary, use the "high" setting. That's what it is there for.

Microsoft has said since the start of all this that UAC is NOT a security boundary.

So what's the big deal? It's been this way for 3+ years now, since the early betas of Vista. Get over it!!

Thus this article is nothing but fear mongering and utter BS!!

As Microsoft has stated many times, this is not a security flaw but simply a limitation (by design since users requested it to be this way mind you).

Seems some neowin staff is out get Microsoft once again!!! Epic failure!!

Read:

http://blogs.msdn.com/crispincowan/archive...-floor-wax.aspx
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
http://blogs.technet.com/markrussinovich/a.../12/638372.aspx

Of course it's a security boundary!! It's designed to improve the security of Windows itself by limiting application software to standard user privileges. What exactly is it if it's not for security? Those links you have provided all describe the security benefits of it so maybe epic failure on your behalf my friend.

Tom W said,
Of course it's a security boundary!! It's designed to improve the security of Windows itself by limiting application software to standard user privileges. What exactly is it if it's not for security? Those links you have provided all describe the security benefits of it so maybe epic failure on your behalf my friend.
I love it when people talk trash about my replies without even reading the articles I link to.

And I love it even more when those same people don't have a clue about the technology involved.

And I very much love it when people like yourself spread this FUD knowing full well they don't have a clue. Even more when they write for a site as big as neowin!

You really should read http://blogs.msdn.com/crispincowan/archive...-floor-wax.aspx again.

I quote:

"Clearly, all security boundaries are security features, but not all security features are security boundaries."

"Security Boundary: this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, that Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems."

From Mark I quote:

"It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries.

Microsoft has been communicating this but I want to make sure that the point is clearly heard. Further, as Jim Allchin pointed out in his blog post Security Features vs Convenience, Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use."

I quote again:

"Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

So again Sir, I say to you, that this article is total BS and needs to be redacted! Seems you need an editor!! Damn I love the media, always ****ing it up for the little guy!!

At the very least, the last "paragraph" should be removed and Neowin and yourself should offer both Microsoft and all Neowin visitors an apology for blowing this way out of context and for misleading your users.

The only thing that was ever annoying about UAC was the Gray screen it would flash to. Once you disable the gray screen, UAC is FAR less annoying. So I say keep the Vista UAC in windows 7 and just turn off the gray screen.

I think if you're gonna do that you might as well just shut it off. Yes it is FAR less annoying, but the virus/malware will now be able to just click through or tamper with the dialogue box anyway. What's the point then?

"an obvious and simple fix"

::sigh::
It may be obvious, but it is FAR FAR from a simple fix. Clearly, if there was a simple fix it would have been implemented. You try writing code that can tell the difference between a human changing the control panel setting and an automated script. It is incredibly difficult, if not borderline impossible.

The "obvious and simple fix" wouldn't have a goal of telling such a difference. It would merely prompt on UAC changes. Sounds simple to me.

Clearly, if there was a simple fix it would have been implemented.

No, it actually IS a simple fix; in Windows Vista, launching any process gives the developer the opportunity to ask for permission elevation. The reason Microsoft doesn't do this is not due to difficulty, but because of a mismatch in their odd Windows 7 design docs.

UAC is a crock to start with. Prompt for a password to do something that requires admin rights, don't ask me 3 times if I'm sure I want to delete a text file from my desktop.

Your Windows install is hosed if you're being prompted for anything from the desktop. It's not a protected location.

computergeek83 said,
UAC is a crock to start with. Prompt for a password to do something that requires admin rights, don't ask me 3 times if I'm sure I want to delete a text file from my desktop.

Wow, talk about being uninformed.

1. UAC doesn't ask you multiple times to do one thing.
2. Desktop is not a protected location, so UAC prompts from there are impossible.

Get your facts straight, computergeek. Your username doesn't suit you since you know nothing about them.

FrozenEclipse said,
Wow, talk about being uninformed.

1. UAC doesn't ask you multiple times to do one thing.
2. Desktop is not a protected location, so UAC prompts from there are impossible.

Get your facts straight, computergeek. Your username doesn't suit you since you know nothing about them.


It sounds like you're also uninformed. You can get a UAC prompt deleting something from your desktop. Your visible desktop is actually two folders merged into one. The All Users desktop (at C:\Documents and Settings\All Users\Desktop or C:\Users\Public\Desktop) and your own personal desktop (C:\Documents and Settings\Desktop or C:\Users\Desktop). If you try to delete something from *your* desktop you don't get prompted. If you try to delete something from the *all users* desktop, which is a *system wide* desktop, you will get prompted since it will affect all users on the machine.

did you accidentally forget to update the early beta you installed?

must be tough for you.

If you try to delete something from *your* desktop you don't get prompted

well, he did say "his" desktop. If he's a computer geek, then surely he'd get the concept of the merged desktops that you explained (correctly & succinctly to your credit).

Gibwar said,

It sounds like you're also uninformed. You can get a UAC prompt deleting something from your desktop. Your visible desktop is actually two folders merged into one. The All Users desktop (at C:\Documents and Settings\All Users\Desktop or C:\Users\Public\Desktop) and your own personal desktop (C:\Documents and Settings\Desktop or C:\Users\Desktop). If you try to delete something from *your* desktop you don't get prompted. If you try to delete something from the *all users* desktop, which is a *system wide* desktop, you will get prompted since it will affect all users on the machine.

The public desktop folder is also not a protected folder.

The best thing IMHO is like what most people said here, is when any change happen to UAC levels no matter it was on or off, the secure desktop mode shows and user must click yes or no with his pass, and admin credits too if he wasn't admin

Brandon Live said,
That would offer no protection at all from medium IL processes that wanted to circumvent the elevation dialog.

Circumvent the elevation dialog? Are you saying applications can already elevate themselves without prompting? Then what use is UAC to begin with?

SireeBob said,
Circumvent the elevation dialog? Are you saying applications can already elevate themselves without prompting? Then what use is UAC to begin with?


See my post above. It provides a mechanism for running processes in the "low" integrity level, such as Protected Mode IE and others. This is a HUGE security benefit.

It's really quite simple. If you are concerned about the boundary between medium IL (normal apps) and high IL (admin apps), which is arguably of small benefit especially on single-user systems, then use the "high" UAC setting. That's what it's there for.

Brandon Live said,
That would offer no protection at all from medium IL processes that wanted to circumvent the elevation dialog.

The "Secure Desktop" mode which is in Vista can't be fooled, so no app can change the UAC because no app can gain mouse or keyboard access or any other sort of access to any input device in the secure desktop mode. That was why MS did it, and in my post I said "the secure desktop mode shows" to prompt the user if he wants to change the UAC behavior.

It wouldn't matter. Please read above. The settings below "high" allow Medium IL applications to gain admin privileges *without* any prompt at all. So if a malicious app can turn off UAC in this way, it doesn't matter, they can already own your system a dozen other ways. That's simply the nature of those modes. They keep Low IL processes insulated, but if you want to protect the boundary between Medium IL (normal apps) and High IL (admin apps) you use the "high" setting.

Simple fix: no matter how low the UAC setting is (except for "off"), you should always be prompted when changes to UAC settings are done. That shouldn't be annoying or counterproductive, because changing your security level isn't something you do frequently.

z_rudy said,
Simple fix: no matter how low the UAC setting is (except for "off"), you should always be prompted when changes to UAC settings are done. That shouldn't be annoying or counterproductive, because changing your security level isn't something you do frequently.


That's exactly what people here (at least the intelligent ones who aren't Microsoft apologists) are asking for, but so far Microsoft is refusing to do that.

I use my PC all day for personal and professional use and not once in a day (unless I start installing something) do I get prompted. My UAC level is ON on Vista, and I have no complaints about the occasional prompt by UAC; it is for safety, understand that and get over it.
Don't want UAC? Switch it off, but attend to the consequences and make sure you're a safe browser on the web. That means also scanning anything you download off a torrent these days, plenty of trojans get in for free, good luck!

this is bleeding obvious. it has been stated many times.

Anybody can set the UAC slider to whatever they feel comfortable with.

The slider should be cranked up to max by default.

No matter where the slider is, there should be a secure UAC prompt to move it.

done.

Brandon Live said,
If the slider is at anything but the top, then protecting the UAC slider itself is currently impossible.

Then it should be made possible, or at least, when a UAC change is registered, a prompt should be displayed.

SireeBob said,
Then it should be made possible, or at least, when a UAC change is registered, a prompt should be displayed.

I agree. The registry setting for UAC, as well as the run keys and winlogon should have higher protections. If those are accessed for any reason, either thru changing them at UI level, or directly poking around in the registry, there should be some alert that they are being changed.

Following Microsoft's thinking any Windows vulnerability to malware, viruses is not a flaw because first you have somehow get infected. So it's not their fault:) I'm wondering why do they release security updates for Windows then after some exploits are discovered.

Maybe they just don't know how to fix it.

Wakers said,
They know how to fix it, use Vista's UAC. Oh wait, everyone told them not to do that...

See?


You're absolutely right and that's the point - they're in a kind of dramatic situation

Everybody says Windows should offer more options, so now it does. You can have the option to have UAC be a major hurdle for medium -> high IL elevations if that's what you want.

The thing is, malware running even with standard user privileges is plenty bad. It can still add itself to run at start-up (for that user), and can still read / write / delete data in any locations that user can access.

So the most important boundary is the Low IL -> Medium IL one, used by IE in Protected Mode and some other processes, which is still protected just as much as in Vista (or moreso) in this default state.

tom5 said,

You're absolutely right and that's the point - they're in a kind of dramatic situation :)

I don't see how. All it would require is a single prompt added whenever changing UAC settings. That doesn't mean making it exactly like Vista UAC in all cases.

SireeBob said,
I don't see how. All it would require is a single prompt added whenever changing UAC settings. That doesn't mean making it exactly like Vista UAC in all cases.


That wouldn't really achieve anything. In anything less than the "high" UAC setting, any medium IL app can trivially elevate itself to high IL.

The lower settings largely exist to keep IE's protected mode and other Low IL isolation mechanisms in place, while being more "user friendly." They also still run most applications with reduced privileges, so code injection into those processes (like, say, Outlook or Firefox) has to at least go through some additional hoops to make system-wide changes.

But yeah, if this mode were as secure as the "high" mode there wouldn't be a "high" mode.

They know how to fix it, use Vista's UAC. Oh wait, everyone told them not to do that...

See?


No, I don't see. They could retain the standard Windows 7 UAC setting here, just apply an extra nag for changing the UAC level. Nothing more, and still faaar fewer nags than in Vista. Most users wouldn't even notice the difference, because people generally don't meddle with the UAC setting.

See?

User Interface Privilege Isolation (Wikipedia, Microsoft). Microsoft should apply these restrictions to the Control Panel. It would prevent messages from being sent to the window by anything other than a signed, trusted uiAccess-enabled application, or one already running with administrative privileges. That would make Microsoft's "already compromised" argument valid. I know the Control Panel currently runs in the standard explorer.exe browser process, which runs at medium integrity, so it would take some work to isolate Control Panel into running at high integrity in a separate process (or whatever they decided to do), but I think it would solve this sort of problem. The keystrokes simply wouldn't go through, unless the script was running as an administrator.

And yes. They should also require a Secure Desktop prompt when changing UAC settings.

Microsoft would have to do this for everything which UAC can elevate silently, as anything that can write to the UAC registry keys (ie: anything elevated) can make any changes it wants. It's a lot of work for little benefit.

There are already multiple prompts and warnings when running anything downloaded from the Internet - one more isn't going to stop people who are determined to install something. Really, the virtualization for low-rights users and IE Protected Mode are the only useful parts of UAC. I'd love to see it taken one step farther and have "Continue, Cancel, Virtualize" in the UAC dialog (essentially an integrated Sandboxie), but I can see that confusing a *ton* of people.

Brandon Live said,
If you want better security, use the "high" option in the UAC settings. That's why it is there.

Exactly, MS has left us with a "choice". No fault to MS if we don't exercise that choice. In my daily work, mainly using Word and some translation related programs I get few if any UAC prompts (at high).

Just leave it at maximum settings (as it is with Vista) and if you can't live with the occasional prompt, tough for you.

You shouldn't be getting prompted after you're done setting up your PC, only when you're installing/uninstalling would you get a prompt again.

Few people go in and tinker with their system settings every day.

GP007 said,
You shouldn't be getting prompted after you're done setting up your PC, only when you're installing/uninstalling would you get a prompt again.

Few people go in and tinker with their system settings every day.


As a developer I get prompted several times a day, but that is to be expected ;). I agree a normal user should almost never see a UAC prompt (except to break out of IE protected mode when opening a pdf or something like that) even on the highest settings.

Is that due to the developer tools you use needing admin rights?

And do they actually need them? I take it a few will if they do low-level stuff, but like you said, that's expected.

The same would happen under any other OS with their own version of UAC, unless you ran as root/admin.

ok, FYI. A registry tracer is a security feature that warns you when your registry has been altered. It is an essential utility to protect against malware and rootkits.
So the utility runs a check every x minutes and prompts you if it found any changes. Using it for years and never had any malware/rootkit.
Ain't gonna turn it off to please uac. Just add to UAC a whitelist and then it's somewhat useful, because being warned by UAC that my registry protection works every time is pretty annoying

petrossa said,
ok, FYI. A registry tracer is a security feature that warns you when your registry has been altered. It is an essential utility to protect against malware and rootkits.
So the utility runs a check every x minutes and prompts you if it found any changes. Using it for years and never had any malware/rootkit.
Ain't gonna turn it off to please uac. Just add to UAC a whitelist and then it's somewhat useful

Why don't you just use something like teatimer that comes with spybot, that just tells you when a registry setting has been changed instead of checking every 10 minutes whether you've been using the computer or not?

The registry tracer is on automatic, it just checks every x minutes (Regrun Platinum). Vista lets it pass without problem, Win 7 puts up a UAC box even on the medium setting.

petrossa said,
The registry tracer is on automatic, it just checks every x minutes (Regrun Platinum). Vista lets it pass without problem, Win 7 puts up a UAC box even on the medium setting.

Wait, you paid for that software? Yipes..

What does the UAC box say under Win7? That something is poking around and looking at your registry? If that's the case then isn't it a good thing really? Wouldn't that mean UAC is checking the registry itself?

GP007 said,
What does the UAC box say under Win7? That something is poking around and looking at your registry? If that's the case then isn't it a good thing really? Wouldn't that mean UAC is checking the registry itself?


It warns that an application needs elevation. Just the regular. And as i said before, with Vista it passes without elevation prompt.

Well that's still good though, because it means something is trying to run that needs admin rights, and if you're going to scan the registry of all things you should at least get something like that. If the app ran under Vista without that sorta prompting then they'll have to update it for Win7.

It just sounds like it's doing something that is different for Win7 compared to Vista.

GP007 said,
Well that's still good though, because it means something is trying to run that needs admin rights, and if you're going to scan the registry of all things you should at least get something like that. If the app ran under Vista without that sorta prompting then they'll have to update it for Win7.

It just sounds like it's doing something that is different for Win7 compared to Vista.

A 'registry tracer' would be utterly useless against a rootkit. A rootkit hides itself from the registry at the kernel level.

Try that with a registry tracer put to check every 10 minutes and you'll find yourself clicking on the UAC box every 10 minutes.
UAC off by default for me

Why would you be clicking on it every 10 minutes? Do you sit there and install/uninstall or move files around every minute?

Now if you want it off, that's your choice, more power to you, but if you get bitten in the butt later don't turn around and moan that Windows isn't secure when you turned off one of the security features yourself.

GP007 said,
Why would you be clicking on it every 10 minutes? Do you sit there and install/uninstall or move files around every minute?

Now if you want it off, that's your choice, more power to you, but if you get bitten in the butt later don't turn around and moan that Windows isn't secure when you turned off one of the security features yourself.

I agree with this. It's like saying your anti-virus software is useless after you've turned it off.

Wakers said,

I agree with this. It's like saying your anti-virus software is useless after you've turned it off.

It should only prompt you when you run the program, not every time it runs its check.

This is if it's on the "users can make changes without prompting" level, basically, the stupid level. If it's on the highest level (programs and users get prompted) then it's all safe. Everybody wanted this, and so it's your own fault. You've made your bed, now lie in it.

I, for one, am going to keep it at the highest level, which is Vista UAC.

This is if it's on the "users can make changes without prompting" level, basically, the stupid level.

This is the default level in Windows 7. Can you see the potential for ugly malware now?

tunafish said,
Personally i think they should have left it as default like vista then allow a user to change it etc.
I think they should have either removed it entirely (as it stands, it really is a false sense of security) or made it a true security boundary.

This is the user's fault. You all complained that UAC was annoying, so they made it less annoying.

Now its not as safe and you still complain.

You get what you deserve.

On top of that excellent point I would like to say they also have this little thing called Windows Defender, and AVG is free. I mean I know AVG isn't a Microsoft product, but when there is a free solution to a common problem usually people don't complain about it, but for some reason they jump all over Microsoft. I think Microsoft deserves our respect. They have managed to keep people paying for a piece of software with a better free alternative.

This is the user's fault. You all complained that UAC was annoying, so they made it less annoying.

Now its not as safe and you still complain.

You get what you deserve.


LOL.

This would be fixed if MS simply put a single warning on changing UAC permission levels. Something that should be blatantly obvious since it's a SECURITY feature. That wouldn't change the overall "feel" of Windows 7's reduced nagging. It would only be a single extra dialog box in the specific case of changing UAC settings, which a user normally never does.

But Microsoft doesn't want to, because they're idiots.

UAC is now officially rendered useless, why not turn it off before someone turns it off for you?

I agree with this to a certain point. Even though the system is already compromised, UAC could still be another barrier for malware. Does system center notify the user that UAC is disabled?

Well there you go, you DO get told UAC is off, if it tells you this right when the change happens you should be able to figure out something is wrong.

Also, as it is stated by MS, for this to work something else has already gotten into your system. UAC isn't useless at all, saying so is stupid. IF something already got into your system, then on any OS not just Win7 or Vista, it'll then find a way to do something else.

The key here is to stop the initial breach, if users can't stop that then anything else isn't going to help much.

Chaks said,
Action Center does notify the user that UAC is turned off

And what happens in the default quiet state of UAC when something pokes into the registry and turns it and Action Center off?

UAC is [or "should have been" in this case] a PRO ACTIVE counter measure for security risks BEFORE IT HAPPENS. If you are able to easily turn it off, even you are notified by Action Center LATER ON, the whole purpose of PRO-ACTIVE protection becomes obsolete.

So this is why UAC is useless right now...

Say you don't easily turn it off, so what? Users will then just run as Admin or in the case of *nix, as root to get past the "annoying pop-ups."

UAC is pro-active unless you make it not be by setting it low or off. The fact you even have the choice in Win7 compared to Vista is because USERS ASKED FOR IT.

Yet people moan that MS doesn't listen to them. Well, here is a case in point where they have.