Microsoft: Malware can disable UAC in Windows 7 'by design'

A month has barely passed since the public beta debut of Windows 7 and we have our first horror story.

UAC (User Account Control) was the major gripe with Windows Vista: it annoyed most tech-savvy users and confused ordinary consumers. Microsoft has changed the behavior in Windows 7, lowering the amount of user interaction required when changing system settings. The apparent downside, according to reports, is that the way Microsoft changed the behavior makes it extremely easy for malware authors to write code that disables UAC without user intervention.

By default, Windows 7's UAC slider is set to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings". Microsoft distinguishes a (third-party) program from a Windows settings change by code signature: the applets that manage Windows settings, Control Panel items included, are signed with a special Windows 7 certificate, and at the default level they elevate without a UAC prompt when you change a system setting.

The issue is that because these applets are trusted not to prompt, a program running as the logged-on user can emulate a few keystrokes into the UAC settings applet and within moments have UAC disabled on the machine without any user interaction. Rafael Rivera has done exactly that and posted proof-of-concept code, a few lines of VBScript, on his site. Malware authors could easily bake this into a fake program and trick the user into executing it. One caveat: the trick needs the logged-on user to be a member of the Administrators group, which the first account created on a Windows 7 machine is; a standard user is still asked for administrator credentials before the applet runs elevated.

You'd think this would be easy to fix, right? You'd be right, but beta testers who filed bugs with Microsoft (via its Connect program) have met resistance: Microsoft employees state the behavior is "by design". We have contacted company officials for a statement on the issue but at the time of writing have not received a response.
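As an added example (not code from the article, and not Rafael Rivera's proof of concept), here is the check a Windows administrator would want after reading the above: a PowerShell script that reads the three policy values the Windows 7 UAC slider writes, reports which slider level they correspond to, and with -Enforce raises them to the Vista-style "Always notify" level drawn on the secure desktop. The value names and the slider-to-value mapping are assumptions based on the documented Vista/7 registry layout under HKLM\...\Policies\System; the script is written for PowerShell 2.0, which is what Windows 7 ships with.

```powershell
# Added example: not code from the article or from Rafael Rivera's proof of concept.
# Audits the UAC policy values behind the Windows 7 slider and, with -Enforce,
# raises them to the "Always notify" level drawn on the secure desktop.
# Assumption: value names and the slider mapping below follow the documented
# Vista/7 layout under HKLM\...\Policies\System. Run elevated to use -Enforce.
param([switch]$Enforce)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        # 0 = UAC switched off entirely (takes effect after a reboot)
        EnableLUA                  = [int]$p.EnableLUA
        # 0 = elevate silently, 2 = consent prompt for everything,
        # 5 = consent prompt for non-Windows binaries only (the 7 default)
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        # 1 = prompt shown on the secure desktop, out of reach of SendKeys
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Get-UacSliderLevel {
    param($State)
    if ($State.EnableLUA -ne 1 -or $State.ConsentPromptBehaviorAdmin -eq 0) {
        return 'Never notify'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 5) {
        if ($State.PromptOnSecureDesktop -eq 1) { return 'Notify only for programs (Windows 7 default)' }
        return 'Notify only for programs, no secure desktop'
    }
    return 'Always notify'
}

function Test-UacHardened {
    param($State)
    # Hardened means: UAC on, every elevation prompts (1 = credentials,
    # 2 = consent), and the prompt is drawn on the secure desktop.
    return ($State.EnableLUA -eq 1) -and
           ($State.ConsentPromptBehaviorAdmin -eq 1 -or $State.ConsentPromptBehaviorAdmin -eq 2) -and
           ($State.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$state = Get-UacState
Write-Host ('UAC slider level: {0}' -f (Get-UacSliderLevel $state))
if (Test-UacHardened $state) {
    Write-Host 'OK: signed Windows binaries prompt too, on the secure desktop.'
} elseif ($Enforce) {
    $rebootNeeded = ($state.EnableLUA -ne 1)
    Set-UacAlwaysNotify
    Write-Host 'Raised to Always notify.'
    if ($rebootNeeded) { Write-Warning 'EnableLUA changed; reboot for it to take effect.' }
} else {
    Write-Warning 'Windows binaries auto-elevate at this level; a script driving the UAC applet can lower it with no prompt. Re-run with -Enforce.'
}
```

Save it as, say, Check-Uac.ps1 and run it from an elevated prompt; without -Enforce it only reports. On domain-joined machines these same values are exposed as Group Policy security options ("User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" and "Switch to the secure desktop when prompting for elevation"), so set them there rather than per machine, and use the script as a baseline check that the policy actually applied.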

114 Comments


RageOfFury said,
Turn the slider up to the top...problem solved.

But if it's shipped as-is with this behavior, then the majority of home users would never even think of turning the UAC a notch higher.

XP has had loads and loads of security updates during the course of its life and look how much praise that OS has received... seen by many as probably the best OS Microsoft ever released. It's been ages since it was released but still used quite a bit. As I see it, no matter how secure you try to make an OS, it WILL be cracked because there will always be somebody out there trying to find the weak links in the code. I believe the install base (popularity) of an OS is what draws the hackers in and becomes a prime target so in essence, its success is its own demise. All MS can do is plug the holes as soon as possible and I think they've been taking care of that pretty promptly in all fairness to them.

The default user group for Windows Vista and Windows 7 is administrative. If you don't create a new "standard" user account, you're running an administrative account.

Guys, seriously read before typing. The problem here has to do with the ability to change UAC's level of security without a prompt. No one is complaining about UAC being too stringent or lax, so this whole "damned if you do, damned if you don't" attitude needs to stop as it doesn't apply.

Sometimes either you sacrifice usability for security, or sacrifice security for usability. You cannot have it both ways. When Windows Vista came out most everyone made it quite clear that they hated UAC and now Microsoft is scared of making UAC bad again.

Tikitiki said,
Sometimes either you sacrifice usability for security, or sacrifice security for usability. You cannot have it both ways. When Windows Vista came out most everyone made it quite clear that they hated UAC and now Microsoft is scared of making UAC bad again.


MS can't win. It's not entirely their fault. These issues will continue to plague this company at the expense of the user.

But the problem is that disabling UAC at the default setting does not raise a UAC prompt. This is a major time bomb waiting to happen.

The solution given is very simple: enable UAC and secured desktop whenever anyone or anything makes changes to the UAC setting regardless of the current setting.

They can still keep the default setting (where users aren't pestered with UAC prompt for making changes with the security certificate scheme), but make UAC mandatory for any changes to the UAC setting.

LTD said,
MS can't win. It's not entirely their fault. These issues will continue to plague this company at the expense of the user.

I think you're confusing a beta operating system with a simple video card issue that a certain company can't seem to fix properly.

So let me get this straight: everyone complained about UAC when it launched with Vista and how you had to click Allow a million times. Now that Microsoft changed it so people would stop bellyaching, they still haven't done it right. If people would stop clicking through every prompt that popped up and actually opened their eyes and read what they were clicking Yes to, or just took a second by themselves to think "did I just install that?", then the writers of the exploits would never have gotten to where they are today, and Microsoft would never have had to create UAC.

In the end it's never the people's/customer's/public's fault; blame everyone else.

Microsoft, that's one of the worst bugs you want to have "by design". The last thing you ever want is a piece of security being disabled by malware.

Damned if they do, damned if they don't. UAC can be a pain in Vista, but for the most part it is secure. Users complained, so they tightened the grip, but now get complaints that they tightened the grip. You can't have it both ways, people. It is very difficult to determine if user input is coming from a human being or an automated script. Even if this were possible, it would make some remote desktop technologies, like VNC, unable to properly interact with the desktop session.

Looking at all the feedback on connect about Win7, it's incredible the amount of bug reports that are closed with "By Design" or "Won't Fix".

The last time I've seen this huge amount of "ByDesignWontFix" is with.... Windows ME.

Win7 is good, much better than Vista, but I do get the feeling that it's being rushed out the door.

I just hope that the next build we will have (beta testers) will fix some of the many bugs that were reported.

TruckWEB said,
Looking at all the feedback on connect about Win7, it's incredible the amount of bug reports that are closed with "By Design" or "Won't Fix".

The last time I've seen this huge amount of "ByDesignWontFix" is with.... Windows ME.

Win7 is good, much better than Vista, but I do get the feeling that it's being rushed out the door.

I just hope that the next build we will have (beta testers) will fix some of the many bugs that were reported.

People think its being rushed, but remember, Vista took 5 years to release!!!

Windows 7 is shaping up to be Microsoft's most impressive OS to date!

See what happens when people bitched that Vista's UAC was annoying? Now we're stuck with another insecure version of Windows AGAIN...

FusionOpz said,
See what happens when people bitched that Vista's UAC was annoying? Now we're stuck with another insecure version of Windows AGAIN...

It had better not be. We're living in a different world now. The tech landscape looks quite different from a few years ago. MS can no longer take its position for granted.

LTD said,
It had better not be. We're living in a different world now. The tech landscape looks quite different from a few years ago. MS can no longer take its position for granted.

Nothing is secure...if you want something that is totally secure, then dont use a computer.

Microsoft should just turn that right around on its users though: if they want a secure Windows then put up with UAC as it was in Vista. I have UAC on all the time in Vista (never once has it popped up while doing file operations outside of the system directories, unless I don't have permission to the file (if it was created with Windows XP, or by another user)), and the kicker on Vista is I do use the Limited user for my account. UAC is a joke in Windows 7, makes me feel like I'm on *nix running as root all the time, which as anyone with a single braincell would tell you is not a smart thing to do..

techbeck said,
Nothing is secure...if you want something that is totally secure, then dont use a computer.
techbeck, we're not talking about it being 100% secure, we're talking about Windows 7's security being on the same level as Windows 2000/XP and not that of Windows Vista's. There should only be 1 level to UAC and that's the level it's at on Vista.

As many have said there is a simple fix for this, MS can just make it so you get a prompt if the UAC settings are changed.

I agree that the way it is in Vista is fine, that's how it's been in unix/linux since the start.

FusionOpz said,
Microsoft should just turn that right around on its users though: if they want a secure Windows then put up with UAC as it was in Vista. I have UAC on all the time in Vista (never once has it popped up while doing file operations outside of the system directories, unless I don't have permission to the file (if it was created with Windows XP, or by another user)), and the kicker on Vista is I do use the Limited user for my account. UAC is a joke in Windows 7, makes me feel like I'm on *nix running as root all the time, which as anyone with a single braincell would tell you is not a smart thing to do..


hit start, type uac, you get uac settings, put it up one notch and it becomes the same as Vista.

This article is entirely about a vulnerability that only exists when it's on the default level for an Administrator account.

And I do know how to adjust UAC on 7, I'm saying I shouldn't have to set it higher myself to get the protection I deserve out of a stock install. The Vista level should be the default not this joke.

And like I said there should only be one level, not two, not three, just one, if users want to cry about "too many prompts" then they can cry, at the end of the day it's about a more secure system.

Vista has basically done it the same way Linux, BSD and OS X have done it for years, yet you don't hear the *nix users bitching about it now do you?

FusionOpz said,
yet you don't hear the *nix users bitching about it now do you?

The average Linux user and the average computer user are miles apart in comfortability with security permissions etc. That is something MS should try to educate the Average Joe Windows user about this time around.

Vista was crap but most of the features people hated were there "by design". Now a lot of them are being dramatically changed in Win7. Like, UAC was like that (annoying) by design, but now it's a lot less annoying. Or the non-transparent taskbar and title bar when the window was maximized, that allowed people, by design, to focus more on the content of the window. It would be better to admit from the start what is wrong and be more receptive to suggestions.

techbeck can disable UAC by design too... but seriously, UAC is annoying as hell and that's the first thing that gets disabled when I set up a system.

That's what I was going to say. Everyone cried about the occasional UAC prompts and the secure desktop in Vista, and now look...

If anyone thinks for a second that MS will ship Windows 7 with this flaw in it, really needs to go and learn the basics of business. MS cannot afford to allow scripting to disable UAC because any consumer with any common sense will steer clear and *no* business would touch it.

Please, stop believing everything you read ...

dwarhya said,
If anyone thinks for a second that MS will ship Windows 7 with this flaw in it, really needs to go and learn the basics of business. MS cannot afford to allow scripting to disable UAC because any consumer with any common sense will steer clear and *no* business would touch it.

Please, stop believing everything you read ...

It's actually not a big issue with corporations. User privileges are defined server side, and disabling UAC wouldn't enable malware to run at anything higher than it could with UAC enabled.

If anyone is impacted by UAC in any way, they are not of a sufficient technical level to be beta testing ANYTHING. If you have even a median level of tech knowledge, you have already turned UAC off (Vista or 7.)

Anyone with a high level of technical knowledge knows to leave it ON, and not to encourage the indiscriminate downloading masses to disable it.

yakumo said,
Anyone with a high level of technical knowledge knows to leave it ON, and not to encourage the indiscriminate downloading masses to disable it.

Precisely. Those who know what's going on leave it enabled. They know that it'll probably save them at some point.

Those who think they know what's going on disable UAC, because they heard about it on $publication (ex. zdnet).

yakumo said,
Anyone with a high level of technical knowledge knows to leave it ON

Wrong! Disabling UAC turned me into a SUPER1337PROFESSIONALPOWERUSER!!!!

Dashel said,
Exactly, yakumo. Seriously nunja et al., stop peeing in the pool. It's adult swim here.

Of course, I should start doing what you kiddies do - whining and insulting each other. I was making a living in IT before most of you were born.

Too damn bad Darwin's law has been invalidated by the self-sustaining infinite support mechanisms in place in society today.

We could do with a good bit of culling.

nunjabusiness said,
Of course, I should start doing what you kiddies do - whining and insulting each other. I was making a living in IT before most of you were born.

Too damn bad Darwin's law has been invalidated by the self-sustaining infinite support mechanisms in place in society today.

We could do with a good bit of culling.

You're an idiot. You are less secure with UAC off.

Exactly what i was thinking! Why can't they just make it so you ALWAYS are served a secure UAC prompt when you're changing the actual UAC settings?

Chestah said,
Exactly what i was thinking! Why can't they just make it so you ALWAYS are served a secure UAC prompt when you're changing the actual UAC settings?

Makes sense to me.

Yea, the whole UAC argument has always been weak. Outside of the first few days of a new build, once you get your apps installed and settings tweaked you rarely see a UAC dialog. I haven't seen one for days and most people won't either most of the time. MS should not back down on this and crank it up to prompt for settings changes, allow me to crank it down (instead of turning it off) while I get everything set up, that is helpful. But having the default be that low is a mistake.

Don't you just love sensationalist journalism.

While I agree the default level could be higher/include Secure Desktop, this is a perfect example of how the user base shot themselves in the foot. You did not want security when given UAC in Vista, you just went ahead and disabled it. Now, when it does not ask you for permissions when doing system changes, you cry over settings being non-secured. You asked for it, really; this is the price you pay for not having to put up with a UAC dialog every now and then when altering your system.
In the end, if you knew how to disable it then, you know how to crank it up now.

Exactly. Vista UAC is very secure even if annoying. And it's a fair price to pay.

Has anyone tried using ZoneAlarm? Between ZoneAlarm and Vista UAC, I'd rather use Vista UAC!

Memnochxx said,
Except that in this case windows is supposed to notify you when a program changes system settings, but it isn't doing so.

Because a program isn't directly modifying settings. A program is indirectly modifying settings.

This vulnerability was known about back in the Vista days, and it's one of the reasons why Secure Desktop exists (so that an application emulating a keyboard can't confirm a UAC dialog).

Some people don't like to admit it, but Microsoft does listen to user feedback, and they listened to user feedback on this. Unfortunately.

I need to find some of this malware so I can send it around to everyone that's ever been irritated by this. People would probably ask for it, if they knew of it and didn't know how to disable that irritating piece of crap! It does NOTHING for security. UAC is EXACTLY the reason I've wiped at least a 100 computers clean of Vista and restored back to XP.

How's that for corking myself? LOL

cork1958 said,
I need to find some of this malware so I can send it around to everyone that's ever been irritated by this. People would probably ask for it, if they knew of it and didn't know how to disable that irritating piece of crap! It does NOTHING for security. UAC is EXACTLY the reason I've wiped at least a 100 computers clean of Vista and restored back to XP.

How's that for corking myself? LOL

UAC in Vista was good. It worked like it should.
But because of dumbass ikspertz like you, Cork, MS crippled its default mode in Windows 7.

cork1958 said,
I need to find some of this malware so I can send it around to everyone that's ever been irritated by this. People would probably ask for it, if they knew of it and didn't know how to disable that irritating piece of crap! It does NOTHING for security. UAC is EXACTLY the reason I've wiped at least a 100 computers clean of Vista and restored back to XP.

How's that for corking myself? LOL


It's funny, you're so monumentally thick that you forgot that Vista is not affected by this.

RealFduch said,
But because of dumbass ikspertz like you, Cork, MS crippled its default mode in Windows 7.

Hit the nail on the head there.

cork1958 said,
I need to find some of this malware so I can send it around to everyone that's ever been irritated by this. People would probably ask for it, if they knew of it and didn't know how to disable that irritating piece of crap! It does NOTHING for security. UAC is EXACTLY the reason I've wiped at least a 100 computers clean of Vista and restored back to XP.

How's that for corking myself? LOL
I suppose you run as root on your *nix machines, too, huh?

waruikoohii said,
I suppose you run as root on your *nix machines, too, huh?

LOL! What *nix machines? :P

sudo rm -rf /home/cork1958

Oops... He has been erased from Neowin... :P

Oh? He's using OS X?

sudo rm -rf /Users/cork1958

Problem solved.

RealFduch said,
UAC in Vista was good. It worked like it should.
But because of dumbass ikspertz like you, Cork, MS crippled its default mode in Windows 7.

Couldn't say it any better.

With XP, I used to run as Limited User, and it was a pain to run all sorts of "Run As" CMD files. But with Windows Vista, I am able to skip my batch files and go straight to putting Administrator password thanks to UAC.

Interestingly titled article, I think it should read "Microsoft: UAC can be disabled by design", not "Malware can disable UAC in Windows 7 by design". It's not like they set out to say Malware can disable it this way, it wasn't the reasons behind it.

The "ikspertz" who caused this mess are on their way to hell and nothing can change that.

P.S. I'm talking about those "know all" fools.

I don't see why this is a major problem - it's incomplete software. All they have to do is crank up the default UAC setting (really, it should be cranked up by default anyway for new/non-techy users).

It's a major problem as long as that security setting is chosen. It shouldn't be there if it just provides a false sense of security. It is of no use.

I've not tried Windows 7 so I'm just going from the above text, but surely they just need to make any change to the UAC status (by command, registry change or GUI) require acceptance on the secure desktop.

Yup. I don't know why it doesn't anyway. Changes of UAC should automatically run in the highest UAC level regardless of what the user has UAC set to.

rakeshishere said,
Does this happen in Vista too? If so, i'll stick to Vista :P

That would be a mistake if you value performance.
I am running 7 on a testbed PIII with only 512MB of RAM and it works way better than Vista with 2 or 3X that.

nunjabusiness said,
That would be a mistake if you value performance.
I am running 7 on a testbed PIII with only 512MB of RAM and it works way better than Vista with 2 or 3X that.
Most Vista users are using semi-modern hardware.

As much as I love Win7, I could deal with sticking with Vista on both of my computers (E4500 and 2GB RAM, and a Q6600 8GB RAM). Is 7 faster? Yes. But Vista is already extremely fast.

Shouldn't happen on Vista, provided you didn't mess around with UAC's settings.

On 7 you can up the slider to its max level and it'll be just as noisy as Vista. But of course, secure at the same time.

rm20010 said,
Shouldn't happen on Vista, provided you didn't mess around with UAC's settings.

On 7 you can up the slider to its max level and it'll be just as noisy as Vista. But of course, secure at the same time.

So that means reducing slider level down means you are prone to attacks? why all this FUD. I had thought about this when they had shown this in 6801 build for first time

At the end of the day, nothing protects the user from all forms of stupidity, either by accident or through coercion and trickery.

When everything is prompted by UAC, people complain. When only a portion is prompted, people complain. Whatever MS does, there is always someone who tells you that they are an idiot. That's why the slider is there. Windows is trying to give you some respect and cut you some slack when it thinks you can take care of making sound decisions. Otherwise, why not crank it up back to Vista levels if you think you can't judge what programs are potentially harmful?

That doesn't matter. UAC /has/ prompts telling you when system settings are being changed. But that prompt /doesn't/ appear with this code, so unless that behavior is changed it doesn't matter what you want to do to test if a user is doing it, it won't appear anyway.

So why is UAC included with that security level in Windows 7? They need to either fix this or remove the security level altogether, or they will give their users a false sense of security, which is even worse than knowing UAC is not enabled at all. If this is left as-is, we can pretty much assume that most Windows malware in the future will try to do this trick first.
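The comment above expects malware to go for the UAC slider first. As an added example (not code from the article or from any of the commenters), the following PowerShell 2.0 script gives a Windows administrator a way to notice that happening: it subscribes to WMI registry-change events for the three policy values the slider writes and logs a Warning to the Application log whenever one of them is modified. Assumptions: the value names are the documented Vista/7 ones, the script runs as an administrator in a session that stays open (the subscriptions live in that PowerShell process), and the "UacWatch" event source is a name chosen here for illustration.

```powershell
# Added example: not code from the article. Watches the three UAC policy values for
# changes and writes a Warning to the Application log when one is modified, so that a
# script silently lowering the slider (possible at the Windows 7 default level) is
# recorded as it happens. Assumptions: run as an administrator in a session that stays
# open (the subscriptions live in this PowerShell process); WMI registry events need the
# exact value name, so one subscription is registered per value.
$keyPath = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'   # WQL wants doubled backslashes
$watched = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

# Event source for our own log entries (one-time registration, needs admin rights)
if (-not [System.Diagnostics.EventLog]::SourceExists('UacWatch')) {
    New-EventLog -LogName Application -Source 'UacWatch'
}

foreach ($name in $watched) {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='$keyPath' AND ValueName='$name'"
    Register-WmiEvent -Query $query -SourceIdentifier "UacWatch-$name" -Action {
        # This block runs in its own runspace; read the new value back from the registry
        $changed = $Event.SourceEventArgs.NewEvent.ValueName
        $now = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').$changed
        $msg = 'UAC policy value {0} changed to {1} at {2:u}' -f $changed, $now, (Get-Date)
        Write-EventLog -LogName Application -Source 'UacWatch' -EventId 1001 -EntryType Warning -Message $msg
    } | Out-Null
}

Write-Host ('Watching {0} UAC values; Unregister-Event -SourceIdentifier UacWatch-* to stop.' -f $watched.Count)
```

Two caveats a practitioner should keep in mind. A keystroke-driven change goes through the same UAC applet a legitimate administrator uses and writes the same values, so the signal is a change outside any planned change window, not the change itself. And a WMI registry event does not say which process made the change; if you need that, put a SACL on the key and enable Object Access auditing so the Security log records event 4657 ("A registry value was modified") with the process name.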

Because of those "experts" crying wolf over UAC. :P

The best suggested workaround as posted is to force a Secure Desktop UAC dialog whenever the security level is being changed. Or better yet, if they have the ability to temporarily modify the UAC prompt level for a particular task (in this case, switching UAC levels) make the user enter their password for that dialog only.

Yes, obviously prompting at changing the UAC level should pop up a dialog. That's the odd part here -- that that suggestion is written off by Microsoft as "won't fix, by design". :S

Just to be clear, the script changes the UAC setting without getting a UAC prompt?

Would the script be effective if the same UAC default setting is used, but secured desktop is enabled?

This is curious because changing such a critical security setting should ALWAYS prompt a UAC regardless of the current UAC setting. I will test this script out tomorrow and see what happens.

Seems like they could just remove the certificate, or use a different certificate, for the UAC applet so any changes to that one group of settings requires confirmation.

How did they emulate keyboard inputs?
Ah, right, machine already compromised.

I can emulate keyboard inputs too! By breaking into a house and using the keyboard.

That's precisely what UAC is there for, to limit application software to standard user privileges until an administrator authorizes an increase in privilege level. There is no authorization using this method so the bad guys can totally disable the protection and then execute much worse commands on the system without UAC protecting it.

^ lol, yes, and there's your problem ;)

UAC is there to stop users owning their computer from running trojans. So the "machine already compromised" argument doesn't apply here; it's not there to protect from remote exploits, it's there to protect users from themselves.

@Jugalator: I'm not sure what you mean. The point is, a user could download an app that said "FreeOffice.exe", execute it, and it'd shut off UAC without any prompts. That shouldn't be able to happen.

I agree with you long, I didn't write that reply in sarcasm to you.

The second paragraph was in general about the topic and billyea, sorry if I was unclear.

By design huh, I've seen a few of those responses to bugs I've filed too. Well hopefully they don't get bitten in the butt by this. People are prone to file lawsuits "by design."

After many years of testing, one thing I've noticed is that Microsoft will only change/fix what they want to change/fix. The views and opinions of the testers rarely count for anything. Sometimes I wonder why I even bother... having said that, a couple of my bugs have been passed on to teams this time around, so hopefully it'll be better this time but I'm not holding out much hope.

Brandon Live said,
The UAC dialog has a "high" security setting. I'm no expert, but I'm not terribly surprised that it's more secure than a lower setting...

That's not the issue; the issue is with UAC being unable to protect itself when a less paranoid security level is used. :P

Everybody says Windows should offer more options, so now it does. You can have the option to have UAC be a major hurdle for medium -> high IL elevations if that's what you want.

The thing is, malware running even with standard user privileges is plenty bad. It can still add itself to run at start-up (for that user), and can still read / write / delete data in any locations that user can access.

So the most important boundary is the Low IL -> Medium IL one, used by IE in Protected Mode and some other processes, which is still protected just as much as in Vista (or moreso) in this default state.