Malware turns off Windows' UAC, warns Microsoft

By Marshall
in Back Page News

 Share

Recommended Posts

Grand Master

Marshall Veteran

Posted
  • Veteran
Posted
Computerworld - Microsoft this week urged users to keep an oft-criticized Windows security feature turned on, even as it said that more malware is disabling the tool.

User Account Control (UAC) is the feature that debuted in Vista and revised in Windows 7 that prompts users to approve certain actions, including software installation.

UAC was "universally hated" in Vista, and was a major complaint about the unsuccessful operating system, a Gartner security analyst said more than two years ago.

"From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get 'click fatigue,'" said John Pescatore of Gartner in the months before Windows 7's launch.

Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

This week, Microsoft's Malware Protection Center (MMPC) said that malware was increasingly turning off UAC as a way to disguise its presence on infected PCs.

To disable UAC, attack code must either exploit a bug that allows the hacker to gain administrative rights -- Microsoft calls those flaws "privilege elevation" vulnerabilities -- or trick the user into clicking "OK" on a UAC prompt.

Apparently, neither are difficult.

Some of the most-common threats now in circulation -- including the Sality virus family, Alureon rootkits, the Bancos banking Trojan and fake antivirus software -- have variants able to switch off UAC, said Joe Faulhaber of the MMPC team in a post to the group's blog.

One worm, dubbed "Rorpian" by Microsoft, is especially enamored with the anti-UAC tactic: In more than 90% of the cases involving Rorpian on a single day, MMPC observed the worm disabling UAC by exploiting a four-year-old Windows vulnerability.

Nearly one-in-four PCs that reported malware detections to Microsoft had UAC switched off, either because of malware antics, or because the user turned it off.

UAC has not been problem-free on the technical side, either. Months before Windows 7's debut, a pair of researchers revealed a bug in the feature that hackers could use to piggyback on preapproved Microsoft code to trick Windows 7 into granting malware full access rights.

Although Microsoft initially dismissed their reports, it later changed UAC.

Faulhaber provided a link to instructions for switching UAC on or off on Vista. They can also be used on Windows 7, but the final step is to pull the slider to "Never Notify" to turn off UAC.

Source

Grand Master

mad_onion

Posted
Posted

My understanding is that privilege escalation vulnerability are in fact pretty rare. But in regards to the news isn't it pretty obvious that malware might disable UAC. I mean if I was writing malware I would probably do that too....

Mentor

Jen Smith

Posted
Posted

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

Veteran

Kondrath

Posted
Posted

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

I have no idea why I never thought of that. I always disable UAC completely just because it's annoying and I'd probably click "Continue" without really caring, anyway. Maybe I'll set it up like that eventually.

Grand Master

jakem1

Posted
Posted

I've personally never had a problem with UAC and happily leave it running as a final safety check whenever I'm doing something. I quite like the fact that it makes me think twice if it pops when I wasn't expecting it.

In regards to the article, it seems like typical Computerworld flamebait. It's pretty much devoid of facts and spends most of it's time dredging up Vista-era hate. Here's the best bit:

Apparently, neither are difficult.

Why provide any evidence to back up your claims when you can just make an unsubstantiated assumption :rolleyes:

Lazy "journalism" at its best.

Grand Master

Denis W. Veteran

Posted
  • Veteran
Posted

The social engineering problem will never be solved, short of some real-time scanner catching culprits on the fly. The whole OS X fake antivirus scare from a few months ago was proof of that; users would willingly enter their credentials without thinking twice of what they're installing.

Contributor

bugsbungee

Posted
Posted

The social engineering problem will never be solved, short of some real-time scanner catching culprits on the fly. The whole OS X fake antivirus scare from a few months ago was proof of that; users would willingly enter their credentials without thinking twice of what they're installing.

+1. Idiots will be idiots. We can't protect people from themselves in real life nevermind on their own computers - and the sooner this is realised the better.

Mentor

etempest

Posted
Posted

I remember when MS initially decided to not have UAC prompt when turning UAC off and was resistant to the outcry about this until it became so bad, MS eventually reversed it's decision so turning off UAC would prompt you.

Vista UAC frequency was annoying, Win7 seems to get it right (for me).

Grand Master

Rigby

Posted
Posted

I don't use it. My account is set up as a standard user and I have Windows firewall configured to block everything outbound except for the programs I specifically allow. The problem with UAC is that it popped up for too many things (especially in Vista where it was in your face constantly). People got used to just clicking the UAC notice away without even reading it because it was so annoying. If I need admin access for a program or something I just click Run As Administrator and put in my password, and these days I rarely have to do that since people are finally learning to write their programs properly.

Grand Master

Growled Member

Posted
  • Member
Posted

Was never a fan of UAC myself.. always set my systems up the "proper" way with multiple accounts. One admin account, everything else runs as a standard user. Do it the old fashioned way requiring an admin username/password for elevation. UAC was always too easy to disregard and click through anyway, but I guess that's just what I'm used to growing up with Unix in the first place. Doubly so for my daughter's system... if its asking you for a password, chances are you're messing with something you shouldn't be.

That's the exact same way I set up all my systems. My wife use to get annoyed with me and ask for the password, but after almost making a couple of bad boo-boos she has sense learned the value in the system. She would have a ton of malware installed left to her own devices.

Mentor

dvb2000

Posted
Posted

UAC was implemented in Windows mostly because a lot of looney linux fanatics constantly harangued the media and Microsoft and kicked up a scare campaign saying Windows NEEDED this type of protection to make it secure, "like linux" - lol

Unfortunately Microsoft took the "easy" path and implemented it, rather than stand up for themselves and their users and stuffed up Windows usability as a result.

+1 for the linux fanboys. Didn't do them any good though. Even though they bought down Windows, no one took up linux as a result!

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft releases major feature updates for stock Windows 11 apps

      By PurSpyk · Posted

      Anyway to download these versions without being on the Experimental builds?
    • Microsoft about to radically change how often your Edge browser updates

      By testman · Posted

      Nothing is stopping you from continuing with your testing cadence. If updates are released every 2 weeks instead of 4, and you test once every 4 weeks, the exact same amount of patches will still be available for you in those 4 weeks. For example: Before 4th week - patch 1, 2, 3, 4 After 2nd week - patch 1 and 2 4th week - patch 3 and 4 Still the same amount after 4.
    • Microsoft about to radically change how often your Edge browser updates

      By testman · Posted

      Everyone else has said it. I'm gonna say it - you don't know what you're talking about. I do. I have two laptops. One work, one personal. I have access to two more laptops - both personal. At home I manually update my personal laptop when I see on Neowin that there is an update - I carry on and only apply the updates when I am ready. My work one only updates when my workplace decides to send it - I carry on and only apply the updates (when they actually arrive, which is usually days after the release) when I switch off the laptop at the end of the day as usual. The two other personal laptops only get updated when I get to it which is rarely - the people who own them carry on using them until I get to it and update them. All of the browsers on all laptops are configured to restore the tabs when launched. Google and Microsoft have changed from 6 weeks to 4, and it looks like it's going to move to 2. None of these changes affect how any of these browsers on the laptops are used. Not one jot. My advice to you is stop panicking whenever you see an update. Just carry on with what you're doing. This even benefits you in a way - from your comment you sound like you don't like the changes or the frivolous new features - great - then carry on as before!
    • Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns

      By Brian Miller · Posted

      AMAZON needs to take total accountability for this.
    • Windows Server gets DNS over HTTPS (DoH) support

      By binaryzero · Posted

      Server Summit had a heap of announcements, ADCS changes are baller.

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      508
    2. 2
      +Edouard
      197
    3. 3
      PsYcHoKiLLa
      138
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      80
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!