UAC in Windows 7 still broken

I admit, as a non-programmer, I have very little knowledge about the inner workings of Windows. However, as an enthusiast, I thought I had a basic but firm understanding of what User Account Control is, how it works, and why it exists. That's no longer true. After reading an article by Windows god Mark Russinovich, "Inside Windows 7 User Account Control", I'm bewildered by the changes to UAC in Windows 7.

At first, Mark provides this logical explanation for UAC elevation prompts.

Elevation prompts also provide the benefit that they "notify" the user when software wants to make changes to the system, and it gives the user an opportunity to prevent it. For example, if a software package that the user doesn't trust or want to allow to modify the system asks for administrative rights, they can decline the prompt.

Bearing this in mind, you're probably familiar with the commotion raised months ago over a concern over how applications can silently turn off UAC prompts in Windows 7, which Microsoft addressed (after a fair dose of community effort), but what you might not know is that there is another and more serious "exploitative" UAC vulnerability breaking exactly what Mark described.

Source:

http://www.istartedsomething.com/20090611/...ility/#comments


Not this again... They can't fix a broken user that insists on running an application after they're warned not to.

That's not the issue though. The issue is that the program he runs can elevate itself without user interaction, which is a security hole and makes 7 on the default settings equivalent to running XP with an admin user.


That's not the issue though. The issue is that the program he runs can elevate itself without user interaction, which is a security hole and makes 7 on the default settings equivalent to running XP with an admin user.

It can't do that. The exploit injection code can only be put on the affected machine when running in administrator mode. Windows 7 still runs user accounts as a standard user and goes through UAC for admin elevation, meaning you would have to approve the exploit for it to inject any code.


I believe you are wrong. It claims it can elevate programs with the exploit running as standard user (or at least it did when I watched his video ages ago). If it had to run elevated, it could just execute whatever it wanted as administrator without all the work.


This frankly seems to be more of a conceptual problem than it is an actual one.

In actual use, I've found Win7's UAC much more manageable than Vista's.

We need to look at the big picture here. UAC tries to address a crucial security issue: that it's unsafe to run as an Admin in a user account. There's a very simple solution to this, and that's to run limited accounts. Trouble is, users don't like limits.

So what do you do? Allowing unfettered accounts was probably what made XP as insecure as it was. UAC may be a bit irritating, but I'll take it over totally hosed systems.


So what do you do? Allowing unfettered accounts was probably what made XP as insecure as it was. UAC may be a bit irritating, but I'll take it over totally hosed systems.

But, uhm, if this exploit can elevate any arbitrary program then UAC in its default configuration is rendered useless, which means you end up with the exact same thing as XP.


It cannot elevate arbitrary code with the default security configuration. I've read the guy's blog post about it. Making changes to UAC, including the app whitelist in Windows 7 RC+, will always result in a secure desktop prompt. An app may be able to silently approve its own UAC requests, but it cannot approve a system one. Therefore, you would have to either download the malicious code somehow, run it, and approve a security dialog, or you would go to a web site that has a malicious ActiveX control, you would be prompted that it may be untrustworthy, and it would still be running in Protected Mode.


It cannot elevate arbitrary code with the default security configuration.

The guy has a video that shows that he can elevate a Medium Integrity Level program to full admin without the user getting a UAC prompt. This is done with the default account created, which runs in admin-approval mode. In this mode, you click on the "Continue" button for the UAC prompt rather than typing in a password (that is Standard User). This exploit doesn't work with Low Integrity Level programs such as Internet Explorer, so that drive-by attack cannot happen.

As is right now, any third-party software run in Windows 7 with the default UAC configuration can get FULL ADMIN WITHOUT the UAC notifying the user. The program can install services without the user knowing. This is a huge security risk. A "Standard User" account is not exploitable, since the user is forced to type in the password regardless.


As is right now, any third-party software run in Windows 7 with the default UAC configuration can get FULL ADMIN WITHOUT the UAC notifying the user. The program can install services without the user knowing. This is a huge security risk. A "Standard User" account is not exploitable, since the user is forced to type in the password regardless.

I think that's only true when the user chose "Do not dim the Desktop", which disables the Secure Desktop.

With the Secure Desktop enabled (which is the default setting), apps can't interact with the approval dialog and thus only the user can confirm it, if a password is asked or not.


It cannot elevate arbitrary code with the default security configuration. I've read the guy's blog post about it. Making changes to UAC, including the app whitelist in Windows 7 RC+, will always result in a secure desktop prompt. An app may be able to silently approve its own UAC requests, but it cannot approve a system one. Therefore, you would have to either download the malicious code somehow, run it, and approve a security dialog, or you would go to a web site that has a malicious ActiveX control, you would be prompted that it may be untrustworthy, and it would still be running in Protected Mode.

It can and does elevate arbitrary code with the default security configuration.

Malware can run at administrative level without UAC prompts.

Rootkits can run at administrative level without UAC prompts.

Remote code execution exploits can run at administrative level without UAC prompts.

Legitimate applications can run at administrative level without UAC prompts.


It can and does elevate arbitrary code with the default security configuration.

Malware can run at administrative level without UAC prompts.

Rootkits can run at administrative level without UAC prompts.

Remote code execution exploits can run at administrative level without UAC prompts.

Legitimate applications can run at administrative level without UAC prompts.

+1. As Long pointed out in his article, since MS has certain files in Windows "white-listed" by default (which means they are automatically elevated for the purpose of convenience for the user), all a person has to do is write some software to inject a piece of code into a white-listed file, which can then be executed at an administrative level (because the OS is allowing that process to execute unrestricted), bypassing UAC entirely.

This IS a flaw because it really isn't that difficult to do and really makes UAC pointless because malware authors will catch on and implement this method into their apps. That is, unless a person changes the UAC settings to be on the highest level of security/prompts (which ignores the white-list).
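The mitigation this post and the earlier Secure Desktop discussion point at comes down to three UAC policy values. The following PowerShell script is an added example, not code from the thread or from Long Zheng's article: it reads those values, reports whether whitelisted Windows binaries elevate silently on this machine, and offers a function to raise the level to "Always notify". The value meanings are the documented UAC policy settings; the function and property names are my own.

```powershell
# Added example: audit the UAC policy values behind the "default vs. Always notify"
# distinction discussed above, and optionally raise the level. Function names are
# invented for this example; the registry path and value names are the documented ones.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    # EnableLUA = 0: UAC is off and every process in an admin session runs with the full token.
    $uacOn = [int]$p.EnableLUA -ne 0
    # ConsentPromptBehaviorAdmin (Admin Approval Mode), documented values:
    #   0 elevate silently               1 credentials on the secure desktop
    #   2 consent on the secure desktop ("Always notify")   3 credentials   4 consent
    #   5 consent only for non-Windows binaries (Windows 7 default: signed Windows
    #     binaries marked autoElevate are elevated without any prompt)
    $consent = [int]$p.ConsentPromptBehaviorAdmin
    # PromptOnSecureDesktop = 1 keeps the consent dialog on the secure desktop, where
    # other processes cannot drive it ("dim the desktop" in the UAC settings UI).
    $secureDesktop = [int]$p.PromptOnSecureDesktop -ne 0
    New-Object PSObject -Property @{
        UacEnabled        = $uacOn
        ConsentLevel      = $consent
        SecureDesktop     = $secureDesktop
        # whitelisted Windows binaries elevate without a prompt at levels 0 and 5
        SilentAutoElevate = $uacOn -and ($consent -eq 0 -or $consent -eq 5)
        # the "Always notify" slider position is level 2 with the secure desktop on
        AlwaysNotify      = $uacOn -and $consent -eq 2 -and $secureDesktop
    }
}

function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Must run from an elevated prompt; writing these values is itself an admin action.
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
        Write-Warning 'New level applies to new elevations; a changed EnableLUA needs a reboot.'
    }
}

$posture = Get-UacPosture
$posture | Format-List UacEnabled, ConsentLevel, SecureDesktop, SilentAutoElevate, AlwaysNotify
if ($posture.SilentAutoElevate) {
    Write-Warning 'Whitelisted Windows binaries elevate silently here; run Set-UacAlwaysNotify (elevated) to prompt for every elevation.'
}
```

Run `Set-UacAlwaysNotify -WhatIf` first to see the three writes it would make; the level only matters for accounts in Admin Approval Mode, since standard users are asked for credentials either way.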


Seems to do what it says... The question is, if it's really an exploit, why has nobody exploited it? There must be tons of copies of Windows 7 installed around the world.

Why exploit a beta product with technical users whose numbers are relatively few (and risk being caught) when you can wait a couple of months for the product to be on millions of desks around the world?


I think Action Center must alert the user at the default UAC policy with a warning message and have the ability to raise the UAC level to "Always Alert" from within Action Center. This would serve all the purposes: a) Microsoft could leave the UAC setting unchanged; b) the end user would at the same time know the security implication of it.


Well at least in Windows 7 it takes some effort to get a privilege escalation, on OSX it's done with one simple command.

What does UAC have to do with Apple?

