Update: Microsoft have now updated that they are going to deliver two changes to the Windows 7 Release Candidate regarding this issue.
Before getting into the actual news, lets take a while to understand the current Windows 7 UAC dilemma
Windows 7 UAC Dilemma
As Windows 7 was receiving much positive feedback than expected from the beta testers, we had Long Zheng and Rafael, two Windows enthusiasts, come with a proof that malware can turn off UAC in Windows 7. Later Microsoft responded insisting that this is by design and actually not a bug. Later, again, we had Zheng and Rafael come out with a second flaw which showed Windows 7 UAC was still flawed. At this time, everybody thought Microsoft had done the right thing with Windows Vista UAC and compromised security over consumers" feedback in Windows 7.
UAC - A quick History
One of the highly criticized features in Windows Vista is the User Account Control(UAC) which prompts up a dialog box seeking users" permission to continue or stop whenever a system-level change is made. The problem with Vista is that even the default user account which is created during the install, who is a protected administrator (unlike in XP where the user is an Administrator), could not bypass the UAC until its tweaked. This created lots of criticism and the feature which was built to make Vista secure became the most hated feature amongst users. Of course, this was a drastic change for Microsoft and as well as end users who were very much inclined to a single user account (till Windows XP) who is an Administrator.
Based on the feedback Microsoft received on UAC, they decided to:
- Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
- Enable our customers to be more confident that they are in control of their systems.
- Make prompts informative such that people can make more confident choices.
- Provide better and more obvious control over the mechanism.
UAC in Windows 7
So, what has changed in Windows 7 in regard to UAC?
In Windows 7, User Account Control was created with the intention of putting you, the user, in control of your system and thus Microsoft came up with four different settings that a user can choose from:
- Always notify on every system change
- Notify me only when programs try to make changes to my computer
- Notify me only when programs try to make changes to my computer, without using the Secure Desktop
- Never notify
The default settings in Windows 7 is - Notify me only when programs try to make changes to my computer
This means that, you as a user when you do changes to your computer, the UAC would not prompt for consent, but will do so when other programs (like, third party applications) try to change system settings. This is strictly under the assumption that, you as a user know what you are doing with your system.
This would overall reduce the UAC prompts. Remember, this is the default UAC setting for the protected administrator in Windows 7.
UAC Issue 1
Long Zheng and Rafael discovered the first issue with UAC in Windows 7. The issue was that a malware could easily disable UAC if executed.
How could this happen?
As the default mode is set to - Notify me only when programs try to make changes to my computer - Windows 7 thinks that the change malware doing as a change that the user is doing and changes the UAC setting without any prompts for consent.
UAC Issue 2
Later again, Zheng and Rafael came up with another issue. The issue this time was that a malware can silently self-elevate with default UAC policy.
How could this happen?
Microsoft states that the change made in Windows 7 default UAC settings is that any operation that is necessary to manage windows will not require an elevation - which in technical terms translates into a white list of trusted action / binaries which the user can make perform without UAC prompting from an elevation.
For quite some time, Microsoft was silent and later came out with a response that this behavior of UAC was by design and denied the fact that this was a bug.
Why does Microsoft think this is by design and not a bug? Jon DeVaan from Microsoft has posted an update which explains it all.
It is agreed that whatever proof Zheng and Rafael came up with indeed disabled UAC in Windows 7, but not until the malware was running. It is clear that the malware does not by itself execute unless user agrees to run or without any consent.
I downloaded the script file which Rafael had created for the UAC Issue 1. I was able to download and save it without any problem. So, now, I have downloaded the malware in my system, but it is still not active. I executed the script and immediately I received this prompt:
This is what Microsoft is insisting - Malware making it onto a PC and being run Vs What it can do once it is running
I didnt click Run as I am aware that this is a program that I dont know and might be a malware or a virus or something else. Clearly, there is a difference and nothing was changed in my system.
Similarly, when we open a .vbs (script file) or any other .exe file via a browser, for example, Internet Explorer, we get prompted again:
Images Courtesy: E7 Blog
Jon said that the recent feedback on UAC is about the behavior of the - Notify me only when programs try to make changes to my computer settings. He also added that the feedback has been clear and it is not related to UAC set to Always Notify, which is the default behavior of UAC in Windows Vista and it becomes much easier to mischaracterize the feedback.
What do you think of Microsofts explanation? Are they right in what they say - Malware making it onto a PC and being run Vs What it can do once it is running ?
You as a user, do you think this is a big threat to Windows 7?