At OSNews, we usually do not report on individual security breaches, because there are websites specifically tailored to that sort of thing. Still, every now and then, an interesting security issue pops up that deserves some attention. How about this one: through a simple VBScript, you can completely disable UAC in Windows 7. The reason for this might surprise you. Update: Microsoft’s response.
When Windows Vista was first released, it came with User Account Control, and right about that time, the world ended in flames and we were all doomed, we died, and that was it. At least, that’s how some described the advent of UAC. Others saw it as a necessary evil to fix developers’ attitudes towards writing applications for Windows, an attitude fostered by Microsoft’s own inadequacy; it succeeded wonderfully at that. The number of prompts lessened anyway after first setting up your machine.
Sadly, when it came to developing Windows 7’s UAC, Microsoft decided to listen to the hissy fit group, and they implemented a slider control where you could set which events would trigger a User Account Control prompt. A classic case of sacrificing security for the sake of perceived usability, if you ask me.
In any case, the default setting in Windows 7 is “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. That second one is the root of the very simple security breach described by Long Zheng (of IStartedSomething) and Rafael Rivera (of WithinWindows.com). Since changing a Windows setting does not trigger UAC – changing UAC settings does not trigger UAC. In other words, you can completely disable UAC without the user ever having to give any consent. Put a few keyboard shortcuts in a little VBScript, and there you have it, UAC disabled completely (proof of concept).
Funnily enough, there is a very easy fix for this flaw: enable to the full-blown, Vista-esque UAC in Windows 7 (move the slider all the way up). This setting makes sure that if anyone tries to change you UAC settings, you’d see a UAC dialog. As Zheng accurately remarks, “Having UAC on at the policy as it is currently implemented in Windows 7 is as good as not having it on at all.”
While this exposes the boneheaded implementation of UAC’s settings slider in Windows 7, it also has its roots in sacrificing security for usability’s sake. Let this be a lesson for you: it’s simply not wise to disable UAC, or cripple it just because you don’t like dialogs. I always run my Windows Vista and Windows 7 machines with the full-blown UAC for this very reason.