Whenever we talk about Windows 7 on OSNews, you'll always hear me advise you to set UAC to its highest level, since Windows 7's default simply isn't secure. You might wonder why you should put up with the additional prompts: what does the security risk actually amount to? Well, it's pretty big.
When you run Windows 7 at the default UAC level, a technique that combines code injection with the several Windows 7 components that are allowed to auto-elevate can give an attacker full control of your system. Microsoft gave several components in Windows 7 special privileges (like notepad.exe and calc.exe) in order to reduce the number of UAC prompts. The end result, however, is that these components can be used to bypass UAC completely: code that runs inside one of them is elevated along with it, without any prompt, and ends up with full administrative access to the machine. This works even on the RC.
The proof-of-concept exploit works by injecting its own code into the memory of another process, one that has auto-elevation capabilities. This is done with standard, documented APIs; no memory-corruption bug is involved, which is also why ASLR doesn't help here: the injector never depends on a fixed address, it obtains everything it needs through the APIs themselves. The first proof-of-concept just copied a file to a protected location, but later versions could do all sorts of nasty things. This video should give you a good idea. Whiskey tango foxtrot, indeed.
As the writer of the proof-of-concept code explains, the UAC API itself is a good API, but code does require refactoring to provide a good user experience, that is, to not flood users with prompts. Microsoft did not do this properly in Vista, and instead of addressing the issue in Windows 7, it took the easy way out by creating UAC backdoors for its own code and programs (the UAC whitelist) so as to reduce the number of prompts. This list isn't configurable by the user.
This leads to the odd situation where, even though Microsoft has stated that UAC is supposed to nudge developers into fixing their code so that it works for limited users as well, Microsoft itself doesn't seem willing to do that. So, to avoid having to fix its own code to work well with UAC, it cheated. This isn't the kind of behaviour that befits an otherwise great release.
At this point in time, the default UAC level in Windows 7, and all levels below it, are insecure. You might as well turn UAC off completely: as far as this attack is concerned, it makes no difference whether UAC is off or at the default level. The entire flaw becomes moot the moment you set UAC to its highest setting, "Always notify" (Control Panel, User Accounts, Change User Account Control settings), because that setting disables auto-elevation. Microsoft's own binaries then prompt like everyone else's, so there is no longer a silently elevating process to inject into. That's why I always advise you to do so.
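The two conditions the bypass depends on, the slider position that enables auto-elevation and the presence of binaries whose manifests ask for it, can be audited from PowerShell. The script below is an added example written for this page; it is neither the proof-of-concept author's code nor anything Microsoft ships. It assumes Windows 7 or later with PowerShell 2.0 or newer, an elevated prompt (so every file in System32 is readable), and the documented UAC policy values under the Policies\System key; the function names are mine.

```powershell
# Added example: audit the UAC slider position and list the executables in a
# secure location that request auto-elevation in their manifest.
# Assumes Windows 7+ and PowerShell 2.0+, run from an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Map the UAC slider to the documented policy values. Auto-elevation of
    # Windows-signed binaries is honoured only when ConsentPromptBehaviorAdmin
    # is 5 (the Windows 7 default). "Always notify" is 2 with
    # PromptOnSecureDesktop = 1; "Never notify" turns EnableLUA off.
    $p = Get-ItemProperty -Path $PolicyKey
    if ($p.EnableLUA -eq 0) {
        return 'Never notify (EnableLUA = 0): UAC is off, administrators run fully elevated'
    }
    switch ($p.ConsentPromptBehaviorAdmin) {
        5 {
            if ($p.PromptOnSecureDesktop -eq 1) { 'Default: Windows-signed binaries AUTO-ELEVATE silently' }
            else { 'Default without dimming: Windows-signed binaries AUTO-ELEVATE silently' }
        }
        2 { 'Always notify (highest): auto-elevation disabled, every elevation prompts' }
        0 { 'Elevate without prompting: no protection for administrators at all' }
        default { "ConsentPromptBehaviorAdmin = $($p.ConsentPromptBehaviorAdmin): auto-elevation disabled, every elevation prompts" }
    }
}

function Get-AutoElevateBinaries {
    param([string]$Directory = "$env:SystemRoot\System32")

    # The request lives in the embedded application manifest as
    # <autoElevate>true</autoElevate>. A byte search for that element is
    # sufficient for the stock System32 binaries; a resource parser would only
    # be needed for unusual layouts. Only binaries in a secure location
    # (System32, Program Files) are eligible, so the scan is scoped to one;
    # the same file copied to a user-writable folder would not auto-elevate.
    $pattern = '<(?:\w+:)?autoElevate>\s*true\s*</(?:\w+:)?autoElevate>'

    Get-ChildItem -Path $Directory -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text -match $pattern) {
            # Auto-elevation also requires a Windows publisher signature.
            # PowerShell before 5.1 only sees embedded signatures, so
            # 'NotSigned' on a stock binary usually means catalog-signed
            # (System32\CatRoot), which the elevation check accepts as well.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $status = 'Unknown'
            $signer = '(none embedded; probably catalog-signed)'
            if ($sig) {
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                SigStatus = $status
                Signer    = $signer
            }
        }
    }
}

"UAC level: $(Get-UacLevel)"
Get-AutoElevateBinaries | Sort-Object Path | Format-Table Path, SigStatus, Signer -AutoSize
```

At the default level, every path the second function lists is a candidate host of the kind the proof-of-concept injected into. Moving the slider to "Always notify" does not change that list (the manifests are inside signed binaries and cannot be edited without breaking the signature, which is why the article says the whitelist is not user-configurable), but it makes Get-UacLevel report auto-elevation as disabled, and that is the state that matters. Point -Directory at "$env:ProgramFiles" to cover the other secure location.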
Microsoft needs to address this issue before the release, or else malware and virus writers are going to have a field day. It’s exactly this kind of braindead decision making that led to years of neglect of Windows NT’s advanced security features, creating an environment where malware and viruses could prosper. With Vista, it seemed as if Microsoft finally got their act together, and now, with Windows 7, they’re throwing it all away again.
They never learn.
The linked video is incredible. The ease in which UAC is bypassed is impressive. What is more impressive is the outright incompetence of Microsoft to not update freaking Calc and Notepad to work with privileges correctly. Why does Notepad need to auto-elevate? If I was trying to save a text file to a system location, a UAC prompt wouldn't be shocking to see.
This only confirms factually what I understood philosophically already: that UAC is just a 'patch' trying to add security on top of a system that—for backwards-compatibility's sake—is totally insecure by design. The Windows user-space is one giant insecure mess. The NT kernel has all the features to implement a really, really tight and secure user-space, and Microsoft are still waving the Windows 95 flag.
Until Microsoft ditch all backwards-compatibility and move it into a VM, Windows security is never going to be properly secure, and we will always see inane, short-sighted and ineffective security systems tacked on top like UAC.
P.S. Also love how Flash can auto-install itself in IE8/Win7. You get a UAC-prompt, but none of the normal Active-X warnings. Cute. What's your normal reaction when a web-page upon loading suddenly, out of nowhere, fires off a UAC-prompt??
Edited 2009-05-15 07:45 UTC