Whenever we talk about Windows 7 on OSNews, you’ll always hear me advise you to change the UAC settings by setting it to its highest level, since Windows 7’s default simply isn’t secure. You might wonder why you should deal with additional prompts – what is the security risk actually like? Well, it’s pretty big.
When you run Windows 7 with the default UAC level, a technique using code injection and several components in Windows 7 that can auto-elevate can totally own your system. Microsoft gave several components in Windows 7 special privileges (like notepad.exe and calc.exe) in order to reduce the amount of UAC prompts in Windows. The end result, however, is that these components can be used to bypass UAC completely, and basically get full access to your machine. This works even on the RC.
The proof-of-concept exploit works by injecting its own code into the memory of another process, a process with auto-elevation capabilities. This is done using standard and documented APIs. The first proof-of-concept just copied a file to a location, but further editions could do all sorts of nasty things – and ASLR doesn’t help either. This video should give you a good idea. Whiskey tango foxtrot, indeed.
As the writer of the proof-of-concept code explains, the UAC API is a good API, but code does require refactoring to provide a good user experience; to not flood users with prompts. Microsoft did not do this right in Vista, and instead of addressing this issue properly in Windows 7, they took the easy way out by creating UAC backdoors for their own code and programs (the UAC whitelist) as to reduce the number of prompts. This list isn’t configurable by the user.
This leads to this weird situation where even though Microsoft have stated that UAC is supposed to nudge developers to fix their code so that it works for limited users as well, Microsoft itself doesn’t seem to want to do that. So, to avoid having to fix their own code to work well with UAC, they cheated. This isn’t the kind of behaviour that befits an otherwise great release.
At this point in time, the default UAC level in Windows 7, and all levels below that, are insecure. You might as well turn UAC off completely, as it makes no difference to have it either off or at the default level. This entire flaw becomes null the moment you set UAC to its highest setting (as that disables auto-elevation). That’s why I always advise you to do so.
Microsoft needs to address this issue before the release, or else malware and virus writers are going to have a field day. It’s exactly this kind of braindead decision making that led to years of neglect of Windows NT’s advanced security features, creating an environment where malware and viruses could prosper. With Vista, it seemed as if Microsoft finally got their act together, and now, with Windows 7, they’re throwing it all away again.
They never learn.