BetaArchive Logo
Navigation Home Screenshots Image Uploader Server Info FTP Servers Wiki Forum RSS Feed Rules Please Donate
UP: 24d, 0h, 32m | CPU: 4% | MEM: 6070MB of 11305MB used
{The community for beta collectors}

Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 
Author Message
 PostPost subject: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 12:20 am 
Administrator
User avatar
Offline

Joined
Fri Aug 18, 2006 11:47 am

Posts
12473

Location
Merseyside, United Kingdom

Favourite OS
Microsoft Windows 7 Ultimate x64
Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved

Quote:
Security researchers have unearthed a potentially serious flaw in User Account Control (UAC) features in Windows 7. Microsoft is aware of the issue but is currently unconvinced it needs to make changes to the pre-release code.

UAC is a security feature introduced in Windows Vista that's designed to prompt users for permission before allowing applications to proceed. The technology is designed to put a guard against malware. However, many have found it intrusive and annoying.

Microsoft has modified the technology in beta versions of Windows 7, the next version of its operating system, to make it more palatable. Four different levels with the enhanced version of UAC mean that, among other things, routine tasks no longer ask for permission to run.

However, in making these changes Microsoft has inadvertently introduced a gaping security hole. Disabling UAC no longer generates a prompt. This means, security researchers warn, that future strains of malware might be able to silently shut down UAC, leaving users with the misleading impression the controls are still active. Security blogger Long Zheng explains:

By default, Windows 7’s UAC setting is set to 'Notify me only when programs try to make changes to my computer' and 'Don't notify me when I make changes to Windows settings'. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications or applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles' heel of this system is that changing UAC is also considered a 'change to Windows settings', coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.


To underline his concern, Zheng has developed proof of concept code that surreptitiously disables UAC without social engineering trickery or user interaction. The code he and colleague Rafael Rivera developed emulates a sequence of keyboard inputs to turn off the guard-dog feature or reactivate it after loading up booby-trapped code.

"We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user's startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc," Zheng warns.

This override flaw would be easy to fix, without forgoing the benefits of the enhanced version of UAC, by forcing a prompt in Secure Desktop mode whenever UAC is changed. "This is not a fool-proof solution (users can still inadvertently click 'yes') but a simple one I would encourage Microsoft to implement," Zheng argues.

Other security blogs, such as WindowsConnected.com (here), have also picked up on the issue.

Microsoft is reportedly unconvinced the issue highlighted by Zheng is serious, responding to feedback by suggesting that the behaviour is "by design" and therefore isn't on the company's to-do list.

In the absence of a built-in modification from Microsoft, users can act themselves by changing the UAC policy to "Always Notify" if UAC settings change. "Annoying, but safe," Zheng concludes. ®


Source: http://www.theregister.co.uk/2009/01/30/win7_uac_security/

_________________
Image

BetaArchive Discord: https://discord.gg/epK3r6A


Top  Profile  WWW
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 12:27 am 
Donator
Offline

Joined
Mon Dec 31, 2007 4:09 am

Posts
368

Location
Sweden
I know the guy who brought this to MS attention like six weeks ago and the responses have been insanely mixed. On one hand we have the "By design/Won't fix" people and on the other we have MS employees who have been working closely with us trying to gain momentum and traction. Looks like MS finally got tired of changing all the reports on this issue from public to private. There's also another pretty major security issue that renders your computer unbootable with pretty much zero effort without ever touching the system settings or prompting the user. The responses on this has been mixed as well but it looks like some people are listening and if they close those reports as "Won't fix" or "By design" I'll be leaking that one myself. :)


Top  Profile
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 1:58 am 
FTP Access
Offline

Joined
Mon Jun 16, 2008 4:32 am

Posts
263

Favourite OS
Windows 8 7955
I have to say, I've been following this in the 7 beta newsgroups, all I have to say is that we've known about this for weeks I'm surprised it took this long for news about this to leak out.

I hope they fix this kind of thing (that definitely should not be "by design") before public backlash turns this into another Vista press s**t storm.

@ddew: do you have to feedback ID for the other bug so i can check it out?


Top  Profile
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 2:30 am 
Donator
Offline

Joined
Mon Dec 31, 2007 4:09 am

Posts
368

Location
Sweden
Luthian wrote:
@ddew: do you have to feedback ID for the other bug so i can check it out?


Unfortunatly not, it's marked as private to minimize the risk of leaks. Way too many idiots around in the techbeta who'd love to find something interesting and either write an exploit or use it for a massive FUD campaign. There's a lot of communication going on with the teams involved though so I'm positive it's stirring things up. With any luck it'll be fixed in the next interim or a subsequent build.


Top  Profile
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 6:40 am 
FTP Access
User avatar
Offline

Joined
Wed Jun 11, 2008 11:19 am

Posts
276

Location
Denmark
It is a natural occurence through all Microsoft new releases.
There is a strong interest in the computing world, to explore and exploit Microsoft's security claims. the "sect" are now regrouping to have an attach on Windows 7. With the increasing prowess of hackers, nothing is safe. It is like locking your car door, or fitting a burglar alarm to the car. The best you can achieve is to, hopefully, get the perpetrators to take the easy way out and move on to the next car.
The UAC, since it's introduction in Vista, has not been such a deterrent. A decent hacker could, from those days, circumvent it or even disable it. There is nothing new on this, in Windows 7 - only a new attack.


Top  Profile
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 6:45 am 
Donator
Offline

Joined
Sat May 24, 2008 10:05 am

Posts
2045
Couldn't this be easily fixed by writing in a UAC prompt for changing the level of UAC?


Top  Profile
 PostPost subject: Re: Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved        Posted: Sat Jan 31, 2009 5:43 pm 
Donator
Offline

Joined
Mon Dec 31, 2007 4:09 am

Posts
368

Location
Sweden
jabster wrote:
Couldn't this be easily fixed by writing in a UAC prompt for changing the level of UAC?


Changing UAC isn't a special event, it's "just" a matter of changing a system setting. And in Vista changing the system meant getting a UAC prompt which they got tons of flack for. So in a sense this is what people asked for and now got, something that's easily fixed by upping the UAC slider a few notches and upping the security to Vista levels. Of course MS could add a prompt for changing UAC but that would require them adding a special event for it and rewriting parts of the security model and that's not very likely to happen.


Top  Profile
Display posts from previous:  Sort by  
Post new topic This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 




Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  

All views expressed in these forums are those of the author and do not necessarily represent the views of the BetaArchive site owner.

Powered by phpBB® Forum Software © phpBB Group

Copyright © 2006-2018

 

Sitemap | XML | RSS