Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

The Windows 7 UAC “Vulnerability”

The Windows 7 UAC “Vulnerability”

  • Comments 24
  • Likes

It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 in one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.

Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements “I do not want to get all the UAC elevation prompt just because I change my Windows settings”. We heard you loud an clear. So, we decided to do what you asked us: Not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:

2009,02,03%20-%20UAC%201[1]

And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!

However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:
2009,02,03%20-%20UAC%202[1] And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.

So, basically to give you my view:

  • We did, what you asked us to do: Reduce the number of UAC prompts especially when you change your Windows settings
  • We do what the prompt tells you we are doing

In my opinion, this is not a vulnerability. We can debate now, when we should generally show a UAC prompt but this is a completely different debate than to claim this being a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.

BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista

Roger

Comments
  • It's not that much a vulnerability, than it renders UAC completly useless. There is no use for it anymore since any program with standard rights can change it's setting to get admin rights.

    It's just going back to XP level of security !

    It's the same as "Safari carpet bombing issue" : http://www.theregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/

    It will transform any "little security breach" into a full admin security breach !

  • It's pathetic that MS isn't taking this issue seriously. Just as spike said, this design flaw renders UAC USELESS. Everyone else can see the problem with this. Why can't MS?

  • I don't see the problem with added a simply check box to allow the user to notify users if UAC level is changed.

    It'd put this whole conversation to bed.

  • WTH? Following this, I think you missed the point completely of the argument.... the vulnerability is that you are not prompted when changing UAC at any level which should be done as with the proven examples given by such sites like Long Zheng which allow it to control UAC without knowledge... If UAC is changed without knowledge, programs could install all kinds of malware onto the computer!

  • WTH? Following this, I think you missed the point completely of the argument.... the vulnerability is that you are not prompted when changing UAC at any level which should be done as with the proven examples given by such sites like Long Zheng which allow it to control UAC without knowledge... If UAC is changed without knowledge, programs could install all kinds of malware onto the computer!

  • To start off with, I zipped up the zipper in Win7 because it felt so weird without the UAC prompts I expected.  Asking for prompts on the zipper is not asking for all the prompts back.

    The prompts I receive are expected.  

    What I do hear a lot of complaints about as well is WGA notifications but that feedback appears to not have been acted on.

    I was afraid that the swing of the pendulum would go too far in response to Vista.  I was right.

    Some asked for this change.  I did not.

  • I'm totally appalled after reading this! It looks like we are talking with a 5 year old with twisted arguments of the "but you said" kind.

    One thing is reduce the prompts in windows settings, another is to leave a hole open that allows malware to be installed.

    I didn't see anywhere in Zheng's arguments that the prompts should be totally removed and that any windows settings should be hidden behind a UAC prompt.

    Yes, UAC is a valuable tool, so why not make it work like it should? Should we just wait for a truly bad exploit for Microsoft to patch it later after being showed in night news?

  • Roger... the problem is you apply the same "do not notify" to UAC changes ITSELF.  If you didn't do this, there wouldn't be so much of an issue.

    This is Microsoft, surely its not an issue to enable notification for UAC status changes.

    Thats all we are asking for!!!!!!

  • Got what you mean. Now, give me some time

    Roger

  • An even more serious flaw has been uncovered.

    You're not checking where the calling code comes from, only that the calling process's exe is a Microsoft/Windows one. So any 3rd party code loaded into Explorer.exe or, worse, RunDll32.exe can elevate without any UAC prompts.

    At default settings this renders UAC absolutely useless at defending against exploits that target Windows 7. All it will stop is exploits that don't care about Win7 and non-malicious code that goes bad by mistake.

    http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/

    On top of that, your whitelist cannot be controlled by the user. This is both anti-competitive -- why shouldn't my 3rd party file manager be able to offer the same experience as Microsoft's one? -- and a needless sacrifice of security. If I don't use Explorer but I want to use the whitelist, why should I be forced to leave Explorer on the whitelist? I gain *nothing* from that as I'm not using it, yet it leaves a gaping security hole open.

    http://www.pretentiousname.com/misc/win7_uac_whitelist.html

    And saying "you asked for it" is a strawman argument. Nobody asked for *this*. That there were too many UAC prompts in Vista for some people didn't mean they wanted a terribly designed system in Windows 7. There were things you could have done without completely crippling security, if only you spent longer on the design and were not rushing Win7 out:

    - Have apps cache their elevated objects through logical operations, instead of dropping them the moment they are used and causing another prompt 3 seconds later.

    - Remove Explorer's ridiculous prompts which only exist to show you a UAC shield and tell you it is about to prompt you. (Yes, a prompt that you're about to be prompted. WTF?)

    - Add more context to the UAC dialog so that it can tell people why they are being prompted, not just which program is prompting them. Obviously an exploit could lie in the text string it passes, but then it could already in a message box before the prompt. Forcing programs to explain why they are prompting (the prompts-about-prompts) only encourages people to turn UAC off.

    - If a whitelist is deemed a good idea then give users control over which applications -- both 3rd party and Microsoft -- are on the list.

    People shouldn't be forced to whitelist programs they don't use or don't use often.

    And if a whitelist is a good idea, because it stops people getting fed up and turning off UAC entirely, then it's a good idea for ALL applications. Let the user decide which apps should prompt them and which should not. It not like the user, if they trust an app, can't already grant it admin access.

    - Before allowing silent elevation, do better validation of the calling code.

    It seems that you don't do anything like check that the calling function is from within the signed exe so any signed exe which loads 3rd party DLLs is a gaping security hole. That includes Explorer and every shell extension DLL as well as, more seriously, RunDll32 which can run any code you want with trivial effort. UAC is blown wide open by that!

    Since you don't even validate the module calling code comes from I assume you also don't protect against code/thread injection into whitelisted processes via the debug APIs. The debug APIs are enabled by default and do not require elevation so, again, they are a trivial way for a non-elevated process to run elevated code on a default Win7 install.

    It honestly feels like Microsoft took all the criticism of UAC -- some of it justified but much of it based on misunderstandings and the first impressions of setting up a new machine rather than day-to-day usage -- and threw their hands up in the air saying, "I give up." You shouldn't have given up. You should have thought long and hard about how to make UAC better without virtually turning it off.

    I am amazed that the same people who thought about user interface isolation in Vista then allowed this mess to happen.

    "Now, give me some time"

    I really, honestly hope you can fix these issues but I am worried because MS have said there won't be another Win7 beta and MS (and many other vendors, to be fair) have traditionally done a terrible job at fixing issues found this late.

  • I don't get how this can be so hard. I have not tried Win7 myself but from what I understand, the no prompting only happens for things signed by a special MS Win7 cert, if so, just sign the .cpl that controls UAC with a normal MS cert

  • UAC prompt should always appear when changes to UAC settings are made. *Always*.

    Nobody asked for this kind of behavior.

  • On the lower (default) setting it should, of course, be possible to change settings without a UAC prompt. That is, after all, the point of the lower setting.

    HOWEVER, the one setting that shouldn't be changeable is the UAC level. That might not seem "logical" or "consistent", but it's the behaviour people expect.

    Is it really so hard for anyone working on Windows to get this? I'm beginning to think it is.

  • As I said: I got it. But I cannot change it right now

    Roger

  • I don't know what's so hard about treating the control panel applet responsible for UAC differently from other cpl applets.

    Microsoft is acting like not-prompting for control panel changes is an all or nothing approach, e.g. they can only make changes that affect all control panel applets.

    If, to not prompt for control panel applets, you absolutely must do this to every control panel applet, and can't exempt UAC itself from this "no prompt" behavior, then I truly feel Microsoft seriously needs to reexamine their coding practices.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment