Chat directly with me if you want. Go to my
Chat page to find a web messenger!
It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 in one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.
Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements “I do not want to get all the UAC elevation prompt just because I change my Windows settings”. We heard you loud an clear. So, we decided to do what you asked us: Not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:
And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!
However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different: And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.
So, basically to give you my view:
In my opinion, this is not a vulnerability. We can debate now, when we should generally show a UAC prompt but this is a completely different debate than to claim this being a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.
BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista
It's interesting the reaction that this has gotten. As I said when this all started - I can't wait to monitor the blogosphere over the next few days. And, it's been interesting.
One thing that I haven't seen mentioned HERE or in any of the comments:
You need to have a split-token for this to work.
Microsoft's guidance has ALWAYS been - have two accounts if you manage your own system - one Administrator account, and one Standard User. (Wayback Machine time - this was recommended practice in every version of NT to date, and 2000 Professional through Vista)
If you are running as Std. User, this exploit or trickery is negated.
Leo, you make some good points. However, code validation isn't that easy given that you're not always sure what you're looking for. And, Day 0 exploits are too common these days to react in a realistic timeframe. As to a white list - the other extereme is a black list. And, who would maintain that? Of course, the fan boys, M$ haters and technorati would balk and scream foul if Microsoft were to do it. Hence, there is no good solution here. Businesses would buy into it, but that still leaves the poor consumer out in the cold.
Craig - What's so hard about treating the UAC applet differently from the rest of the applets? Explained above - you have a split-token. It's not possible to make the UAC applet Admin-only, because you already are. And, no - there really isn't any way to make the UAC applet only changeable by super-admins. Basically, because there isn't one.
Like Roger - I like (and have from Day 1) the way Vista deals with UAC. I don't mind getting prompted. It's a normal part of life, and I do feel safer. I take a small amount of time to recall what I just did - and if this is something I expect, I click "Continue", "Allow", whatever. If I don't expect it - I click "Cancel" and go back to try again to see if this is truly expected behavior.
Someone said "Damned if you do, Damned if you don't". Yeah - it feels that way. Regardless of what the Windows PG does, there is going to be a segment out there that doesn't like it.
My advice? If this bothers you, create a Std. User account. Run as the Std. User. Know what you're clicking on. And, don't confuse UAC and IE Protected Mode. They are not even remotely the same thing - even though UAC may prompt you during an action that you allowed IE to do. Or, is it OK with you that IE just be allowed to do whatever it wants, bypassing UAC completely?
Nah, that wouldn't be very good at all....
Just another blog by Microsoft where the team completely pretends to ignore the issue, and try to bring in words from "high" that makes people think we are just overreacting. It's a shame really.
I've been a MSFT fanboy for years now, and there isn't one day that my boss doesn't hear anything on Vista or Windows 7, how much that could improve my speed at work. I love the improvements MSFT makes to every Windows, including 7. But there is just one mistake.... Correction, a disaster happening right now.
What we talk about is what the end user (read: noob) gets when he purchases a computer/laptop with Windows 7. It just visits some websites and BANG a virus has been installed, uac turned off and their computer no longer works.
Since the recovery files can easily be removed, the repair disc also becomes useless. It doesn't fix it, or at least makes it work, but where are your files?
This is how you call it a bad OUT OF THE BOX experience. The experience that will say "Can you please install Windows XP back on this machine". (i'm not saying xp is secure, but that's what noobs think)
The Out of the box settings are unsecure for those who don't understand, or want to understand the settings of windows, or it's neccisary security. Now your bringing those at risk, not only with sendkeys, but also with that rundll32.exe issue.
And yes, it's by design. You tell exactly that malware can do everything in the UAC prompt, but how many people that need it will actually see this / understand this? Right, not that many. So in that case your making Windows insecure, and leave a security threat open. Malware changes with the Windows, even I as noob are able to write my own malware these days. What an improvement.
We also didn't ask for this. The media bugged about it because they all use mac's, and some professional people that simply wanted more levels of security. Real security. So no, we didn't ask for it, just a few noicy people that blog it around.
And even if you don't want to change the way UAC works, then simply put UAC on HIGH by default? Then your design is completly by design, except that HIGH will be the default settings.
For those who think it's annoying (reed:pro's) they can turn it lower or off. Let them deal with malware and other possible risks, it's their decision.
Then you simply get:
Knowledged people: not annoyed by that many prompts
Novice: Protected against malware
So before you give us another, "well it's our design" reply, think about those millions of people that Microsoft just puts on risk, and get them to deal with the security threats these days. Or was that the idea? More support more income, or better reason to upgrade to Windows 8? Because it's kinda going to look like that.
"Microsoft's guidance has ALWAYS been - have two accounts if you manage your own system - one Administrator account, and one Standard User. (Wayback Machine time - this was recommended practice in every version of NT to date, and 2000 Professional through Vista)"
Except that the very first thing that Windows setup walks you through doing is creating an Administrator level account. How many typical end-users who just bought their machine from HP do you really think is going to head into control panel first thing and create a non-admin account? Be honest.
And did you really just say that it is impossible to reduce the prompting for all control panel applets *except* the UAC control panel? It really is all or nothing?
Fine, if it really is so monumentally impossible to write some conditional code (like, hey if it's the UAC control panel that the user launches, let's be a little bit more cautious than say, the font control panel), and people should not run as administrator (which I agree with), how about making it so Windows doesn't actively encourage the use of an Administrator account right out of the box?
Because, *out of the box, right now* Windows 7 is less secure than Windows Vista.
UAC should protect itself, regardless of level of verbosity, especially when Windows setup creates the situation of end-users running as admin in the first place.
And before you respond with UAC never being meant to be a security system, think long and hard about the fact that IE sandboxing is directly tied to UAC and can be completely disabled, bringing IE security back to XP levels, by an application installer, out of the box. We weren't all on Peyote when Microsoft specifically described UAC's "secure desktop" as a way to *mitigate dialog spoofing*.
UAC was a security feautere, just check the Windows Vista site:
"User Account Control in Windows Vista improves the safety and security of your computer by preventing potentially dangerous software from making changes to your computer without your explicit consent"
This is no longer the case in Windows 7, and tells the complete different then what Microsoft tells in it's latest E7 blog post.
All they do right now is say, the media asked for it, now you have to deal with security yourself. MS no longer cares about security or out-of-the-box experience, cause like with xp, a out of the box computer is infected within 30 minutes as researches say. And thats what we get out of the box in Windows 7. So yeah, nice improvement Microsoft.
Craig - thanks for hte feedback. Want to make sure that we're both talking about the same complaints.
"Except that the very first thing that Windows setup walks you through doing is creating an Administrator level account. How many typical end-users who just bought their machine from HP do you really think is going to head into control panel first thing and create a non-admin account? Be honest."
Agreed. Someone should fix that, too. But, be honest with yourself - can you set up the OS WITHOUT an Admin account? Can you run Word as a Std. User?
"Fine, if it really is so monumentally impossible to write some conditional code (like, hey if it's the UAC control panel that the user launches, let's be a little bit more cautious than say, the font control panel)"
All I can say is that it's not non-trivial to implement.
"how about making it so Windows doesn't actively encourage the use of an Administrator account right out of the box?"
I'll be right there with you on THAT fight - as I have been for nigh over 14 years..... At least XP gave you an opportunity to create multiple users during setup. So, we agree. Again. :o)
"Because, *out of the box, right now* Windows 7 is less secure than Windows Vista"
Did I disagree with this? Eh...No.
"UAC should protect itself, regardless of level of verbosity, especially when Windows setup creates the situation of end-users running as admin in the first place."
If this is about creating another user - who will be a Standard User instead of a split-token user... Well, I'm not the righ person to tell. Unless of course, Roger is actually READING these. Then, they are getting to the right eyes. Remember - I CONCUR with you on this.
"And before you respond with UAC never being meant to be a security system, think long and hard about the fact that IE sandboxing is directly tied to UAC and can be completely disabled, bringing IE security back to XP levels, by an application installer, out of the box. We weren't all on Peyote when Microsoft specifically described UAC's "secure desktop" as a way to *mitigate dialog spoofing*."
Would you explain that one in detail? You lost me at "think long and hard..." UAC != IEPM or UAC !=LorIE Two different systems.... Two different technologies, two different effects and two different outcomes.
Craig - you're making good points. I'm big enough to admit when you're right and I agree. I'm interested in the dialog. So, keep it coming.
"UAC was a security feautere, just check the Windows Vista site:
"User Account Control in Windows Vista improves the safety and security of your computer by preventing potentially dangerous software from making changes to your computer without your explicit consent""
I see that it says that it IMPROVES the security.... That's pretty much the same thing as saying that the Police drive within 5 miles of my house instead of 10. Does that now make your house more a security boundary? No, but you might feel like it improves your security....
"All they do right now is say, the media asked for it, now you have to deal with security yourself."
Well, I'd hardly say that it was JUST the media. Go back and take a look at blog posts from 11/2006. The fanboy and M$ hater storm had already kicked into high gear. Unless, of course, you consider anything and everything that you see and hear that is not first person as 'the media'. Me, I consider the media a newspaper, a magazine, news agency. With all due respect, there is not a blog on the planet that I consider 'the media' unless they are owned and run by the likes of Hearst-Argyle, Associated Press, etc. It was customer feedback that indicated that Microsoft needed to make a change in this area. They responded. Damned if they do - damned if they don't.
No, t'was the average user, a good percentage who simply heard or read that Vista sucked that caused Vista to suck. Did it get better with SP1? Sure. But, then so did XP. I remember all of the whining, moaning and complaining over RTM XP as well. And RTM Windows 2000. Windows ME....? OK - that one was deserved.
" And thats what we get out of the box in Windows 7. So yeah, nice improvement Microsoft."
So, you toss the entire Win 7 out the window (no pun intended) with one thing that YOU control? When you KNOW what you have to do (Take UAC level to 4 or run as Std. User), but you've now concluded that Win 7 sucks?
OK. Rock on.
Ok, accourding to the e7 blog, this issue is going to be fixed in Release Candidate. Wich is amazing!!!!
@Rick: Sorry for my frustration, but UAC still was designed to help people to protect a computer from malware and other security risks. You can say it's not, but it was doing that. I don't say it's a perfect protection, it's not a police on my doorstep making sure nothing happends, but it's at least an doorbell that allows me to let the person walk in or not.
Maybe UAC was designed with some others words then what I'm using, but this was the way UAC worked for me, and for the people I know using Windows Vista. Looking to security reports everywhere you almost sees that even if UAC is no security thing (if I need to believe you) it protectst very well, and stops like almost every thing.
UAC was in my opinion great in Vista, but I have to say I luckely didn't have a program I used all day that required a prompt. Well, that scenario hasn't been fixed wich makes UAC still annoying to many people. (but they can turn it off, or should update). Before Win7 started, I hoped that more things could be performed without admin privileges but that doesn't seem to happen. In stead of going to fix that, they made a white list allowing to autoelevate.
Well, looking for the end-user I think that is an improvement. Looking at Windows develpment point, I think it was the most easy solution to perform. I just HOPE that those autoelevations cannot be abused by malware.
I've did some POC testing yesterday, and noticed that for example, task sheduler and task manager can autoelevate by a other program, but after that not controlled. Meaning that it's probably fixed. Or at least protected against people like me that know a bit of Visual Basic.
Accourding to e7, this same thing gets moved to the UAC control panel window, meaning that I won't be able to write any code anymore, wich makes the world alot more safer. So thanks for that!!!!!!
Now, if only that run32dll.exe issue can be fixed, I believe that Windows 7 is more secure then Windows Vista.
And yes, with all the great functions in 7, I might consider trowing it out when my OS isn't protected like the previous os was. You might see it as a ONE thing, but I believe it's a very big one. Howeevr, thanks again for the fix!!!!
I have movavi vidio converter it won,t run with uac on in windows 7 what should I do
The only I idea I have is to run it as Adminitrator (right-click "Run as Adminsitrator") if you trust the applicaiton...