Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Both Sides of the Windows 7 UAC Problem


I have to come back to the UAC problem again. I just read a good article from Larry Seltzer on eWeek.com:

Both Sides of the Win7 UAC Problem

I think it is one of the first ones I have read that takes the emotions out of the discussion and tries to understand the real problem. He actually made an interesting comment. The whole issue is around running malware to change the UAC settings, and he says:

The technique could be used for far worse things. Control panel has many important system-wide settings in it. You can set user passwords, uninstall software, disable the firewall, and so on. All of this is possible because of the default UAC setting, and you don't have to change that setting to "exploit" it.

So, let’s think about it: A lot of people wanted us to reduce the number of UAC prompts. We published a fairly good article in October last year about User Account Control and what we learned.

Now, let me get this straight (after all the pretty emotional comments I got on my last post): I definitely understand your view and your arguments. What we need, however, is a balanced discussion about what makes sense and what does not.

All the discussions assume that the user is an administrator on the machine, so let’s keep that in mind. Is UAC really the only thing you are concerned about? I think the behavior should be consistent throughout the Windows settings (including UAC); protecting UAC alone probably does not cover the attack vectors you are mentioning. As an example: I can open the Device Manager without a prompt. I can change all Windows settings without a prompt (including all the security settings). This is what the UAC setting is for. From a risk management perspective: What would it really change if we prompted when you change the UAC setting? The malware we are looking at could then no longer change the UAC settings, but it could still change all the other Windows settings (if you are an admin). How much would this really lower the risk, or would it reduce the risk at all?

So, should we change the default to “High”, which would put us at a similar level to Windows Vista, where we got a lot of complaints?

In my opinion we all should do two things:

  1. Take the emotions out of the discussion
  2. Look at the broad picture from a risk management perspective

And one final thing: Yes, we are listening to you (otherwise I would not have allowed comments, answered some of them and now be writing a second post), and the reason for publishing Beta versions is to have these discussions now, while changes are still possible, rather than after the release. So, let’s have this discussion taking the points above into consideration.

Roger

P.S. Read Jon DeVaan's post on this issue
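
To see which of the levels discussed above a given machine is actually set to, the following added example (not part of the original post and not Microsoft's code) reads the UAC policy values from the registry and names the level. The helper name Get-UacLevel is made up for this example; the registry key and value names are the standard UAC policy values.

```powershell
# Added example: name the UAC level a machine is configured for.
# Get-UacLevel is a made-up helper name; the registry key and value names
# are the standard UAC policy values.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    if ($EnableLUA -eq 0) { return 'UAC off (EnableLUA=0)' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: admins elevate without any prompt' }
        2 { return 'Always notify (top slider position, as in Vista)' }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Default: prompt only for non-Windows programs'
            }
            return 'Default without secure desktop: prompt only for non-Windows programs'
        }
        default { return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)" }
    }
}

$p = Get-ItemProperty -Path $key
$names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'
$missing = @($names | Where-Object { $null -eq $p.$_ })

if ($missing.Count -gt 0) {
    # Do not guess: a missing value would otherwise be read as 0.
    Write-Warning ("Not set under {0}: {1}" -f $key, ($missing -join ', '))
}
else {
    $level = Get-UacLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop

    # Values 1-4 prompt on every elevation request, including changes made
    # through Windows' own settings tools; 5 (the default) and 0 do not.
    $prompts = ($p.EnableLUA -eq 1) -and
               ((1, 2, 3, 4) -contains $p.ConsentPromptBehaviorAdmin)

    New-Object PSObject -Property @{
        Computer                  = $env:COMPUTERNAME
        Level                     = $level
        PromptsForWindowsSettings = $prompts
    }
}
```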

Comments
  • I have been appalled at what has taken place over the last week. And now that it is over, I want to talk

  • If you weren't at the TED conference this week, you might've missed Bill Gates' mosquito stunt as noted

  • The problem is, with the current settings the UAC prompts for third-party apps are security theater that only punish well-behaved software.

    Anything that wants to can bypass UAC completely, as I've shown here:

    http://leo.lss.com.au/W7E_VID_INT/W7E_VID_INT.htm

    http://leo.lss.com.au/W7E_VID_DRA/W7E_VID_DRA.htm

    Those videos, made late at night, show an updated version of my earlier proof-of-concept code-injection technique. It doesn't use RunDll32 or SendKeys. It can hijack any "blessed" Microsoft executable running at medium integrity (i.e. normal, elevated), including Explorer.exe, Calc.exe, Notepad.exe, MSPaint.exe... (Why on earth have you given all of those apps the ability to bypass UAC when creating COM objects? Why extend the attack surface to Calc.exe etc.?)

    Given that any process can use this fairly simple technique to elevate anything it wants, the UAC prompts in Windows 7 with default settings offer virtually no protection.

    Thus you should either remove them from *all* apps (i.e. the "elevate without prompting" option which was already in Vista's UAC) or you should make them secure again by default.

    I don't really care which you do so long as I can turn on "always prompt" but what you're doing right now is a) Security theater, since it offers only the illusion of protection which can be bypassed trivially; and b) Anti-competitive, since people who compete with your bundled administrative and/or file management software are forced to either show UAC prompts or use dodgy workarounds.

    And going back to it, there really is no excuse for apps like Calc, Notepad and Paint to have access to full UAC elevation without prompting.

  • Whenever I try to use Google Chrome, the user account dialog box appears asking for a permission. Can you tell me how to remove this?

    Hope you will reply soon.

  • Strange, as Chrome circumvents UAC by installing into the user context - not really "best practice" but their choice. So I do not really see where Chrome needs admin rights, but this is more something to ask Google than Microsoft. An application needs elevation - the UAC prompt - if it is writing to a protected location where it needs more privileges.

    Roger

  • I just tested it again. I really have no clue, why your machine behaves that way. On my machine it does not even prompt for installation.....

    Roger
