UAC in 7: Silent Attack Vector Multiplier (redux)

Update: added a link to the original exploit
I really, really hate having to interrupt a good series bashing Apple, but this has to be said.
Long has resumed his crusade on fixing UAC, and normally, I would tell him to give it up for the sake of saving his own time. However, even though Mark Russinovich might not see UAC as a security boundary, the original UAC team sure as hell did, which makes me want Long to see this all the way through. (check the sidebar on the left)
“User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn.” –UAC Blog
Guys, just fix it. I don’t see why things have to be made so hard; the UAC team clearly calls it a security feature, so do them a favor, don’t make them feel like they’ve wasted their time, and fix the problem. Thanks, Long, for telling me that this can’t actually be fixed, since it’s a design issue. So here is a better solution: give the user the ability to choose which UAC setting he/she wants upon first run. Here are three good options:
- Always On
- Notify when programs try to change settings (give a warning with this option about the potential risk of compromise)
- Always Off (give a bigger warning with this option)
You’ll notice that I didn’t actually suggest the option which gets rid of the secure desktop: I personally believe that that particular option offers absolutely no benefit over having UAC off altogether.
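As an added example (not code from the original post or from Leo Davidson’s proof of concept), the following PowerShell audit reads the documented UAC policy values and maps them onto the options listed above, flagging anything weaker than “Always On”. The mapping from registry values to slider positions is assumed from Microsoft’s UAC policy documentation; the function name is hypothetical.

```powershell
# Added example: classify this machine's UAC level against the options above.
# Registry path and value names are the documented UAC policy keys; the
# mapping to slider positions is an assumption taken from that documentation.
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Missing values read as 0 so an absent key is reported as the weakest state.
    $enableLua     = [int]$p.EnableLUA
    $consentAdmin  = [int]$p.ConsentPromptBehaviorAdmin   # 2 = always consent, 5 = non-Windows binaries only
    $secureDesktop = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the isolated secure desktop

    if ($enableLua -eq 0) {
        $level = 'Always Off (UAC disabled)'
        $risk  = 'HIGH: every admin-token process runs fully elevated'
    } elseif ($consentAdmin -eq 2 -and $secureDesktop -eq 1) {
        $level = 'Always On (always notify, secure desktop)'
        $risk  = 'LOW: the Vista-style default'
    } elseif ($consentAdmin -eq 5 -and $secureDesktop -eq 1) {
        $level = 'Notify only when programs try to change settings (Windows 7 default)'
        $risk  = 'MEDIUM: whitelisted Windows binaries elevate without a prompt'
    } elseif ($consentAdmin -eq 5 -and $secureDesktop -eq 0) {
        $level = 'Notify without secure desktop'
        $risk  = 'MEDIUM/HIGH: the consent prompt is not isolated from other software'
    } else {
        $level = "Other (ConsentPromptBehaviorAdmin=$consentAdmin, PromptOnSecureDesktop=$secureDesktop)"
        $risk  = 'REVIEW: non-standard combination, check policy'
    }

    # Remediation (not applied here): ConsentPromptBehaviorAdmin=2 and
    # PromptOnSecureDesktop=1 with EnableLUA=1 restores "Always notify".
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consentAdmin
        PromptOnSecureDesktop      = $secureDesktop
        Level                      = $level
        Risk                       = $risk
    }
}

Get-UacLevel | Format-List
```

Run it from any console; reading these values needs no elevation, so it is safe to push out as a fleet-wide check.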
I figured it had to be said.
(If you want to take this for a test run yourself, check Leo Davidson’s site for the original source code and binaries for the proof of concept exploit)
Mark & friends, I love you guys dearly, but I’ll be taking the original team’s word on this one. If you guys try editing it out, keep in mind the Internet Archive has a copy of the original statement.
Tags: denial, justfixitplease, redux, Russinovich, security feature, UAC
June 12th, 2009 at 2:56 pm
You forget that they can change their robots.txt file to have the Internet Archive delete the archived pages. Keep a local copy.
And I find it interesting that Russinovich won’t even call it a security feature. Elevation is first and foremost about security, and for users who were actually concerned about the concept of LUA, not having to go with XP’s Run As when on a Limited Account was a godsend. Thankfully you can still turn on UAC if you want the security; the issue now is that the default is branded as safe when perhaps it should not be.
June 12th, 2009 at 3:20 pm
Crap. Good point about robots.txt. /saves page
June 12th, 2009 at 4:03 pm
So much for ‘less annoying to be secure’ as a selling point. This is definitely not okay and I cannot believe Microsoft will not change it; they did well fixing the other issue earlier this year.
June 13th, 2009 at 12:17 am
Since day one, when I first touched build 6801, I always set UAC to the “always notify” setting… my reasons for doing so should be apparent. Through what is basically a marketing gimmick, Windows 7 is less secure than Vista. MSFT should have left the settings as they were in Vista, set to “always notify”. Under normal circumstances, when set to the highest level the UAC dialogue rarely pops up.
June 15th, 2009 at 3:44 am
I don’t think Microsoft will try to deny anything that they’ve said, they just won’t comment on it. Unofficially, I suppose they’re simply changing why UAC is there, as I fail to believe they have already forgotten why they added UAC…
June 19th, 2009 at 6:31 am
This is the one issue where Microsoft is definitely stuck between a rock and a hard place. A too aggressive UAC like in Vista is highly unpopular. However, to us enthusiasts/techno savvy crowd, a toned down UAC isn’t secure enough. Do you please the masses or do you “dumb it down to double your dollars” as rapper Jay Z once rhymed? In many cases, if you want success, the original intention is going to get toned down. That has been and always will be the price for success. Essentially and just on principle, I agree with you guys that a strong UAC should be in Windows 7, but I completely understand why Microsoft HAS no choice but to dumb it down. It gives way too much ammunition for the anti-Microsoft/hard core Mac fans/hard core Linux fan crowd to bash away and let it stick.
I think Microsoft’s counter attack should be working with other background and otherwise silent defenses within Windows. If the internal defense, stronger firewalls, whitelist/blacklist defense, and other methods are to be part of the solution, the hardware layers of security also have to be strengthened. Microsoft has to keep attacking security in ways that are invisible but still very relevant to protecting users from themselves. However, a lot of the reason why Windows has so many problems is that the vast majority of the userbase is very ignorant of how PCs work and how to browse safely. Many of Windows’ issues wouldn’t be as much of an issue if PC fundamentals, PC ethics, intermediate PC education, and advanced PC skills were taught to our children in Elementary, Middle School, and High School as part of the mandatory curriculum.
However, there are some people saying that on the x64 version of Windows 7 this RCE doesn’t even work, and that this might be limited to just 32 bit versions of Windows 7. While I do appreciate the war being waged, this is a very fine line we have to walk here.
July 30th, 2009 at 3:26 pm
[...] those involved in the Windows 7 community may know, Microsoft has failed to fix a crucial flaw in the User Account Control feature of the operating system which allows a specific whitelist of [...]