The Windows 7 UAC “Vulnerability”


It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 is one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.


Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements: “I do not want to get all the UAC elevation prompts just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us: Not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:


[Screenshot: Windows 7 User Account Control settings, default slider position]


And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!


However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:

[Screenshot: Windows 7 User Account Control settings, slider at “Always notify”]

And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.


So, basically to give you my view:



  • We did, what you asked us to do: Reduce the number of UAC prompts especially when you change your Windows settings

  • We do what the prompt tells you we are doing

In my opinion, this is not a vulnerability. We can debate now when we should generally show a UAC prompt, but that is a completely different debate than claiming this is a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.
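As an added example (not part of the original post or of Microsoft’s own tooling), the following PowerShell script reads the registry values behind the UAC slider, reports whether the current session runs as a standard user or as a split-token administrator (the case the whole discussion is about), and can raise the slider to “Always notify”, the setting at which UAC changes are themselves prompted. The registry key and value names are the real UAC policy values; the mapping of value pairs to slider positions and the parsing of whoami output are my own assumptions and should be verified on your build.

```powershell
# Added example, not from the original post. Audits the Windows 7 UAC level and
# the token type of the current session; -Harden sets the slider to "Always notify".
[CmdletBinding()]
param(
    [switch]$Harden   # also raise the slider to "Always notify" (needs an elevated shell)
)

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $uacKey

$enableLua = [int]$p.EnableLUA
$consent   = [int]$p.ConsentPromptBehaviorAdmin
$secureDsk = [int]$p.PromptOnSecureDesktop

# Assumed slider positions as (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop):
#   Always notify ............................... 2, 1
#   Notify only when programs make changes ...... 5, 1   (Windows 7 default)
#   Same, but without the secure desktop ........ 5, 0
#   Never notify ................................ 0, 0   (EnableLUA also 0)
$level = if ($enableLua -eq 0) {
    'UAC disabled (EnableLUA=0)'
} else {
    switch ("$consent,$secureDsk") {
        '2,1'   { 'Always notify' }
        '5,1'   { 'Default: notify only when programs try to make changes' }
        '5,0'   { 'Notify only for programs, without the secure desktop' }
        '0,0'   { 'Never notify' }
        default { "Non-standard (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secureDsk)" }
    }
}

# Token type: the Administrators SID (S-1-5-32-544) is marked "deny only" in the
# filtered token of a split-token admin, "Enabled" when elevated, absent for a
# standard user. (Parsing of whoami output is an assumption of this example.)
$groups   = whoami /groups /fo csv | ConvertFrom-Csv
$adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$token = if (-not $adminRow) { 'Standard user' }
         elseif ($adminRow.Attributes -match 'deny only') { 'Split-token administrator (filtered token, not elevated)' }
         else { 'Administrator (full token, elevated)' }

Write-Output "UAC enabled (EnableLUA): $enableLua"
Write-Output "UAC level:               $level"
Write-Output "Session token:           $token"

if ($enableLua -eq 1 -and $consent -eq 2) {
    Write-Output 'At this level a change to the UAC settings is itself prompted.'
} elseif ($token -like 'Split-token*') {
    Write-Warning 'At this level a split-token admin changes Windows settings, UAC included, without a prompt.'
}

if ($Harden) {
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run -Harden from an elevated PowerShell to change the UAC level.'
    }
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Output 'UAC slider set to "Always notify". Reboot if EnableLUA was previously 0.'
}
```

The check for a standard-user session reflects the point made in the comments that a standard user (not a split-token admin) is not affected by silent changes to Windows settings.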


BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista.


Roger

Comments (24)

  1. Anonymous says:

    As I said: I got it. But I cannot change it right now

    Roger

  2. Anonymous says:

The only idea I have is to run it as Administrator (right-click "Run as Administrator") if you trust the application…

    Roger

  3. Anonymous says:

    Got what you mean. Now, give me some time

    Roger

  4. spike says:

It’s not so much a vulnerability as that it renders UAC completely useless. There is no use for it anymore since any program with standard rights can change its settings to get admin rights.

It’s just going back to the XP level of security!

    It’s the same as "Safari carpet bombing issue" : http://www.theregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/

It will transform any "little security breach" into a full admin security breach!

  5. xiphi says:

    It’s pathetic that MS isn’t taking this issue seriously. Just as spike said, this design flaw renders UAC USELESS. Everyone else can see the problem with this. Why can’t MS?

  6. Jason Cartwright says:

I don’t see the problem with adding a simple check box to allow users to be notified if the UAC level is changed.

    It’d put this whole conversation to bed.

  7. RingbearerNZ says:

WTH? Following this, I think you missed the point of the argument completely…. the vulnerability is that you are not prompted when changing UAC at any level, which should be done, as with the proven examples given by such sites as Long Zheng’s, which allow it to control UAC without knowledge… If UAC is changed without knowledge, programs could install all kinds of malware onto the computer!

  9. Susan says:

    To start off with, I zipped up the zipper in Win7 because it felt so weird without the UAC prompts I expected.  Asking for prompts on the zipper is not asking for all the prompts back.

    The prompts I receive are expected.  

    What I do hear a lot of complaints about as well is WGA notifications but that feedback appears to not have been acted on.

    I was afraid that the swing of the pendulum would go too far in response to Vista.  I was right.

    Some asked for this change.  I did not.

  10. ups says:

    I’m totally appalled after reading this! It looks like we are talking with a 5 year old with twisted arguments of the "but you said" kind.

One thing is to reduce the prompts in Windows settings; another is to leave a hole open that allows malware to be installed.

    I didn’t see anywhere in Zheng’s arguments that the prompts should be totally removed and that any windows settings should be hidden behind a UAC prompt.

Yes, UAC is a valuable tool, so why not make it work like it should? Should we just wait for a truly bad exploit for Microsoft to patch it later after being shown in the night news?

  11. GTRoberts says:

    Roger… the problem is you apply the same "do not notify" to UAC changes ITSELF.  If you didn’t do this, there wouldn’t be so much of an issue.

This is Microsoft, surely it’s not an issue to enable notification for UAC status changes.

    That’s all we are asking for!!!!!!

  12. Leo Davidson says:

    An even more serious flaw has been uncovered.

    You’re not checking where the calling code comes from, only that the calling process’s exe is a Microsoft/Windows one. So any 3rd party code loaded into Explorer.exe or, worse, RunDll32.exe can elevate without any UAC prompts.

    At default settings this renders UAC absolutely useless at defending against exploits that target Windows 7. All it will stop is exploits that don’t care about Win7 and non-malicious code that goes bad by mistake.

    http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/

    On top of that, your whitelist cannot be controlled by the user. This is both anti-competitive — why shouldn’t my 3rd party file manager be able to offer the same experience as Microsoft’s one? — and a needless sacrifice of security. If I don’t use Explorer but I want to use the whitelist, why should I be forced to leave Explorer on the whitelist? I gain *nothing* from that as I’m not using it, yet it leaves a gaping security hole open.

    http://www.pretentiousname.com/misc/win7_uac_whitelist.html

    And saying "you asked for it" is a strawman argument. Nobody asked for *this*. That there were too many UAC prompts in Vista for some people didn’t mean they wanted a terribly designed system in Windows 7. There were things you could have done without completely crippling security, if only you spent longer on the design and were not rushing Win7 out:

    – Have apps cache their elevated objects through logical operations, instead of dropping them the moment they are used and causing another prompt 3 seconds later.

    – Remove Explorer’s ridiculous prompts which only exist to show you a UAC shield and tell you it is about to prompt you. (Yes, a prompt that you’re about to be prompted. WTF?)

    – Add more context to the UAC dialog so that it can tell people why they are being prompted, not just which program is prompting them. Obviously an exploit could lie in the text string it passes, but then it could already in a message box before the prompt. Forcing programs to explain why they are prompting (the prompts-about-prompts) only encourages people to turn UAC off.

    – If a whitelist is deemed a good idea then give users control over which applications — both 3rd party and Microsoft — are on the list.

    People shouldn’t be forced to whitelist programs they don’t use or don’t use often.

    And if a whitelist is a good idea, because it stops people getting fed up and turning off UAC entirely, then it’s a good idea for ALL applications. Let the user decide which apps should prompt them and which should not. It not like the user, if they trust an app, can’t already grant it admin access.

    – Before allowing silent elevation, do better validation of the calling code.

    It seems that you don’t do anything like check that the calling function is from within the signed exe so any signed exe which loads 3rd party DLLs is a gaping security hole. That includes Explorer and every shell extension DLL as well as, more seriously, RunDll32 which can run any code you want with trivial effort. UAC is blown wide open by that!

    Since you don’t even validate the module calling code comes from I assume you also don’t protect against code/thread injection into whitelisted processes via the debug APIs. The debug APIs are enabled by default and do not require elevation so, again, they are a trivial way for a non-elevated process to run elevated code on a default Win7 install.

    It honestly feels like Microsoft took all the criticism of UAC — some of it justified but much of it based on misunderstandings and the first impressions of setting up a new machine rather than day-to-day usage — and threw their hands up in the air saying, "I give up." You shouldn’t have given up. You should have thought long and hard about how to make UAC better without virtually turning it off.

    I am amazed that the same people who thought about user interface isolation in Vista then allowed this mess to happen.

    "Now, give me some time"

    I really, honestly hope you can fix these issues but I am worried because MS have said there won’t be another Win7 beta and MS (and many other vendors, to be fair) have traditionally done a terrible job at fixing issues found this late.

  13. asf says:

    I don’t get how this can be so hard. I have not tried Win7 myself but from what I understand, the no prompting only happens for things signed by a special MS Win7 cert, if so, just sign the .cpl that controls UAC with a normal MS cert

  14. Ged says:

    UAC prompt should always appear when changes to UAC settings are made. *Always*.

    Nobody asked for this kind of behavior.

  15. AndyC says:

    On the lower (default) setting it should, of course, be possible to change settings without a UAC prompt. That is, after all, the point of the lower setting.

    HOWEVER, the one setting that shouldn’t be changeable is the UAC level. That might not seem "logical" or "consistent", but it’s the behaviour people expect.

    Is it really so hard for anyone working on Windows to get this? I’m beginning to think it is.

  16. I don’t know what’s so hard about treating the control panel applet responsible for UAC differently from other cpl applets.

    Microsoft is acting like not-prompting for control panel changes is an all or nothing approach, e.g. they can only make changes that affect all control panel applets.

    If, to not prompt for control panel applets, you absolutely must do this to every control panel applet, and can’t exempt UAC itself from this "no prompt" behavior, then I truly feel Microsoft seriously needs to reexamine their coding practices.

  17. Rick Kingslan says:

    It’s interesting the reaction that this has gotten.  As I said when this all started – I can’t wait to monitor the blogosphere over the next few days.  And, it’s been interesting.

    One thing that I haven’t seen mentioned HERE or in any of the comments:

    You need to have a split-token for this to work.

    Microsoft’s guidance has ALWAYS been – have two accounts if you manage your own system – one Administrator account, and one Standard User.  (Wayback Machine time – this was recommended practice in every version of NT to date, and 2000 Professional through Vista)

    If you are running as Std. User, this exploit or trickery is negated.

Leo, you make some good points.  However, code validation isn’t that easy given that you’re not always sure what you’re looking for. And, Day 0 exploits are too common these days to react in a realistic timeframe.  As to a white list – the other extreme is a black list.  And, who would maintain that?  Of course, the fan boys, M$ haters and technorati would balk and scream foul if Microsoft were to do it.  Hence, there is no good solution here.  Businesses would buy into it, but that still leaves the poor consumer out in the cold.

    Craig – What’s so hard about treating the UAC applet differently from the rest of the applets?  Explained above – you have a split-token.  It’s not possible to make the UAC applet Admin-only, because you already are.  And, no – there really isn’t any way to make the UAC applet only changeable by super-admins.  Basically, because there isn’t one.

    Like Roger – I like (and have from Day 1) the way Vista deals with UAC.  I don’t mind getting prompted.  It’s a normal part of life, and I do feel safer.  I take a small amount of time to recall what I just did – and if this is something I expect, I click "Continue", "Allow", whatever.  If I don’t expect it – I click "Cancel" and go back to try again to see if this is truly expected behavior.

    Someone said "Damned if you do, Damned if you don’t".  Yeah – it feels that way.  Regardless of what the Windows PG does, there is going to be a segment out there that doesn’t like it.

    My advice?  If this bothers you, create a Std. User account.  Run as the Std. User. Know what you’re clicking on. And, don’t confuse UAC and IE Protected Mode.  They are not even remotely the same thing – even though UAC may prompt you during an action that you allowed IE to do.  Or, is it OK with you that IE just be allowed to do whatever it wants, bypassing UAC completely?

    Nah, that wouldn’t be very good at all….

  18. Peter van Dam says:

    Just another blog by Microsoft where the team completely pretends to ignore the issue, and try to bring in words from "high" that makes people think we are just overreacting. It’s a shame really.

    I’ve been a MSFT fanboy for years now, and there isn’t one day that my boss doesn’t hear anything on Vista or Windows 7, how much that could improve my speed at work. I love the improvements MSFT makes to every Windows, including 7. But there is just one mistake…. Correction, a disaster happening right now.

    What we talk about is what the end user (read: noob) gets when he purchases a computer/laptop with Windows 7. It just visits some websites and BANG a virus has been installed, uac turned off and their computer no longer works.

    Since the recovery files can easily be removed, the repair disc also becomes useless. It doesn’t fix it, or at least makes it work, but where are your files?

This is what you call a bad OUT OF THE BOX experience. The experience that will say "Can you please install Windows XP back on this machine". (I’m not saying XP is secure, but that’s what noobs think.)

The out of the box settings are insecure for those who don’t understand, or want to understand, the settings of Windows, or its necessary security. Now you’re putting those at risk, not only with sendkeys, but also with that rundll32.exe issue.

And yes, it’s by design. You tell exactly that malware can do everything in the UAC prompt, but how many people that need it will actually see this / understand this? Right, not that many. So in that case you’re making Windows insecure, and leaving a security threat open. Malware changes with Windows; even I as a noob am able to write my own malware these days. What an improvement.

We also didn’t ask for this. The media bugged about it because they all use Macs, and some professional people that simply wanted more levels of security. Real security. So no, we didn’t ask for it, just a few noisy people that blog it around.

    And even if you don’t want to change the way UAC works, then simply put UAC on HIGH by default? Then your design is completely by design, except that HIGH will be the default setting.

    For those who think it’s annoying (read: pro’s) they can turn it lower or off. Let them deal with malware and other possible risks, it’s their decision.

    Then you simply get:

    Knowledged people: not annoyed by that many prompts

    Novice: Protected against malware

    So before you give us another, "well it’s our design" reply, think about those millions of people that Microsoft just puts on risk, and get them to deal with the security threats these days. Or was that the idea? More support more income, or better reason to upgrade to Windows 8? Because it’s kinda going to look like that.

  19. "Microsoft’s guidance has ALWAYS been – have two accounts if you manage your own system – one Administrator account, and one Standard User.  (Wayback Machine time – this was recommended practice in every version of NT to date, and 2000 Professional through Vista)"

    Except that the very first thing that Windows setup walks you through doing is creating an Administrator level account.  How many typical end-users who just bought their machine from HP do you really think is going to head into control panel first thing and create a non-admin account?  Be honest.

    And did you really just say that it is impossible to reduce the prompting for all control panel applets *except* the UAC control panel?  It really is all or nothing?  

    Fine, if it really is so monumentally impossible to write some conditional code (like, hey if it’s the UAC control panel that the user launches, let’s be a little bit more cautious than say, the font control panel), and people should not run as administrator (which I agree with), how about making it so Windows doesn’t actively encourage the use of an Administrator account right out of the box?

    Because, *out of the box, right now* Windows 7 is less secure than Windows Vista.

    UAC should protect itself, regardless of level of verbosity, especially when Windows setup creates the situation of end-users running as admin in the first place.  

    And before you respond with UAC never being meant to be a security system, think long and hard about the fact that IE sandboxing is directly tied to UAC and can be completely disabled, bringing IE security back to XP levels, by an application installer, out of the box.  We weren’t all on Peyote when Microsoft specifically described UAC’s "secure desktop" as a way to *mitigate dialog spoofing*.

  20. Peter van Dam says:

UAC was a security feature, just check the Windows Vista site:

    "User Account Control in Windows Vista improves the safety and security of your computer by preventing potentially dangerous software from making changes to your computer without your explicit consent"

This is no longer the case in Windows 7, and it tells a completely different story than what Microsoft tells in its latest E7 blog post.

    All they do right now is say, the media asked for it, now you have to deal with security yourself. MS no longer cares about security or the out-of-the-box experience, cause like with XP, an out of the box computer is infected within 30 minutes as researchers say. And that’s what we get out of the box in Windows 7. So yeah, nice improvement Microsoft.

  21. Rick Kingslan says:

Craig – thanks for the feedback.  Want to make sure that we’re both talking about the same complaints.

    "Except that the very first thing that Windows setup walks you through doing is creating an Administrator level account.  How many typical end-users who just bought their machine from HP do you really think is going to head into control panel first thing and create a non-admin account?  Be honest."

    Agreed.  Someone should fix that, too.  But, be honest with yourself – can you set up the OS WITHOUT an Admin account?  Can you run Word as a Std. User?

    "Fine, if it really is so monumentally impossible to write some conditional code (like, hey if it’s the UAC control panel that the user launches, let’s be a little bit more cautious than say, the font control panel)"

    All I can say is that it’s not non-trivial to implement.

    "how about making it so Windows doesn’t actively encourage the use of an Administrator account right out of the box?"

    I’ll be right there with you on THAT fight – as I have been for nigh over 14 years….. At least XP gave you an opportunity to create multiple users during setup. So, we agree.  Again. :o)

    "Because, *out of the box, right now* Windows 7 is less secure than Windows Vista"

    Did I disagree with this?  Eh…No.

    "UAC should protect itself, regardless of level of verbosity, especially when Windows setup creates the situation of end-users running as admin in the first place."

If this is about creating another user – who will be a Standard User instead of a split-token user…  Well, I’m not the right person to tell.  Unless of course, Roger is actually READING these.  Then, they are getting to the right eyes.  Remember – I CONCUR with you on this.

    "And before you respond with UAC never being meant to be a security system, think long and hard about the fact that IE sandboxing is directly tied to UAC and can be completely disabled, bringing IE security back to XP levels, by an application installer, out of the box.  We weren’t all on Peyote when Microsoft specifically described UAC’s "secure desktop" as a way to *mitigate dialog spoofing*."

    Would you explain that one in detail?  You lost me at "think long and hard…"  UAC != IEPM or UAC !=LorIE  Two different systems….  Two different technologies, two different effects and two different outcomes.

    Craig – you’re making good points. I’m big enough to admit when you’re right and I agree.  I’m interested in the dialog.  So, keep it coming.

  22. Rick Kingslan says:

"UAC was a security feature, just check the Windows Vista site:

    "User Account Control in Windows Vista improves the safety and security of your computer by preventing potentially dangerous software from making changes to your computer without your explicit consent""

    I see that it says that it IMPROVES the security….  That’s pretty much the same thing as saying that the Police drive within 5 miles of my house instead of 10. Does that now make your house more a security boundary? No, but you might feel like it improves your security….

    "All they do right now is say, the media asked for it, now you have to deal with security yourself."

    Well, I’d hardly say that it was JUST the media.  Go back and take a look at blog posts from 11/2006.  The fanboy and M$ hater storm had already kicked into high gear.  Unless, of course, you consider anything and everything that you see and hear that is not first person as ‘the media’.  Me, I consider the media a newspaper, a magazine, news agency.  With all due respect, there is not a blog on the planet that I consider ‘the media’ unless they are owned and run by the likes of Hearst-Argyle, Associated Press, etc.  It was customer feedback that indicated that Microsoft needed to make a change in this area.  They responded.  Damned if they do – damned if they don’t.

    No, t’was the average user, a good percentage who simply heard or read that Vista sucked that caused Vista to suck.  Did it get better with SP1?  Sure.  But, then so did XP.  I remember all of the whining, moaning and complaining over RTM XP as well.  And RTM Windows 2000.  Windows ME….?  OK – that one was deserved.

    " And thats what we get out of the box in Windows 7. So yeah, nice improvement Microsoft."

    So, you toss the entire Win 7 out the window (no pun intended) with one thing that YOU control?  When you KNOW what you have to do (Take UAC level to 4 or run as Std. User), but you’ve now concluded that Win 7 sucks?

    OK.  Rock on.

  23. Peter van Dam says:

Ok, according to the E7 blog, this issue is going to be fixed in the Release Candidate. Which is amazing!!!!

    @Rick: Sorry for my frustration, but UAC still was designed to help people protect a computer from malware and other security risks. You can say it’s not, but it was doing that. I don’t say it’s a perfect protection, it’s not a police on my doorstep making sure nothing happens, but it’s at least a doorbell that allows me to let the person walk in or not.

    Maybe UAC was designed with some other words than what I’m using, but this was the way UAC worked for me, and for the people I know using Windows Vista. Looking at security reports everywhere you almost see that even if UAC is no security thing (if I need to believe you) it protects very well, and stops almost everything.

    UAC was in my opinion great in Vista, but I have to say I luckily didn’t have a program I used all day that required a prompt. Well, that scenario hasn’t been fixed, which makes UAC still annoying to many people. (But they can turn it off, or should update.)  Before Win7 started, I hoped that more things could be performed without admin privileges but that doesn’t seem to happen. Instead of going to fix that, they made a white list allowing autoelevation.

    Well, looking at it from the end-user side I think that is an improvement. Looking at it from the Windows development side, I think it was the easiest solution to perform. I just HOPE that those autoelevations cannot be abused by malware.

    I’ve done some POC testing yesterday, and noticed that for example, task scheduler and task manager can autoelevate by another program, but after that are not controlled. Meaning that it’s probably fixed. Or at least protected against people like me that know a bit of Visual Basic.

    According to E7, this same thing gets moved to the UAC control panel window, meaning that I won’t be able to write any code anymore, which makes the world a lot safer. So thanks for that!!!!!!

    Now, if only that rundll32.exe issue can be fixed, I believe that Windows 7 is more secure than Windows Vista.

    And yes, with all the great functions in 7, I might consider throwing it out when my OS isn’t protected like the previous OS was. You might see it as ONE thing, but I believe it’s a very big one. However, thanks again for the fix!!!!

  24. art snowden says:

I have Movavi video converter; it won’t run with UAC on in Windows 7. What should I do?

    Art

    Email asnow04@sbcglobal.net