
(Update: official statement appended to the end of the post)
I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).
The reason I’m asking you to do this shouldn’t be a surprise. You may have seen the UAC posts by Rafael Rivera and Long Zheng (I’m giving more of the credit to Rafael, since he actually wrote the proof-of-concept code). People saw their posts and immediately assumed that this issue is only relevant to users who download malware. Thus, you hear lots of users saying out loud, with no apparent fear of embarrassment:
“La di da, so long as I’m not stupid with what I download, I should be fine!”
Right. Well, Microsoft basically recommends that users install an antivirus because they don’t actually consider User Account Control to be a security feature. Anyone who knows the purpose of privilege management knows that any system which actively manages privileges is a security feature.
With this in mind, let’s take a look at why the UAC security flaw actually is a security flaw.
Update 2: Steven and Jon posted a second post about UAC today specifically addressing this flaw. Catch their response below the break.
The goal of security engineers is to minimize the number of attack vectors. That way, the likelihood of a path of attack opening up is slim. This also allows security engineers to close off an attack vector until a patch is released for the vulnerable application or component.
So, before actually continuing this post, let’s quickly answer this question: what’s a silent attack vector? Basically, if there exists a path for malicious code to quietly hijack a computer (that is, to hijack it without the user’s knowledge), it’s a silent vector of attack.
In Windows Vista, attacking a user-mode app isn’t going to completely fry your system. At most, that one user account might be roasted, and this is easily fixed by logging into the default Administrator account and creating a new account from there. Any attack which tries to slam kernel-mode resources triggers an immediate UAC prompt as a last-minute defense, which the user can simply deny, thus blocking the attack.
Mind you, if a malicious bit is determined, it can keep spamming you with UAC prompts every time you click No, and you’ll have a hard time bailing out of them to resume your work, but even then, the damage is isolated to one account so long as you keep denying it. Just kill the power to the computer, reboot into the default Administrator account and create a new account for yourself.
Now that we’ve discussed why UAC is actually useful in Windows Vista, here’s the problem with Windows 7’s default UAC setting:
If a security hole is found in any user-mode application, that application can be infected and used to silently attack the system: the injected code sends the keystrokes that disable UAC while the user is away from the computer. This is, of course, why I call this security flaw an Exponential Silent Attack Vector Multiplier.
No matter what the application is, since keystrokes can be faked against Explorer thanks to its “medium integrity” level of trust, any attack vector available through any application, process, what have you, can now be used to deliver a malicious payload which completely takes over the entire computer as opposed to just one user account.
It’s not just about what a user clicks anymore. All of a sudden, Windows 7 is at risk from drive-by downloads in any browser, buffer overflow bugs in any application, or any other way of seamlessly delivering and executing a simple script that emulates keystrokes. Quite literally, the number of attack vectors increases with the number of applications installed.
- Got a .psd file which takes advantage of a flaw in Photoshop? There goes Windows.
- Got an .odf file which takes advantage of a flaw in WordPad? (Yes, WordPad, since it can also open ODF files) There goes Windows.
- Got an IM client which renders jpegs improperly and someone’s display icon contains an exploit? There goes Windows.
- Got a browser which is susceptible to drive-by downloads? There goes Windows.
- Got an mp3 which exploits a hole in Windows Media Player? How about a stream with malicious content which exploits a hole in QuickTime? What about a malicious podcast feed which can bust through the Zune Software or iTunes? There goes Windows.
The examples aren’t limited to the list above. Prior to this new “non-invasive” UAC, the number of silent attack vectors was limited to the flaws in elevated Windows components. Thanks to this flaw in UAC, the number of attack vectors is now effectively limited only by the number of vulnerabilities in applications available for Windows (read: way more than in Windows alone).
What’s the important thing to learn from this? If it can be executed and has an exploitable hole, thanks to this flaw in UAC, it can serve as a vector of attack.
This flaw is so ridiculously and utterly bad that it brings us right back to the times that people used XP with an unprotected administrative account. This essentially negates any benefit that UAC gives to the user.
Solution for the end user? Well, like I stated when I opened this post, max out UAC on Windows 7 the immediate second you finish installing it and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid; this flaw needs to be resolved immediately. If this really is by design, Microsoft screwed up.
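As an added illustration of the setting the post asks for (this is my own script, not the author’s, Rafael’s or Microsoft’s code), the following PowerShell reads the registry values that back the Action Center slider, names the level they correspond to, shows the integrity label the current process runs at (the “medium integrity” the post discusses), and offers a function that writes the “Always notify” values. The key path and value names are the standard UAC policy settings; the mapping from value combinations to slider positions is my own assumed reading of the Windows 7 slider, and the writing function needs an elevated prompt.

```powershell
# Added example, not code from the original post: audit the registry values
# behind the Windows 7 "Change User Account Control settings" slider and report
# whether the machine sits at the "Always notify" level the post recommends.
# The key path and value names are the documented UAC policy settings; the
# mapping of value combinations to slider positions is an assumption of mine.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Read the three values that together define the slider position.
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Get-UacLevelName {
    param([Parameter(Mandatory=$true)]$State)
    # Assumed mapping of value combinations onto the Windows 7 slider.
    if ($State.EnableLUA -eq 0 -or $State.ConsentPromptBehaviorAdmin -eq 0) {
        return 'Never notify (UAC effectively disabled)'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 2 -and $State.PromptOnSecureDesktop -eq 1) {
        return 'Always notify (maximum, the setting the post asks for)'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 5 -and $State.PromptOnSecureDesktop -eq 1) {
        return 'Notify only when programs try to make changes (Windows 7 default)'
    }
    if ($State.ConsentPromptBehaviorAdmin -eq 5 -and $State.PromptOnSecureDesktop -eq 0) {
        return 'Notify only when programs try to make changes, desktop not dimmed'
    }
    return 'Custom or policy-managed configuration'
}

function Get-CurrentIntegrityLevel {
    # The mandatory label (Medium vs High) is what the post's "medium integrity"
    # discussion is about; whoami lists it alongside the token's groups.
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    return $row.'Group Name'
}

function Set-UacMaximum {
    # Write the "Always notify" values. Must run from an elevated (High
    # integrity) PowerShell; a change to EnableLUA only applies after a reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$state = Get-UacState
$level = Get-UacLevelName -State $state
Write-Host "Running at: $(Get-CurrentIntegrityLevel)"
Write-Host ("UAC values: EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}" -f `
    $state.EnableLUA, $state.ConsentPromptBehaviorAdmin, $state.PromptOnSecureDesktop)
Write-Host "UAC level:  $level"

if ($level -notlike 'Always notify*') {
    Write-Warning 'UAC is below "Always notify". Run Set-UacMaximum from an elevated prompt to raise it.'
}
```

Reading the values works from a normal (medium integrity) session, which is also a cheap way to notice after the fact that something has quietly lowered the slider; writing them requires elevation, so Set-UacMaximum itself will trigger the consent prompt it is turning back on.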
I can’t wait to hear the explanation for this one. I love Windows 7, but when a team closes a report on a critical demonstrated security bug as “by design,” I don’t know what to think.
Update: For now, an official Microsoft spokesperson gave the following exact statement regarding the issue: “We’re investigating and continue to thank everyone who provides feedback on the Windows 7 beta.”
Look out for an update to this issue… hopefully soon. I know Charles Torre of Channel 9 fame had a UAC interview planned, but I don’t know where that went.
Update 2:
With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
Source: E7

[...] adds more food for thought to the UAC discussion, concluding: “I love Windows 7, but when a team closes a report on a critical demonstrated security bug as ‘by design,’ I don’t know what to think.” posted by Mary Jo Foley February 4, 2009 @ 6:27 [...]
Mary Jo,
I agree 110%! Bryant, great article. I took the liberty of posting on the Engineering Windows 7 blog, to let Sinofsky and company know that this kind of potential vulnerability shouldn’t be tolerated in Windows 7. There should be a zero tolerance for potential vulnerabilities that can be taken care of. Granted, nothing is bulletproof. However, if we have some sort of additional defense to prevent anything except a user authorizing the UAC to shut down, that would be significant progress. I learned VB in high school. Imagine how many kids, through their studies and playing around with scripts, could compromise Windows 7? It really does beg the question as to what can be added to seemingly legit programs. The incidents with trojans hiding in pirated but working copies of iWork and Photoshop CS4 should be a red alert for Mac users. This incident should be a yellow alert for Windows 7 Beta testers and potential customers until resolved.
“max out UAC on Windows 7 the immediate second you finish installing it and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid”
Paranoia is useful under critical cases where there is a statistically significant chance of getting caught with your proverbial pants down. Realistically, however, the chance of this happening immediately after an install is probably less than being struck by lightning. The first thing you’d have to do with your browser would be to immediately browse to some non-mainstream untrusted site (www.pleaseinfectme.com?) WITH a version of IE8 (which is what will presumably ship with W7) that happens to have some severe security flaw. The chance of each of those events happening independently is already relatively low. I run my Vista in administrator mode with UAC completely off, no A/V, *and* I use IE7. I’ve yet to get malware, and I click on pretty much any link I’m given… seriously, I think you’re exaggerating the issue.
I’d be fine with recommending that users max out their UAC settings, but really, being connected to the internet for a few seconds won’t kill you; the FUD is not necessary. You remind me of my system security professor, who notably said, “if you want to be secure, unplug your computer.”
@Jon, you’re right about the FUD. That closing statement was more intended for if Windows 7 went RTM with that flaw still in existence, but now that it has been cleared up, life should be good.
The only reason Microsoft is doing any of this with Windows 7 is because of the mass of ignorant users who complained about Vista’s UAC being intrusive. MS needs to ignore them. UAC is as intrusive as threats are numerous and persistent. Chew on that for a minute.
[...] I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack [...]