<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>winJade &#187; ridiculous</title>
	<atom:link href="http://winjade.net/tag/ridiculous/feed/" rel="self" type="application/rss+xml" />
	<link>http://winjade.net</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Sun, 27 Jun 2010 23:47:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>UAC in 7: Exponential Silent Attack Vector Multiplier</title>
		<link>http://winjade.net/2009/02/the-real-issue-with-win7-uac/</link>
		<comments>http://winjade.net/2009/02/the-real-issue-with-win7-uac/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 19:51:25 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Tips/Tricks/Hacks]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[critical]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[PROTIP]]></category>
		<category><![CDATA[ridiculous]]></category>
		<category><![CDATA[stupid]]></category>
		<category><![CDATA[UAC]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/2009/02/the-real-issue-with-win7-uac/</guid>
		<description><![CDATA[
(Update: official statement appended to the end of the post)
I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).
The reason for [...]]]></description>
			<content:encoded><![CDATA[<p><img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; margin: 0px 0px 20px 20px; display: inline; border-right-width: 0px" title="badUAC" src="http://winjade.net/wp-content/uploads/2009/02/baduac.png" border="0" alt="badUAC" width="189" height="229" align="right" /></p>
<p><em>(<strong>Update:</strong> official statement appended to the end of the post)</em></p>
<p>I’m going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center (Control Panel, System and Security, Action Center), click “Change User Account Control settings” and set it to the maximum setting (“Always notify me when…”).</p>
<p>The reason I’m asking you to do this shouldn’t be a surprise. You may have seen the UAC posts by <a href="http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/" target="_blank">Rafael Rivera</a> and <a href="http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/" target="_blank">Long Zheng</a> (I’m giving more of the credit to Rafael since he actually brewed the proof of concept code). People saw their posts and immediately assumed that this issue is only relevant for users who download malware. Thus, you hear lots of users saying out loud with no apparent fear of embarrassment:</p>
<blockquote><p>“La di da, so long as I’m not stupid with what I download, I should be fine!”</p></blockquote>
<p>Right. Well, Microsoft basically recommends that users install an antivirus because they don’t actually consider User Account Control to be a security feature. Anyone who knows the purpose of privilege management knows that any system which actively manages privileges is a security feature.</p>
<p>With this in mind, let’s take a look at why the UAC security flaw actually <em>is</em> a security flaw.</p>
<p><strong>Update 2:</strong> Steven and Jon posted a second post about UAC today specifically addressing this flaw. Catch their response below the break.</p>
<p><span id="more-798"></span></p>
<p>The goal of security engineers is to minimize the number of attack vectors. That way, the likelihood of a path of attack opening up is slim. This also allows security engineers to kill the attack vector until a patch is released for the vulnerable application or component.</p>
<p>So, before actually continuing this post, let’s quickly answer this question: What’s a <em>silent</em> attack vector? Basically, if there exists a path for malicious code to quietly hijack a computer (to hijack a computer without the user’s knowledge), it’s a silent vector of attack.</p>
<p>In Windows Vista, attacking a user-mode app isn’t going to completely fry your system. At the most, that one user account might be roasted, and this is easily fixed by logging into the default Administrator account and creating a new account from there. Any attacks which try to slam kernel-mode resources trigger an immediate UAC prompt as a last-minute defense, which a user can simply deny, thus blocking the attack.</p>
<p>Mind you, if a malicious bit is determined, it can keep spamming you with UAC prompts if you click No, and you’ll have a hard time bailing out of them to resume your work, but even then, it’s only isolated to one account so long as you keep denying it. Just kill the power to the computer, reboot into the default Administrator account and create a new account for yourself.</p>
<p>Now that we’ve discussed why UAC is actually useful in Windows Vista, here’s the problem with Windows 7’s default UAC setting:</p>
<p>If a security hole is found in <strong>any</strong> user-mode application, that application can be infected and used to silently attack the system through keystrokes used to disable UAC when the user is away from the computer. This is, of course, why I call this security flaw an Exponential Silent Attack Vector Multiplier.</p>
<p>No matter what the application is, since keystrokes can be faked on explorer due to its “medium integrity” level of trust, <strong>any</strong> attack vector available through <strong>any</strong> application, process, what have you, can now be used to deliver a malicious payload which can completely take over the entire computer as opposed to just one user account.</p>
<p>It’s not just about what a user clicks anymore. All of a sudden, Windows 7 is now at risk from drive-by downloads in any browser, buffer overflow bugs in any application, or any other way of seamlessly delivering and executing a simple script to emulate keystrokes. Quite literally, the number of attack vectors increases with the number of applications installed.</p>
<ul>
<li>Got a .psd file which takes advantage of a flaw in Photoshop? There goes Windows.</li>
<li>Got an .odf file which takes advantage of a flaw in WordPad? (Yes, WordPad, since it can also open ODF files) There goes Windows.</li>
<li>Got an IM client which renders jpegs improperly and someone’s display icon contains an exploit? There goes Windows.</li>
<li>Got a browser which is susceptible to drive-by downloads? There goes Windows.</li>
<li>Got an mp3 which exploits a hole in Windows Media Player? How about a stream with malicious content which exploits a hole in QuickTime? What about a malicious podcast feed which can bust through the Zune Software or iTunes? <strong>There goes Windows.</strong></li>
</ul>
<p>The list of examples isn’t limited to the list above. Prior to this new “non-invasive” UAC, the number of silent attack vectors was limited to any flaws in elevated Windows components. Thanks to this flaw in UAC, the number of attack vectors is now effectively limited only to the number of vulnerabilities in applications available for Windows. (read: way more than in Windows alone)</p>
<p>What’s the important thing to learn from this? <em>If it can be executed and has an exploitable hole, thanks to this flaw in UAC, it can serve as a vector of attack.</em></p>
<p>This flaw is so ridiculously and utterly <strong>bad</strong> that it brings us right back to the times that people used XP with an unprotected administrative account. This essentially negates any benefit that UAC gives to the user.</p>
<p>Solution for the end user? Well, like I stated when I opened this post, max out UAC on Windows 7 <em>the immediate second you finish installing it</em> and do not connect Windows 7 to the internet until you do. Yes, you should be that paranoid; this flaw needs to be resolved immediately. If this really is by design, Microsoft screwed up.</p>
<p>I can’t wait to hear the explanation for this one. I love Windows 7, but when a team closes a report on a critical <em>demonstrated</em> security bug as “by design,” I don’t know what to think.</p>
<p><strong>Update: </strong>For now, an official Microsoft spokesperson gave the following <em>exact</em> statement regarding the issue: “We&#8217;re investigating and continue to thank everyone who provides feedback on the Windows 7 beta.”<br />
Look out for an update to this issue… hopefully soon. I know Charles Torre of Channel 9 fame had a UAC interview planned, but I don’t know where that went.</p>
<p><strong>Update 2:</strong></p>
<blockquote><p>With this feedback and a lot more we are going to deliver <strong>two changes to the Release Candidate</strong> that we’ll all see. First, the <strong>UAC control panel will run in a <em>high integrity </em>process</strong>, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, <strong>changing the level of the UAC will also prompt for confirmation</strong>.</p></blockquote>
<p>Source: <a href="http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx">E7</a></p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2009/02/the-real-issue-with-win7-uac/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Introducing Windows&#8230; 7</title>
		<link>http://winjade.net/2008/10/introducing-windows-7/</link>
		<comments>http://winjade.net/2008/10/introducing-windows-7/#comments</comments>
		<pubDate>Mon, 13 Oct 2008 22:19:30 +0000</pubDate>
		<dc:creator>Bryant Zadegan</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[7]]></category>
		<category><![CDATA[Mike Nash Rules the World]]></category>
		<category><![CDATA[ridiculous]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.aeroxp.org/2008/10/introducing-windows-7/</guid>
		<description><![CDATA[
Slashdot readers, thanks for visiting. Feel free to chime in here or on the forums.
Mike Nash, former Security Guru and current Client Guru over at Microsoft, has just announced on the Windows Vista Blog that the new name for Windows “7” will be:
Windows 6.1 7
…which makes me wonder why it’s going to be NT 6.1.
It [...]]]></description>
			<content:encoded><![CDATA[<p><img style="border-right: 0px; border-top: 0px; margin-left: 0px; border-left: 0px; margin-right: 0px; border-bottom: 0px; display: inline" title="windows7" src="http://winjade.net/wp-content/uploads/2008/10/windows7.jpg" border="0" alt="windows7" width="240" height="222" align="right" /></p>
<p><em>Slashdot readers, thanks for visiting. Feel free to chime in here or on the <a title="Forums: &quot;Windows 7 will be called...&quot;" href="http://www.aeroxp.org/board/index.php?showtopic=11773" target="_blank">forums</a>.</em></p>
<p>Mike Nash, former Security Guru and current Client Guru over at Microsoft, has just announced on the Windows Vista Blog that the new name for Windows “7” will be:</p>
<h3><a href="http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/13/introducing-windows-7.aspx" target="_blank">Windows <span style="text-decoration: line-through;">6.1</span> 7</a></h3>
<p>…which makes me wonder why it’s going to be <strong>NT 6.1</strong>.</p>
<p>It also means that Windows Strata will likely be the codename for the new Cloud OS discussed by Ballmer earlier this month. We’ll carry more about all of this from PDC in two weeks.</p>
<p><strong>Update: </strong><a title="Brandon LeBlanc on Twitter" href="http://twitter.com/brandonleblanc" target="_blank">Brandon</a> followed up with me on <a title="conhopper on Twitter" href="http://twitter.com/conhopper" target="_blank">Twitter</a> saying it&#8217;s the 7th release of Windows, which is ridiculous:</p>
<ol>
<li>Windows</li>
<li>Windows <strong>2</strong></li>
<li>Windows <strong>3.0</strong></li>
<li>Windows <strong>NT</strong> (NT 4)</li>
<li>Windows <strong>2000</strong> (NT 5)</li>
<li>Windows <strong>XP</strong> (NT <strong>5.1</strong>)</li>
<li>Windows <strong>Vista</strong> (NT 6)</li>
</ol>
<p>That&#8217;s 7 releases right there, including XP. If XP isn&#8217;t counted because it&#8217;s Kernel 5.1 (which would bring the total with Windows 7 back down to seven), then why is Windows 7 being counted as the &#8220;seventh&#8221; release if it&#8217;s kernel 6.1? I hope I&#8217;m not the only one seeing the naming problem here.</p>
<p>Kernel increments are used mostly for application compatibility purposes, but still, the logic is lost upon us as most people would count XP as a semi-major release in comparison to 2000. I hope the guys at the Blog have an update, because this is weird.</p>
<p>More potential views of how this could have worked (<strong>Update 2:</strong> as well as Mike&#8217;s clarification) after the break.</p>
<p><span id="more-438"></span></p>
<p>So let&#8217;s take a look at client releases which may have targeted consumers outside a business environment:</p>
<ol>
<li>Windows</li>
<li>Windows <strong>2</strong></li>
<li>Windows <strong>3.0</strong></li>
<li>Windows <strong>95</strong></li>
<li>Windows <strong>98</strong></li>
<li>Windows <strong>ME</strong></li>
<li>Windows <strong>XP</strong></li>
<li>Windows <strong>Vista</strong></li>
</ol>
<p>Those would be the versions of Windows targeted towards a more &#8220;homey&#8221; audience, and even then, the total hits seven before Windows 7 comes into the picture without including the incremental versions that came between Windows 3.0 (1990) and Windows 95 (1995).</p>
<p>How about business releases?</p>
<ol>
<li>Windows <strong>3.1</strong></li>
<li>Windows <strong>3.5</strong></li>
<li>Windows <strong>NT 4</strong></li>
<li>Windows <strong>2000</strong></li>
<li>Windows <strong>XP</strong></li>
<li>Windows <strong>Vista</strong></li>
<li>Windows <strong>7</strong></li>
</ol>
<p>Aha! Some success! But how confusing would it be to know that Windows 7 is the seventh Windows based on a list of client operating systems for businesses, and that <em>that</em> list starts at 3.1?</p>
<p>The only approach I see which could possibly work is based on counting kernel revisions, which would only make sense if they did not count XP and also decided to increment the NT kernel to 7, <strong>which might just be the biggest piece of news here: enough changes may have been made to the kernel itself to warrant Windows 7&#8217;s consideration as an all-around major release.</strong></p>
<p>I adore Microsoft&#8217;s quest for simplicity here, but thanks mostly to this attempt, my mind is blown.</p>
<blockquote>
<p style="text-align: right;">&#8220;Simply put, this is the seventh release of Windows, so therefore &#8216;Windows 7&#8242; just makes sense.&#8221;<br />
-Mike Nash</p></blockquote>
<p style="text-align: right;">Right. Except it doesn&#8217;t.</p>
<p style="text-align: left;"><strong>Update 2: </strong><a href="http://windowsvistablog.com/blogs/windowsvista/archive/2008/10/14/why-7.aspx">Thanks, Mike!</a> Here&#8217;s the answer we were looking for:</p>
<blockquote><p>We learned a lot about using 5.1 for XP and how that helped developers with version checking for API compatibility.  We also had the lesson reinforced when we applied the version number in the Windows Vista code as Windows 6.0&#8211; that changing basic version numbers can cause application compatibility issues.</p>
<p>So we decided to ship the Windows 7 code as Windows 6.1 &#8211; which is what you will see in the actual version of the product in cmd.exe or computer properties.</p>
<p>There&#8217;s been some fodder about whether using 6.1 in the code is an indicator of the relevance of Windows 7.  It is not.</p>
<p>Windows 7 is a significant and evolutionary advancement of the client operating system.  It is in every way a major effort in design, engineering and innovation.  The only thing to read into the code versioning is that we are absolutely committed to making sure application compatibility is optimized for our customers.</p></blockquote>
<p>So, basically, Windows 7 <em>will</em> be 6.1 for appcompat reasons, but they&#8217;ll still count it as the seventh release of Windows (XP and 2000 were thrown in one net as release 5).</p>
<p>Mike, I hope no poor bloke sees a winver dialog and decides to sue, thinking he was ripped off.</p>
]]></content:encoded>
			<wfw:commentRss>http://winjade.net/2008/10/introducing-windows-7/feed/</wfw:commentRss>
		<slash:comments>96</slash:comments>
		</item>
	</channel>
</rss>
