UAC security flaw in Windows 7 beta


A change to the User Account Control (UAC) in Windows 7 to make it "less annoying" allows a simple override that renders UAC disabled without user interaction, reports Long Zheng at iStartedSomething.

Zheng describes the problem as follows:

By default, Windows 7's UAC setting is set to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings." It distinguishes between a (third party) program and Windows settings with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don't prompt UAC if you change any system settings.

The Achilles' heel of this system is that changing UAC is also considered a "change to Windows settings," which, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

Zheng says he and a developer, Rafael Rivera, came up with a fully functional proof-of-concept in VBScript to emulate a few keyboard inputs without prompting UAC.

Zheng and Rivera's script is available for download here, but users should be aware that it will disable UAC.

The implications are grave, Zheng says: "You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

Zheng also says there's a simple solution to the problem: Force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. It's not foolproof because users can still inadvertently click "yes," but it reduces risk, he says.

Zheng also says users of Windows 7 beta can simply change the UAC policy to "Always Notify," which will force Windows 7 to notify you even if UAC settings change.
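The "Always Notify" workaround above maps to three registry values that Windows reads for the UAC policy. The following PowerShell is an added example for auditing and applying that setting; it is not code from the article or from Zheng and Rivera, and it assumes the Windows 7 beta stores the policy under the same key and values as released Windows 7 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). The function names are mine.

```powershell
# Added example (not from the article or from Zheng/Rivera). Assumes the
# Windows 7 beta uses the same UAC policy values as released Windows 7.
# Run from an elevated PowerShell session; changing EnableLUA needs a reboot.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin for administrators in Admin Approval Mode.
# Level 5 is the Windows 7 default the article describes: Windows-signed
# components (including the UAC settings applet itself) elevate silently.
$AdminBehavior = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}

function Get-UacPolicy {
    # Read the three values that together define the effective UAC behaviour.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        Description                = $AdminBehavior[[int]$p.ConsentPromptBehaviorAdmin]
    }
}

function Test-UacAlwaysNotify {
    # "Always notify" means UAC is on, every elevation prompts for consent,
    # and the prompt is shown on the secure desktop (so SendKeys-style input
    # emulation from the user's desktop cannot reach it).
    $p = Get-UacPolicy
    return ($p.EnableLUA -eq 1 -and
            $p.ConsentPromptBehaviorAdmin -eq 2 -and
            $p.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Apply the workaround from the article: raise the slider to "Always notify".
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Host 'UAC set to "Always notify". Reboot for the EnableLUA change to take effect.'
}

# Usage: show the current policy, then harden it if it is not already "Always notify".
Get-UacPolicy | Format-List
if (-not (Test-UacAlwaysNotify)) { Set-UacAlwaysNotify }
```

Checking all three values matters: a ConsentPromptBehaviorAdmin of 2 with PromptOnSecureDesktop set to 0 still prompts, but on the interactive desktop, where emulated keystrokes of the kind the proof-of-concept uses can answer the prompt. A group policy that sets the same values is the equivalent for domain-joined machines.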
