It seems clear to me that combining an Admin account with Windows 7's "low nag" User Account Control (UAC) setting is a bad idea. The problem is, Admin accounts and "low nag" UAC settings will be the default for millions of people buying Windows 7-based PCs.
The problem with systems running with these two settings is that it's possible to use a code-injection vulnerability to silently run code or other applications with administrative privileges behind the user's back. Even Windows super-guru Mark Russinovich acknowledges that a problem exists:
Several people have observed that it's possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren't trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.
The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode"), and malware that assumes administrative rights will still break when run in Windows 7's default mode.
So, a problem exists, and not only is it something that malware authors could use but we could even see software developers using the trick to make their product less naggy than the competition. The solution is to change default settings, something that most people out there in Computer Land won't even know is possible.
Another flaw is to assume that just because someone is running an Admin account, they would accept all prompts thrown their way anyway. The problem with this is that the current settings allow a behind-the-scenes code injection to stealthily mess around with a system without any prompt ever appearing.
It seems to me that Microsoft has backed itself into a corner. It tried to make UAC less naggy, but by doing so introduced some serious vulnerabilities. The only advice it can offer to counter these vulnerabilities is that users should change default settings. Why not just make these more secure settings the default? Because it would break stuff. Like I said, Microsoft is backed into a corner.
My view is that Microsoft should make Standard user the default user on systems. Sure, it would break some stuff, but eventually something has to change because the current situation can't last forever. It's clear that Admin accounts are a security vulnerability in the hands of those who don't understand what it means to be running Admin accounts.
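The advice above boils down to two settings: don't run day-to-day as an Admin account, and if you do, put UAC back on "Always notify". The following PowerShell audit script is an added example (not from the original post or from Microsoft) that checks both conditions on a machine and optionally applies the "Always notify" setting. It assumes the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and the well-known BUILTIN\Administrators SID S-1-5-32-544; the function names are my own.

```powershell
# Added example: audit the "admin account + low-nag UAC" configuration discussed in the post.
# Registry values are the standard UAC policy values; function names are this example's own.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    # Translate the three policy values into the slider positions shown in the UAC control panel.
    $p         = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    if ($enableLua -eq 0)                   { return 'Never notify (UAC disabled)' }
    if ($consent -eq 2 -and $secure -eq 1)  { return 'Always notify ("Vista mode")' }
    if ($consent -eq 5 -and $secure -eq 1)  { return 'Default: notify only when programs try to make changes' }
    if ($consent -eq 5 -and $secure -eq 0)  { return 'Notify only, no secure desktop' }
    if ($consent -eq 0)                     { return 'Elevate without prompting' }
    return "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
}

function Get-AdminAccountState {
    # A Protected Administrator (PA) account carries the Administrators SID in its token
    # even when running with the filtered (standard-user) token, so membership is read from
    # the token's group list, while IsInRole only succeeds once the token is actually elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators

    $isMember   = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User               = $identity.Name
        IsAdminGroupMember = $isMember
        IsElevated         = $isElevated
    }
}

function Set-UacAlwaysNotify {
    # Mitigation from the post: restore the Vista-style "Always notify" level.
    # Must be run from an elevated prompt; a change to EnableLUA needs a reboot to take effect.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Report the current state and flag the combination the post warns about.
$level = Get-UacLevel
$state = Get-AdminAccountState

Write-Output "User:               $($state.User)"
Write-Output "Admin group member: $($state.IsAdminGroupMember)"
Write-Output "Currently elevated: $($state.IsElevated)"
Write-Output "UAC level:          $level"

if ($state.IsAdminGroupMember -and $level -notlike 'Always notify*') {
    Write-Warning 'Admin account combined with an auto-elevating UAC level. Switch to a Standard user account, or run Set-UacAlwaysNotify from an elevated prompt.'
}
```

Run it from a normal (non-elevated) prompt to see what the account looks like to the programs it launches: on a default Windows 7 install with an Admin account it reports the user as an Administrators member, not elevated, with UAC at the default level, which is exactly the state in which auto-elevation can be abused without a prompt. Set-UacAlwaysNotify is intentionally not called automatically, since it writes to HKLM and therefore itself needs an elevated prompt.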
[UPDATE: Here's a video of the code-injection vulnerability in action:
Bottom line is that this tweaking of UAC makes Windows 7 less safe than Vista. If you think anything else, you are wrong.]