Windows 7 UAC flaw: "Pandora's box of all vulnerabilities"


Summary: The UAC flaw, a serious issue bubbling away underneath the surface of Microsoft's next operating system, has been described as the "Pandora's box of security vulnerabilities". But what is it exactly?


The UAC flaw, a serious issue bubbling away underneath the surface of Microsoft's next operating system, has been described as the "Pandora's box of security vulnerabilities". But what is it exactly? Where did it all start from, what is the vulnerability and where do we go from here? Hopefully this will explain it a bit better.

The background

UAC, or User Account Control, made its first appearance in Windows Vista as a precautionary measure to ensure the user doesn't modify something that would change a setting affecting the overall stability or usage of the computer. It also served as a preventative control to make sure programs and applications wouldn't run without your express permission, and that an application couldn't change your settings without you being fully aware of it. This came in the form of an annoying popup box, which I'm sure you won't have any problem remembering.

Standard users would be able to modify "user settings", such as the wallpaper, screensavers, how things look on screen and suchlike. If standard users wanted to modify "global settings", settings which affected the experience of other users such as screen resolution or installing applications, they would be prompted to do so by UAC. To enable standard users to modify global settings, they would need to be "elevated" to temporary administrator status to do this. Afterwards, the user would revert back to standard user status.

Turning UAC off in Vista had a bit of a trick behind it. It wasn't a case of simply ticking a box; rather, you had to go through a hidden Windows utility and launch a command process, since it wasn't deemed necessary for an ordinary end-user to disable it.

However, after much complaining, hissy fits and multiple workarounds circulating across the web, Microsoft buckled and toned down UAC in an effort to be less intrusive and less annoying, but more secure.

Instead of taming the system, they've blown its bloody head off.

The vulnerability

In Windows 7, the settings for UAC have changed, allowing the system to be more malleable and flexible for users. Certain digitally signed applications are fast-tracked through UAC by default to reduce unnecessary user interaction. The vulnerability shows itself when a third-party application runs malicious code "by proxy" through one of these existing Windows applications, which never triggers the UAC prompt.

To put it simply, through application piggybacking, malware can be automatically elevated to administrator status, which in turn gives it full, unrestricted access to the computer and its global settings.
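The practical question for anyone running Windows 7 is whether their machine is at the default UAC level described above, where signed Windows binaries elevate silently, or at "Always notify", where every elevation prompts. The script below is an added example written for this page; it is not code from the article, nor from Zheng or Rivera. It reads the documented UAC policy values under the Policies\System registry key, reports whether silent auto-elevation of Windows binaries is in effect, and offers a function to raise the level. The mapping of ConsentPromptBehaviorAdmin values to slider positions is my summary of the policy documentation, and the assumption that only values 0 and 5 allow Windows binaries to elevate without a prompt is stated as such in the comments.

```powershell
# Added example (not from the article): audit the Windows 7 UAC policy that
# decides whether signed Windows binaries elevate without a prompt, and
# optionally raise it to "Always notify". Registry path and value names are the
# documented UAC policy settings; the value meanings below are the author's
# summary of that documentation.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: elevation prompt behaviour for administrators in
# Admin Approval Mode.
$ConsentMeanings = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-UacPolicy {
    # Missing values are read as 0 so the audit still reports something sensible.
    $p = Get-ItemProperty -Path $UacPolicyPath
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacAutoElevatesWindowsBinaries {
    param([Parameter(Mandatory)] $Policy)
    # Assumption: silent elevation of Windows binaries happens when UAC is off,
    # when nothing prompts (0), or when only non-Windows binaries prompt (5).
    return ($Policy.EnableLUA -ne 1 -or
            $Policy.ConsentPromptBehaviorAdmin -eq 0 -or
            $Policy.ConsentPromptBehaviorAdmin -eq 5)
}

function Test-UacAlwaysNotify {
    param([Parameter(Mandatory)] $Policy)
    # "Always notify" = UAC on, consent prompt for every elevation, on the secure desktop.
    return ($Policy.EnableLUA -eq 1 -and
            $Policy.ConsentPromptBehaviorAdmin -eq 2 -and
            $Policy.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Must be run from an elevated shell; the change applies after a sign-out or reboot.
    Set-ItemProperty -Path $UacPolicyPath -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyPath -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacPolicyPath -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

# Report the current state.
$policy = Get-UacPolicy
"EnableLUA                  = $($policy.EnableLUA)"
"ConsentPromptBehaviorAdmin = $($policy.ConsentPromptBehaviorAdmin)  ($($ConsentMeanings[$policy.ConsentPromptBehaviorAdmin]))"
"PromptOnSecureDesktop      = $($policy.PromptOnSecureDesktop)"

if (Test-UacAlwaysNotify $policy) {
    'UAC is at "Always notify": every elevation, Windows binaries included, prompts.'
} elseif (Test-UacAutoElevatesWindowsBinaries $policy) {
    'Signed Windows binaries can elevate without a prompt on this machine.'
    'Run Set-UacAlwaysNotify from an elevated prompt to raise the level (then reboot).'
} else {
    'UAC prompts for all elevations, but not on the secure desktop.'
}
```

Run the audit from any shell; only Set-UacAlwaysNotify needs elevation. The same three values are what the "Always notify" slider position writes through the Control Panel, so the script and the GUI agree on the end state.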

Long Zheng, Windows enthusiast, evangelist, student and campaigner against this flaw, spoke to me earlier today. He has written many times on this, along with his friend and colleague Rafael Rivera, who created a proof-of-concept for the flaw. A video available on Zheng's website details how the proof-of-concept works in a Windows 7 environment.

The consequences

Microsoft have since stated they will not be fixing this flaw as it is "by design". Zheng's reply:

"I'm not saying this is the end of the line for Windows 7, it's an amazing operating system. But for Microsoft to simply ignore this seems irresponsible to me. There are so many people I'd like to evangelise Windows 7 to once it ships, and I'd hate this to be one thing I'd also have to mention."

More details of how malware can silently elevate under Windows 7's default UAC policy are available in a post he wrote earlier this year.

It would be far easier to explain what the consequences weren't. If the US defence systems were running Windows 7, at this rate, all-out nuclear war could be a possibility if someone was determined enough and the end-user was unlucky enough.

The fact of the matter is, this vulnerability opens up Windows 7 like a cracked nut, exposing the possibility of a malware attack instigated unknowingly by the end user at any given time. Microsoft's reasoning for deciding not to fix this unholy flaw shows not only their arrogance, but also their inability to listen to some of the most influential and experienced people on the web.

  • Not that big an issue....

    Not that big an issue since the default in Windows 7 RC is to always notify... so as long as you don't tamper with the default you should be ok. And hopefully 90% of users will leave it as it is. The other 10% well... let's just hope they are too few for the bad guys to go after the ...
    • sorry, but you're wrong

      sorry, you are wrong. Win7 default setting is to bypass the UAC prompts for MS applications which are part of Windows 7.
      • can you change the default settings?

        So that it mirrors Vista? If not, then that really is poor.
        • Yes you can

          There is an option in UAC to set it to "always prompt", which makes it act like it is now in Vista. Here's a site that shows the range of Win7 UAC settings:

          I think having this option would be fine if the Vista-esque "Always Notify" setting were the default, & the autoelevate option had to be user-selected. I don't like that being the default setting.

          Of course, so many people complained about that UAC behaviour - now it's a different group (including me) that's complaining about the new default.

  • It all boils down to the fact that Windows is

    flawed in its basic architecture. It has never been a true
    multi-user operating system. Multi-user functionality has
    just been patched on with duct tape, and it shows.
    • No

      This is not a basic architecture flaw. This is a details flaw. If Linux's sudo (or kdesu or gksu or whatever) allowed digitally signed programs to bypass its security system it would be just as flawed.
      Michael Kelly
      • . . . and . . .

        Linux doesn't. That's significant.
        • Linux doesn't what? (nt)

        • Agreed, but

          that does not make it a flaw in Windows' basic architecture.
          Michael Kelly
      • Compare windoze to Linux?

        You can't compare Linux to windoze. That's like comparing a large piece of swiss cheese to a real operating system. Windoze is a real FFM,(fragment of fecal material).
        • Swiss-Cheese Linux

          Study after study shows Linux has more security flaws than Windows and they take longer to fix. If you want a secure OS run UNIX or Mainframe.

          Too bad all the apps are written for Windows.
    • Evidence?

      Fascinating. Anything to support your assertion?

      Of course, if you knew what you were talking about you'd realize that all versions of Windows since 2000 are NT. NT was a multi-user system from the beginning.
      • Oh don't worry...he has no clue about what he is talking about. (nt)

      • To be specific:

        Windows NT 3.1 (the very first version that was released, so called because Windows 3.1 was the dominant version then) was based on IBM's OS/2. In fact, it was originally code-named OS/2 3.0 or some such and was a joint IBM/Microsoft project until the two had a falling out. Earlier versions worked with OS/2's HPFS (High Performance Filing System) partitions (and indeed NTFS is warmed-over HPFS, right down to sharing the same partition identifier number; in fact, the only way for partitioning utilities to tell an NTFS partition from an HPFS one is to look further, past the partition table itself, into the boot sector of the partition, which, for NTFS, would contain the letters "NTFS" at a specific offset!).

        OS/2 was indeed multi-user from the beginning.

        Non-NT Windows (1.0, 2.0, 2.0/286, 2.0/386, 3.0, 3.1, 3.11, 3.1 for Workgroups, 3.11 for Workgroups, 95, 95A, 95B/OSR2, 95C/OSR2.5, 98, 98SE, and ME) were layered on MS-DOS, so that criticism would apply to them. But even end-of-life support has ended for them quite some time ago now.
        Joel R
      • MULTI USER???

        Never in a million years. Do you actually know what a multi user interface means? If you are a user in windows you have control over all users main features, screen res, sound, login options etc etc. In any flavour of Linux you only have control of YOUR work space, any changes you make only happen to you and your user, so one user could have 1024x768 whilst another could be running 1650x1280, Oh! and both could be working at the same time on the same PC !!!MULTI-USER!!!
        Go on, tell me how to set that up in Windows? The only good thing about Windows is it got people into the PC universe, but this does not mean it is still worth using without a full shake up from the ground up. Windows is flawed from the kernel up: memory leaks, fragmentation of files, backward incompatibility, multiple vulnerabilities and most of all out of date and over priced. Linux will win through in the end but it is taking longer than it should, but with the introduction of Cloud, Linux will show its full strength and security features.

        Windows multi user my bum fluff pastry. Take care of you and yours.
        • RE: MULTI USER???

          Yes, Linux is great, and better than Windows in many ways. However, it won't win out because it still requires too much user interaction to do simple things such as play audio and video files and CDs, and too much playtime software won't run on it.
    • You should not be wasting your time with this

      Lord knows that the most heavily patched operating system on the market today (that would be OSX) needs your support more than we need your words here.
      • In the immortal words of Wikipedia:

        “[citation needed]”
        Joel R
        • LOL!!

    • What exactly is a "true multiuser OS"?

      I am not sure what your point is. Windows pretty much runs multiple programs at the same time, somewhat different in approach from Linux, but it does.
      The truth is the standard users of Windows do not care about such stuff (only the experts), and Microsoft is into selling as much software as possible.