Windows 7's default UAC bypassed by 8 out of 10 malware samples

Windows 7's default UAC bypassed by 8 out of 10 malware samples

Summary: 8 out of 10 malware samples tested on Windows 7 with default UAC (user access control) settings don't trigger a warning.

SHARE:

A recently conducted test by malware researchers reveals that eight out of ten malware samples used in the test, successfully bypassed Windows 7's default UAC (user access control) settings. The findings were also confirmed by a separate test done by another company, with an emphasis on how one of the most popular scareware variants bypassed Windows 7's default UAC's settings as well.

More info:

On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

The findings are in fact not surprising, since the main problem with Windows 7's UAC lies in the over-expectation of the average end user. Just like free antivirus software relying entirely on signatures based scanning only, the over-expectation of Windows 7's UAC may in fact fool a large number of users that third-party security software is not a necessity.

Just like end users, enterprises already migrating to Windows 7 face the same security issues. Eric Voskuil, CTO, BeyondTrust -- the company that issued a report earlier this year, claiming that 92% of critical Microsoft vulnerabilities are mitigated by Least Privilege accounts --  believes that the required administrator privileges for using the feature may in fact pose new security challenges:

In response to feedback that users were forced to respond to too many prompts in Windows Vista, the new operating system introduces a new approach to User Account Control (UAC), providing a four-position “slider” feature to control how often UAC pop-ups occur. While these changes to Windows 7’s UAC benefit the home user market, enterprises must recognize that the new slider feature can only be applied to users logged in as administrators and may increase security risks.

Further, Windows 7 introduces no new features to solve the application compatibility issues experienced by standard users in previous versions of the operating system. “The most secure configuration option for enterprises that deploy Windows 7 remains running end-users as standard users, with administrator rights removed,” said Eric Voskuil, CTO, BeyondTrust.

What do you think about Windows 7's user access control slider? Is it a step in the right direction, or does it have the potential to provide a lot of users with a false feeling of security, making them believe that a stand-alone HIPS (host based intrusion prevention/behavior blocking) solution isn't necessary?

TalkBack.

Topics: Windows, Malware, Microsoft, Operating Systems, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

416 comments
Log in or register to join the discussion
  • Who can I trust *now*....

    Even Ed Bott said '7' was more secure!

    The Windows Infect Season is not over yet.. Nothing's changed....

    That people even USE Windows these days is quite remarkable.... It must be the power of habit and familiarity.
    CounterEthicsCommissioner-23034636492738337469105860790963
    • @CounterEthicsCommissioner

      They use it because they are computer illiterate and it's shoved down
      there throats at work and/or it's the default OS installed on computers at
      Wal-Mart, Best Buy, etc...
      Axsimulate
      • Yeah, I feel sad for mom & pop.

        Poor people. The sales drones are feeding them low-quality crap. Sadly, that's what you get with a near-monopoly. No innovation. No choice. Higher prices.
        CounterEthicsCommissioner-23034636492738337469105860790963
        • I certainly feel sad for your mom and pop.

          NT
          Sleeper Service
          • Wow that's one seriously sparse post.

            So let me ask the obvious. Why?
            CounterEthicsCommissioner-23034636492738337469105860790963
          • simple first

            your from alberta
            2 your canadian
            3 you take no BS
            4 you have argument
            5 your province produce oil

            so your parent are so sorry about you ..:)

            ps moose nose soupe is well a acquired taste
            at best



            Quebec-french
          • Addendum:

            and we all have rifles here :)

            (no, seriously)
            CounterEthicsCommissioner-23034636492738337469105860790963
        • I feel sad for your mom & pop, too

          Because their kid (that would be you) thinks that Windows + Mac OS + Linux = No choice.

          And because you think (evidently, by your claim of "No innovation") that computer OSs are exactly the same as they've been for, what, 25 years?

          And because you have NO IDEA what the word monopoly means. It means that one company or entity has such control over a market that there's no opportunity for competition.

          Again, I'd like to mention Windows, Mac OS and Linux. Which one do you feel has the monopoly? And if there's a monopoly here, why are there are least two other CHOICES on that list?

          The problem is that people are either too lazy or too apathetic to take it upon themselves to learn enough about using their computer to make smart choices about things that could lead to security issues.

          Finally, if you're so adverse to higher prices, why don't you personally offer tech support to all computer users for free so that the companies that develop OSs don't have to raise their prices?

          If you think that support costs are nonexistent or trivial, or if you think that tech support is entirely a byproduct of poor product design, then I hate to inform you (again) that you have no idea what you're talking about.
          quasilou
          • Re: I feel sad for your mom & pop, too

            But after 25 years, shouldn't a computer be more like an automobile? That is, they may have different features and designs, but I can get into any Toyota, Honda, GM or Ford sedan and drive somewhere without reading an owner's manual or taking a class. After 25 years, aren't we well beyond "What is it?" to "What can I do with it?"(paraphrase of a Steve Jobs quote from the 80's.) Mom and Pop aren't lazy. They just have high expectations about the usability and reliability of what has become a common household appliance.
            pgripley@...
          • Yes & No

            While it's true that computers are essentially appliances, the similarities between them and toasters - or cars for that matter - pretty much end there.

            A toaster does a few things and they're all related. A computer is designed to BE ABLE to do nearly limitless things, and they're not necessarily related (insofar as playing games, writing a letter and analzying spectrograph data aren't related, etc.)

            People have unrealistic expectations as far as computers go. They want them to do everything. They don't want to have to learn anything new. And they want computers to be cheap.

            Huh? How is that supposed to work exactly?

            If you have a calculator app open on a Windows machine and a Mac, I'm pretty sure a user who can work one calc app can work the other one with no trouble.

            But how do you find the calc app in the first place? You have to have SOME knowledge of how modern OSs work, you have to understand how to use a mouse, etc. Neither the Windows or Mac way of organizing the computer's contents and programs is "right" or "wrong". They're just different.

            Do you really think that a person with absolutely zero (and I mean zero) computer experience is going to find either a Windows or Mac computer to be "easy" to use? Of course not...there's a ton of stuff you have to learn, both in concept and practice, to be able to use a computer.

            But the thing is, it's a LOT less that you have to learn these days than what you had to learn 25 years ago.

            Going back to your car analogy, sure IF YOU KNOW HOW TO DRIVE, then you can get into any car and probably figure out how to drive.

            Just like IF YOU KNOW HOW TO USE A COMPUTER you can probably go onto either a Windows machine or a Mac and get online and browse the web.

            But do you think the OP's mom & pop would be able to get into a BMW and use everything that's available in iDrive without reading a manual? Not likely unless they already know how it works.

            Sometimes even little things...the odometer reset, the trunk release, gas release or glove box release, the ignition lock...these things in different cars can cause people a serious amount of frustration (for instance when renting a car) if they work in ways that are different than their own car.

            So it's not really a fair or accurate analogy, and it's not even really valid.
            quasilou
          • Well put

            Well put quasilou!!
            Everytime you upgrade you need to learn the new features or functions no matter whether it's a car, toaster, washing machine or a computer OS.
            Learn the new stuff or keep using the old one!
            msharma117@...
          • Of course...

            there are many ways you can turn your computer into a toaster...
            TristanGrimaux
          • Windows 7 UAC malware problem

            How many intelligent Windows 7 users will not have a firewall and anti virus installed on their machines. They should do these kinds of test in the real world and show how these pieces of malware would fare in a machine that had proper protection. These kind of stories don't actually impart any useful information. Hopefully ZD net not put many more of these types of stories in their on line site. Why not have a real world situation that we might face. They could show how dangerous this malware is without protection, and then show how it has been stopped when firewalls and anti virus is implement.
            rgeiken@...
          • Amen, Quasilou!

            The analogy of a car to a PC is rediculous!
            Have you ever rented a car and try to figure out how to turn on the lights and end up activating the windshield wipers instead? It's the little nuances of anything unfamiliar that results in scourge of initial productive usability. It's a fact of life in just about anything.
            Some user's learning curve with be less than others simply because they've had more exposure to whatever it is that they are trying to re-learn.
            On my personal comp. @ home. Security is not much of an issue because imo, the brain is the best anti-virus. If something appears odd to me, I Alt+F4 right away. If it's too late and my PC gets infected, it's like a clogged drain. I don't b*tch and moan about it, I fix it! Do I blame the construction company that installed the pipes on my clogged drain? No, that's ridiculous. But, it would be nice if most folks had the knowledge and wherewithal to be able to avoid infections themselves and know how to research the problem and fix it. But I suppose most folks are too used to relying on others to fix their own probs.
            I've got Vista right now on my machine, I've also recently installed Ubuntu on it as well. I've applied for the Win7 upgrade and am expecting it shortly. I'm sure it's going to be fine on my machine because it won't be a resource hog like Vista has been. And I'm sure once I produce an image for recovery purposes and continually back up my files, that any unrecoverable infection will be a minor annoyance at best.
            the_fish_69@...
          • cars are good analogy

            When the issue is security, the analogy works fairly well. I often go places in my small home town and leave my car unlocked with the windows down. I feel safe that everything will be there when I come out. If I drive to the neighboring town the windows go up; the locks come down. If I venture to the big city 20 miles away, the television in the back seat gets covered up as well as the car being locked and if I had an alarm.....
            The point being, If mom & pop never hook up internet to their computer(any OS) there really is no need for security measures beyond password protection and lock the front door when you go to the market. If it gets connected to a local net, but not the internet some precautions need to be made depending on the nature of that network. Getting on the internet is like parking a BMW in front of a chop shop with the windows down; key in the ignition; engine running. Mom & pop are with 95% of the population in that they have no idea what is going on behind the screen in front of them.

            Last weak my 24 year old neighbor was so proudly telling me how Tom, the creater of myspace, had personally sent her an email warning her that she needed to comfirm her id and password or her account would be deleated to make room for more users. " oh, and by the way what does phished mean?"
            stremin
          • You can't use windows?

            I'm sorry, but almost anyone can use Windows or OS X (*nix still has a way to go).

            I'm not even sure if it's that different from a car. For most owners, routine maintenance is performed by a mechanic. However, if the end user doesn't bring the car in for an oil change, doesn't wash and wax it fairly regularly and drives through high water and/or leaves the gas gap off during downpours, their car will have problems and will perform below expectations.

            My folks are in their 70's, and while they can't perform all the routine maintenance, they are quite capable of using their computers to perform the tasks of their choosing.

            notsofast
          • RE: I feel sad for your...

            OMG! I've lived in both the US and Canada. Every place that I've lived has licensing requirements for driving, mostly to prove that you know how to operate a motor vehicle and can obey the rules of the road. Furthermore, every vehicle is somewhat different and you do have to learn where some safety device controls (like the horn and the wipers) are located.
            MythicalMe
          • If we accept your premise

            that after 25 years, a computer should be more like the automobile ? i.e., drive one, drive them all, then it is useful to look where the automobile actually was 25 years after its invention.
            Karl Friedrich Benz (1844-1929) is credited with inventing the first gasoline powered machine in 1885 (http://www.loc.gov/rr/scitech/mysteries/auto.html).
            Twenty-five years later, the Stanly Steamer was introduced (http://americanhistory.si.edu/onthemove/themes/story_78_3.html).

            I seriously doubt you could easily switch between both cars as you suggest. Such was the state of automotive evolution. You cannot compare the similarities of cars built between 1984 and 2009 and suggest computers should be the same way. Cars have been around for well over 100 years. We will see what computers look like 75 years from now. Then your point may be valid.
            tnboren@...
          • As an automotive historian

            automobile actually was 25 years after its invention.
            Karl Friedrich Benz (1844-1929) is credited with inventing the first gasoline powered machine in 1885 (http://www.loc.gov/rr/scitech/mysteries/auto.html).
            Twenty-five years later, the Stanly Steamer was introduced (http://americanhistory.si.edu/onthemove/themes/story_78_3.html).

            Contray to popular belief! The auto industry is much older than most are aware of.

            The first discussion about a self propelled vehichle took place in the 1100's

            The first self propelled vehichle was built in the 1700's

            The first electric vehicle was built in the 1850's.
            ICUR12
          • Re: Re: I feel sad for your mom & pop, too

            Re: I feel sad for your mom & pop, too
            But after 25 years, shouldn't a computer be more like an automobile? That is, they may have different features and designs, but I can get into any Toyota, Honda, GM or Ford sedan and drive somewhere without reading an owner's manual or taking a class.

            I hate to burst your bubble but when the auto industry was 25 years old you COULD NOT jump in just any car and operate it like any of the others.

            Would you even know how to start a Model T. It required operating several foot pedals and several items on the steering column.

            I'd bet if given 30 minutes you wouldn't be able to get it started!!
            ICUR12