While Microsoft officials won't say it (at least not publicly), one of Windos 7's main selling points is likely to be that it's the "anti-Vista." It will be faster, smaller, more reliable and... less secure?
If Microsoft continues on its current path regarding one of Windows 7's components -- the User Account Control (UAC) feature -- the company might find itself in the regrettable place where Windows 7 could be less secure than Vista, according to some testers.
Two Windows enthusiast bloggers, Long Zheng and Rafael Rivera, have now discovered not one, but two, seemingly severe exploit channels in the UAC setting that is currently set as the default for Windows 7. The first exploit they publicized (after talking to Microsoft privately about it) allows malware to turn off UAC; the other allows malware to auto-elevate without notifying the user. To date, Microsoft's response is that the new UAC default is set the way it is "by design" and isn't problematic.
I asked Microsoft again on February 3 if it was still standing by its statement that the UAC default setting for Windows 7 is fine as is. Microsoft declined to let me speak to anyone directly and instead provided this statement (in the form of these bullet points):
- "This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
- Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
- UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
- The only way this could be changed without the user's knowledge is by malicious code already running on the box.
- In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)"
I am not a security or a Windows internal expert. But I asked someone who knows a thing or two about how Windows works. He asked to remain anonymous. He said the current Windows 7 UAC setting is flawed in its design. It should not prompt only for non-Windows binaries (which is the default Windows 7 setting).
"The issue is that things, like the WSH (Windows Script Host), are part of windows and if a scripting host or other 'Windows' component, like WSH or Power Shell, can be used by malicious software to drive the UI, it is trivial to pull off an exploit like this. This is a major problem though as in its current form, Win 7 is potentially far less capable in its default configuration, at stopping drive-by malware when compared with Vista."
In other words, if the UAC setting is allowed to stay as is, Windows 7 could be deemed less secure than Vista. Ouch.
If Microsoft's current, wide-scale Windows 7 beta is a real beta (and not just one in name only, as I've argued in the past), it would follow that Microsoft is still planning to use tester feedback to alter Windows 7 in ways that will make it a better product. Yes, there is a risk that by having to go in and fix or change a feature could derail the well-finessed Windows 7 ship schedule. But isn't the point of having outside testers look at your code to find potential problems? And isn't improving the security of Windows still an overriding goal for the Windows team?
What's your take? Does Microsoft need to rethink what it has done to UAC to make it less hated than it was in Vista?
Update: Bryant Zadegan of AeroXperience.org. adds more food for thought to the UAC discussion, concluding: "I love Windows 7, but when a team closes a report on a critical demonstrated security bug as 'by design,' I don’t know what to think."