For those of you that have tried the W7 beta, you have no doubt noticed that Microsoft has made some changes to the way UAC operates. It now has 3 different "tiers" of security instead of being a binary on/off system, with the highest tier being equivalent to how Vista works, and the lowest tier (that leaves UAC on, anyhow) does little more than allow the user to continue using sandboxes for Internet Explorer and Gadgets.
In the middle we have tier 2, the default tier. Tier 2 is more lax about security than tier 3/Vista is; it is more lax because it automatically escalates all of Microsoft's control panel programs to full administrative privileges if the user is a part of the admin group, so that they do not get a UAC prompt when adjusting Windows settings. The reasoning for this is pretty straightforward: most of the whining from users about UAC was because it prompted them when they wanted to make system changes, so Microsoft scaled back UAC on the control panel programs.
If at any point that little lightbulb lit up in your head exclaiming "hey, doesn't this open up potential security vulnerabilities?" give yourself a cookie, because you've earned it. The problem with letting control panel programs execute with admin privileges unchecked is that theoretically a piece of malware could exploit this. It's no longer theoretical.
There's an excellent blog up detailing a proof of concept VB script that does just this. The script when executed by an administrator, in spite of the fact that it's limited to low-privilege execution, disables UAC entirely without ever informing the user. If this were malware, it would be trivial to then set up a task to drop a malicious payload after the reboot to 0wn the system, as without UAC the user is never informed of any of this.
Worse yet, Microsoft has reiterated that this is by design. Their argument amounts to little more than "well, the user already executed the malware in the first place, so it's their fault" which, while not entirely untrue, is entirely unhelpful. Under Vista, they would be informed that this program they downloaded is making a system level change and given the opportunity to block it. Users are ultimately responsible for their own security and seldom do the right thing, but I'm not sure how it's good for anyone to make program execution entirely unsafe once again.
Anyhow, I've rambled on for a bit too long, but I can't say I'm pleased that the potential flaws in W7's UAC implementation are becoming real. UAC under Vista was the best thing to happen to Windows security since NT, and now it seems we're going to throw it all away under pressure from people with brains too small to understand security, and mouths big enough to get whatever they want.
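A defender-side audit of the settings behind the tiers described above, as an added example that is not part of the original post. It assumes Windows 7 or later and reads the documented UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) under the Policies\System key; the tier labels are this example's own naming.

```powershell
# Added example, not code from the original post: report which UAC "tier" a machine is
# effectively in and whether the current process already holds the full admin token.
# Assumes Windows 7 or later; reading these HKLM values does not require elevation.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # A missing value means Windows applies its built-in default, so report that instead of $null.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $Default
}

function Get-UacState {
    # EnableLUA 0 = UAC off entirely (a change here only takes effect after reboot, which is
    # why the post's scenario needs a post-reboot payload to go unnoticed).
    $enableLua     = Get-UacValue -Name 'EnableLUA' -Default 1
    # 2 = always prompt (Vista behaviour), 5 = prompt only for non-Windows binaries (Win7 default),
    # 0 = elevate without prompting.
    $adminPrompt   = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    # 1 = prompts are shown on the secure desktop, 0 = on the normal (spoofable) desktop.
    $secureDesktop = Get-UacValue -Name 'PromptOnSecureDesktop' -Default 1

    $tier = if ($enableLua -eq 0 -or $adminPrompt -eq 0) { 'Disabled / never notify' }
            elseif ($adminPrompt -eq 2 -and $secureDesktop -eq 1) { 'Always notify (Vista-equivalent)' }
            elseif ($adminPrompt -eq 5 -and $secureDesktop -eq 1) { 'Default: Windows binaries auto-elevate' }
            elseif ($adminPrompt -eq 5) { 'Default without secure desktop' }
            else { "Custom (ConsentPromptBehaviorAdmin=$adminPrompt)" }

    # True only when this process runs with the full admin token; an admin-group member running
    # under the filtered token (the situation the post describes) reports False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        Tier                       = $tier
        ProcessElevated            = $elevated
    }
}

$state = Get-UacState
$state | Format-List
if ($state.Tier -like 'Disabled*') {
    Write-Warning "UAC is disabled or set to never notify; review who last changed $UacKey."
}
```

Running this from a scheduled task or a login script and comparing the result against the expected baseline is a cheap way to notice when UAC has been silently lowered on a machine.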