If you haven’t read it yet, go over and read Long Zheng’s article about the security flaw in UAC for Windows 7.
Wow, just wow.
For those of you too busy to read the article, or scratching your heads and asking “what,” here is the quick and dirty for you…
- By default, Windows 7 allows Control Panel programs or Administrative Tasks to make changes to “Windows Settings” (such as registry entries), without using the UAC window to notify you of the change
- Changes to UAC’s own settings, such as setting it to never ask you for anything, are considered a “Windows Setting” change, and if done from a Control Panel program, you are not notified
- Windows 7 cannot tell whether it is really you opening a Control Panel program and changing UAC’s settings, or a program simulating keystrokes that open the Control Panel and then change the UAC settings to never notify
- Microsoft is OK with this
Long did contact Microsoft about this, and their response was to say that users should be using Windows 7 as a “Standard User” and that any code to do this would have either “breached” security already, or “the user has explicitly consented.”
Well, that is not fully true. The basic concept is for a program to simulate keystrokes to open an existing Control Panel program, change settings in it, and then carry on as if nothing had happened. Nothing in these steps even remotely qualifies as breached security or a user-consented action. Yet UAC does nothing to alert the user to what happened.
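As an added example (not code from this post or from Long’s article), here is a PowerShell audit that reads the UAC policy values from the registry and reports whether the machine sits at the Windows 7 default that silently elevates Windows-signed Control Panel items, has been flipped to never notify, or is at the always-notify level; the key path and value meanings are Microsoft’s documented UAC policy settings, and the function names are my own.

```powershell
# Added example: audit the UAC policy values this post is about.
# Key path and value meanings follow Microsoft's documented UAC policy
# settings; function names are assumed (my own). Run elevated.
function Get-UacAuditResult {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key   # these values exist on a stock install

    # ConsentPromptBehaviorAdmin (administrators in Admin Approval Mode):
    #   0 = elevate silently, no prompt at all ("never notify")
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop ("always notify")
    #   3 = prompt for credentials on the normal desktop
    #   4 = prompt for consent on the normal desktop
    #   5 = prompt only for non-Windows binaries (the Windows 7 default)
    $behavior = [int]$p.ConsentPromptBehaviorAdmin
    $secure   = [int]$p.PromptOnSecureDesktop
    $enabled  = [int]$p.EnableLUA

    if ($enabled -ne 1) {
        $verdict = 'UAC disabled entirely (EnableLUA=0)'
    } elseif ($behavior -eq 0) {
        $verdict = 'Never notify: every elevation is silent'
    } elseif ($behavior -eq 5) {
        # The state the post describes: Windows-signed Control Panel items,
        # including the UAC settings page itself, elevate without a prompt.
        $verdict = 'Default: Windows binaries (incl. UAC settings) auto-elevate'
    } elseif ($behavior -eq 2 -and $secure -eq 1) {
        $verdict = 'Always notify on the secure desktop (hardened)'
    } else {
        $verdict = "Prompting (behavior=$behavior, secure desktop=$secure)"
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $enabled
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = $secure
        Verdict                    = $verdict
    }
}

# Move the slider to "always notify" on the secure desktop. Needs an
# elevated shell; a change to EnableLUA only takes effect after a reboot.
function Set-UacAlwaysNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
}

Get-UacAuditResult | Format-List
```

Running the audit before and after a suspected silent change shows exactly which value moved, which is the trace UAC itself never surfaces.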
The Admin mode gotcha
You have to be running as an administrator for this to work, but since Microsoft admits that over 70% of all computers have only one user, who is the administrator, this is a problem (see Figure 2 on the linked page).
The real problem
The real problem is that the security system (UAC) is treated with the same level of security as the rest of the Windows Settings. This is a horrendous screw-up. If you are building the system with only two levels of security settings, the control system for those settings should be the only thing in the highest level! Everything else should be in the other one. If you are going to divide settings into security levels based on whether the program carries a special signed certificate (Control Panel, Administrative Tasks, etc.) or not (all other applications), then go ahead and make UAC’s settings their own category that ALWAYS throws up a prompt before the change is applied, no matter who you are.
Can they fix this
Long’s advice is “to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state.” However, I doubt this can be done. The code that controls the UAC interface would have to be completely rewritten.
I started to diagram it, but it’s a bit complicated. Actually, after 6 yes/no flowchart branches, 5 prompt windows of 3 different “flavors,” I decided that it was a little too much for me to do right now. Needless to say, I don’t think Microsoft can make such a change and hope to rush Windows 7 out the door.
This is because this is more than a simple piece of code. This is code that is supposed to hold the security of the entire platform in the palm of its ‘hand.’ So, changing the code that runs it would change the API that Windows interfaces with and, at the very least, affect every security-aware program that runs, including Control Panel and Administrative Task programs. While they did pull off adding this Windows Settings level to UAC after Vista, we have no idea how many things that broke, and worse yet, this would add another level of complexity to the Control Panel items and their API.
This could be fixed, but I don’t see Microsoft being willing to risk the delay. Hopefully this turns out to be something fairly simple to fix that can be out the door quickly, and the whole ‘this is how it is supposed to work’ line is just stalling on Microsoft’s part.