Blogger digs up Windows 7 security hole

Changes to UAC open up can of mischief-making worms

The UAC in Windows 7

Blogger Long Zheng on I Started Something has highlighted a potential security problem with the Windows 7 beta, where Microsoft's decision to change the way UAC works could let an attacker disable UAC without the user's knowledge.

Windows 7's default UAC setting is set to notify the user when programs make changes but not to prompt when a user or Windows changes settings.

"How it distinguishes between a (third party) program and Windows is with a security certificate," Zheng explains. "The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don't prompt UAC if you change any system settings."

Zheng continues: "The Achilles' heel of this system is that changing UAC is also considered a 'change to Windows settings', which coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely."

Shortcut to exploit

"Of course it's not a security vulnerability if you have to coerce the user into disabling UAC themselves," says Zheng. "I had to think 'bad thoughts' to come up with a way to disable UAC without the user's interaction."

That didn't take long. "The solution was trivial, you could complete the whole process with just keyboard shortcuts so why not make an application that emulates a sequence of keyboard inputs."

Long Zheng and helper Rafael Rivera then came up with a proof-of-concept VBScript to emulate the keystrokes without prompting UAC.

It's a simple problem with a simple solution - set the UAC policy to Always Notify - but it raises the age old question about usability versus security.

User error

It's often said that the weakest security point of any computer is the user, and by bowing down to calls to quieten down the irritating UAC, Microsoft may have compromised security.

With the issue gaining notoriety, it seems likely that Microsoft will look again at the potential for mischief.

And that's what betas are for, right?