Malware can turn off UAC, claim bloggers; Microsoft says ‘not a vulnerability’
February 2, 2009 (Computerworld) Microsoft Corp. insisted today that what outsiders have called a “security flaw” in Windows 7 is not a bug, but the way the new operating system is meant to work.
Last week, Rafael Rivera, a developer for a Virginia-based company that sells secure messaging software to the U.S. government, and Long Zheng, a well-known blogger who writes “I Started Something,” argued that a change to User Account Control (UAC) in Windows 7 could be exploited by attackers to secretly disable the feature.
UAC, which debuted in Windows Vista, is a security feature that prompts users for their consent before tasks such as program and device driver installation are allowed. The feature has been roundly criticized since Vista’s launch, primarily for too-frequent nagging. Even Microsoft acknowledged UAC’s problems last year, when it named it one of the five factors that contributed to Vista’s slow adoption pace.
In Windows 7, UAC has been modified to pop up alerts less often. It also has been changed so that by default, the feature is set to “Don’t notify me when I make changes to Windows settings,” said Rivera and Long,
“Windows 7 now ships with UAC configured to hide prompts when users change Windows settings,” noted Rivera in a post to his blog on Friday. “While this mode still ensures normal applications can’t overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.
“Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart,” Rivera continued.
The danger, Rivera and Long said, is that attackers can easily disable UAC without involving the user, and — since by default Windows 7 doesn’t warn when such changes are made — without the user’s knowledge.
The pair created a proof-of-concept script that disables UAC — one of Microsoft’s most heavily promoted security features in the past two years — and posted it online.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127153
