Windows 7’s security ‘time bomb’

Battered by braggart hackers and a budding cybercrime industry, Microsoft changed paradigms when Bill Gates issued his “Trustworthy Computing” memo on Jan. 15, 2002. No longer would the world’s richest software company make functionality king. Security would be the new guidepost.

“Great features won’t matter unless customers trust our software,” Gates pronounced at the start of 2002.

Fast forward to the fall of 2009. While Microsoft has made great strides in security, the decision to add gradations to the User Account Control mechanism in Windows 7 — and to set the default at medium-high — once again lays bare the company’s ingrained features bias.

“Overall Windows 7 is a big improvement and a much more secure operating system,” says Eric Voskuil, CTO of security firm BeyondTrust. “However, UAC in its default configuration is a ticking time bomb.”

UAC is the feature introduced in Vista that finally made a distinction between user-level access, needed to open files and work with data, and administrator-level access, needed to install new applications on your hard drive. From a security standpoint, user-level access is restricted and therefore good, while administrator-level access is wide open and thus can be very, very bad.

User-level vs. administrator-level access

In Windows XP, administrator-level access was enabled by default, a big reason cybercriminals have been able to install malicious applications on tens of millions of Internet-connected Windows PCs and amass them into botnets to carry out Internet-enabled criminal activities.

Microsoft designed UAC to put users in control of when to grant administrator-level access to the hard drive. But UAC frequently prompts Vista users for permission to do something, sometimes more than once. Apple ridicules Vista’s UAC, portraying it as an overbearing secret service agent in this TV commercial, even though the Mac OS X operating system has a very similar security feature, albeit more elegantly executed.

Because many annoyed Vista users simply turned UAC off — in effect reverting to XP-level exposure with wide-open administrator-level access — Microsoft created a slider bar, shown below, for Windows 7 that enables users to set two intermediate levels of access, medium-low and medium-high.

To enable these gradations Microsoft created a mechanism called “auto-elevate” that automatically grants permission for administrator-level access for certain routine functions. This feature increases usability by reducing the number of permission requests the user sees.

In early July 2009, a programmer named Leo Davidson published proof-of-concept code showing how any program, good or bad, could tap into the Windows 7 auto-elevate feature when UAC was set at off, medium-low or medium-high. The upshot: setting the UAC default at medium-high would reduce the number of annoying prompts users see — but also leave a door wide open for cybercriminals to access the hard drive.

Davidson’s discovery and disclosure were very much in the same vein as the work of vulnerability researchers who’ve discovered and disclosed thousands of Windows operating system vulnerabilities, some of which have subsequently led to infamous cyber attacks — from Code Red to Conficker.

Framing the debate

In fact, Microsoft quickly listed Davidson’s proof-of-concept exploit as malware.

But then a debate ensued that underscores Microsoft’s ongoing struggle to balance features and profits against security and the risk of losing the public’s trust.

On one side of the debate, security researchers like Voskuil and a 21-year-old Melbourne college student and security blogger named Long Zheng argued that Microsoft was obligated to somehow mitigate the auto-elevate vulnerability. However, the only way to do that was to get rid of the medium-low and medium-high UAC gradations, in effect dumping auto-elevate, says Voskuil.

On the other side, two of Microsoft’s best and brightest — Dr. Mark Russinovich, one of only 22 Microsoft Technical Fellows, and Jon DeVaan, Senior Vice President, Windows Core Operating System Division — dug their heels in to defend the auto-elevate feature.

To Russinovich’s and DeVaan’s credit, each engaged fully in the debate and laid out their positions in detail.

Russinovich argues in this blog post that, while the auto-elevate exploit disclosed by Leo Davidson is viable, it would require deliberate intent and a non-trivial effort to put into action. “The follow-up observation is that malware could gain administrative rights using the same techniques,” writes Russinovich. “Again, this is true . . . from the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (“Vista mode”).”

DeVaan in this blog post acknowledges that UAC “is one of those features that has a broad spectrum of viewpoints with viewpoints and advocates staking out both ends of the spectrum…security on one end and usability on the other.”

DeVaan then goes on to argue that UAC is “not a security boundary.” Therefore, he asserts, the auto-elevate flaw exposed by Leo Davidson does not “constitute a vulnerability.”

Thus when Windows 7 launched on Thursday, Oct. 22, 2009, it shipped with a UAC default setting of medium-high.

“This is the decision they felt they had to make to sell Windows 7,” says Voskuil. “From a security standpoint, they should at least be honest about it.”

Voskuil says cybercriminals have already begun to tweak their attacks to slip through the medium-high setting. “It defeats the purpose of the whole system,” he says. “Anybody can do whatever they want; all they need to do is get the user to launch code.”

Playing to cyber criminals’ strengths

The medium-high UAC default setting plays directly to the strength of cyber gangs adept at tricking PC users into clicking on corrupted Web links arriving in email spam, Twitter microblog postings, Facebook messages and Google search results as LastWatchdog reported here. The bad guys are also planting infectious launch code hidden in online advertisements displayed by popular Web sites, such as the New York Times. The prime criminal directive: infect as many PCs as possible to turn them into bots and align them into botnets, the engines driving cyber crime.

Cybercrime has come a long way since Bill Gates issued his Trustworthy Computing memo in 2002. Hardly anyone, save for raw newbies or political activists, launches attacks for bragging rights. Cybercrime has emerged as a centi-billion dollar, smooth-running, steadily-expanding global industry.

Malicious software toolkits, like MPack, Turkojan and ZeuS, can be readily purchased and easily customized. This malware is being churned out by professional programmers, like A-Z, the young and rich author of ZeuS, whom I wrote about in this investigative cover story.

“They will take Leo’s code, or write their own, because it’s not difficult to do, and integrate it into their own malware, and when it launches on your Windows 7 machine, through whatever mechanism, it will get past the medium-high setting on UAC,” predicts Voskuil.

Cybercriminals are counting on most Windows 7 purchasers to stick with Microsoft’s default settings. Voskuil recommends immediately raising your Windows 7 UAC setting from the default, “notify me only when programs try to make changes to my computer,” to the “always notify” setting.

You will see more annoying prompts. But you will be better protected.
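The slider shown above is backed by a handful of registry values under the UAC policy key. As an added example (not code from the article, from BeyondTrust, or from Microsoft), the PowerShell script below reads those values, reports which slider position they correspond to, and offers a function that moves the machine to “always notify.” The value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the documented UAC policy values; the mapping of their combinations to slider labels is the editor’s understanding of Windows 7 and is marked as such in the code. Running the setter requires an already-elevated PowerShell session.

```powershell
# Added example: audit the registry values behind the Windows 7 UAC slider,
# and optionally raise the setting to "Always notify" as recommended above.
# Assumption (editor's, not from the article): the value combinations below
# are how Windows 7 represents each slider position.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey
    # Missing values cast to 0; on a stock Windows 7 install all three exist.
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    $level = switch ($true) {
        ($enableLua -eq 0) {
            'UAC disabled (EnableLUA=0): XP-style, wide-open administrator access'; break
        }
        ($consent -eq 2 -and $secure -eq 1) {
            'Always notify (the setting Voskuil recommends)'; break
        }
        ($consent -eq 5 -and $secure -eq 1) {
            'Notify only when programs try to make changes (Windows 7 default; auto-elevate active)'; break
        }
        ($consent -eq 5 -and $secure -eq 0) {
            'Notify only when programs try to make changes, without the secure desktop'; break
        }
        ($consent -eq 0 -and $secure -eq 0) {
            'Never notify'; break
        }
        default {
            "Non-standard combination (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
        }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
    }
}

function Set-UacAlwaysNotify {
    # Must run from an elevated session. EnableLUA changes take effect after a reboot.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Get-UacLevel
}

# Report the current position of the slider.
Get-UacLevel
```

Get-UacLevel is read-only and safe to run on any account; it is the check an administrator would script across a fleet to find machines still sitting at the medium-high default. Set-UacAlwaysNotify writes the same three values the slider's top position writes, which is why the Control Panel shows “always notify” afterwards; Group Policy can enforce the same values so users cannot slide the setting back down.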

Expert commentary encouraged.

by Byron Acohido
