Battered by braggart hackers and a budding cybercrime industry, Microsoft changed paradigms when Bill Gates issued his “Trustworthy Computing” memo on Jan. 15, 2002. No longer would the world’s richest software company make functionality king. Security would be the new guidepost.
“Great features won’t matter unless customers trust our software,” Gates pronounced at the start of 2002.
Fast forward to the fall of 2009. While Microsoft has made great strides in security, the decision to add gradations to the User Account Control mechanism in Windows 7 — and set the default setting at medium-high — once again lays bare the company’s ingrained features bias.
“Overall Windows 7 is a big improvement and a much more secure operating system,” says Eric Voskuil, CTO of security firm BeyondTrust. “However, UAC in its default configuration is a ticking time bomb.”
UAC is the feature introduced in Vista that finally made a distinction between user-level access, needed to open files and work with data, and administrator-level access, needed to install new applications on your hard drive. From a security standpoint, user-level control is restricted, and, therefore, good; while administrator-level access is wide open and thus can be very, very bad.
User-level vs. administrator-level access
In Windows XP, administrator-level access was enabled by default, a big reason cybercriminals have been able to install malicious applications on tens of millions of Internet-connected Windows PCs and amass them into botnets to carry out Internet-enabled criminal activities.
Microsoft designed UAC to put users in control of when to grant administrator-level access to the hard drive. But UAC frequently prompts Vista users for permission to do something, sometimes more than once. Apple ridicules Vista’s UAC, portraying it as an overbearing secret service agent in this TV commercial, even though the Mac OS X operating system has a very similar security feature, albeit more elegantly executed.
Because many annoyed Vista users simply turned UAC off — in effect reverting to XP-level exposure with wide-open administrator-level access — Microsoft created a slider bar, shown below, for Windows 7 that enables users to set two intermediate levels of access, medium-low and medium-high.
To enable these gradations Microsoft created a mechanism called “auto-elevate” that automatically grants permission for administrator-level access for certain routine functions. This feature increases usability by reducing the number of permission requests the user sees.
In early July 2009, a programmer named Leo Davidson published proof-of-concept code showing how any program, good or bad, could tap into the Windows 7 auto-elevate feature when UAC was set at off, medium-low or medium-high. The upshot: setting the UAC default at medium-high would reduce the number of annoying prompts users see — but also leave a door wide open for cyber criminals to access the hard drive.
Davidson’s discovery and disclosure was very much in the same vein as the work of vulnerability researchers who’ve discovered and disclosed thousands of Windows operating system vulnerabilities, some of which have subsequently led to infamous cyber attacks — from CodeRed to Conficker.
Framing the debate
In fact, Microsoft quickly listed Davidson’s proof of concept exploit as malware.
But then a debate ensued that underscores Microsoft’s ongoing struggle to balance features and profits against security and the risk of losing the public’s trust.
On one side of the debate, security researchers like Voskuil and a 21-year-old Melbourne college student and security blogger named Long Zheng argued that Microsoft was obligated to somehow mitigate the auto-elevate vulnerability. However, the only way to do that was to get rid of the medium and medium-high UAC gradations, in effect dumping auto-elevate, says Voskuil.
On the other side, two of Microsoft’s best and brightest — Dr. Mark Russinovich, one of only 22 Microsoft Technical Fellows, and Jon DeVaan, Senior Vice President, Windows Core Operating System Division — dug their heels in to defend the auto-elevate feature.
To Russinovich’s and DeVaan’s credit, each engaged fully in the debate and laid out their positions in detail.
Russinovich argues in this blog post that, while the auto-elevate exploit disclosed by Leo Davidson is viable, it would require deliberate intent and a non-trivial effort to put into action. “The follow-up observation is that malware could gain administrative rights using the same techniques,” writes Russinovich. “Again, this is true . . . from the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (“Vista mode”).”
DeVaan in this blog post acknowledges that UAC “is one of those features that has a broad spectrum of viewpoints with viewpoints and advocates staking out both ends of the spectrum…security on one end and usability on the other.”
DeVaan then goes on to argue that UAC is “not a security boundary.” Therefore, he asserts that the auto-elevate flaw exposed by Leo Davidson does not “constitute a vulnerability.”
Thus when Windows 7 launched on Thursday, Oct. 22, 2009, it shipped with a UAC default setting of medium-high.
“This is the decision they felt they had to make to sell Windows 7,” says Voskuil. “From a security standpoint, they should at least be honest about it.”
Voskuil says cybercriminals have already begun to tweak their attacks to slip through the medium-high setting. “It defeats the purpose of the whole system,” he says. “Anybody can do whatever they want; all they need to do is get the user to launch code.”
Playing to cyber criminals’ strengths
The medium-high UAC default setting plays directly to the strength of cyber gangs adept at tricking PC users into clicking on corrupted Web links arriving in email spam, Twitter microblog postings, Facebook messages and Google search results as LastWatchdog reported here. The bad guys are also planting infectious launch code hidden in online advertisements displayed by popular Web sites, such as the New York Times. The prime criminal directive: infect as many PCs as possible to turn them into bots and align them into botnets, the engines driving cyber crime.
Cybercrime has come a long way since Bill Gates issued his Trustworthy Computing memo in 2002. Hardly anyone, save for raw newbies or political activists, launches attacks for bragging rights. Cybercrime has emerged as a centi-billion dollar, smooth-running, steadily-expanding global industry.
Malicious software tool kits, like MPack, Turkojan and ZeuS, can be readily purchased and easily customized. This malware is being churned out by professional programmers, like A-Z, the young and rich author of ZeuS, whom I wrote about in this investigative cover story.
“They will take Leo’s code, or write their own, because it’s not difficult to do, and integrate it into their own malware, and when it launches on your Windows 7 machine, through whatever mechanism, it will get past the medium-high setting on UAC,” predicts Voskuil.
Cyber criminals are counting on most Windows 7 purchasers to stick with Microsoft’s default settings. Voskuil recommends immediately elevating your Windows 7 UAC default setting from “notify me only when programs try to make changes to my computer,” to the “always notify” setting.
You will see more annoying prompts. But you will be better protected.
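The article describes the hardening step only in terms of the slider dialog. The following PowerShell script is an added example, not code from the article, Voskuil or Microsoft: it reads the registry values behind the UAC slider (`EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` under the documented `Policies\System` key), reports which slider level they correspond to and whether auto-elevate is in effect, and provides a function that sets the values to the “always notify” level. The mapping from value combinations to the slider labels used in this article (off, medium-low, medium-high, always notify) is this script’s own assumption about how the Windows 7 dialog writes those values.

```powershell
# Added example (not from the article): audit the UAC level on this machine and,
# if wanted, set it to "Always notify", the level the article recommends.
# Registry path and value names are the Microsoft-documented UAC policy values;
# the slider labels below are an assumption about how the Windows 7 dialog maps them.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p          = Get-ItemProperty -Path $UacKey
    $enableLua  = [int]$p.EnableLUA                    # 0 = UAC disabled entirely
    $consent    = [int]$p.ConsentPromptBehaviorAdmin   # 2 = always prompt, 5 = prompt for non-Windows binaries, 0 = silent
    $secureDesk = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the dimmed secure desktop

    $label = switch ($true) {
        ($enableLua -eq 0)                      { 'Off (never notify, XP-style exposure)'; break }
        ($consent -eq 2 -and $secureDesk -eq 1) { 'Always notify (Vista mode): auto-elevate not in effect'; break }
        ($consent -eq 5 -and $secureDesk -eq 1) { 'Medium-high (Windows 7 default): auto-elevate in effect'; break }
        ($consent -eq 5 -and $secureDesk -eq 0) { 'Medium-low: auto-elevate in effect, no secure desktop'; break }
        ($consent -eq 0)                        { 'Elevate without prompting'; break }
        default                                 { "Non-standard (Consent=$consent, SecureDesktop=$secureDesk)" }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $label
        # Auto-elevation of Windows binaries only applies below "Always notify".
        AutoElevateInEffect        = ($enableLua -eq 0 -or $consent -ne 2)
    }
}

function Set-UacAlwaysNotify {
    # Must run from an elevated (administrator) PowerShell session.
    # A change to EnableLUA takes effect only after the next log-off or reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: report the current level and warn if the machine is below "Always notify".
$state = Get-UacLevel
$state | Format-List
if ($state.AutoElevateInEffect) {
    Write-Warning 'UAC is below "Always notify"; run Set-UacAlwaysNotify from an elevated prompt to harden it.'
}
```

Reading the values needs no elevation, so the audit half can be run by any user or pushed out as a logon script; only `Set-UacAlwaysNotify` needs an administrator session, which is itself the kind of prompt the setting is meant to enforce.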
Expert commentary encouraged.
by Byron Acohido
8 Comments on "Windows 7’s security ‘time bomb’"
Is this bug the one that will lower (or turn off) UAC without prompting the user at all? The change level setting bug, I mean?
If so, then I would ask how hard it would be to make changing the level into an item that requires you to be prompted? The OK button already has a UAC shield, so it obviously falls into the UAC realm. It shouldn’t be an issue to require that prompt regardless of whether I do it, or a program does it.
Have a great day:)
Patrick.
Patrick:
I don’t believe it is. Microsoft did fix a couple of UAC bugs, including that one, I believe, in response to feedback from the security community. This issue has to do with the auto-elevate function itself. Instead of UAC on vs. off, as per the Vista mode, Windows 7 has a medium and medium-high setting that automatically elevates some functions to administrator-level access. Leo’s exploit shows how auto-elevate can be accessed via an injection attack. That’s my non-technical understanding. Hopefully, Leo himself will comment here.
Thanks,
Byron
UAC’s goal was to finally wean Windows software developers off of requiring administrative access for everyday applications. For that goal, it was very effective... and whatever issues happen to be found have no impact on whether well-behaved Windows applications are written one way or another. UAC makes well-behaved applications require fewer privileges to operate.
Russ:
Thanks for laying out your strong stance. Realistically, though, the horse is out of the barn, don’t you think? Can you — or anyone — conceive of a plausible scenario by which Microsoft would reverse its rationale defending the current Win7 UAC default setting and move to configure the world’s dominant client OS along the lines you suggest?
Russ Cooper is absolutely right, but there is a problem. The first account (admin in approval mode) in Vista/W7 is VISIBLE. As a system builder/retailer I know most users – even if they are the only user – won’t create a second user that defaults as a standard user. It’s all coming down to user skill, I think.