Malware can turn off UAC in Windows 7; “By design” says Microsoft

i now hear a wo-wo coming soon from Microsoft.

Security Fail.

The new “non-annoying” UAC settings in Windows 7 are definitely less annoying, but then I was never annoyed by UAC in Vista.

I’d rather it were the same as it is in Vista, than be less secure.

I was never annoyed by either Vista or W7 UAC, but it’s nice to know to be extra careful.

Hi Rafael,

my first action is allways to set UAC to Vista level. Thanks for showing all n00bs that the new UAC from Win7 is bad!

André

I agree that this needs to be fixed, because average Joe user these days is too stupid to differentiate between legit apps and malware it seems.

And yes, the fix is easy, remove the security certificate from the users control panel applet. Voila.

@Chris123NT, i dont think the average joe is too stoopid to differentiate between the too, i think that people are getting better at hiding malware anyway they can to trick people into installing things, only to find out that they “double clicked” more then what they bargained for, not that people shouldnt still be cautious, but sometimes it can be hard to tell the difference…

i agree that sumthin should be done though and if there is a simple fix for it, like what has been found, then it should be implemented in time for RTM..theres no reason it cant be done!

peas
cityboy

I think regardless of how many buttons and dialog screens a user has to go through they will still whatever they want. Until people learn the difference between legit apps and all the “free” junk there will be problems. UAC only annoys those of us who better understand what we are doing when we install something, it only suggests that the software might be harmful.

Over the course of a normal day I use XP Pro and Vista machines at school, but once I get home I use mostly a Mac OS X but there are also XP and Linux computers and I can honestly say I prefer XP over Vista and definitely Mac OS X over all of them.

Thanks for this post Rafael, I had a bad feeling about the new UAC slider in Win 7 as soon as I saw it. Security on the most popular OS in the world is a conundrum for Microsoft. The security (or lack there of) in XP is the main source of malware today, most regular users run XP as administrators and couldn’t tell you if their machine up to date with security patches. The Vista team decided that, that needed to change, and sacrificed convenience for security. It looks like the Win 7 team has decided to give in to pressure and give people an easy way to go backwards to alleviate the complaints about the annoyance UAC caused some Vista users.

“It looks like the Win 7 team has decided to give in to pressure and give people an easy way to go backwards to alleviate the complaints about the annoyance UAC caused ’some’ Vista users.”

If it would be ’some’ users i doubt strongly they’d change such a fundamental issue. They should just use the Vista style UAC for corporate environments and do away with it all together for home users.

Even my father (79) knows better now then to click on anything that passes by.

Rafael – Could you comment on this?

I saw this comment posted by “Master Guru” over at a website referencing this issue:

Windows 7’s UAC is now insecure ‘by design’ – TechBlog
http://blogs.chron.com/techblog/archives/2009/01/windows_7s_uac_is_now_insecure_by_design.html#c1226188

Quoting:

UAC suppresion is only allowed on admin accounts, unless of course the user enters the admin password from a user account.

A) The script will not run on my PC in a user account.
B) If it did, it would ask for an admin password.

Dwight,

Please create a user account and try to change UAC without entering an admin password.

I’m curious why anyone else would have any other results….

The article does say user, right?

As a user I also cannot change any items with a shield on them in any dialogue box, such as Windows Firewall or any program requiring admin priveleges.

—end-quote —

The blog author (Dwight) then comments that “by default, the Win7 beta install sets up as an admin account. In fact, during setup, you have no option to set up as a user account. So I suspect 99 percent of all beta users are running as admin, in which you don’t get prompted to change UAC settings.”

Any thoughts on these perspectives of the issue?

Thanks!

SendKeys aren’t dependable at all. If I had a program trying to access uac via sendkeys, all I could do is click on a random text box somewhere and throw it off.

I hate Vista for the UAC made the whole OS slow and cumbersome to use. I do not want a wall of popups after popups that are telling me if I’m sure that I want to install an app, watch a page in internet or change a setting. As a user all I want is speed and Vista no matter what run much slower than XP in a 50 times faster machine can you explain that. How about some code optimization please! I would have paid the same amount for the Vista OS than for a version of DirectX 10 that runs in XP. Too bad for Windows that soon it will be available not from them and it will be a free download. Unfortunately all I have seen so far is that Windows 7 is nothing more than Vista without the UAC. An improvement but a still slow OS. If Security is relevant when it comes to an OS then the whole Windows approached to it has been flawed from the design phase. If they would have been able to design the OS with a way to create restore points from which you can recover on the fly no matter what, then you would not have to worry about getting the OS so secure that is impossible to use, but instead you have a very powerful tool that allows you to recover from catastrophic loss of info. No matter how much security you put into something someone will defeat it. The real worst part here is that creating a ghost image every week in XP is cumbersome enough.

Don’t worry. I’m sure the beta team will listen to your concerns now that they’ve been made public :P

(I hope they do. Otherwise, they should all be fired)

@Renato

stop posting such nonsense. this is a discussion about an implementation bug in UAC in Windows 7 and not a place to troll.

Vista is not a slow OS and if you are annoyed by UAC you don’t understand how right management in NT systems works. Do the same things under a limited account in Windows XP and look at the access denied messageboxes you’ll see and compare it with Vista ;) What is better? an option to get elevated rights with the UAC or the stupid messageboxes ;) So learn how NT works

stop whining, if u install legal apps once , then u nevr see this ‘problem’ again.

I have read all of these posts. I have a couple of statements and questions.
I use AVG for Antivirus and Spybot Search and destroy for Spyware and malware protection.
Bare in mind I don’t go looking for trouble, however I have not had a problem with malware on my computer.
Education is the key here. If you are not installing a program on your computer nothing should be popping up trying to change your registry. If it does you deny the change and go on. Seems pretty simple to me.
One thing Microsoft should learn is they ‘can’t fix stupid’.
I am curious to know if Macintosh OS has these same of similar vulnerabilites in their OS?
Look out they will be next to get hit.
I am an IT Manager for a small family owned company and the key like I said earlier is education.
I have instructed my users and friends what to look for and installed the programs I have listed above (not at work) to home users and I have not had any repeat cleanups of computers to do.
Microsoft will never win this battle and will always be chasing its tail.
The answer is simple create and unsecure OS for people to use that know how to use the tools available to protect themselves and create a secure OS for the uneducated consumer to use. Let people make the choice and live with their decision and stop trying to solve every problem. They should learn from the government.
Sorry for the rant.

Education will help with most of the issues, but how can that be accomplished to such a wide audience? People would brush that off just like the EULA is.
Good anti-malware applications should be able to prevent most things but I think its a really good thing that Microsoft is doing, protecting the users in the best way that they can.
Microsoft will get it someday and thanks to Rafael they might get there quicker. Good post.

This seems really crazy. Basically Apple has forced MS to make their product less secure with their false, although witty, ads.

I have never been bothered by UAC in Vista. I think the only people who are bothered by it are the ones who have seen Apple ads and bought into that. They of course leave out that Mac OS has the same type of feature, except instead of just clicking continue you need to enter your password. In my experience it happens much more frequently on Mac OS than it does in Vista,

So, does Windows7 still encourage users to run as an Administrator? Until Microsoft gets serious about security and designs an OS that properly segregates between user appropriate functions and Admin-only functions and forces their software designers to respect this segregation, any use of Windows as an OS is a security work around.

Just my two cents.

Thanks for the Article Rafael!

The UAC whitelist is anti-competitive, as well as being badly designed/secured.

Users cannot add 3rd party components that they use & trust to the UAC whitelist. Only Microsoft’s own components can be on it. So, for example, third party file managers have to display at least one UAC prompt to get admin access while Microsoft’s Explorer does not. That isn’t an even playing field.

Similarly, users cannot remove Microsoft’s components from the UAC whitelist. So if you do not use Explorer but do want the whitelist (which is on by default), you are forced to leave the security hole open for Explorer even though it doesn’t benefit from you. Explorer’s UI isn’t isolated like an admin process is — its windows have “medium integrity” — so there doesn’t seem to be anything to stop it being remote-controlled via mouse & keyboard events. (As the VBScript in the root post proves!) Which is an okay trade-off if you use it but a stupid security hole if you don’t. (And it seems stupid for the UAC control panel itself to be on the whitelist.)

Sadly for me (a file manager nut), people don’t seem to care much about anti-competitive behaviour that affects anything other than web browsers, so nobody AFAIK has picked up this story, although I did mail a bunch of sites about it.

More details here, including a confirmation from Microsoft:

http://www.pretentiousname.com/misc/win7_uac_whitelist.html

an Admin can start an Admin-Script that does administrative issues. Who cares?

If the user has no Admin-proviledges the script will do nothing. So where’s the beef?

@Rafael:
Why do we even care. UAC is worthless and Microsoft should throw it out entirely.
After all, I have always ran Windows Vista and Windows 7 with UAC off and and I don’t see any virus on my computer

@Mark: UAC is virtually useless to people who are tech-literate. The UAC was meant for users who don’t necessarily grasp the concept of malware being downloaded and installed from popular programs (free P2P clients for exmaple).

Some people need UAC to make sure that they are safe and some people do not need it at all.

@Mark: UAC is not worthless. (It isn’t a magic bullet either.)

Even for tech-literate people, UAC helps to protect us against processes doing things which require admin access without us knowing that they are doing it. (Unless they do it at install time, which I mention below.)

Buffer-overflow exploits are perhaps the best example of why this protection is useful and important. If you are using a process that you trust (else you would not have installed it, right?) and you are doing something that seems innocent, like loading a data file or web page, a bug in that trusted program can allow malicious data to make it run arbitrary code. In the event that that happens it’s much better for that code not have admin access.

Even better if it’s running with “low” integrity (another part of UAC, though only really used by Internet Explorer so far) where it can’t even modify your personal documents (but can still read them, FWIW).

For me the biggest flaw in UAC is that installers still get full admin rights and thus you still have to trust any software you install with full admin access to your machine. I’d love to see that improved one day. (For example, I am annoyed that installers can add root CA certficates without my knowledge, potentially compromising my web and application security.) But it still doesn’t mean that UAC is useless as it’s still good to protect against trusted apps that go rogue via exploits.

(There’s also the very, very useful side of UAC that hardly anyone talks about: Allowing non-admin users to conveniently elevate to admin when required, via a password prompt. UAC has made running as a limited account a lot more usable.)

I think that windows 7 should have mach more less system requirements. Such as 64 Mb of VGA and 512 Mb of RAM. Becuase even the Windows Vista had more system requirements but it was not able to do much thing in performance except in the visual appearance. So if Windows 7 requires a RAM of 1Gb, it should be able handle more programs with high performance without affecting the speed.

Windows has a “feature” that’s more like a bug?

And it’s in there by design?

Is this news?

I’m just waiting for that company to try suing over that alleged 235 patents that they claim the penguin-flavoured OS violates. Including the one for UAC that seems to define a mechanism that’s *remarkably* like sudo. Only sudo works.

Hashan: 7 runs with 512mb RAM and 12mb Video Memory.

Reading this thread, it’s clear that NONE of you (except for one) undestand this issue AT ALL.

But Jochen NAILED it: “an Admin can start an Admin-Script that does administrative issues. Who cares? If the user has no Admin-proviledges the script will do nothing. So where’s the beef?”

It takes Admin rights to run a VBScript (or install malware). Unless those rights are explicitly granted, nothing bad happens. And, if those rights are granted — ie. to install malware, in the first place — then the machine was ALREADY compromised AND UAC ISN’T THE ISSUE! You’re complaining about an already-compromised machine doing FURTHER damage by turning UAC off.

Microsoft did the right thing here. Too bad that so few of you understand the issues involved but, nonetheless, feel compelled to complain. Sheeez…

@Tom

You’ve also failed to understand the issue.

1. ALL USERS ARE ADMINISTRATORS. By default, a user is an administrator, thanks to the installer. And users can be assumed to not change the default, because that involves knowledge and work, and users are uninformed and lazy.
(This has been true since Windows 2000, but for a different reason: Electronic Arts and other game publishers use coding techniques and security systems that assume the user has the same level of access as on Windows 98, i.e. Administrator.)

User Account Control was designed to make 1. less security-problematic by distinguishing program action from user intent. Administrator users are prompted before programs do anything potentially sensitive, like install malware, to make sure the user understands what’s going on and approves. Essentially it adds an invisible fence with sirens and klaxons on it.

2. ADMINISTRATIVE USERS CAN HAVE UAC TURNED OFF WITHOUT BEING ASKED, OR EVEN TOLD. The invisible fence, which was designed specifically to prevent things like this from happening, now no longer protects its own power switch. This is a privilege escalation issue, as malware can do things undetected that would normally trigger UAC prompts. This makes UAC utterly worthless. In fact, it makes it worse than worthless because it gives users a false sense of security.

Once malware has compromised the machine, it should be trapped in UAC’s sandbox, just as it would normally be trapped in a limited user’s sandbox. Obviously, that’s not going to happen. Users shouldn’t run with administrative rights. Obviously, that’s not going to happen. I’m sorry you run your machine the way it’s supposed to be run — or do you? why don’t you run Raf’s script and see what happens? — but the vast majority of users don’t, and won’t.

Maybe a solution using captcha with UAC! LOL

This happened because of a handful of idiots that cried out loud about the UAC popups initially. Microsoft should not have tampered UAC – users should learn that you have to authenticate when you do something dangerous (none complains when they have to show ID when withdrawing fund from a bank account) and programmers should learn that to calculate 5+3 you don’t need access to the kernel.

Dude you have found nothing here… What a joke. LOL…. loser

Often the cure is worse than the disease.

I have turned UAC off mainly because it continued to ask permission for same action I was repeating over and over, as an Admin, during configuration and installation of software within the same login session. In addition, some processes running through DCOM using a “secure” non-interactive user were not working if I had UAC on. I do admit that a different software design -based on what XP’s security permitted, over which I have obviously no control- and some extra configuration on Vista would have helped the latter, it was the constant UAC prompts that finally made me decide to turn it off.

If UAC does protect my computer (according to MS it does) why should it continue to bother me (Administrator, not a user with Admin priviliges) on the same issue over and over again. If it was a ‘Allow’ the first time why wouldn’t it be a ‘Cancel’ next time. Maybe a checkbox with “Don’t ask me again” would have solved the problem with very little effort. The actual solution in W7 looks more an overshoot to me.

Dutch, the problem is if you authorize something once, the next time maybe it could be adware or malware trying to get something done, so since there is the possibility you authorized something once, but in an hour from now someone else might be on your computer or malware might be trying to install, you have to confirm once again.

I think the easy fix is for Microsoft to request Admin rights ALWAYS, even if you have UAC turned off, in order to change the UAC security level and settings. As long as the highest security mode does not ask you to confirm things twice like Vista did sometimes, it is all fine. Windows Vista’s UAC didn’t annoy me much, what annoyed me was having to click first on one pop up and then another one to confirm… Seven doesn’t have this duplicate popup issue. All they need is to lock UAC settings from being modified always.

Now-now, what’s this talk about “less secure”?!
If we’re talking about security as a trait inherent to the OS, the UAC has nothing to do with it. Security in this case depends on how easy it is to defeat policies set by the administrator, like steal or damage data from a restricted account or without access to an account whatsoever. Administrator is absolute. That’s the way it was through all the years of multi-user computing.
If Microsoft wants to help the world of computing by reducing the “human factor”, I think a two-login model for new installations would be far more appropriate: az administrator user for installing software and changing system-wide settings, and a RESTRICTED user for everything else – work, surfing the web, games, etc.
That’s the way I’m using my Windows XP account, without any antivirus software, and yet I haven’t had ANY malware or virus problems, EVER.

The UAC is great for the fact that it prevents idiots from doing bad things to their machines, but it delays far too many normal operations, and a scale-back for those of use who know how to manage our systems is welcome, in my book. I don’t need to be hand-held through my job, especially when it costs me time and causes me aggravation. That modifying the UAC does not *itself* prompt you is a very, very bad idea, however: this security chasm should be reviewed and revised.

Forcing users to remember the Admin acct user pw but making the default acct be of limited access might go a long way towards fixing the root cause of the need for the UAC, but users would doubtless lock themselves out en masse. Sigh.

@ MagicAndre1981

I’m not sure what you are using for comparison, but I have observed that Vista boxes tend to stutter and hang until I shut off nearly every one of the OS’s shiny new features, even when the units have 4G of RAM. I have been told that Vista 32 is faster than Vista 64, which makes sense, but the pretty much uniformly lower speed on Vista boxes I have observed, compared to XP boxes with far older/lower capacity hardware , is striking.

@ Israel Lopez

That the UAC prompts repeatedly without offering an “do not prompt again” checkbox is, as Dutch said, an annoyance. No amount of rationalization is going to change the fact that an Admin user should not have to “plant the flag” repeatedly for the same app. Period. Try working in a production environment where you are constantly making system changes and having to deal with the UAC repeatedly: it sucks. Mac OS has this repetitive prompt (with a password requirement and *occasional* case-sensitivity on the *user name*, to boot!) and it is one of the many reasons that I will not buy a Mac, despite having been an Apple Certified Desktop Technician.

I recall Mark Minasi commenting that if compatibility is 9-o-clock and security is 3-o-clock, MS set it to about 10-o-clock with Vista’s UAC and integrity levels and so on. Me? I’d have slammed that sucker all the way over to 2-o-clock as a minimum!

It isn’t that it’s annoying or any kind of a problem after you do initial setup and it’s much better than using XP with Limited User Access, though I implemented that enterprise-wide a few years back. Even then (with XP) I never reinstalled anything from scratch but used a fully-configured image backup if I had to flatten the machine and rebuild it.

The real issue is “drive-by” web sites…a few times, not often in the last 2.5 years I’ve been running Vista, but a few times I’ve been Googling things and researching and…Whoa!…what’s this? A UAC prompt? Deny!!! Normally I ‘right-click’ on multiple topics in my Google searches and select ‘Open in New Tab’ before I start reading on topic.

Best illustration I’ve heard for UAC I’ve heard: when you’re done with your car, you have to take the key-fob and press the lock button…the car doesn’t ‘just know’ that you’re done with it when you get out and walk away. Similarly, you have to press the unlock button because the car also doesn’t ‘just know’ that you are the right person to allow to drive it/get inside it.

I welcome UAC and wish they’d made secure ’stiffer’ – even as an option. When I upgrade to Windows 7 I will most definitely set UAC to behave as in Vista. If I can’t do that…I won’t change.

Извините, как можно добавить свой материал на сайт?

{Читаю {ваш|этот|} блог, и понимаю, что {ничего|нифига} не понимаю. Все так запутано. :)

The UAC Settings page does not accept the sendkeys input

seems like UIPI prevents the sendkeys, or other equivalents

Looks like this issue has been fixed in Windows 7 RTM. I’m running Windows 7 Home Premium since October 22, 2009.