Security researcher Long Zheng has posted notification (along with a proof of concept) of an issue in the beta version of Windows 7. He’s shown how an attacker could bypass the User Account Control (UAC), although he’s also shown how it can be remedied quite simply.
The UAC has been a bane of Vista users, as it notifies the user every time a program tries to alter the system. Many have disabled UAC because of its frequent dialog boxes. In Windows 7, though, Microsoft has granted new rules that allow changes to Windows settings without notification, although other alterations still requite notifying the user.
But, as Zheng pointed out:
“The Achilles’ heel of this system is that changing UAC is also considered a ‘change to Windows settings’, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.”
“We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc.”
He noted that Microsoft could implement a fix “without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click ‘yes’) but a simple one I would encourage Microsoft to implement seeing how they’re on a tight deadline to ship this.”
Zheng said he has informed Microsoft of the problem, but the company has insisted that “the functionality is ‘by design’, dismisses the security concerns and again leans towards they will not be addressing the issue for the final release of Windows 7.”
