Microsoft: Windows 7 UAC Issue Not A Flaw

Introduced with Windows Vista, UAC boosts security by reducing application privileges from administrative to standard levels in order to limit the impact of malicious code, but many users ended up disabling UAC because it generated far too many alerts. Microsoft responded by adding a new UAC Control Panel in Windows 7 that gives users more control over the alerts.

But last week, Microsoft bloggers Long Zheng and Rafael Rivera published simple proof-of-concept code that automatically disables UAC in Windows 7 without any user interaction, paving the way for attackers to load malware onto PCs without users' knowledge. Windows 7's default UAC setting is to alert users only when third-party programs try to make changes to a PC, and not when users make changes to Windows settings.

Zheng and Rivera noted that many other Windows 7 testers had reported the same issue to Microsoft through its beta portal, Connect, but Microsoft didn't seem to consider it an issue that needed fixing.

On Tuesday, a Microsoft spokesperson reiterated this position. "This is not a vulnerability," said the spokesperson in an e-mail to Channelweb.com. "The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level."

"The only way this could be changed without the user's knowledge is by malicious code already running on the box," added the spokesperson. "In order for malicious code to have gotten onto the box, something else has to have already been breached -- or the user has to have explicitly consented."

The UAC issue highlights the thin line Microsoft and security vendors must tread between convenience and security, and it can also be seen as an example of how Microsoft gets bashed no matter what it does to improve the security of Windows.

However, several security solution providers aren't buying Microsoft's explanation for the UAC issue.

"This is clearly a threat," said Bill Calderwood, president of The Root Group, a Boulder, Colo.-based security solution provider. "With the volume of security issues Microsoft has had to deal with over the years, I'd be surprised if they don't act on this one quickly."

"I do believe this qualifies as a vulnerability," said Eric Anderson, CTO of Netanium Network Security, a Chelmsford, Mass.-based solution provider. "With this exploit, a moderately skilled script kiddie could easily disable UAC as a precursor to other activities, essentially shutting off the alarm -- and even unlocking the door."

Ken Phelan, CTO of Gotham Technology Partners, a solution provider based in Montvale, N.J., said Microsoft had to change the way UAC works to make it more user-friendly, but striking the proper security balance without annoying users remains one of the security industry's most difficult challenges.

"We know from experience that users will begin simply answering yes by rote if they are continually pestered with 'Are you sure?' questions," said Phelan. "In the end, UAC is an immature answer to end-point security."

Phelan believes Microsoft would have been wise to replace UAC with more innovative security technology. "Many companies have put forth technologies that manage this mobile code in more intelligent ways. Code can be sandboxed, and code can be measured by its behavior," he said.

The Windows 7 UAC dust-up is an example of the challenge Microsoft faces in terms of making its software easy to use but secure enough for the lowest common denominator of user, according to Daniel Duffy, CEO of Valley Network Solutions, a Microsoft Gold partner in Fresno, Calif.

"UAC was a great idea that was poorly implemented in Vista, and Microsoft has to do something about uncontrolled access to certain settings," said Duffy. "But people should also remember that [Windows 7] is still beta code, so it's got time to bake."