Windows 7 Testers Uncover Another UAC Flaw
Last week, Microsoft bloggers Long Zheng and Rafael Rivera published simple proof-of-concept code that automatically disables UAC in Windows 7 without any user interaction. On Wednesday, Zheng and Rivera published details on a second UAC flaw in the Windows 7 beta that stems from the OS being set up to automatically elevate Microsoft-signed applications and code in order to minimize UAC alerts.
The problem, according to Zheng, is that some of these trusted, Microsoft-signed applications are designed to execute third-party code for legitimate reasons, which allows attackers to create malware that exploits their trusted status.
"Unfortunately, this flaw is not just a single point of failure. The breadth of Windows executables is just too many and too diverse, and many are exploitable," Zheng wrote.
Microsoft denied that the first UAC flaw was actually a flaw, claiming that the only way UAC could be changed without the user's knowledge was if malicious code was already running on the box.
Microsoft is still investigating the second UAC flaw, said a spokesperson who declined to comment further. However, both Zheng and Rivera reported hearing rumors that the second UAC issue has been fixed in internal Windows 7 builds.
To illustrate the potential impact of the second UAC flaw, Rivera published a proof-of-concept that could let attackers use rundll32.exe -- one of the Microsoft-signed applications -- to execute malicious code on a PC with full administrative privileges.
Zheng recommended that Windows 7 beta users set their UAC settings to 'high' in order to minimize the danger for both flaws. However, that makes UAC in the Windows 7 beta behave in the same overly chatty fashion it did in Vista, which once again highlights the difficulty of balancing security and usability concerns.
While Windows 7 is expected to hew to the same high security standards as Vista, security experts are watching Microsoft's response to the UAC issues closely, and some are beginning to take issue with how the software giant is responding to the UAC reports.