Microsoft changes Windows 7 UAC after new exploit surfaces

By iva at 8:09 pm on February 6, 2009 | 1 Comment

Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127392

The User Account Control (UAC) in Microsoft’s Windows 7 has already been compromised. Two programmers have written code that can alter the UAC settings and, upon restart of the machine, execute arbitrary code with administrative privileges.

The problem stems from Windows 7’s new UAC default settings. UAC is Windows’ primary security feature, designed to alert the user to changes happening within the system and to request consent before proceeding with certain tasks, such as installing programs. This feature, introduced with Vista, has met considerable criticism, particularly because most users consider it an annoyance. In an effort to alleviate this and reduce such disruptions, Windows 7 has headed down the opposite path. The Windows 7 UAC defaults to a greatly reduced number of pop-ups and allows you to change the user permission level (from regular to administrator) without notification. This becomes a real problem when the operating system cannot distinguish between a change made by a user and a change made by a program. And therein lies the vulnerability: all a malicious script has to do is get onto the system, either by convincing the user to click on (consent to) it or through some other breach. Once in, the script can silently change its permission level, force a restart, and begin executing whatever code it wants with administrator privileges. As with most security vulnerabilities, this requires the user to consent to the script by downloading or running it; however, numerous phishing exploits show the frightening success attackers have had in accomplishing exactly that.
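As an added example (not from the article or its source), the following PowerShell audit reads the local UAC policy values from the registry and reports which prompt level is in effect, flagging anything weaker than "Always notify". The registry path and value names are the standard UAC policy values; the fallbacks used when a value is absent are an assumption.

```powershell
# Added example, not from the article: audit the local UAC prompt level.
# Registry path and value names are the standard UAC policy values;
# the fallbacks used when a value is missing are an assumption.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin for members of the Administrators group.
$AdminPromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) { return 'UAC disabled' }
    $behavior = $AdminPromptBehavior[$ConsentPromptBehaviorAdmin]
    if (-not $behavior) { return "Unknown ConsentPromptBehaviorAdmin value $ConsentPromptBehaviorAdmin" }
    # Map the policy pair onto the Windows 7 slider positions where one matches.
    if ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) { return 'Always notify' }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) { return 'Notify only when programs try to make changes (Windows 7 default)' }
    if ($ConsentPromptBehaviorAdmin -eq 5) { return 'Notify only when programs try to make changes, without dimming the desktop' }
    if ($ConsentPromptBehaviorAdmin -eq 0) { return 'Never notify' }
    return "Custom policy: $behavior"
}

function Test-UacConfiguration {
    $p = Get-ItemProperty -Path $UacKey
    # Assumed fallbacks when a value is absent: UAC on, consent for non-Windows binaries, secure desktop on.
    $enableLua  = if ($p.EnableLUA -ne $null) { [int]$p.EnableLUA } else { 1 }
    $consent    = if ($p.ConsentPromptBehaviorAdmin -ne $null) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($p.PromptOnSecureDesktop -ne $null) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $level = Get-UacLevel $enableLua $consent $secureDesk
    # New-Object rather than [pscustomobject] so the script also runs on Windows 7's PowerShell 2.0.
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        AlwaysNotify               = ($level -eq 'Always notify')
    }
}

Test-UacConfiguration | Format-List
```

Reading the key needs no elevation, so the check can run from a standard user session; AlwaysNotify is false on a machine still at the Windows 7 default described above.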

Security is a difficult art to perfect, mostly because its importance is easily forgotten by the one who matters most: the end user. The threat of exploits is felt most heavily when it is too late, and it is all too easy for uninformed users to ignore. It really can become a hindrance having to repeatedly approve actions you initiated, such as the installation of a popular program. Users are exposed mainly to the obstruction that security measures present and less so to the protection that they offer, as (hopefully) most users never have to deal with an attack. This is the problem Microsoft faces. They need to strike a balance in which they protect the user without taking away from the experience (through frustration with security barriers). Cutting back on UAC pop-ups is perhaps favorable; however, it should not go so far as to defeat the purpose of the entire security system in favor of usability. Changes to a central security setting, such as the user permission level, should not go unnoticed. It is certainly an important enough change to merit user attention in all cases, and furthermore it is likely to be performed infrequently enough not to cause any significant annoyance. It is important that security features be carefully integrated into the system, with the user in mind, so that they are not rendered useless because the user disables them; at the end of the day, however, their job is to protect the user, not to appease them.

Filed under: Current Events, Miscellaneous

1 Comment


    Comment by Sam Hagin

    February 24, 2009 @ 3:26 pm

    It's always better to have a good antivirus program instead of relying on UAC. I hate UAC and I always have it disabled on my machine.
