Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Hole In Windows 7 UAC

Posted by kdawson on from the cancel-or-allow dept.

An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."

12 of 388 comments (clear)

  1. Microsoft already replied by DavidR1991 · · Score: 5, Informative

    MS have already said that this flaw is "by design" to stop the appearance of too many UAC prompts when users alter their own system settings

    http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/

    1. Re:Microsoft already replied by nstlgc · · Score: 3, Informative

      Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

      Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM.

      It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

      There's no good reason for writing there, and doing so is exactly what messed up "running as an administrator" in XP and below. Ask the author of your application to make it less retarded.

      It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

      Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC. It's almost like you're being proud of being an idiot.

      YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

      Yes, I'd prefer that they would install like normal drivers (not at system startup) and that they go through the effort of getting signed. And if you're still on 32bit Windows, this is not even a problem.

      But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

      --
      I'm Rocco. I'm the +5 Funny man.
  2. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 5, Informative

    if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning"

    That's completely wrong. The entire point of the UAC prompt is that it can't be automatically dismissed by simulated user input. The UAC prompt runs on a separate virtual desktop from everything else (which is why it flickers), and the kernel enforces that only real user input can touch it, and you can't run your own code in the kernel without going through a UAC prompt, so it's secure.

    If this guy is right and UAC can be disabled without user input, then the entire UAC system instantly becomes pointless. Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts. If you can't do that, then UAC has failed. Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

  3. Long Zheng seems like a nice bloke by amirulbahr · · Score: 3, Informative

    but is certainly no security expert.

  4. Re:Anonymous submitters by MichaelSmith · · Score: 4, Informative

    What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

    That would certainly be something.

    --
    http://michaelsmith.id.au
  5. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 4, Informative

    I'm afraid you're wrong. When UAC is on programs you execute are run under your user account which is normally (by default) a member of the Administrators group. However, the programs are run in a special mode where they are prevented from actually using most of the administrative rights granted to your account. (You can read all about it in Wikipedia.) When a UAC prompt comes up you don't have to type a password because you're not logging in to a different account; you're just granting permission to use the full administrative rights your account already has.

    It is also possible to use UAC from a non-administrator account. In this mode you must type a password every time a UAC prompt comes up, instead of just clicking "continue". Few people do this because it is not the default setup and it's even more annoying than regular UAC.

  6. Re:Short: Don't work as Administrator by drsmithy · · Score: 3, Informative

    No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

    "Administrator" in Vista is not the same as "Administrator" in earlier versions. It is akin to be being an 'admin' in OS X or Ubuntu - it just means you can elevate your privileges if required, not that you can do whatever you please.

  7. Re:Short: Don't work as Administrator by Jeremy+Visser · · Score: 4, Informative

    You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

    Right on the money.

    I use Synergy 2, which lets me control my keyboard and mouse from another computer over the network. It's functionally no different to a keypress simulator like the G.P. mentioned.

    When using Synergy, I cannot use the remote mouse and keyboard to accept UAC prompts. I have to move to the local machine and physically click the button locally for it to work. Same goes for administrative apps -- if an app is running with administrative privileges, Synergy cannot register clicks on the privileged window. Unless I run Synergy itself as an administrator.

  8. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 3, Informative

    The short answer: Because you're not really running as an admin. On OS X, the "admin" accounts are not really admins. They are allowed to authenticate to use root privileges however. To put it simplified... for *nix, regular user accounts are a member of the "users" group. If you decided that user account should have access to the sudo command, you add them to the "wheel" group (at least that's how it's setup on my distro).

    Now, let's compare to Windows Vista/Windows 7: Your "regular" user account is actually a member of the administrators group. The application in question is asking permission to use your full administrative permissions. You are not inputting a password to authenticate higher privileges. You already have them, you just saying "sure, go ahead" to the application/installer/whathaveyou.

  9. Re:Short: Don't work as Administrator by mario_grgic · · Score: 3, Informative

    Well it's not that simple. On OS X for example you can be an administrator and you still can't delete system files. You need to be root to do that. Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do. On Linux you can.

    So for that hypothetical admin user to delete everything he would have to first become root (either by doing sudo, or starting a root shell, being authenticated first) and then executing rm -rf /

    So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.
  10. Re:Short: Don't work as Administrator by drsmithy · · Score: 4, Informative

    Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do.

    sudo su -

    Congratulations, you're logged in as root.

    sudo passwd

    Even more congratulations are due, you now have the ability to login from the login window as root.

    So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

    Actually, on an OS X system there are (or were, I haven't looked for a while) a lot of system-level files (including a lot of stuff in /Applications, like Installer.app) that are writable by any 'admin' user. So even without elevating, an 'admin' user could do a lot of damage to an OS X machine.

  11. This is completely false. by coryking · · Score: 4, Informative

    That is 100% not true. Your user account *is running as a regular user* no matter what group it is in. It doesn't matter if you are in the admin group (unless you stupidly disable UAC, in which case you basically run as root).


    "UAC" = "sudo [program name]"
    "Vista, Administrator Group" = "your account is in /etc/sudoers with 'username = NOPASSWD: [your program]'"
    "Vista, non admin group" = "sudo [program name] with password, but that depends on the group policy... "

    Your highly moderated post is 100% mis-information and is *not true*. YOU ARE NOT RUNNING AS ROOT UNTIL YOU ELEVATE VIA UAC!!