The Last Watchdog

on Internet security by Byron Acohido

Windows 7’s security ‘time bomb’

Posted on | October 26, 2009 | 8 comments

Battered by braggart hackers and a budding cybercrime industry, Microsoft changed paradigms when Bill Gates issued his “Trustworthy Computing” memo on Jan. 15, 2002. No longer would the world’s richest software company make functionality king. Security would be the new guidepost.

“Great features won’t matter unless customers trust our software,” Gates pronounced at the start of 2002.

Fast forward to the fall of 2009. While Microsoft has made great strides in security, the decision to add gradations to the User Account Control mechanism in Windows 7 — and to set the default at medium-high — once again lays bare the company’s ingrained features bias.

“Overall Windows 7 is a big improvement and a much more secure operating system,” says Eric Voskuil, CTO of security firm BeyondTrust. “However, UAC in its default configuration is a ticking time bomb.”

UAC is the feature introduced in Vista that finally made a distinction between user-level access, needed to open files and work with data, and administrator-level access, needed to install new applications on your hard drive. From a security standpoint, user-level access is restricted, and therefore good; administrator-level access is wide open and thus can be very, very bad.

User-level vs. administrator-level access

In Windows XP, administrator-level access was enabled by default, a big reason cybercriminals have been able to install malicious applications on tens of millions of Internet-connected Windows PCs and amass them into botnets to carry out Internet-enabled criminal activities.

Microsoft designed UAC to put users in control of when to grant administrator-level access to the hard drive. But UAC frequently prompts Vista users for permission to do something, sometimes more than once. Apple ridicules Vista’s UAC, portraying it as an overbearing secret service agent in this TV commercial, even though Mac OS X has a very similar security feature, albeit more elegantly executed.

Because many annoyed Vista users simply turned UAC off — in effect reverting to XP-level exposure with wide-open administrator-level access — Microsoft created a slider bar, shown below, for Windows 7 that lets users choose two intermediate levels of access, medium-low and medium-high.

To enable these gradations Microsoft created a mechanism called “auto-elevate” that automatically grants administrator-level access for certain routine functions. This feature increases usability by reducing the number of permission prompts the user sees.

In early July 2009, a programmer named Leo Davidson published proof-of-concept code showing how any program, good or bad, could tap into the Windows 7 auto-elevate feature when UAC was set at off, medium-low or medium-high. The upshot: setting the UAC default at medium-high would reduce the number of annoying prompts users see — but also leave a door wide open for cyber criminals to access the hard drive.

Davidson’s discovery and disclosure were very much in the same vein as the work of vulnerability researchers who’ve discovered and disclosed thousands of Windows operating system vulnerabilities, some of which have subsequently led to infamous cyber attacks — from CodeRed to Conficker.

Framing the debate

In fact, Microsoft quickly listed Davidson’s proof of concept exploit as malware.

But then a debate ensued that underscores Microsoft’s ongoing struggle to balance features and profits against security and the risk of losing the public’s trust.

On one side of the debate, security researchers like Voskuil and a 21-year-old Melbourne college student and security blogger named Long Zheng argued that Microsoft was obligated to somehow mitigate the auto-elevate vulnerability. However, the only way to do that was to get rid of the medium-low and medium-high UAC gradations, in effect dumping auto-elevate, says Voskuil.

On the other side, two of Microsoft’s best and brightest — Dr. Mark Russinovich, one of only 22 Microsoft Technical Fellows, and Jon DeVaan, Senior Vice President, Windows Core Operating System Division — dug their heels in to defend the auto-elevate feature.

To Russinovich’s and DeVaan’s credit, each engaged fully in the debate and laid out their positions in detail.

Russinovich argues in this blog post that, while the auto-elevate exploit disclosed by Leo Davidson is viable, it would require deliberate intent and a non-trivial effort to put into action. “The follow-up observation is that malware could gain administrative rights using the same techniques,” writes Russinovich. “Again, this is true . . . from the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (“Vista mode”).”

DeVaan in this blog post acknowledges that UAC “is one of those features that has a broad spectrum of viewpoints with viewpoints and advocates staking out both ends of the spectrum…security on one end and usability on the other.”

DeVaan then goes on to argue that UAC is “not a security boundary.” Therefore, he asserts, the auto-elevate flaw exposed by Leo Davidson does not “constitute a vulnerability.”

Thus when Windows 7 launched on Thursday, Oct. 22, 2009, it shipped with a UAC default setting of medium-high.

“This is the decision they felt they had to make to sell Windows 7,” says Voskuil. “From a security standpoint, they should at least be honest about it.”

Voskuil says cybercriminals have already begun to tweak their attacks to slip through the medium-high setting. “It defeats the purpose of the whole system,” he says. “Anybody can do whatever they want; all they need to do is get the user to launch code.”

Playing to cyber criminals’ strengths

The medium-high UAC default setting plays directly to the strength of cyber gangs adept at tricking PC users into clicking on corrupted Web links arriving in email spam, Twitter microblog postings, Facebook messages and Google search results as LastWatchdog reported here. The bad guys are also planting infectious launch code hidden in online advertisements displayed by popular Web sites, such as the New York Times. The prime criminal directive: infect as many PCs as possible to turn them into bots and align them into botnets, the engines driving cyber crime.

Cybercrime has come a long way since Bill Gates issued his Trustworthy Computing memo in 2002. Hardly anyone, save for raw newbies or political activists, launches attacks for bragging rights. Cybercrime has emerged as a centi-billion dollar, smooth-running, steadily expanding global industry.

Malicious software tool kits, like MPack, Turkojan and ZeuS, can be readily purchased and easily customized. This malware is being churned out by professional programmers, like A-Z, the young and rich author of ZeuS, whom I wrote about in this investigative cover story.

“They will take Leo’s code, or write their own, because it’s not difficult to do, and integrate it into their own malware, and when it launches on your Windows 7 machine, through whatever mechanism, it will get past the medium-high setting on UAC,” predicts Voskuil.

Cyber criminals are counting on most Windows 7 purchasers to stick with Microsoft’s default settings. Voskuil recommends immediately elevating your Windows 7 UAC default setting from “notify me only when programs try to make changes to my computer,” to the “always notify” setting.

You will see more annoying prompts. But you will be better protected.
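The slider positions above, and Voskuil’s recommendation, map onto three registry-backed policy values that Windows 7 reads at logon. The following PowerShell script is an added example (not code from the article, from BeyondTrust or from Microsoft) that reports which slider level a machine is on in the terms used above and, from an elevated prompt, moves it to “always notify”. It is written for PowerShell 2.0, the version that shipped with Windows 7, so it avoids later syntax; the value-to-level mapping is the standard Windows 7 one, and the function names are my own.

```powershell
# Added example, not code from the article or from Microsoft: read the three
# policy values behind the Windows 7 UAC slider, name the level the way the
# article does, and optionally harden the machine to "Always notify".

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA                   # 0 switches UAC off entirely
    $consent   = [int]$p.ConsentPromptBehaviorAdmin  # 2 = always prompt, 5 = prompt only for non-Windows binaries, 0 = never prompt
    $secure    = [int]$p.PromptOnSecureDesktop       # 1 = dim the screen (secure desktop) while prompting

    if ($enableLua -eq 0 -or $consent -eq 0) {
        $level = 'Never notify (UAC off; XP-level exposure)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify ("Vista mode")'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Medium-high: notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Medium-low: same as medium-high, without the secure desktop'
    } else {
        $level = "Non-standard policy (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    # Auto-elevate is in play at every slider position below "Always notify".
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        AutoElevateExposed         = -not ($enableLua -eq 1 -and $consent -eq 2)
    }
}

function Set-UacAlwaysNotify {
    # The policy key is writable only by administrators, so refuse early with a clear message.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    # Re-read the key so the caller sees the effective values rather than trusting the writes.
    Get-UacLevel
}

# Usage:
#   Get-UacLevel          # report the current slider position and whether auto-elevate applies
#   Set-UacAlwaysNotify   # harden to "Always notify"; a reboot is needed only if EnableLUA was 0
```

The report is the useful half for a fleet: running `Get-UacLevel` across machines shows which ones are still on the medium-high default, and `AutoElevateExposed` is true for every position except the top one, which is exactly the set of settings Davidson’s proof of concept applied to.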

Expert commentary encouraged.

by Byron Acohido


Comments


  1. Is this bug the one that will lower (or turn off) UAC without prompting the user at all? The change level setting bug, I mean?

    If so, then I would ask how hard it would be to make changing the level into an item that requires you to be prompted? The OK button already has a UAC shield, so it obviously falls into the UAC realm. It shouldn’t be an issue to require that prompt regardless of whether I do it, or a program does it.

    Have a great day:)
    Patrick.

  2. Patrick:
    I don’t believe it is. Microsoft did fix a couple of UAC bugs, including that one, I believe, in response to feedback from the security community. This issue has to do with the auto-elevate function itself. Instead of UAC on vs. off, as per the Vista mode, Windows 7 has a medium and medium-high setting that automatically elevates some functions to administrator-level access. Leo’s exploit shows how auto-elevate can be accessed via an injection attack. That’s my non-technical understanding. Hopefully, Leo himself will comment here.
    Thanks,
    Byron

  3. When we’re dealing with the most widely used operating system in the world, hackers are going to show up in droves to infect and cause problems. That’s why I’ve always advocated that security needs to happen in a layered fashion. If you only have one layer such as Microsoft’s own security suite Essentials, there are holes that won’t be covered. If you add layers to that, then you’re going to have protection and the bad guys won’t have an open door policy to hack your system. In depth defense is what is needed because the OS, whether it’s Windows 7 or Vista or whatever’s next, is always going to be the target and the bad guys will find a way through.

  4. UAC’s goal was to finally wean Windows software developers off of requiring administrative access for everyday applications. For that goal, it was very effective, and whatever issues happen to be found have no impact on whether well-behaved Windows applications are written one way or another. UAC makes well-behaved applications require fewer privileges to operate.

  5. Leaving security decisions to end users is never a solution; it simply ‘passes the buck’ in an effort to transfer the responsibility for security from vendor to consumer. End users are not security experts and cannot be expected to understand when they are at risk.

    Consumer level security functionality needs to be as transparent as possible. If it isn’t, it will be disabled. Microsoft has realized that placing security in the hands of end users with Windows Vista was a failed approach. While adding more granular settings for UAC in Windows 7 and ‘auto-elevate’ functionality may limit this scenario, it does not change the overall approach.

    UAC is not a solution to prevent malware, it is merely a band-aid to encourage software developers to adopt secure programming practices. Technical solutions such as DEP and ASLR will do far more to prevent the spread of malicious content. Fortunately, Microsoft continues to pursue such technical approaches which remain transparent to end users as they should.

  6. Thinking that users need not be involved in security, or that somehow it’s not their responsibility, is where we continue to fail in securing systems. Of course they have a role.

    Where Byron, and others, get it wrong is in recommending that consumers set their UAC level to high. Instead, consumers should be recommended (and the installation should ensure) that they create two accounts. The first is their Administrator account, and the second is their User account. The Administrator account environment should not allow tools like IE, Media Player, Windows Live, etc. The environment should not be customizable (i.e. you cannot have wallpaper, change the colors, or otherwise personalize it). IOWs make it so it is totally undesirable to use the Administrator account for day-to-day computer use.

    In this way you may end up with far more consumers using UAC’s default settings as Standard User rather than Administrator. As such, the issue described by Leo becomes far less an issue. If I can’t access my email while logged on as Administrator, I can’t double-click on the criminal attachment or link, can I?
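The two-account layout recommended in the comment above can be set up on Windows 7 with the built-in net.exe commands, since the New-LocalUser cmdlet did not exist in PowerShell 2.0. The script below is an added example, not code from the commenter; the account name is a placeholder and the function names are my own. It creates a standard (non-administrator) account for daily use and verifies that the account is in Users but not in Administrators, which is the property that makes Davidson’s auto-elevate issue moot for that session.

```powershell
# Added example, not from the comment's author: create a standard user for
# day-to-day use and verify its group membership. Run from an elevated prompt.

$DailyUser = 'DailyUser'   # placeholder name for the standard (non-admin) account

function Get-LocalGroupMembers {
    param([string]$Group)
    # net.exe prints one member per line between a dashed rule and a trailing status line;
    # trimming and dropping blanks leaves a list that -contains can match exactly.
    & net localgroup $Group |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^-+$' -and $_ -notmatch '^(Alias name|Comment|Members|The command)' }
}

function New-StandardUser {
    param([string]$Name = $DailyUser)
    # "*" makes net.exe prompt for the password instead of placing it on the command line
    # (and therefore in shell history and process listings).
    & net user $Name * /add
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    # A new local account lands in Users only; remove it from Administrators just in case.
    if ((Get-LocalGroupMembers 'Administrators') -contains $Name) {
        & net localgroup Administrators $Name /delete
    }
    Test-StandardUser -Name $Name
}

function Test-StandardUser {
    param([string]$Name = $DailyUser)
    # True only when the account exists as a plain user and is not an administrator.
    $inUsers  = (Get-LocalGroupMembers 'Users')          -contains $Name
    $inAdmins = (Get-LocalGroupMembers 'Administrators') -contains $Name
    $inUsers -and -not $inAdmins
}

# Usage:
#   New-StandardUser             # create the daily-use account (prompts for a password)
#   Test-StandardUser            # $true if the account is a standard user, $false otherwise
```

`Test-StandardUser` is the piece to keep around: run it after any software install, because setup programs on Windows 7 sometimes add the account they were run under to Administrators.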

  7. Russ:
    Thanks for laying out your strong stance. Realistically, though, the horse is out of the barn, don’t you think? Can you — or anyone — conceive of a plausible scenario by which Microsoft would reverse its rationale defending the current Win7 UAC default setting and move to configure the world’s dominant client OS along the lines you suggest?

  8. Russ Cooper is absolutely right, but there is a problem. The first account (admin in approval mode) in Vista/W7 is VISIBLE. As a system builder/retailer I know most users – even if they are the only user – won’t create a second user that defaults to a standard user. It all comes down to user skill, I think.
