Sophos' Windows 7 Infection Test

Chester Wisniewski, senior security adviser for Sophos Canada, Nov. 3 published on his blog a rather damning account of Windows 7 security and User Account Control. In his examination, he found that seven out of 10 malware samples tested were able to successfully run on a fresh Windows 7 installation employing the new, quieter UAC that is the default in the new operating system. Ugly. Not a surprise, but ugly. Also, it's not a test designed to be passed. In essence, the default setting for UAC in Windows 7 is, "Don't notify me when I make changes to Windows settings." So when Wisniewski downloaded malware samples onto the PC and ran them--simulating a user intentionally downloading and running a file obtained via e-mail or the Web--he was purposefully making changes to Windows settings, so UAC did not prompt him. The system acted as it was told to do, so it should come as no surprise that UAC did not block the malware installation. The shortcomings in Windows' 7 UAC design have been apparent for quite some time. In my August review of the RTM of Windows 7, I postulated that "the new settings--including the new default--serve to worsen the security protections UAC affords," a theory that seems to be borne out by this study. Basically, with Windows 7's UAC, Microsoft decided to step back from trying to save users from their own mistakes--leaving that role primarily to third-party security solutions. Indeed, Wisniewski comes to the same conclusion, that, "You still need to run antivirus on Windows 7." Leaving that argument aside, what Microsoft should be doing is figuring out ways to change the way people compute. That default UAC setting is only the default setting for users who are part of the Administrators group. Users that only have standard User privileges instead, by default, get the strongest option--to be notified when the user or programs make changes. And since the standard user doesn't have rights to automatically elevate their tokens in order to make the change anyway, they would have to enter over-the-shoulder administrator credentials to make the change. Certainly, I like to see security companies--or even Microsoft--publish the results of similar tests, focused on systems operated in a more secure manner. Malware running on an unprotected system with admin privileges is not news, while malware that runs and stays resident without admin rights certainly would be.

Chester Wisniewski, senior security adviser for Sophos Canada, Nov. 3 published on his blog a rather damning account of Windows 7 security and User Account Control.

In his examination, he found that seven out of 10 malware samples tested were able to successfully run on a fresh Windows 7 installation employing the new, quieter UAC that is the default in the new operating system.

Ugly. Not a surprise, but ugly. Also, it's not a test designed to be passed.

uac admin.png

In essence, the default setting for UAC in Windows 7 is, "Don't notify me when I make changes to Windows settings." So when Wisniewski downloaded malware samples onto the PC and ran them--simulating a user intentionally downloading and running a file obtained via e-mail or the Web--he was purposefully making changes to Windows settings, so UAC did not prompt him. The system acted as it was told to do, so it should come as no surprise that UAC did not block the malware installation.

The shortcomings in Windows' 7 UAC design have been apparent for quite some time. In my August review of the RTM of Windows 7, I postulated that "the new settings--including the new default--serve to worsen the security protections UAC affords," a theory that seems to be borne out by this study. Basically, with Windows 7's UAC, Microsoft decided to step back from trying to save users from their own mistakes--leaving that role primarily to third-party security solutions.

Indeed, Wisniewski comes to the same conclusion, that, "You still need to run antivirus on Windows 7."

Leaving that argument aside, what Microsoft should be doing is figuring out ways to change the way people compute. That default UAC setting is only the default setting for users who are part of the Administrators group. Users that only have standard User privileges instead, by default, get the strongest option--to be notified when the user or programs make changes. And since the standard user doesn't have rights to automatically elevate their tokens in order to make the change anyway, they would have to enter over-the-shoulder administrator credentials to make the change.

uac user.png

Certainly, I like to see security companies--or even Microsoft--publish the results of similar tests, focused on systems operated in a more secure manner. Malware running on an unprotected system with admin privileges is not news, while malware that runs and stays resident without admin rights certainly would be.

Reblog this post [with Zemanta]