In response to user concerns, Microsoft has agreed to change the User Account Control feature in Windows 7 so it generates a prompt if there is an attempt to alter its settings.
The decision was something of a reversal for Microsoft, which earlier indicated it did not want to force users to deal with additional prompts despite a debate that was raging in the blogosphere.
“With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see,” according to Microsoft’s Engineering Windows 7 blog. “First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.”
The debate over the UAC settings began when Windows bloggers Rafael Rivera and Long Zheng posted proof-of-concept code that circumvents UAC in the Windows 7 beta. The attack allowed hackers to use pre-approved Microsoft applications to fool Windows 7 into granting malicious code full access rights.
The company announced the move late Feb. 5, hours after it agreed to fix what officials called a privilege escalation issue in Windows 7 uncovered by Zheng and Rivera.
Currently, the default UAC setting in the Windows 7 beta is set to only notify users when programs try to make changes. According to Zheng and Rivera, Windows 7 uses a special Microsoft Windows 7 certificate to distinguish between third-party programs and applications/applets that manage Windows settings.
Due to the fact some Microsoft-signed applications can also execute third-party code, and there is an inherent trust for everything Microsoft-signed, the chain of trust inadvertently flows onto other third-party code as well, Zheng explained in a blog. As a result, it is possible for hackers to exploit that trust to change the UAC settings without the user’s knowledge, the researchers explained.
Though it agreed to the additional change, Microsoft continued to defend its actions, stressing once again that for the attack to matter, the machine would already have to be compromised. As a result, the situation was technically not a vulnerability in the UAC.
“It is important to look at the first step-if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else,” Microsoft officials contended on their blog.