Microsoft fixed a privilege escalation issue in internal beta builds of Windows 7 that was raised by researchers, the company said. Still, Microsoft officials take issue with claims that UAC’s default setting can be classified as a vulnerability.
The issue relating to UAC was publicized by Windows bloggers Rafael Rivera and Long Zheng. During the week of Feb. 2, Zheng and Rivera have posted proof-of-concept code that circumvents UAC in the Windows 7 beta and allows hackers to use preapproved Microsoft applications to fool Windows 7 into granting malicious code full access rights.
The core of the issue is that by default, Windows 7’s UAC is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings.” According to the researchers, Windows 7 uses a special Microsoft Windows 7 certificate to distinguish between third-party programs and applications or applets that manage Windows settings.
Because some Microsoft-signed applications can also execute third-party code, and there is an inherent trust for everything Microsoft-signed, the chain of trust inadvertently flows onto other third-party code as well, Zheng explained. As a result, it is possible for hackers to use that trust to change the UAC settings without the user ever knowing, the researchers said.
“This public disclosure comes after a private disclosure to Microsoft and Windows 7 beta testers earlier this week,” Zheng wrote on his blog Feb. 4. “If and until a patch is available, I feel obliged to outline the elevated risk to the millions of Windows 7 beta user running Windows 7 beta in its default UAC policy of ‘Notify me of changes by program, not of Windows changes,’ which does not adequately enforce the privilege system, arguably an essential factor to a safe operating system.”
Microsoft, however, contended that UAC works as it’s supposed to.
“The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running,” blogged Jon DeVaan, senior vice president of Microsoft’s Windows Core Operating System Division. “There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent.”
According to DeVaan, Microsoft has added two options to UAC that were not available in Windows Vista-“Notify me only when programs try to make changes to my computer (without desktop dimming)” and “Notify me only when programs try to make changes to my computer (with desktop dimming).” Windows Vista only allows for “Always Notify” and “Never Notify.”
The idea was to give users more choice, and to keep the prompts from becoming annoying. Though a Microsoft spokesperson offered no timeline for when the fix in the internal beta builds would make its way to the public, the spokesperson said the fix will be in the upcoming release candidate.
In the meantime, users of the current beta can change their UAC settings to higher levels as a solution.