A researcher at Sophos called the UAC feature in Windows 7 ineffective after numerous pieces of malware snuck by the technology in a test.
Microsoft first introduced User Account Control in Windows Vista to improve security. After some users complained the number of alerts it generated were annoying, the company pledged to cut down on the number of prompts in Windows 7. The move however has raised concerns in the security community, and Sophos Senior Security Adviser Chester Wisniewski said his test proves Microsoft took it a step too far.
Wisniewski wrote on his blog Nov. 3 that seven of the 10 pieces of malware he tested ran with the default UAC enabled in Windows 7 without generating any prompts. As part of the test, no antivirus software was installed on the system. Two of the malware samples did not work in Windows 7; of the remaining eight, only one generated a prompt, and that one still would have been installed had the user clicked yes, Wisniewski told eWEEK.
When asked about the test, Microsoft officials pointed to the other features of Windows 7 that have improved security.
“Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP),” a spokesperson said.
“Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released,” the spokesperson added. “Coupled with Internet Explorer 8-which includes added malware protection with its SmartScreen Filter-and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions.”
Still, Wisniewski noted on his blog that UAC’s failure to truly block more than one sample reinforced his warning prior to the Windows 7 launch that the feature’s default configuration does not ensure protection from malware.
“Lesson learned? You still need to run antivirus [protection] on Windows 7,” he blogged.