Windows 7 UAC vuln not a vuln, MS repeats When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK. That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of …
"There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows"
So basically, what they're saying is "use the browser we're not supposed to be shipping and tying to our operating system to gain another level of perceived safety which isn't offered byu UAC, which we put in to place the burden onto the user rather than on our software design"
And here I thought Microsoft was actually learning something ...
Only two is two many?! That ridiculous.
I had WAY too many in Vista. I work in my company's IT department, and I do a lot of OS reinstallations. When I did Vista installs, I was getting one every time I tried to change a Control Panel setting. Sometimes, it would even close Explorer because it was trying to do one of the good-ol' illegal operations.
part of the issue in Vista, in my opinion, is the way that Vista informs a user.
Rather than a small info box prioritised to stay on top it floods the whole screen.
I'd guess that from a UX point of view that is "Whoah! What's happening here?!" reaction rather than a managed and more traditional infobox thingy.
Maybe it should be a bright red, alert symbolified traditional infobox thingy rather than blanket out the whole screen type thing?
Maybe even "This is a top priority alert" banner heading across the info box?
Maybe one should be able to say:
My computer has been nicked.
I am a registered and licenced user with permissions activated on a device I no longer own therefore I request you to suspend all licences in my name on the device and give permission for you to contact Police quoting crime reference ..... Should the device try to use my licence to perform some online activity thereby declaring its presence please inform the police immediately.
Now that might just make the licenced use of on declared device type model more pragmatically workable?
Today I finished writing a proof-of-concept application that demonstrates a third flaw of the Windows 7 UAC design.
I don't know whether this is fixed in the reported changes that will go into the final build as they haven't been released for people to inspect. I feel they really should be another beta at least, else these problems could wind up left in the retail release.
The flaw I demonstrate allows:
- Any *unelevated* process
- On an x64 or x86 Windows 7 with default settings
- To create and use elevated COM objects without any UAC prompts
- Using code injection into *any* process that is flagged for silent elevation.
If it needed to it could scan the running processes and pick a random one that had the appropriate elevation manifest but at the moment it just targets Explorer.exe.
It demonstrates what I was trying to prove which is that fixing the problem in, or removing the silent elevation flag from, individual programs such as RunDll32.exe may make attacks a little bit harder but does not fix the problem.
Here is a video (with a mirror site donated by a friend as the first one seemed slow):
http://nudel.kelbv.com/W7Elevate/W7Elevate.htm
http://leo.lss.com.au/W7Elevate/W7Elevate.htm
I'm in the process of writing up what it does. The write-up will appear here once I've finished it:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
(If the URL doesn't work then I'm still typing away. :))
Before anyone says that "it just copies a file, so what?!", note that it's copying to Program Files, a protected area, and I could trivially make it do other things. The demo is just to prove that the unelevated process is doing things it shouldn't be able to do. My intention isn't to produce a proof-of-concept program that actually does some damage; just to prove that there's a problem here that could be exploited by someone malicious.
Besides, if you can rename, delete and replace files in System32 and Program Files then you can easily take full control of a machine.
> "Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.
That attitude is exactly why Microsoft need to be removed from the software market. It shows a spectacular ineptitude when it comes to understanding the users.
The simple fact is that software manufacturers are still failing miserably to understand their markets. In this case, DeVaan is asking users to have some grasp of security and not clicking on things they shouldn't. This clearly shows DeVaan, and, by extension, Microsoft, to be clueless fuckwits.
Yes, users shouldn't click on stuff. But you are a fuckwit if you fail to assume that they will.
(and no, it's not just MS, our Linux fanboys need to learn that most computer users "get" a Windows XP desktop - so please make KDE/Gnome etc work the same. Hide what you want behind the right-click or control panel, but you won't "sell" Linux until the users can glance at the ***default*** desktop and see "my computer", "my documents", and "maybe a couple of other blindingly obvious icons" on their desktop, with a programs/quicklaunch/tasks/systray/clock)
is that almost all malware *does* get onto a computer with the users express permission. Most ordinary users don't know what they are giving permission to and what that permission will let them do.
Telling the user that running any and everything, not signed by microsoft, could potentially damage thier system, are they sure they want to proceed, is bound to cause problems. The user gets used to the fact that they are asked for stuff that is perfectly safe, just non-microsoft
If i actually want to run Iamavirus.exe, not realising it's a virus, then no security* on any operating system will stop that.
*well whitelisting will, if you absolutely trust the list, but i don't want to give microsoft any silly ideas, like disabling anything not expressly signed by themselves.
Hey Dopus buddy,
Nice to see you still around hacking away :]
Now convince Jon and Greg to write Directory Opus for Linux, I want to buy it along with a stink load of other people I bet.
Back on topic, would the programs replaced in Program Files run if replaced as if they were original as they are trusted from just being present where they are, or is there a sig/hash check or something similar also
SubBASS
UAC in Vista is annoying enough to some users that they turn it off. Microsoft have introduced a slider so that you can progressively make it more/less annoying/secure. The default is a halfway house between annoying and secure.
If you're worried about security, you can turn the slider up. If you're not, you don't care. More options are good, no?
Paris icon 'cos she enjoys regular, invasive popups.
Ryan, do you work for an MS VIP partner?
The problem is that UAC wasn't the way to secure the OS. The OS should BE secure.
But marketing want, nay DEMAND, the OS be easy to use for someone who knows nothing. Which means that a clever person can fake it so that the OS does what this nefarious individual wants.
And having made this OS do it, they can't UNDO it because that would be, like, admitting they were wrong, wouldn't it. And where would their bonuses go then???
So instead of fixing the OS, the wrap a layer on top that then, instead of securing the OS, makes the user responsible for any insecurity.
Which is nice.
"UAC in Vista is annoying enough to some users that they turn it off. Microsoft have introduced a slider so that you can progressively make it more/less annoying/secure. The default is a halfway house between annoying and secure.
If you're worried about security, you can turn the slider up. If you're not, you don't care. More options are good, no?"
So you can have annoying and moderately unsecure, insanely annoying and secure or completely unsecure, which would lead to insanely annoying when your machine is trashed.
Where can I buy this fantastic bit of software?
In all my years most issues ive found with users computers are because the user them selves have made the mistake.
Yes you can say that they will always do this so it automatically makes them not at fault but there has to be a limit, i know someone that actually deleted half his Windows folder to free up space, if a user is determined they will bugger it up, that is a fact, if a user ignores basic advice like keeping up to date anti virus and not turning the firewall off because its a pain then it IS the users fault.
MS is correct, it is very hard / almost impossible to install dodgy programs WITHOUT the users intervention, you mention about injections in to suitable host programs, but please tell the masses how you did that?
i bet my life you didnt do it from half way round the planet on a fresh PC which was uptodate and secured, my bet is you did it from the computer its self. Well call me old fassioned but i dont know many hackers that go to the lengths of gaining physical access to users computers
Im not saying its perfect, infact far from it, there are many issues, but it IS gettings better, and any progress forward is good progress. Fact is most people use Windows, you lot can bash MS all you want, that doesnt change the fact, good or bad that is the truth.
Instead of you lot helping the users out there you attack MS, some of you openly publish exploits on the net which harms more users, you keep up the pretence of helping people but your not. if you find an exploit, tell MS, dont tell the world, then rather than MS having to chase its tail fixing millions of little bugs in a knee jerk reaction they could get their heads on and fix the damn thing in the first place.
Old news dude, Vista exploit discovered in at least 2007
I ain't posting the asm obviously, but this proves ain't fibbing;
GetModuleHandle
VirtualAlloc
WriteProcessMemory
CreateRemoteThread
DLL_PROCESS_ATTACH and you're away
It does highlight a more generic issue with closed source like Windows, you have a (publically) undocumented function (NtCreateThreadEx) and people will try to find out what it does, security by obscurity is not security at all.
The reason it fills the entire screen and fades everything behind it is so the user knows it is the OS prompting and not a malicious program. With any other sort of alert this prompt could be spoofed by the program itself.
If it could be spoofed I suppose what it could do was to keep asking the user if it could continue and then keep appearing if the user clicked No. The user would get pi**ed off with this and eventually click Yes, allowing the program to do what it wants if that happened to be the real OS dialogue. Also,Vista might control this so you can only have one instance of the elevated privileges prompt appearing once per process so the user cannot be tricked in this way if Vista is the only thing that can fade the screen. I wonder if you could spoof this prompt though by taking a screen shot, fading it and the displaying it as your app's background at full screen?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
