Bloggers Long Zheng and Rafael Rivera have found what appears to be a serious failing in the emasculated version of User Account Control (UAC) that Microsoft is including in Windows 7: Apparently, it doesn’t work and is very easy to bypass. So easy, in fact, that Zheng and Rivera were able to write up a quickie Visual Basic Script (VBScript) that can compromise a Windows 7 PC. Microsoft’s response so far: “This feature works as intended.” This has the makings of a fight.

Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)

This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 to make it “less annoying” inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided.

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate … The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, which, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

The implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc.

Beta users of Windows 7 can also apply a simple fix. Changing the UAC policy to “Always Notify” will force Windows 7 to notify you even if UAC settings change. Annoying, but safe.

Put another way, “annoying but safe … Like it was in Windows Vista. And is in Mac OS X, by the way.”

Raf’s take...

Malware can turn off UAC in Windows 7; “By design” says Microsoft

Windows 7, however, now ships with UAC configured to hide prompts when users change Windows settings. While this mode still ensures normal applications can’t overwrite your entire registry hive, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts. Yes, you can even change UAC settings, allowing applications free rein in elevated mode (after the required restart).

An obvious fix for this “issue” would be to force the adjustment of UAC parameters to be confirmed by a human. Until Microsoft addresses this “issue”, you can set UAC to its highest mode to kill any concerns you may have… but you’re not using this in a production environment anyway – right?

Um. Right.

Microsoft?
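The workaround both posts give, setting UAC to “Always notify”, as an added PowerShell example that is not code from either post or from Microsoft: it reads the UAC policy values, reports whether the machine is at that level, and raises it when run with -Enforce. The registry key and value names are the documented UAC policy settings, which the posts do not name, so treat them as an assumption here.

```powershell
# Added example (not from either post): audit whether UAC is at "Always notify"
# and optionally enforce it. Assumes the documented UAC policy values under
# this key; the posts themselves do not name them.
param([switch]$Enforce)

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    $lua    = $p.EnableLUA                   # 1 = UAC enabled
    $admin  = $p.ConsentPromptBehaviorAdmin  # 2 = prompt on every elevation
                                             # 5 = only for non-Windows binaries (Win7 default)
                                             # 0 = elevate silently
    $secure = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
    # A missing value counts as "not Always notify" rather than being guessed at
    New-Object PSObject -Property @{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        AlwaysNotify               = ($lua -eq 1 -and $admin -eq 2 -and $secure -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Needs an elevated shell; the new level applies fully after a restart
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$posture = Get-UacPosture
$posture | Format-List EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, AlwaysNotify
if ($posture.AlwaysNotify) {
    Write-Output 'UAC is at "Always notify": a change to UAC itself will prompt.'
} else {
    Write-Warning 'UAC is below "Always notify": a change to UAC itself would not prompt at this level.'
    if ($Enforce) {
        Set-UacAlwaysNotify
        Write-Output 'Raised to "Always notify"; restart for it to take full effect.'
    }
}
```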