Microsoft response to UAC 'issue'

Microsoft has sent me a statement about the UAC “issue” in Windows 7 that was raised by bloggers Rafael Rivera and Long Zheng. Long story short: according to Microsoft, it’s not a vulnerability. Here’s the full statement:

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).

There you go.

Discuss this Article 31

planetarian
on Jan 31, 2009
you have got to be kidding. you have no problem with their position? i don't think they truly understand the issue at hand here.
freakyfelt
on Jan 31, 2009
That is the most retarded response I've heard. There is no reason that Microsoft can't divide each control panel into user-configurable and system-configurable options like every other operating system. This is just passing the blame on to the user when Microsoft could prevent another attack point.
yert
on Jan 31, 2009
I plan on changing the UAC default to the highest, because this is a problem waiting to happen. I don't know why Microsoft suddenly got stupid; they were doing so well with security before.
DavidR91
on Jan 31, 2009
If they do this, then they need to do something along the lines of the "lock" system used in OS X (where the settings are unlocked/locked unless you explicitly click the lock and reverse the situation)
darkmax
on Jan 31, 2009
This thing is getting from dumb to dumber.... So they are trying to tell us that it is our fault for introducing the malicious code unwittingly? Or are they blaming us for visiting questionable sites and/or acquiring software with risks? Nice one, Microsoft.
Waethorn
on Jan 31, 2009
"So they are trying to tell us that it is our fault for introducing the malicious code unwittingly?" Um, that's the whole point with UAC. If you click "Continue" unwittingly, you only have yourself to blame if you don't understand the consequences. "Or are they blaming us for visiting questionable sites and/or acquiring software with risks?" Well, yes. The computer doesn't browse the internet by itself. Your antimalware software is what is supposed to notify you when malicious software is trying to take control of your machine though. "In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)." That's the thing to remember. It is not UAC's job to monitor what is malicious or not. It's only there to address whether or not system-level settings are trying to be modified. BTW: You can blame all the reviewers that claimed that "Windows 7 is now less annoying" for this. Less annoying = less secure. That's the price you pay for trying to appease everyone. Be a good plumber, and just pull your pants up.
shark47
on Jan 31, 2009
I don't understand why MS is being so adamant about this, especially since this probably won't take much effort to fix. Oh, well.
Dipsh t Admin
on Jan 31, 2009
"especially since this probably won't take much effort to fix. Oh, well." That may be what the problem is. I know that sometimes things that seem simple are in fact not, and it may take some fundamental changes to implement. And it clearly is by design when you think about it, so they are technically right about that. However, it does seem to me to be a big potential problem that they should take care of.
Mum
on Jan 31, 2009
"Less annoying = less secure." Absolutely not true. The more annoying something or someone is, the less likely people are to pay attention to what it/they are saying.
robertsjoe
on Jan 31, 2009
runner7775
on Jan 31, 2009
I don't know about Microsoft's position on this one. The whole idea of UAC is to make another barrier to malware. If the malware gets past the other security "walls" then it still has UAC to contend with. In this case UAC would be a nonfactor. It's like having three walls of security and the third wall falls immediately when you touch it. But I do not contend to know anything real about security, its just how I see this situation.
Waethorn
on Jan 31, 2009
"Absolutely not true. The more annoying something or someone is, the less likely people are to pay attention to what it/they are saying." So you're saying less annoying = more secure? Sorry, but you must be taking IT hints from Lindy on that one.... Look, the way that malware gets on the box is if the user actually allowed it. Since the software can't modify system settings by itself under the privilege level, the user would've purposefully launched it within the browser, or downloaded and executed it. At that point, the malware would've been able to drop the security settings because the app inherited admin privileges by the admin that ran it manually. To change this, Microsoft would have to code extra exclusions into UAC so that the UAC slider would need special exemptions to bypass UAC's policies. How do you code something to be exempt from its own security policy? Create a safe list? That opens up a whole other can of worms. Look at what happens when a browser hijacker infects a system - it will add sites into IE's own safe list.
darkmax
on Jan 31, 2009
@Waethorn There are people who place malware in free programs. You expect a 12-16 year old to know? Ever heard of drive-by malware sites? Most people find out about these after they have "accidentally" visited them. Frankly speaking, if someone wants to break into your computer, no amount of security is going to stop him/her. Well, just one: unplug the computer and stop using it.
Lindy
on Jan 31, 2009
Lol Waethorn and your small time computer shop thinking/MS has the answer for everything. UAC is busted in 7. If I ever let Vista (never) or 7 touch my AD environment even Admins will be forced to use a password with UAC forced by a GPO. UAC is good, they just need to make it like OS X or Linux
darkmax
on Jan 31, 2009
"Look, the way that malware gets on the box is if the user actually allowed it. Since the software can't modify system settings by itself under the privilege level, the user would've purposefully launched it within the browser, or downloaded and executed it. At that point, the malware would've been able to drop the security settings because the app inherited admin privileges by the admin that ran it manually." Okay. How many of the average consumer you know actually knows what each component of an installation does?
rjohn05
on Jan 31, 2009
I am willing to bet they make some changes so that this sort of breach does not happen.
tayme
on Jan 31, 2009
My feeling is that the security should be annoying...to a point. I don't mind the long TSA lines at the airport if it means that a terrorist is not boarding the plane. I do mind that many of the people running the checkpoint are lackeys that know nothing about law enforcement, though. UAC in Vista had it about right. There was room for improvement, but contrary to what most people have heard...Vista UAC worked pretty well and did not annoy endlessly. I also like the way OS X lets you lock the system settings, requiring the admin password to make changes. That would be a good additional step. As for people not knowing what each step of the installation process is doing...there is no need to. There has been enough information available to average users to know not to visit porn sites and to only open email attachments from trusted sources, etc. If that advice is ignored, they deserve what they get. I have told some people that I will no longer "fix" their computer, because I know that they are ignoring my advice. All of that said....yes, Microsoft's answer is lame, especially the first bullet. That should be a default setting...if you are going to change security settings...I need, not only an OK...but a password. Like Waethorn said...this is one that they should not be trying to appease the public, but keeping Windows secure as it has been and even more secure. --tayme
MrDiSante
on Jan 31, 2009
@darkmax - the average user is supposed to use common sense and do his/her best not to get infected. I'm currently running Vista with UAC, however if I were to install something right now, click-through the little UAC prompt that told me I may be doing something retarded it could install itself as a driver, service or some other component requiring administrative access and change all the settings it likes. As for drive-by downloads: they were a major issue in pre-SP2 XP running IE6. They're not anymore. There's a reason there's an annoying little yellow bar that pops up at the top of your internet explorer when a file wants to download itself. MOREOVER: kindly recall that IE runs as a least privileged user and thus can't do jack to your system even if something does happen to compromise it. Finally, while I disagree with Microsoft's decision to change the default UAC level, do note that the option to change it to the strictest possible is still there. Long story short, I think the following quote still summarizes the situation perfectly: "Social engineering... because there is no patch for human stupidity."
valisystem
on Jan 31, 2009
For the last few years, I've run into many pieces of malware that continually reach out and seek to install other malware programs. That's why it's not sufficient for Microsoft to respond that this could only matter on a system that is already compromised. Although that's true, this opening will make it possible for the system to have additional malicious programs installed without the default Windows 7 UAC protection. Microsoft's response seems ill-considered.
war59312
on Jan 31, 2009
You guys do know that UAC is not a security boundary right? Thus, why Microsoft stated what they have!
amabo
on Jan 31, 2009
@war59312 "User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista operating system. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level." It's a protection layer, or stop gap. Take the average home XP user: they probably don't even have a password and they are running at full admin rights. Malware just walks in. Vista with UAC turned on prevents this, but a user can OK it through. UAC is the same thing that OS X and Linux have, except they are less annoying and always require a password. UAC is highly configurable. http://www.howtogeek.com/howto/windows-vista/make-user-account-control-u... Registry settings that can be forced by GPO....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"LocalAccountTokenFilterPolicy"=dword:00000001
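As an added example (not part of the original post, of amabo's comment, or of any Microsoft tooling), here is a PowerShell script that audits the policy values amabo lists against a hardened baseline and maps the two values the Windows 7 slider actually writes back to the slider's four positions. The baseline is an assumption of this example: it follows amabo's listing except that it asks for credentials rather than a bare "Continue" (ConsentPromptBehaviorAdmin 1 instead of 2), puts the built-in Administrator in Admin Approval Mode (FilterAdministratorToken 1) and keeps remote UAC filtering for local accounts (LocalAccountTokenFilterPolicy 0). Reading works as a standard user; applying needs an elevated prompt.

```powershell
# Added example, not from the original post or amabo's comment: audit the UAC policy
# values under the key amabo lists against a hardened baseline, and optionally apply it.
# Reading works as a standard user; -Apply needs an elevated (admin) PowerShell.
# On a domain member, Group Policy rewrites these values on refresh, so set them in GPO
# (Security Options, "User Account Control: ...") rather than directly in the registry.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hardened baseline (an assumption of this example). ConsentPromptBehaviorAdmin values:
#   0 = elevate without prompting, 1 = credentials on the secure desktop,
#   2 = consent on the secure desktop, 3 = credentials, 4 = consent,
#   5 = consent for non-Windows binaries only (the Windows 7 default discussed above).
$Baseline = [ordered]@{
    EnableLUA                     = 1  # UAC on at all; changing it needs a reboot
    ConsentPromptBehaviorAdmin    = 1  # admins type a password, not just "Continue"
    ConsentPromptBehaviorUser     = 1  # standard users get a credential prompt
    PromptOnSecureDesktop         = 1  # prompt on the dimmed, isolated desktop
    EnableInstallerDetection      = 1  # detect installers and prompt for elevation
    EnableSecureUIAPaths          = 1  # only UIAccess apps from secure paths may elevate
    EnableVirtualization          = 1  # redirect legacy writes to per-user locations
    FilterAdministratorToken      = 1  # built-in Administrator gets a split token too
    LocalAccountTokenFilterPolicy = 0  # remote logons by local admins get filtered tokens
}

function Test-UacPolicy {
    <#
    .SYNOPSIS
    Compares each baseline value with the registry and returns one object per value.
    With -Apply, writes the baseline value for every mismatch (requires elevation).
    #>
    param([switch]$Apply)

    $current = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $findings = foreach ($name in $Baseline.Keys) {
        $actual = $current.$name          # $null when the value does not exist
        [pscustomobject]@{
            Name     = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Baseline[$name])
        }
    }

    if ($Apply) {
        foreach ($f in $findings | Where-Object { -not $_.Ok }) {
            Set-ItemProperty -Path $UacKey -Name $f.Name -Value $f.Expected -Type DWord
        }
    }
    return $findings
}

function Get-UacSliderLevel {
    # The Windows 7 control panel slider only writes these two values; map them
    # back to the four slider positions so the audit output is readable.
    $p = Get-ItemProperty -Path $UacKey
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify only when programs try to make changes (Windows 7 default)' }
        '5/0'   { 'Notify only when programs try to make changes, do not dim desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom ($_)" }
    }
}

Get-UacSliderLevel
Test-UacPolicy | Format-Table -AutoSize
# Test-UacPolicy -Apply   # from an elevated prompt; reboot afterwards if EnableLUA changed
```

With the baseline applied the slider reads "Always notify", which is the one position where moving the slider itself produces a prompt, because no elevation is auto-approved at that level. The audit lists a $null Actual for any value that has never been written; on a fresh Windows 7 install that is normal for several of them, since the operating system falls back to its built-in default until a policy value exists.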
screechi0784
on Jan 31, 2009
I don't understand this. First UAC was too annoying; now that everybody has complained about it and Microsoft decided to change it, it's broken. Like it says in the statement: "This is not a vulnerability. The intent of the default configuration of UAC is that users DON'T GET PROMPTED when MAKING CHANGES to Windows settings." So if you write a script to change Windows settings and you have the UAC settings not to prompt when you make changes, what do you expect!! Everybody complained about UAC; now that it has been changed, Microsoft isn't doing its job. Come on people. You asked for this. Now whose fault is it?? And I do understand why Microsoft would say that something else would have been breached for malware to be on the system. Ask any IT person how many people just install crap on their computer and blame Microsoft for getting all sorts of malware. For me UAC was fine like it was in Vista. It protected people who didn't have a clue about what is good and what is not. The only change they had to make would have been not to darken the whole screen, that's it.
subzerohitman721
on Jan 31, 2009
Wow. That response of Microsoft is shameful and disheartening. You're going to leave a potential backdoor for code writers and crackers to blatantly breach Windows 7? This is very disappointing, considering the fact that so many millions of users have put in hours of time, testing, observations, and you're going to allow a simple VB script to have that much power to compromise the system? I'm sorry but that's pathetic. That means anyone taking High School Visual Basic who is competent writing in VB will have the ability to make changes in Windows 7 and Vista. You could mimic something that's very common and implement a breach. This is some of the same boneheaded decision making that makes people really hate Microsoft. This decision might just have handed the keys of the PC kingdom over to anyone who wants to step up to the public OS market. However, I do not think Apple will go that route and Linux doesn't have the collective will to do it. So, the status quo in the PC industry remains. Now, if Apple really wants to take Windows market share, Snow Leopard will have to show security improvements plus much greater stability. A price cut on the hardware would really help.
whiplash55
on Jan 31, 2009
It seems simple to fix. Require full admin rights to move the damn slider. Of course people will whine but they did the right thing with Vista and idiots either turned it off,(if they could) or complained. If MS doesn't fix this someone, like Norton with their UAC utility will. But companies are like everyone else, the pendulum swings toward secure and they get slammed for UAC, They try to "fix" UAC and the security geeks complain.
subzerohitman721
on Jan 31, 2009
@whiplash55 I agree with you. But I would really not want to start using Norton again. I stopped using them in 2003 and really have no desire to. Maybe AVG will come up with something. However, VB is taught in High School. I shudder at the possibility of some loser with too much spare time compromising Windows 7. Or the proof of concept code falling into worse hands. I did post a blog response on the Engineering Windows 7 blog. I hope many on here will follow suit and give Sinofsky and Company some pressure to change this. http://blogs.msdn.com/e7
lketchum
on Jan 31, 2009
It's very clear that Microsoft's explanation is quite correct. Period. End of story. It was more than a bit alarmist to have presented the original "vulnerability" in the context of some kind of breach or flaw. Since UAC was originally announced its role and function within user space has been clear and this nonsense that it is a boundary has to stop. It is an alerting mechanism designed to inform the logged user of impending changes - and nothing more. Similarly, the idea that what appear to be similar functions in OS X and other *nix are somehow superior, seems silly - they are entirely different things. On the *nix privilege elevation takes place and persists opposite a simple read, write, execute model. Unlike on Windows where UAC may be exposed to policy objects and much more granular control, OS X and other *nix adhere to an archaic model that is not only less secure, it is far more difficult to manage centrally. I can imagine that more than one fist found its way to slamming more than one desk up in Redmond when this matter was presented here and elsewhere as it was. I was equally miffed - explaining things in a way small business customers understand well is hard enough and that kind of rubbish made 07 and 08 hard enough on partners in the channel with Vista. As an industry, we have to beg two things: "If you do not know what you're writing about, don't publish it" and "if you do not know what you are talking about, ask questions." - less clickety clickety and more journalism, please.
DRWAM
on Feb 1, 2009
Sub, MS was referring to me, and people like me. We're the doofuses that install stuff without much thought. Even though I scanned the 'free disc utility' twice, I still installed a trojan. It was my fault. So maybe MS is not too far off the mark on this one. We shall see. Go Steelers!
whiplash55
on Feb 1, 2009
@subzerohitman I believe you can get the Norton UAC tool stand alone: http://www.nortonlabs.com/inthelab/uac.php I have to say, after being a Norton hater for years, the 2009 version is quite good. I think it might use fewer resources than the new AVG, which seems to have gained a little bloat. If I pay for security software I like Eset NOD32; I've been using it for years, and it has always done a good job.
realtestman
on Feb 1, 2009
tayme, you mentioned that OS X lets you lock the system settings so that you require a password and you stated that it would be nice if Windows did the same. Windows already does. If you make everyone use a limited account, then if they change a setting they will have to put in a password. No changes to Windows are needed.
Victek
on Feb 1, 2009
"This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level." This is an example of if you say something with sufficient self-confidence and assertiveness it will cause others to suspend common sense and agree, but it's still wrong. In fact it's offensively stupid.
shark47
on Feb 1, 2009
Oh dear. I just ran the code that Raf has posted on his blog. The scary part is, like Long Zheng says, that even a low privileged application can turn off UAC. This is serious. I hope Microsoft fixes it before Windows 7 is RTMed.
