Windows 7's vaunted security is flawed. The good news is that, despite initial responses denying it, Microsoft announced today that it plans to deliver a comprehensive fix soon.
After a week of denying that the default setting for Windows 7's User Account Control (UAC) is too easy to compromise and could lead to malware disabling the very mechanism that's meant to keep users safe from attacks, Microsoft (NASDAQ: MSFT) Thursday caved in to users' demands.
If not fixed, many observers had said in their harangues, the issue could turn out to be Windows 7's Achilles' heel. In fact, Microsoft claimed as recently as early in the day on Thursday that Windows 7's UAC default settings are not flawed at all, but rather constitute a feature created "by design."
Further, the company argued, an attack program would already have to be installed on the user's PC in order to exploit the two holes in UAC found by third-party developers, a Microsoft executive insists. For that to happen, Microsoft asserts, the user would need to click to allow a malware download to the user's PC in the first place.
A few hours later, things changed. "We are going to deliver two changes to the [Windows 7] Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation …. Second, changing the level of the UAC will also prompt for confirmation," said a joint posting on the Engineering Windows 7 blog Thursday afternoon.
The post was co-signed by Steven Sinofsky, senior vice president of Windows and Windows Live Engineering, and Jon DeVaan, senior vice president of the Windows Core Operating System Division.
Windows 7 is currently in beta test and is in the hands of literally millions of users. The system has largely gotten rave reviews, including one group of hardcore fans that have started an online petition demanding the beta be terminated now and the software released immediately.
Microsoft continues to maintain Windows 7 will ship in the first quarter of 2010. In actuality, however, Windows 7 is expected to reach the release candidate stage of testing – the last testing step before commercial release – by the end of April. That's when the changes to UAC will be added.
Observers still differ on their bets as to when Windows 7 will actually be released – with estimates running from early June to late summer – but it will most certainly be available for the Christmas sales season, barring any showstopper bugs turning up between now and then.
A familiar headache
UAC is not new. It debuted with Windows Vista as a way to double check that changes to the operating system – such as installing new programs – are done under the auspices of high-quality security, including passwords that must be keyed in before such an installation proceeds.
While Vista's UAC got high marks for security, it was too disruptive for many users. In fact, many users became so frustrated with the constant dialog boxes and prompts popping up, asking for a password before continuing, that they simply disabled UAC altogether, thus defeating UAC's purpose.
With Windows 7, Microsoft changed the defaults for UAC at what it insists was users' request. The current default in Windows 7 is to notify the user and ask for permission to download a file or install a program only if that action is triggered by a script, but not if the user is clearly interacting with Windows 7 him or herself. This lessens the number of prompts that the user needs to respond to, but makes a tradeoff on the quality of Windows 7's security.
However, what if an attacker could write a script that did a good job of pretending to be a human keying in changes – such as turning off UAC or elevating the script's user rights? That's the rub.
The problems were initially publicized late last week by several blogger developers, including Rafael Rivera and Long Zheng. The second problem, the ability for a script to upgrade its user rights to a higher administrative level, surfaced earlier this week.
"A change to User Account Control (UAC) in Windows 7 (beta) to make it 'less annoying' inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction," said a post on Zheng's blog.
Microsoft officials, meanwhile, insisted that the problems were overblown. "Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent [of the user]," said a blog post by DeVaan earlier Thursday [February 5].
A lot can change in just a few hours, though, as the later joint posting reveals.
"The feedback is that UAC is special, because it can be used to disable silently future warnings if that change is not elevated and so to change the UAC setting an elevation will be required," reads the late afternoon joint post.
Just dump administrator access?
Of course, one thing to do is to take advantage of other Windows security features to mitigate the problems. For instance, security management firm BeyondTrust published a report on Tuesday stating that its research shows that 92 percent of "critical Microsoft vulnerabilities" can be ameliorated by simply eliminating administrators' rights from users' systems.
That could be annoying for both corporate and consumer users, however, and defeats one of UAC's goals, which is to reduce demands on administrators' time and enable users to perform some of their own security tasks. For consumers, it means logging off their user accounts, logging into separate administrator's accounts and performing the needed tasks, then logging back in as users.
One leading security expert says that he thinks Microsoft's heart is in the right spot.
"What they're trying to do is improve the usability of UAC," Johannes Ulrich, chief research officer for the SANS Internet Storm Center, If it frustrates the users, they'll just turn it off."
Perhaps one thing that got Microsoft executives' attention was the fact that Long Zheng and Rivera, as well as others, posted proof-of-concept code to disable UAC in Windows 7. Additionally, they also posted a homegrown fix for both holes.
The Internet Storm Center's Ulrich says there will always be tradeoffs between protecting users and allowing them to have more control of their systems.
"What it would really take is a completely new operating system, but for Windows 7 this is the best you can expect," Ulrich added.