Once again, Microsoft's obsession with the consumer market leaves enterprise customers exposed.

Is UAC in Windows 7 broken? That’s what some IT Windows community agitators are saying. They claim that one of the most critical system settings in all of Windows 7 — the on/off switch for UAC (the User Account Control) — can be compromised using nothing more than a simple VBScript file.

On the surface, their claim seems to have some credibility. However, Microsoft has been quick to deny that what these people have discovered is in fact a flaw. Rather, the behavior observed is by design, and furthermore could not be exploited without complicity on the user’s part (i.e., a social-engineering attack).

I believe that both sides are correct. The particular exploit in question requires that the user somehow introduce the VBScript file (or comparable malware payload) to their system — either through a download, file copy, or similar operation. However, the fact that once introduced said script can so easily take out Windows 7’s primary line of defense (just don’t call it a “security boundary”!) shows how ill-conceived this version’s UAC implementation really is.

What Microsoft was thinking, and why it’s a lazy approach

Microsoft’s goal in dumbing down Windows 7’s UAC was to eliminate the frequent double-clutch nag prompts that drove so many Vista users crazy (myself included). Want to enable a network connection in Vista? Nag prompt. Want to disable this same connection you just enabled? Another nag prompt, even when the very last task you performed was to enable it. Simply put, Vista’s UAC lacks any sense of state or context.
Basic operations, like modifying files in a protected folder, cause a parade of nag prompts — at least two for each operation: One to warn you that your initial attempt resulted in an “access denied” error (because you’re running in deprecated Administrator context) and a second to confirm that you want to elevate your security context so that the operation can succeed.

This nag once, nag twice, rinse, repeat phenomenon is what gave UAC such a bad name. So, Microsoft’s solution has been to suppress the secondary prompt — the one where you provide consent to elevate — in the default security configuration for Windows 7. Some operations, like the aforementioned protected file/folder operations, still generate a nag prompt, but these are tied strictly to the individual access control lists (ACLs) for the objects in question. Gone is the double-clutch behavior from Vista, making the Windows 7 experience much smoother and less jarring for new users.

Unfortunately, it has now been demonstrated that Microsoft’s brute-force suppression approach with Windows 7 opens up an alternate attack vector — namely, the ability to override critical system settings programmatically, without alerting the user. All of which serves to highlight just how lazy Microsoft was in its efforts to “fix” UAC in the new Windows.

How Microsoft should have fixed UAC

Instead of enhancing UAC to make it more granular and context-aware, Microsoft took a hammer to it by globally suppressing an undesirable behavioral trait. What Microsoft should have done was introduce additional state to the various Explorer windows — for example, having the target window for a previously elevated action (such as the protected folders and network connection examples) remember the new security context for the duration of its existence. Such a change would allow the user to complete several related operations without the constant double-clutching behavior of Vista.
You can do this now with the Command Prompt and various Vista elevate utilities. It shouldn’t be too hard to implement shell-wide.

And for the truly paranoid, Microsoft could introduce an administrator-definable time-out period after which the window would lose its elevated status. I seem to recall something similar to this under Linux — once I had entered my sudo password, I could complete several related operations within the same general area of the system’s configuration UI without triggering additional prompts.

What users and IT should do about Windows 7 UAC

The bottom line: UAC is a good idea poorly executed. Windows Vista was annoying, but at least it was secure out of the box. Now, in a fit of consumer-oriented, Apple-inspired angst, Microsoft has neutered this same mechanism in Windows 7, exposing countless future users to the very real threat of an undetected malware infection.

Thankfully, you can restore UAC to full Vista-like potency by simply moving the much-ballyhooed slider control to its topmost position — a setting I strongly urge consumers to adopt immediately after installing Windows 7.

As for enterprise customers: You shouldn’t be allowing users to run as local administrators in the first place. So, if you get bitten by this flaw (which only affects Windows 7’s default deprecated administrator configuration), you deserve to suffer the consequences.
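
An audit check for the slider position recommended above, added here as an example and not part of the original article. It assumes the standard UAC policy values EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under the Policies\System key; the function name Get-UacSliderLevel and the sample inputs are constructed for illustration.

```powershell
# Added example: map UAC registry values to the Windows 7 slider positions.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {   # hypothetical helper name
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 switches UAC off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) { return 'UAC disabled' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (elevation without a prompt)' }
        2 { return 'Always notify (topmost slider position)' }
        5 {
            # 5 = prompt only for non-Windows binaries; Windows settings
            # changes elevate silently. This is the Windows 7 default.
            if ($PromptOnSecureDesktop -eq 1) { return 'Windows 7 default' }
            return 'Windows 7 default, secure desktop off'
        }
        default {
            # 1, 3 and 4 are reachable through security policy, not the slider.
            return "Set by policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)"
        }
    }
}

# Constructed sample inputs (not captured from a real machine).
$samples = @(
    @{ Name = 'default install'; LUA = 1; Admin = 5; Desktop = 1 },
    @{ Name = 'slider at top';   LUA = 1; Admin = 2; Desktop = 1 },
    @{ Name = 'slider at bottom'; LUA = 0; Admin = 0; Desktop = 0 }
)
foreach ($s in $samples) {
    $level = Get-UacSliderLevel -EnableLUA $s.LUA `
        -ConsentPromptBehaviorAdmin $s.Admin -PromptOnSecureDesktop $s.Desktop
    Write-Output ('{0,-18} -> {1}' -f $s.Name, $level)
}

# Live check on this machine; a missing value is passed to the function as 0.
$p = Get-ItemProperty -Path $UacKey
$live = Get-UacSliderLevel -EnableLUA $p.EnableLUA `
    -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
    -PromptOnSecureDesktop $p.PromptOnSecureDesktop
Write-Output "This machine: $live"
if ($live -notlike 'Always notify*') {
    Write-Warning 'UAC is below the topmost slider position.'
}
```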