Modifications to UAC in Windows 7 Beta Introduce Vulnerability
Security experts have discovered a potentially severe vulnerability in User Account Control (UAC) in Windows 7. UAC, a security feature introduced in Windows Vista, prompts the user for consent before an application may proceed with an action that requires administrative rights. Microsoft designed the technology as a defense against malicious software and has now revised it in the beta editions of Windows 7.
The revised UAC in Windows 7 has four separate levels, which means, among other things, that routine activities no longer prompt the user for consent before software is run. In making these modifications, the experts say, Microsoft accidentally introduced a serious security flaw.
Long Zheng, a Windows security blogger, said that future malware could silently shut UAC down, misleading users into believing that the control is still active, TheRegister reported on January 30, 2009.
To demonstrate the issue, Zheng, together with his colleague Rafael Rivera, built a proof-of-concept that silently disables UAC without any user interaction or social engineering. It simulates a series of keystrokes to switch the protection off, or to switch it back on after booby-trapped code has been installed.
Zheng adds that the pair soon realized the consequences were worse than first thought. After changing the UAC setting, it is possible to add an application to the user's Startup folder, run programs with full administrative privileges while UAC is off, and then have UAC re-enable itself automatically so that nothing looks amiss.
The researchers said Microsoft had tuned the technology to be less intrusive, so that the user is no longer asked for permission before its own settings are changed.
Meanwhile, Microsoft is aware of the problem but is not yet convinced that it is as serious as Zheng maintains. Until Microsoft settles on a fix, Zheng advises Windows 7 beta users to set UAC to "Always Notify", which forces Windows 7 to prompt the user even when the UAC settings themselves are changed.
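The following PowerShell script is an added example for checking and applying the "Always Notify" advice above; it is not code from the article, from Microsoft, or from Zheng and Rivera's proof-of-concept, and it deliberately does not reproduce the keystroke technique. It reads the UAC policy values under HKLM (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), maps them to the four slider levels, flags any level at which UAC settings can be changed without a prompt, and offers a function that writes the "Always Notify" values. The value-to-slider mapping is assumed to be the one shipped in Windows 7 release builds; beta builds may differ.

```powershell
# Added example, not code from the article or from Zheng and Rivera's proof-of-concept.
# Audits the UAC policy values that the Windows 7 slider writes and, on request,
# sets them to "Always notify". Assumption: the mapping below (EnableLUA,
# ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) matches Windows 7 release builds.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSetting {
    $p = Get-ItemProperty -Path $UacKey

    # Missing values fall back to the Windows 7 defaults (UAC on, slider at level 3 of 4).
    $enableLua = if ($p.EnableLUA -ne $null) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($p.ConsentPromptBehaviorAdmin -ne $null) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($p.PromptOnSecureDesktop -ne $null) { [int]$p.PromptOnSecureDesktop } else { 1 }

    if ($enableLua -eq 0 -or $consent -eq 0) {
        $level = 'Never notify (UAC effectively off)'; $weak = $true
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'; $weak = $false
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Notify only when programs try to make changes (Windows 7 default)'; $weak = $true
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify only when programs try to make changes, without secure desktop'; $weak = $true
    } else {
        $level = "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"; $weak = $true
    }

    # Only "Always notify" prompts when the UAC settings themselves are changed;
    # at every other level a silent change can go unnoticed.
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        ChangesToUacCanGoUnnoticed = $weak
    }
}

function Set-UacAlwaysNotify {
    # Writing the policy key requires an elevated (administrator) process.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt; the policy key is writable only by administrators.'
    }
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Warning 'If EnableLUA was previously 0, the change takes effect only after a reboot.'
    Get-UacSetting
}

# Report the current level and advise if it is below "Always notify".
$current = Get-UacSetting
$current | Format-List Level, ChangesToUacCanGoUnnoticed, EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
if ($current.ChangesToUacCanGoUnnoticed) {
    Write-Warning 'UAC is below "Always notify"; run Set-UacAlwaysNotify from an elevated prompt to harden it.'
}
```

The audit function runs as a standard user, since the policy key is world-readable; only Set-UacAlwaysNotify needs an elevated prompt, and at "Always Notify" that elevation is exactly the consent prompt the article says the lower levels skip. The syntax avoids PowerShell 3.0 features so the script also runs on the PowerShell 2.0 that ships with Windows 7.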
» SPAMfighter News - 16-02-2009