There have been a few stories about Windows 7, even one about Windows 7 UAC before and now it’s officially on sale I’d expect there to be many more.

As always malware and mass infections is a numbers game so the bad guys will always target the most popular and prolific operating systems to increase their chances of widespread infections.

For me personally UAC in Windows Vista was simply a pain in the ass, so much so I just turned it off completely as did most people rendering it completely ineffective. They seem to have toned it down in Windows 7 to make it less invasive and perhaps as a byproduct have made it less effective.

A researcher at Sophos reports putting Windows 7′s User Account Control feature to the test and finding the technology failed to block numerous pieces of malware. Microsoft, however, stresses that UAC is only one part of Windows 7′s security.

A researcher at Sophos called the UAC feature in Windows 7 ineffective after numerous pieces of malware snuck by the technology in a test.

Microsoft first introduced User Account Control in Windows Vista to improve security. After some users complained the number of alerts it generated were annoying, the company pledged to cut down on the number of prompts in Windows 7. The move however has raised concerns in the security community, and Sophos Senior Security Adviser Chester Wisniewski said his test proves Microsoft took it a step too far.

Wisniewski wrote on his blog Nov. 3 that seven of the 10 pieces of malware he tested ran with the default AUC enabled in Windows 7 without generating any prompts. As part of the test, no antivirus software was installed on the system. Two of the malware samples did not work in Windows 7; of the remaining eight, only one generated a prompt, and that one still would have been installed had the user clicked yes, Wisniewski told eWEEK.

I’d imagine it only throws an alert if the software being installed tries to modify system files or place itself in system directories (c:/windows etc).

That would make sense to me, and yes it would make it ineffective against malware and even more ineffective when the bad guys work out how it functions and adapt to that.

Nothing much new here though is it, run anything on Windows XP and you’ll get no warnings..so just be vigilant. I’d rather Microsoft try an educate people on good security practice rather than trying to implement half-arsed technical measures to protect against wetware ignorance.

When asked about the test, Microsoft officials pointed to the other features of Windows 7 that have improved security.

“Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP),” a spokesperson said.

“Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released,” the spokesperson added. “Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions.”.

All the above technologies are great and they do help a LOT when it comes to exploitation of vulnerabilities and trying to execute shell-code. But that’s not the biggest threat, the biggest threat is idiot users installing malware ‘by accident‘ on their own computers.

So yes, however obvious it may seem to us – you still need to install Anti-virus software on Windows 7.

Source: eWeek

It seems like Windows 7 is already creating some controversy even though it’s still in BETA. Just like Vista it also has UAC (User Access Control) which a lot of people disable completely because they find it irritating (myself included).

When that happens, the boundary between security and usability has crossed too far and the control becomes useless because people just remove it.

Thankfully in Windows 7 they have made it more configurable with 4 levels to choose from which offer various levels of protection vs usability (level 4 is the same as Vista and it comes default at level 3).

The controversy is with a VBScript run in user-mode the UAC can be disabled (set to level 1) without any kind of prompt happening.

A controversy erupted last week with the revelation by a researcher that it is possible for a user-mode program in Windows 7 to disable User Access Control in the default configuration. My first reaction to this was that it was bad, but it’s a beta and it will be fixed. Now I’m getting the vibe from Microsoft that it won’t be fixed and I can see their argument. It still leaves me uncomfortable though.

For those of you unfamiliar with the specific problem, in Windows 7 the default behavior of UAC was changed so that the user is not prompted for access to Windows programs, such as control panel applets, as they are in Vista. UAC also no longer uses the “secure desktop” mode for confirmation by default.

And a new control panel is provided to let the user choose the behavior of UAC in Windows 7. There is a slider control with 4 levels: level 4 is the same as Vista, with all the same prompting for system-level changes and secure desktop; level 3, the default, is the same as level 4, but doesn’t prompt for changes in Windows settings, like the control panel; level 2 is the same as level 3, but does not use the secure desktop; and level 1 shuts off UAC; no prompting at all. The secure desktop is a special mode in which you can only interact with the UAC prompt, and no other software.

It’s not really a vulnerability in the traditional sense of the word as it’s a design choice by Microsoft and only occurs under a certain set of circumstances. For example the user must be running as Administrator for a program to be able to disable UAC without prompting.

So if the machine is set up properly and day to day usage is logged in under a non-privileged account this won’t be an issue anyhow. The problem I see is, how often does that really happen?

Everyone just uses the Administrator account, so this could be a real problem.

The proof of concept showed a user-mode program which spoofed keystrokes and mouse movements to change the setting from the default down to level 1.

What bothered me was that this was user-mode code. It seemed to me that it sort-of violated at least the spirit of UAC by indirectly elevating privilege through an external program, which level 3 is supposed to prompt. The author of the attack proposed what seemed a sensible solution: force a prompt, one that requires secure desktop, for that one case. The heart of the argument for making this a special case is that users would expect from level 3 that it would protect them from elevation changes from external programs.

There was a lot of hyperbole about this issue. There are many legitimate arguments that this isn’t so bad a problem, and in fact not surprising at all. Some of them are made in Roger’s Security Blog, who closes with the point that a lot of the criticism is hypocritical, amounting to calls for more rigid prompting from people who complained about it in Vista..

The more I’ve thought about it, the more I think Microsoft is right not to make a change here. Here are the major arguments for this position.

The fact still remains, for this to be an issue – the user has to run a piece of untrusted code (even if it’s ‘just’ a VBScript) and once that has happened you can assume the machine is compromised anyway.

I’d imagine the script to carry out the actions will soon enough be flagged by Anti-virus software rendering it a little less of a threat.

Either way I’ll be paying close attention to the insecurity security of Windows 7 – I hope you will too.

Source: eWeek