A month has barely passed since the public beta debut of Windows 7 and we have our first horror story.
UAC (user account control) was the major gripe with Windows Vista which annoyed most tech savvy users and confused ordinary consumers. Microsoft has changed the behavior in Windows 7, lowering the requirement for user interaction when changing system settings. The apparent downside to this is, according to reports, the way Microsoft has changed the behavior makes it extremely easy for malware authors to write code to disable UAC without user intervention.
By default, Windows 7's UAC setting is set to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings". Microsoft makes the distinction between a (third party) program and Windows settings with a special signed Windows 7 security certificate. The applications/applets which manage Windows settings are signed with this certificate. Control panel items are signed with this certificate so they don't prompt UAC if you change any system settings.
The issue is as these applets are signed to not prompt for UAC, you could emulate some keyboard inputs and within a few moments have UAC disabled on a machine without user interaction. Rafael Rivera has done exactly that and posted concept code using some simple VBScript at his site. Malware authors could easily bake this into a fake program to trick the user to execute it.
You'd think this would be easy to fix right? Well you're right but beta testers have been filing bugs with Microsoft (via its connect program) and have met resistance from the software company when Microsoft employees state the behavior is "by design". We have contacted company officials for a statement on the issue but at the time of writing have not received a response.
114 Comments - Add comment