Two Windows 7 testers claim they've found a second glitch in the Windows 7 beta's default security configuration that could let malware automatically elevate itself to full administrative privileges without triggering User Account Control prompts or even shutting down UAC at all.

Last week, Microsoft (NSDQ:MSFT) bloggers Long Zheng and Rafael Rivera published simple proof-of-concept code that automatically disables UAC in Windows 7 without any user interaction. On Wednesday, Zheng and Rivera published details on a second UAC flaw in the Windows 7 beta that stems from the OS being set up to automatically elevate Microsoft-signed applications and code in order to minimize UAC alerts.

The problem, according to Zheng, is that some of these trusted, Microsoft-signed applications are designed to execute third-party code for legitimate reasons, which allows attackers to create malware that exploits their trusted status.

"Unfortunately, this flaw is not just a single point of failure. The breadth of Windows executables is just too many and too diverse, and many are exploitable," Zheng wrote.

Microsoft denied that the first UAC flaw was actually a flaw, claiming that the only way UAC could be changed without the user's knowledge was if malicious code was already running on the box.

Microsoft is still investigating the second UAC flaw, said a spokesperson who declined to comment further. However, both Zheng and Rivera reported hearing rumors that the second UAC issue has been fixed in internal Windows 7 builds.

To illustrate the potential impact of the second UAC flaw, Rivera published a proof-of-concept that could let attackers use rundll32.exe -- one of the Microsoft-signed applications -- to execute malicious code on a PC with full administrative privileges.

Zheng recommended that Windows 7 beta users set their UAC settings to 'high' in order to minimize the danger for both flaws. However, that makes UAC in the Windows 7 beta behave in the same overly chatty fashion it did in Vista, which once again highlights the difficulty of balancing security and usability concerns.

While Windows 7 is expected to hew to the same high security standards as Vista, security experts are watching Microsoft's response to the UAC issues closely, and some are beginning to take issue with how the software giant is responding to the UAC reports.

Microsoft is denying that there is a security hole in the User Account Control (UAC) feature of Windows 7 after a blogger reported it last week and posted what he said was a fix for it.

"I can tell you that this is not a vulnerability," a spokesman for Microsoft through its public relations team said in an e-mail.

Last week, Long Zheng, a long-time Microsoft watcher and blogger, wrote on his I Started Something Blog that a change Microsoft made in Windows 7 to improve the UAC security feature has left the new OS less secure because it allows someone to remotely turn the feature off without the user knowing.

Zheng said that the new UAC default setting, which does not notify a user when changes are made to Windows settings, is where the security risk lies. A change to UAC is seen as a change to a Windows setting, so a user will not be notified if UAC is disabled, which Zheng said he was able to do remotely with some keyboard shortcuts and code.

However, Microsoft is standing by the change to UAC's default setting, saying it was the result of "a great deal of usability feedback on UAC prompting behavior," and that the feature cannot be exploited unless there is already malicious code running on the machine and "something else has already been breached."

"The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings," the spokesman said. "This includes changing the UAC prompting level."

UAC has been a controversial feature since Microsoft introduced it in Windows Vista to improve its security and give people who are the primary users of a PC more control over its applications and settings. The features prevents users without administrative privileges from making unauthorized changes to a system.

Because of how it was set up in Vista, UAC sometimes -- through a series of screen prompts -- prevents even authorized users from being able to access applications and features they should normally have access to. Microsoft vowed it would make changes to the feature to make it more user-friendly in Windows 7.

Windows 7 has been in public beta for about a month and not expected to ship until early next year. However, Microsoft said Friday the next release of the OS would be a nearly final release candidate and not another beta release, so some believe it will be out before the end of 2009.

C. Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me. 



D. Click OK to make the change effective.


E. Restart the computer to turn off User Access Control.[Via DigitalLife]

These are some quick notes from a session on UAC by Paul A. Cooke, Tech-Ed EMEA 2008:

Microsoft Windows 7 will reduce the number of OS applications and tasks, that require elevation – this has been done by re-factoring apps and tasks into elevated and non-elevated pieces.

UAC v2 will provide a more flexible prompt behavior for administrators, also administrators will see less UAC elevation prompts.

Users can do even more as standard user (eg. parts of Bitlocker, Windows Update etc.), they will also be able to ‘read’ system settings without needing to elevate.

Windows 7 will be better spotting human vs. application changes, this way “human administrator” changes will be allowed without too many prompts.

UAC can now easily be graduated into 4 levels (from the strict Vista default to totally off) - everything can of course be handled using group policy.

 

To me this is all pretty cool – but to be honest, I’m one of those weird guys, who don’t care about Vista UAC prompts… I just press ALT+C… How hard can it be? ;-)

.

Nicholas Rayner pointed out (via Twitter linking back to his blog) a new article available for download on Microsoft.com looking at 5 misunderstood features in Windows Vista today.

Download: 5 Misunderstood Features in Windows Vista

Those 5 misunderstood features include:

• User Account Control (UAC)
• Image Management
• Display Driver Model
• Windows Search
• 64-bit architecture

The article looks to clear up some confusion IT Pros might have with these features. This article is part of the Springboard Series on TechNet offering a collection of resources, tools, and monthly articles to address your questions on Windows Vista based on community feedback and feedback from early adopters.

We blogged about a Springboard Series Live Roundtable event in February in which Technical Fellow Mark Russinovich took part of addressing Windows Vista Deployment and Adoption. You can watch the recording of the session here.

Thanks Nick (a.k.a "aussienick") for pointing this out!