Windows 7 Security Flaw is "By Design"

It is well known now that User Account Control (UAC) in Windows 7 is more customizable than in Windows Vista. With several levels of notification, the system can be "tamed" so that it doesn't ask for permission to do every task. However, the default setting that most people will run has an inherent flaw that will allow a malicious script or program to trick users into disabling UAC, without causing a UAC security prompt to occur.

Vista users complained about UAC, so Microsoft offers four levels of notification in Windows 7. The default option is “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. A security certificate is used to distinguish Windows settings from third-party software, thus preventing prompts when changes are made to these settings.

The problem lies with the fact that when a user alters UAC settings, it is considered a "change to Windows settings" by the default notification level. Therefore UAC's notification level can be altered, or even disabled altogether, and the user would not be prompted to actually consent to it.

A basic proof-of-concept VBscript has been made public that demonstrates how simple it is to disable UAC automatically. A sequence of keyboard inputs is emulated to perform this simple task, alongside Sleep and Run methods. It is also possible to force a restart after UAC has been toggled off to force the user to run with full administrative rights. Malicious programs can then freely alter the system now that they have sufficient privileges to do so.

It would be simple for Microsoft to fix this security hole before the OS ships out. All that is needed is to force a UAC secure desktop prompt to occur whenever UAC settings are changed, regardless of current level of notification. The user would then have to click "yes" to render their system open to attack, so while the fix is not bullet-proof, it is better than requiring no user intervention at all.

Microsoft responded to the publication of this security flaw stating that in order for this vulnerability to be exploited, a user's computer would have to contain malicious code already, which means other security software has failed to prevent this or the user has explicitly allowed it. Also, on Microsoft Connect, submissions made regarding this flaw were all closed and labeled as "By Design."

It is important to note that only users that are part of the Administrative user group will be vulnerable, as Standard users will require an administrative password to make these changes (whether they are initiated by the user or by scripts). However, since the default user group is Administrative, most home users, especially those with only a single user account, will be vulnerable.