Windows 7 Security Flaw is "By Design"

Status
Not open for further replies.

topgear

Super Moderator
Staff member
It is well known now that User Account Control (UAC) in Windows 7 is more customizable than in Windows Vista. With several levels of notification, the system can be "tamed" so that it doesn't ask for permission to do every task. However, the default setting that most people will run has an inherent flaw that will allow a malicious script or program to trick users into disabling UAC, without causing a UAC security prompt to occur.

Vista users complained about UAC, so Microsoft offers four levels of notification in Windows 7. The default option is “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. A security certificate is used to distinguish Windows settings from third-party software, thus preventing prompts when changes are made to these settings.


The problem lies with the fact that when a user alters UAC settings, it is considered a "change to Windows settings" by the default notification level. Therefore UAC's notification level can be altered, or even disabled altogether, and the user would not be prompted to actually consent to it.


A basic proof-of-concept VBScript has been made public that demonstrates how simple it is to disable UAC automatically. A sequence of keyboard inputs is emulated to perform this simple task, alongside Sleep and Run methods. It is also possible to force a restart after UAC has been toggled off so that the user ends up running with full administrative rights. Malicious programs can then freely alter the system now that they have sufficient privileges to do so.


It would be simple for Microsoft to fix this security hole before the OS ships out. All that is needed is to force a UAC secure desktop prompt to occur whenever UAC settings are changed, regardless of current level of notification. The user would then have to click "yes" to render their system open to attack, so while the fix is not bullet-proof, it is better than requiring no user intervention at all.


Microsoft responded to the publication of this security flaw stating that in order for this vulnerability to be exploited, a user's computer would have to contain malicious code already, which means other security software has failed to prevent this or the user has explicitly allowed it. Also, on Microsoft Connect, submissions made regarding this flaw were all closed and labeled as "By Design."


It is important to note that only users that are part of the Administrative user group will be vulnerable, as Standard users will require an administrative password to make these changes (whether they are initiated by the user or by scripts). However, since the default user group is Administrative, most home users, especially those with only a single user account, will be vulnerable.

Source : *www.tomsguide.com/us/windows-7-uac-vista,news-3416.html

Take look at here also : *www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft
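The exposure described in the post above, as an added example that is not from the thread, the Tom's Guide article or Microsoft: a PowerShell audit that reads the UAC policy values Windows keeps under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, reports whether the interactive user is a member of the local Administrators group, and reports whether the running process already holds the full admin token. The registry value names and the meanings of ConsentPromptBehaviorAdmin are the standard UAC policy settings; the verdict strings and the ExposedInBetaScenario flag are this example's own labels for the situation the post describes (an admin-group user on the default notification level). Run it from an unelevated PowerShell as the logged-on user.

```powershell
# Added example, not code from the thread: audit the UAC posture discussed above.
# Registry location and value names are the standard UAC policy settings;
# the verdict strings and the ExposedInBetaScenario flag are this example's own.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# A missing value means "not configured", which behaves like the UAC-on default.
function Get-PolicyValue($props, $name, $default) {
    $v = $props.$name
    if ($v -eq $null) { return $default } else { return [int]$v }
}
$enableLua   = Get-PolicyValue $p 'EnableLUA' 1                   # 0 = UAC off entirely (takes effect after reboot)
$adminPrompt = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5  # how admins in Admin Approval Mode are prompted
$secureDesk  = Get-PolicyValue $p 'PromptOnSecureDesktop' 1       # 1 = prompt on the dimmed secure desktop

# ConsentPromptBehaviorAdmin:
#   0 = elevate silently, never prompt
#   1 = prompt for credentials on the secure desktop
#   2 = prompt for consent on the secure desktop          ("Always notify")
#   3 = prompt for credentials
#   4 = prompt for consent
#   5 = prompt for consent for non-Windows binaries only  (Windows 7 default)

# Member of BUILTIN\Administrators (S-1-5-32-544)? whoami /groups prints the SID
# even when the unelevated token carries the group as "used for deny only".
$isAdminMember = [bool]((whoami /groups) -match 'S-1-5-32-544')

# Does this process hold the full admin token? With UAC on, an admin's normal
# token is filtered, so IsInRole() stays $false until the user consents to elevate.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Classify, most severe first.
if ($enableLua -eq 0) {
    $verdict = 'UAC DISABLED: EnableLUA=0, admin logons run fully elevated'
} elseif ($adminPrompt -eq 0) {
    $verdict = 'UAC SILENT: admins elevate with no prompt (equivalent to off)'
} elseif ($adminPrompt -eq 5) {
    $verdict = 'UAC DEFAULT: Windows-signed binaries elevate without a prompt'
} elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) {
    $verdict = 'UAC STRICT: always notify, on the secure desktop'
} else {
    $verdict = "UAC CUSTOM: ConsentPromptBehaviorAdmin=$adminPrompt PromptOnSecureDesktop=$secureDesk"
}

# The scenario in the post: an Administrators-group user on the default level,
# where (in the Beta build) a script can walk the UAC slider down unprompted.
$exposed = ($isAdminMember -and $enableLua -eq 1 -and $adminPrompt -eq 5)

New-Object PSObject -Property @{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $adminPrompt
    PromptOnSecureDesktop      = $secureDesk
    UserIsAdminMember          = $isAdminMember
    ProcessIsElevated          = $isElevated
    ExposedInBetaScenario      = $exposed
    Verdict                    = $verdict
} | Format-List
```

On a default Windows 7 install, for a user in the Administrators group, this should report ConsentPromptBehaviorAdmin=5, UserIsAdminMember True and ProcessIsElevated False. If an unelevated shell that never clicked through a consent prompt reports ProcessIsElevated True, UAC has already been switched off or set to silent elevation, which is exactly the end state the post describes. The hardening the article implies (a secure-desktop prompt on every elevation) corresponds to the "Always notify" position, ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1, which an elevated prompt can set with Set-ItemProperty on the same key.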
 

hellknight

BSD init pwns System V
Microsoft needs to release a solid version of Windows or end the Windows brand and focus on their new operating system called Midori
 

Dark Core

Freak Beta 1
If M$ falls down in Win 7, it will be hard for them to rule the OS market. They know that and won't try to let it down. I hate using Linux, don't know why but it doesn't come near to Windows for me :-/
 
topgear (OP)

Super Moderator
Staff member
Windows 7 is still in the beta stage. So I think they will fix it in the final version & so its release will be delayed like Vista.

For M$ market share - a huge number of gamers have to use Windows despite knowing it has more flaws & security holes than Linux, as many DX-based games just won't run (or run properly) on Linux.
 

chooza

Journeyman
Wow, another MS-bashing thread. Do some research of this kind on other OSes also.

So, win7's future looking shaky here

Mate, at least let the full & stable version be released first. You have already started making prophecies.
 

iMav

The Devil's Advocate
It's gonna be fixed. MSFT has admitted to the flaw in UAC & have said on the Win 7 blog that it will be fixed in the RC release.
 

chooza

Journeyman
Win7 would be worse than win98

Oh I see! I think that you have worked on all the code of Win7. Right???? Don't make such statements when you don't know anything. And there are many differences between India and America. Some of them are:

1. In India you remain with your parents in their old age and do not throw them in old age homes, not in America.
2. In India, you do not sleep with your gf when your parents are with you.
3. In India, there is still some decency left for girls and kids. They are not only meant to do ***.
 

iMav

The Devil's Advocate
That is what happens when the design is secure as an afterthought, rather than by design...
Actually it's the other way round: people on many forums cried like babies because of the UAC in Vista, & when it was relaxed because of those troubled souls they are now criticizing it for being weak. Microsoft - damned if they do, damned if they don't.
 

infra_red_dude

Wire muncher!
^^^ Fully agree with you!

Win 7 is still in beta, give MS a chance!!! Bash if you find all this in the final release. How can anyone expect a beta version to be perfect??!! Beats me!
 
When is the RC expected to be out?

And when is the Windows 7 launch date? I am eagerly waiting for the Windows 7 Home Basic edition. It's probably the BEST version of Windows to use and buy.
 

Garbage

God of Mistakes...
Oh I see! I think that you have worked on all the code of Win7. Right???? Don't make such statements when you don't know anything. And there are many differences between India and America. Some of them are:

1. In India you remain with your parents in their old age and do not throw them in old age homes, not in America.
2. In India, you do not sleep with your gf when your parents are with you.
3. In India, there is still some decency left for girls and kids. They are not only meant to do ***.
Reported!
Reason - OFFTOPIC

[ontopic]
Before commenting, we should wait for the final release.
I won't say it's too bad, but installation of Windows 7 Beta failed 4 times on my lappy. :D

Anyway, it's good that M$ is fixing its OS.
[/ontopic]
 