Microsoft claims Windows 7 UAC flaw is by design

By Woody Leonhard

Changes to User Account Control are designed to make Win7 less annoying, but they also make the OS vulnerable, according to a prominent researcher.

A very simple Visual Basic script — which in many cases runs without any prompts — can disable UAC completely, without warning.

Attempts to enhance UAC make it vulnerable

On Jan. 30, Windows über-geek Long Zheng posted a detailed explanation of a security flaw he had discovered in the Windows 7 beta, along with working proof-of-concept code. The next day, Microsoft responded with a lengthy riposte, declaring “[t]his is not a vulnerability” and refusing to fix the problem when Windows 7 ships later this year. And therein lies a story …


Anyone who has used Windows Vista for any time at all has encountered UAC, the vilified but effective security feature that dims the screen and forces you to click, click, and click again before you’re allowed to make changes to your PC.

Yeah — I hate UAC, too.

Windows 7, which is expected to ship as early as this summer, takes great strides to reduce the number of clicks required to perform many common tasks. If you use an administrator account, Win7’s Action Center lets you set a slider to choose among four levels of UAC intrusiveness, er, accountability (see Figure 1).

Figure 1: Windows 7 provides four levels of User Account Control.

• Level 1 always brings up the full UAC notification when a program tries to install software or make changes to the computer that require an administrator account. It also generates the UAC pop-up when you try to make changes to Windows settings that require an administrator account, even if you’re already using such an account.

• Level 2 brings up the UAC notification when a program attempts to change your computer in a way that requires an administrator account — just as with Level 1 — but not when you make changes to Windows settings. This is the default setting in Windows 7.

• Level 3 is the same as Level 2, except the UAC notification doesn’t take over the PC and dim the screen. Dimming is only part of the equation: when the screen isn’t dimmed, the prompt is not shown on the isolated Secure Desktop, so UAC isn’t in complete control of your computer and a running program can “send keys” to the prompt or otherwise monkey with it.

• Level 4 disables UAC: programs can install other programs or make changes to Windows settings, and you can change anything you like, without ever seeing a UAC prompt. Note that Level 4 doesn’t hand out administrator rights: if you’re using a Standard account, a program that needs administrator privileges (for example, an installer that runs for all users) is simply denied. With UAC switched off there is no prompt at which you could supply an administrator ID and password.
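The four slider positions are just combinations of three DWORD values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The PowerShell script below is an added example, not code from the article or from Long Zheng’s proof of concept: it maps each slider level to those values (the mapping is mine, not something the article states), reports which level a machine is really at, and can force Level 1, the setting Long recommends at the end of the article. Run it from an elevated PowerShell: PowerShell is not one of the Windows components that elevates silently at Level 2, so writing to this key from a non-elevated session fails with access denied.

```powershell
# Added example (not from the article): audit the UAC slider position by reading
# the registry values the slider writes, and optionally force Level 1.
# The level-to-value table is this example's own mapping, not quoted from the article.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Slider level -> (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop)
$UacLevels = @{
    1 = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 } # Always notify
    2 = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 } # Win7 default
    3 = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 } # No Secure Desktop
    4 = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 } # UAC off
}

function Get-UacLevel {
    # Returns 1..4 for a slider position, or 0 if the values match no slider
    # position (set by Group Policy or by hand, which is worth knowing about).
    $p = Get-ItemProperty -Path $UacKey
    $cur = @{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
    foreach ($level in 1..4) {
        $want  = $UacLevels[$level]
        $match = $true
        foreach ($name in $want.Keys) {
            if ($cur[$name] -ne $want[$name]) { $match = $false }
        }
        if ($match) { return $level }
    }
    return 0
}

function Set-UacLevel {
    param([ValidateRange(1, 4)][int]$Level)
    $want   = $UacLevels[$Level]
    $before = [int](Get-ItemProperty -Path $UacKey).EnableLUA
    foreach ($name in $want.Keys) {
        Set-ItemProperty -Path $UacKey -Name $name -Value $want[$name] -Type DWord
    }
    # EnableLUA is only read at logon: moving to or from Level 4 takes effect
    # after a restart, which is why the article's script needs a reboot to
    # finish turning UAC off.
    if ($before -ne $want.EnableLUA) {
        Write-Warning 'EnableLUA changed; restart required before UAC is actually turned on or off.'
    }
}

$level = Get-UacLevel
Write-Host "Current UAC slider level: $level (0 = no slider position matches)"
if ($level -ne 1) {
    Set-UacLevel -Level 1
    Write-Host "UAC set to Level 1 (Always notify); now reads: $(Get-UacLevel)"
}
```

A result of 0 is the interesting case for an auditor: it means the three values were changed individually, which a domain policy or a script can do without ever touching the slider, so the Action Center slider alone is not a reliable indicator of how UAC is configured.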

This description sounds pretty simple, but the details are quite complex. Win7’s help system says that if your computer is at Level 2 — the default setting — “[y]ou will be notified if a program outside of Windows tries to make changes to a Windows setting.”

How does Windows 7 tell when a program is “outside of Windows” and thus whether actions taken by the program are worthy of a UAC prompt at Levels 2 or 3? Tough question, as you’ll see shortly.

Long’s view: cracking Win7’s UAC is too easy

Long Zheng’s article, titled “Sacrificing security for usability: UAC security flaw in Windows 7 beta,” shook many of us who are testing Windows 7. Crediting a post by, and discussions with, developer Rafael Rivera, Long explains that the UAC level rules are interpreted according to a special Windows 7 security certificate.

Programs signed with that certificate are deemed to be part of Windows. Programs that aren’t signed with that specific certificate are “outside of Windows” and thus trigger UAC prompts if your computer is set at UAC Levels 1, 2, or 3. Long notes that the act of changing the UAC level counts as “a change to Windows settings” — not surprising — and thus does not trigger a UAC response at Levels 2, 3, or 4.

Here’s the surprising part: Long and Rafael wrote a very simple VBScript that you can copy and run for yourself. The script changes the UAC level in Windows 7 from 2 to 4. The four lines of the cracker program that change the UAC level are these:


This is the simplest security-busting program I’ve ever seen.

If you run that program with your UAC level at 2, UAC will check to see whether the program is “outside of Windows.” In this case, the VBScript is calling something named WScript.Shell, which is part of Windows and signed with a Windows 7 security certificate. Since the cracker program is perceived as being inside Windows, it runs without generating any UAC prompt.

If you run the script on your computer, you’ll see that Windows has to restart in order to turn off UAC entirely. As Long notes, it’s pretty easy to write a program that restarts Windows.

Bottom line: it’s almost trivially easy to write a program that disables User Account Control entirely when it’s run using a Windows 7 administrator account. Long recommends that Microsoft fix the problem before Windows 7 ships.

Microsoft is tap dancing as fast as it can

Microsoft’s response to Long includes the following statement:
  • “This is not a vulnerability … The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level … The only way [the UAC level] could be changed without the user’s knowledge is by malicious code already running on the box … In order for malicious code to have gotten onto the box, something else has already been breached (or the user has explicitly consented).”
In other words, Microsoft doesn’t see this as a security breach and won’t be fixing it.

The online community has exploded with a barrage of opinions on all sides. Clearly, if you intentionally run a program and that program does something bad to your computer — change the UAC level or reformat the C: drive, for example — you’re the one who tempted fate and reaped the consequences.

Just as clearly, a program that runs at a low level of security — causing no prompt at all for a typical administrator account in Windows 7 — and that turns off UAC with no warning whatsoever gives most people the willies.

Finding the best mix of security and convenience

So who’s right, Long or Microsoft? They both are. And they’re both wrong. Let me explain:

Looking at the behavior from the point of view of a typical Windows 7 user — someone who barely understands the difference between an administrator and a standard account — the problem certainly seems, well, shocking.

But it isn’t just the n00bs who should be concerned. Many of us who have dealt with Windows administrator accounts for years were quite surprised to learn that a silent program could zap UAC. I don’t know about you, but labeling a homegrown VBScript that calls Windows Shell an “inside Windows” program stretches my definition of “inside” beyond the breaking point.

That said, what Microsoft asserts is true as well. Changing the UAC level is certainly altering a Windows setting. If you leave your computer at UAC Level 2, you’re allowing “inside Windows” programs to change Windows settings without warning.

More importantly, if you’re running a program that zaps your UAC setting, that program can do all sorts of bad things. Any such program must’ve arrived via some security breach.

In the end, I agree with Long that Microsoft should make a small change to Windows 7’s current behavior:
  • “There is a simple fix to this problem [that] Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state. This is not a fool-proof solution (users can still inadvertently click ‘yes’) but [rather] a simple one I would encourage Microsoft to implement.”
Don’t be fooled; we’re looking at a stopgap. Windows 7 won’t be secure until it can tell — reliably — which actions were initiated by the user and which were started by a program. The OS must also provide security prompts accordingly.

I wrote about this approach more than two years ago in a Woody’s Windows column that took Microsoft to task over implementation of UAC in Vista. Getting that level of security in some future version of Windows will require a major rewrite. I won’t hold my breath.

(As we were going to press, Long Zheng posted details about a second Windows 7 UAC security flaw. The problem Long describes has its roots in the “inside Windows”/”outside Windows” dilemma discussed above. It remains to be seen how Microsoft will respond. In the interim, Long recommends that Win7 users set their UAC prompt to Level 1. I’ve done exactly that on all my Windows 7 machines.)

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Posted in Windows Secrets on 2009-02-05.

About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.