Categories: Security

Microsoft Changes Windows 7 UAC

In response to user concerns, Microsoft has agreed to change the User Account Control feature in Windows 7 so it generates a prompt if there is an attempt to alter its settings.

The decision was something of a reversal for Microsoft, which earlier indicated it did not want to force users to deal with additional prompts despite a debate that was raging in the blogosphere.

“With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see,” according to Microsoft’s Engineering Windows 7 blog. “First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.”

The debate over the UAC settings began when Windows bloggers Rafael Rivera and Long Zheng posted proof-of-concept code that circumvents UAC in the Windows 7 beta. The attack allowed hackers to use pre-approved Microsoft applications to fool Windows 7 into granting malicious code full access rights.

The company announced the move late on the 5th Feb., hours after it agreed to fix what officials called a privilege escalation issue in Windows 7 uncovered by Zheng and Rivera.

Currently, the default UAC setting in the Windows 7 beta is set to only notify users when programs try to make changes. According to Zheng and Rivera, Windows 7 uses a special Microsoft Windows 7 certificate to distinguish between third-party programs and applications/applets that manage Windows settings.

Due to the fact some Microsoft-signed applications can also execute third-party code, and there is an inherent trust for everything Microsoft-signed, the chain of trust inadvertently flows onto other third-party code as well, Zheng explained in a blog. As a result, it is possible for hackers to exploit that trust to change the UAC settings without the user’s knowledge, the researchers explained.

Though it agreed to the additional change, Microsoft continued to defend its actions, stressing once again that for the attack to matter, the machine would already have to be compromised. As a result, the situation was technically not a vulnerability in the UAC.

“It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else,” Microsoft officials contended on their blog.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 hour ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

2 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

1 day ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

1 day ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

1 day ago

Trump Media Briefly Worth More Than X

Truth Social parent company Trump Media sees shares rally and then sink as stock price…

1 day ago