A pair of Windows bloggers posted more proof-of-concept code today that subverts an important security feature of Windows 7, a problem Microsoft knew about as long ago as last October and which one of its software engineers said would be fixed in the beta.
Today, however, the company said it had addressed the issue in post-beta builds that have not yet been released to the public.
[ Read what InfoWorld's Randall C. Kennedy has to say about the dumbing down of UAC in Windows 7. ]
According to bloggers Rafael Rivera and Long Zheng, hackers can easily piggyback on "pre-approved" Microsoft applications and code to trick Windows 7 into granting their malicious code full access rights to the machine. "This is a real threat," Rivera, who is also a developer, said in an interview today. "No reconfiguration of UAC is necessary."
At issue is UAC, or User Account Control, a security feature that prompts users for their consent before allowing tasks such as program and device driver installation to take place. UAC, which debuted with Windows Vista in 2007, has been modified by Microsoft in Windows 7 in an attempt to dampen criticism of the feature, which has been blasted by users as being too intrusive.
In Windows 7, UAC prompts the user less frequently, in part because it checks to see whether the application making changes to the system is pre-approved, said Rivera and fellow blogger Long Zheng. If the application is considered safe -- Microsoft uses a combination of a digital certificate and a new, undocumented flag to mark approved code -- UAC steps aside and "auto-elevates" the application without putting up a prompt.
The trouble, according to Rivera and Long, is that attackers can use one of several pre-approved applications to fool Windows 7 into giving a malicious payload full administrative rights, something it would not have if the user was following Microsoft's advice and running the operating system in standard user mode.
"Windows will ... automatically elevate the process to High Mandatory Level, executing your payload wearing an administrative hat," Rivera said in a post to his blog early this morning.
The danger, he and Long argued, is real and significant. "Existing malware can be easily tweaked to accommodate the new weaknesses in Windows 7," Rivera said via instant messaging today.