I just finished reading an interesting article in which the writer claims that Microsoft has made a mistake in how they are controlling the behavior of UAC. UAC (User Account Control) was first introduced in Windows Vista. What UAC was originally designed to do was to prompt the user to either accept or reject changes being made to the system. Many people complained that the overabundance of pop-up windows was annoying, so Microsoft tried to address the problem in their latest beta of Windows 7.

This is what the article states:

Now for a bit of background information on the changes to UAC in Windows 7. By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate. The applications/applets which manage Windows settings are signed with a special Microsoft Windows 7 certificate. As such, control panel items are signed with this certificate so they don’t prompt UAC if you change any system settings.

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings” which, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

Of course it’s not a security vulnerability if you have to coerce the user into disabling UAC themselves (although sweet candy is exceptionally persuasive), so I had to think “bad thoughts” to come up with a way to disable UAC without the user’s interaction. The solution was trivial: you could complete the whole process with just keyboard shortcuts, so why not make an application that emulates a sequence of keyboard inputs?
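As an added example (not part of the quoted article or of this post), here is a PowerShell check an administrator can run to see which UAC slider level a Windows 7 machine is actually at. It reads the registry values behind the slider and flags the default level described above, where Windows-signed settings applets elevate without a prompt. The value-to-level mapping is the Windows 7 one and is an assumption of this example.

```powershell
# Added example: audit the registry values that back the Windows 7 UAC slider.
# Assumption: the mapping below is the Windows 7 mapping (EnableLUA=0 is what
# "Never notify" writes on Windows 7; it takes effect after a reboot).
function Get-UacLevel {
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $sys = Get-ItemProperty -Path $Path

    # A missing value behaves like the default shown here.
    $enableLua  = if ($null -ne $sys.EnableLUA) { [int]$sys.EnableLUA } else { 1 }
    $adminMode  = if ($null -ne $sys.ConsentPromptBehaviorAdmin) { [int]$sys.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($null -ne $sys.PromptOnSecureDesktop) { [int]$sys.PromptOnSecureDesktop } else { 1 }

    if ($enableLua -eq 0) {
        $level = 'Never notify (UAC disabled)'
    } elseif ($adminMode -eq 2 -and $secureDesk -eq 1) {
        $level = 'Always notify'
    } elseif ($adminMode -eq 5 -and $secureDesk -eq 1) {
        $level = 'Notify me only when programs try to make changes (Windows 7 default)'
    } elseif ($adminMode -eq 5 -and $secureDesk -eq 0) {
        $level = 'Notify me only when programs try to make changes (desktop not dimmed)'
    } elseif ($adminMode -eq 0) {
        $level = 'Elevate without prompting'
    } else {
        $level = 'Custom'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDesk
        Level                      = $level
        # True at the level the article discusses: Windows-signed settings
        # applets (the UAC control panel included) elevate without prompting.
        # Only "Always notify" (2) makes a change to the UAC setting prompt.
        SettingsChangeUnprompted   = ($enableLua -eq 1 -and $adminMode -eq 5)
    }
}

Get-UacLevel | Format-List
```

Run it from an elevated or standard prompt; reading this key needs no elevation, and a machine reporting SettingsChangeUnprompted = True is at the level the quoted article is concerned about.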

The writer also provides a download of a script that will disable UAC. Which made me think: is posting the information a good idea? Should vulnerabilities be pointed out to Microsoft before they release Windows 7?

I believe personally that such security issues need to be addressed before, not after, Windows 7 hits the street. Or we may have to wait until Windows 7 SP1 for a fix to appear. 🙁

Comments welcome.