You have to hand it to them: Microsoft has made an excellent marketing move the last couple of days. Remember the UAC issue we reported on earlier? It turned out that changing UAC settings did not actually trigger a UAC dialog, allowing scripts and malware to disable UAC altogether without the user ever noticing anything – obviously leaving the system wide open. After stating numerous times the company wouldn’t do anything about this issue, they have now done a complete 180, and will fix UAC to work as many had already advised. A brilliant marketing ploy right there.
As soon as the net got wind of the vulnerability in the UAC slider setting dialog in Windows through the work of Long Zheng and Rafael Rivera, the net was filled with complaints and requests to Microsoft to fix this issue. In summary, the issue boils down to this: in Windows 7, there is a slider that allows you to fine-tune UAC, from [Vista-]paranoid mode to “off”. The problem is that changing this slider did not trigger a UAC dialog. In other words, scripts and malware could easily disable UAC without the user ever noticing anything. The workaround was to move the slider all the way up to paranoid mode.
Long Zheng contacted Microsoft shortly after, and the company claimed this was by design, and that they wouldn’t change it. To further detail this position, Microsoft’s Jon DeVaan wrote a lengthy blog post on the Engineering 7 weblog. The company’s argument is that in order for the vulnerability to work, malware would already need to be running on the system, and that modern web browsers and email clients already present a good enough security barrier. “We know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system,” DeVaan writes, “We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines.”
The comments to this blog post were crystal clear: most accused DeVaan of missing the point. The situation was best summed up by commenter d_e: “Jon, you’re missing the point. The people only want to see an UAC notification when the UAC level is changed. That’s all. You don’t have to change anything else.” The call to treat UAC as a special case – always requiring confirmation no matter the account or elevation level – was loud.
Microsoft gave in. In a follow up post, DeVaan and Sinofsky write:
With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
Basically, they will treat changing UAC settings as changing a password: you always need to enter your old one for that.
Great marketing example, this. You cannot say with a straight face that such a massive company made such a 180 in such a short time. This feels rather planned out, and it has been executed wonderfully. Still, that does not negate the fact that this change makes Windows 7 a better and more secure operating system. Marketing ploy or not, people will benefit.
is it just me, or did they say before that they wouldn’t change it because that was how it was supposed to be, and now they’re saying they’re changing it because they’ve been planning to change it all along?
edit:
before according to osnews:
“This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.”
after according to cnet:
“With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see,” the pair wrote. “First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion…Second, changing the level of the UAC will also prompt for confirmation.”
hmm maybe. sounds like they tried hard to not sound wrong, or are in denial about being wrong
Edited 2009-02-06 12:10 UTC
Not “according to OSAlert”, but “according to Microsoft”.
what I meant with that was citing where I got it from
Thom Holwerda reported…
…it’s the scent of desperation! When somehow fixing a vulnerability becomes a “brilliant marketing ploy” you know Microsoft has nothing of substance to offer in Windows Seven. Hey at least it’s not Vista right?
–bornagainpenguin
I wouldn’t get too excited about this..
Many Linux distros STILL maintain a 15 minute sudo timeout (apparently Ubuntu is one of them), which means any program (virus or otherwise) can sit there and wait until there’s an open sudo session available, and then get admin privs without a password. Some Linux distros are still calling that a feature unfortunately (so they are no better than Microsoft).
But yeah, its about time Microsoft fixed this stupidity. UAC is certainly a good thing, but that broken behavior would have made it as insecure as Windows XP. Good to see they stopped playing politics and caved in.
Btw, at least they did a 180 degrees… I wouldn’t say it’s a marketing ploy though (not sure where the author came up with that BS from).
Either way, I don’t care as long as it’s fixed.
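The sudo behaviour the comment above describes is controlled by the `timestamp_timeout` option in sudoers (and, for which terminal the cached credential is valid in, by `tty_tickets`). The drop-in file below is an added example, not something from this thread or from any distribution; the 15-minute figure is the one the commenter quotes, not something verified here, and the path is an illustrative choice.

```conf
# /etc/sudoers.d/90-timeout   (added example; edit only with: visudo -f <file>)
#
# Weak: after one successful sudo, credentials stay cached for 15 minutes,
# so any process running as that user can call sudo again without a
# password until the window closes.
#Defaults timestamp_timeout=15

# Hardened: no caching at all; every sudo invocation prompts.
Defaults timestamp_timeout=0

# Bind any cached credential to the terminal it was obtained on, so a
# ticket from one session cannot be reused from another.
Defaults tty_tickets
```

`sudo -k` discards an existing cached credential immediately, which is the manual equivalent of the timeout expiring; setting the timeout to 0 removes the window rather than shortening it.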
And not only that, but with some distros (perhaps most notably Ubuntu), anyone with physical access to your computer can gain root-level access without any effort at all, by selecting “recovery mode” from the bootloader prompt.
Not quite the same thing, I realize, but still an example of an easily fixable security flaw that remains untouched.
As long as you are not using file/disk encryption, anyone with physical access can have full access to your data stored on that device. Adding a “feel-good” security as you propose does not enhance security at all.
Think about it this way–if you’re leaving your house for a week, and for whatever reason your front door lock is broken, do you…
a) close the front door
b) leave the front door open
The fact is, the Ubuntu option is closest to choice b. At least using a boot CD requires some effort.
Anyone expending the effort to select “recovery mode” is going to be prepared with a liveCD also. I’d actually skip to step two and just use the liveCD or trusty flashdrive in my pocket; why use your distro in recovery mode when I can use my distro in “all your disk are belonging to us” mode.
I see it the same way with wireless routers. People say: but if I hide my SSID then I’m cutting out the skript kiddies because it’s too much effort to see my SSID (…in the first packet detected by kismet, airodump and nearly any other tool that anyone looking at others’ wireless networks is already going to be using).
Actually, Ubuntu’s decisions regarding security are one of the reasons it’s not the distro of choice for many security conscious geeks. You can either lock down Ubuntu and have the popular brand name installed or you can use a distro that believes in security-by-default even if that causes a little more learning for the end user. I don’t mean to say that Ubuntu is not a great introductory distribution.. it’s just not what some are going to stay with once they get comfortable enough to try other liveCDs.
Big deal – you can reset the admin password on just about anything (Windows, Linux, or MacOS X) if you happen to have a boot CD handy. An Ubuntu LiveCD will do the job nicely, as would a WinPE boot CD, or a Mac OS X install CD.
The only way to prevent someone with physical access to your machine from getting root-level access is to use whole-disk encryption.
By the way, as with the recovery console on Windows XP, most Linux distributions require you to enter the root password before you can use recovery mode. It’s just Ubuntu that doesn’t, because it doesn’t have a root password.
Reset my admin passwords? Truecrypt; no you can’t.
Downside is that I can’t use liveCD tools to fix issues in Windows that can’t be fixed from inside it (I’ve a Flash v6 plugin that can’t be deleted off the platter). I’m ok with it though, the benefits of encrypted disks outweigh the few hassles on the technician side.
Never understood why they changed UAC in the first place. It was supposed to be annoying, supposed to teach people better security. Just because they’re complaining doesn’t mean you have to appease them.
You know, it’s not necessarily Microsoft’s job, but seeing as they do control the market, they probably should put out more of an effort to really explain to people why things like this are necessary, and why people are going to have to fix over ten years of bad security habits. If the common user understood better, they’d probably complain less at least.
It was supposed to teach developers to write their software within Microsoft’s specifications by annoying the end users enough that they would put pressure on the third party developers.
Badly planned and implemented from start to end if they still claim that providing benefit to the end user is the goal of the product.
Well, yes – it does, rather. If people aren’t happy with your product, they might not buy it, and don’t give you their money. That’s what’s happened with Vista, and it’d be a disaster for Microsoft if Windows 7 got the same reaction.
An idiotic conclusion following from an idiotic line of reasoning.
At least you’re consistent!
Seven down-mods? My best haul yet!
It’s also interesting that there wasn’t a single reply. Thanks for proving that GNU/Freetards are not just a bunch of over-sensitive crybabies – but they’re also gigantic cowards to boot!
Hahaha!
Honestly, your comment isn’t substantive enough to comment on, so we just downmod it. Consider it my own kindness to even bother replying to you now.
I am really looking forward to Win7 because of the memory model. Not memory management, process management. With Applocker and SRS it should be a tight OS. I run Windows XP x64 without any full time AV running.
Edited 2009-02-06 12:48 UTC
Running XP without a full time AV ? Just shows how dopey some people can be….
I really don’t know what all that hullabaloo was about. You release betas to catch issues like this. They turned around to say it wasn’t a vulnerability, which is sort of right (it wasn’t a software flaw, more a logic issue), but to say that they wouldn’t change it is just retarded.
What they are saying now is the obvious fix; it is very hard to wrap one’s mind around how this could be miscommunication, but it is even harder to imagine that it was anything else. If it is this hard for an MVP to explain a very clear cut issue to the Windows team during a time in the product cycle that is specifically for user feedback, it would be next to impossible for a normal person. I think this whole thing speaks to a communications issue the Windows team sorely needs to address. Sinofsky is one of the good guys at Microsoft; I was really hoping him being there would fix that, but it seems that same wall of silence is still there.
They claimed it was a feature implemented that way on purpose. They now claim it’s “something we were going to fix anyway” only because they got embarrassed in the media.
Off topic: This is the reason why I have always disliked Ubuntu. They effectively got rid of the root account. Why? It just detracts from the overall security of the box. To gain access to my server’s root account, I would first have to compromise a user account. Then I would have to go after root through the user. With Ubuntu, there is only one account to compromise and it is available through ssh.
Edited 2009-02-06 14:54 UTC
It’s not that hard to change – all you have to do is:
sudo passwd
It’s actually one of the first things I do after an Ubuntu install.
My first addition; ssh
My first change after that addition; disallow root login through ssh config and passwd (-d is it?)
Yep, and then just remove the first user created from the wheel group (and any others).
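The two hardening steps described in the comments above (no root login over ssh, root's password locked rather than merely emptied) are easy to get subtly wrong, so here is an added audit script that is not from this thread. It checks copies of `sshd_config` and `/etc/shadow` lines you hand it, so it runs without root; the sample inputs are constructed. It assumes the config has no `Match` sections (sshd takes the first occurrence of a keyword, which is what the parser implements). Note that in `/etc/shadow` an empty password field is not the same as a locked one: `passwd -l` prefixes the hash with `!`, while `passwd -d` removes it entirely.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for "root cannot log
# in over ssh" and "root's password is locked".

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd uses the FIRST occurrence of a keyword; comment lines and the
# "Keyword=value" spelling are handled. Assumption: no Match blocks.
sshd_permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        {
            line = $0
            sub(/=/, " ", line)                # "PermitRootLogin=no" -> "PermitRootLogin no"
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == "permitrootlogin" && !seen) {
                seen = 1; val = f[2]
            }
        }
        END { print (seen ? val : "unset") }
    ' "$1"
}

# Succeeds only when root login over ssh is explicitly disabled.
# "unset" is treated as not disabled: older OpenSSH defaulted to "yes".
root_ssh_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# Classify the password field of one /etc/shadow line (name:hash:...).
#   locked : hash prefixed with "!" (passwd -l / usermod -L) or "*"
#   empty  : no password at all (what passwd -d leaves behind)
#   set    : a usable hash
shadow_password_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Demo on constructed samples (not taken from any real host).
demo() {
    cfg=$(mktemp)
    printf '# constructed sshd_config\nPort 22\nPermitRootLogin no\nPermitRootLogin yes\n' > "$cfg"
    if root_ssh_login_disabled "$cfg"; then
        echo "ssh: root login disabled"
    else
        echo "ssh: root login still possible"
    fi
    rm -f "$cfg"
    for line in 'root:!$6$salt$hash:18000:0:99999:7:::' \
                'root::18000:0:99999:7:::' \
                'alice:$6$salt$hash:18000:0:99999:7:::'; do
        printf '%s -> %s\n' "${line%%:*}" "$(shadow_password_state "$line")"
    done
}

demo
```

The second `PermitRootLogin yes` in the sample is deliberately ignored by the parser, matching sshd's first-match rule; a hardened file should still contain only one directive so the intent is obvious to the next reader.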
I believe only the first account created has sudo access, and others are plain limited accounts, although I’m not 100% sure of this.
What a weak conspiracy theory from Thom there…
Microsoft planned this, what a joke to believe that…
I believe conspiracy theories that 9/11 and 7/7 were false flag operations, without any shadow of doubt, but I don’t for 1 second believe Microsoft planned this as a marketing stunt. Weak…
I agree. Teams within Microsoft revisit decisions on a regular basis, and I bet the large internet feedback prompted them to make this (relatively trivial) change. To be honest, all that’s required to adjust this behavior is a single line in an XML manifest file.
I don’t know if that’s actually what happened.. but I’m just saying that people do evaluate feedback and take action sometimes .
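The "single line in an XML manifest" the commenter refers to is most plausibly the `requestedExecutionLevel` element of a Windows application manifest, which decides whether a program launches at the caller's integrity level or asks UAC to elevate it first. The manifest below is an added illustration, not the Windows 7 control panel's actual manifest (which is not on this page), and the attribution to that element is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run at the caller's integrity level, no UAC prompt.
             requireAdministrator: always launch elevated, so UAC shows the
             consent/credential prompt before the process starts. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

This covers the first of the two announced changes (the control panel running as a high-integrity process); the second, prompting when the UAC level itself is changed, is behaviour inside the control panel rather than something a manifest line expresses.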
Love their wording….
‘With this feedback’ so it sounds like they’re listening. Then a diversion ‘high integrity process….. that was already in the works’ which is probably technically true, but whatever. Then finish with ‘…. prompt for confirmation.” after the already in the works part, so it kinda sounds like they were planning it, but technically it’s a separate thing they just totally screwed up on, and then tried to defend.
I believe they knew about it, and had a plan to fix it. Now they are pretending to respond to the community’s highlighting of the security flaw to be the “big man”. Remember this is a BETA people! It’s not even a big deal, it is almost a year away from release, this kind of thing is NORMAL to be found in a BETA
If they told the truth and said it’s a BETA, it is not intended for production use in any form, and therefore riddled with things that are not production quality, ie – we haven’t made this or that process the right privilege level yet, blah blah. Then we would be criticising that!
http://arstechnica.com/microsoft/news/2009/02/the-curious-tale-of-w…
OK, so the issue was a lot more serious than Microsoft at first admitted. But then they said they would fix it … right?
Apparently it won’t be “fixed” enough.
Oh dear.
Oh dear oh dear.
Edited 2009-02-09 02:21 UTC