A pair of Windows bloggers posted more proof-of-concept code today that subverts an important security feature of Windows 7, a problem Microsoft knew about as long ago as last October and which one of its software engineers said would be fixed in the beta.
According to bloggers Rafael Rivera and Long Zheng, hackers can easily piggyback on "pre-approved" Microsoft applications and code to trick Windows 7 into granting their malicious code full access rights to the machine.
Researcher Rafael Rivera Jr. has released proof-of-concept code that demonstrates how unauthorized third-party software can elevate its privileges and install a potentially malicious payload.
The vulnerability stems from Microsoft's attempts to make UAC more palatable by allowing certain applications to make changes to the OS without first prompting the user for permission. Executables that are digitally signed are essentially given fast-track permission under UAC's default configuration. And it turns out many of these third-party executables are in turn able to invoke still more third-party code.
Soon after writing my last blog post on the potential security vulnerability to autonomously disable Windows 7 beta's UAC system, I had realized that flaw was just one piece in a string of dominoes that fell much earlier when the new tiered-UAC system was introduced ... a second UAC security flaw ... allows a malicious application to autonomously elevate itself ... cannot be classified as by design.
Since there is an inherent trust on everything Microsoft-signed, by design, the chain of trust inadvertently flows onto other third-party code as well. A phenomenon I've started calling piggybacking ... The advice to every Windows 7 beta user is to set your UAC setting to high.
In every binary that Microsoft feels should have auto-elevation capabilities, a flag is added to its manifest and the executable (in which the manifest resides) is digitally signed. I haven't dug into the internals yet, but I'm assuming that a) the manifest must be embedded (i.e. external manifests should not meet auto-elevation requirements) and b) the image must be signed by Microsoft and Microsoft alone.
[But] there's a problem. This auto-elevation flag was applied to rundll32.exe, an executable that has and still ships with Windows today ... As a proof of concept, I created two programs. The proxy application, Catapult.exe, is a one-line C# application (code) that uses the Process.Start method to launch an instance of rundll32.exe, requesting elevation with the little-known runas verb. Cake.dll is a multi-line C++ library (code) and our payload ... the entry point of our malware.
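The manifest flag described above is something a defender can inventory. The following audit script is an added example, not code from Zheng's or Rivera's posts: it lists the executables under a directory whose embedded manifest sets autoElevate. It assumes the manifest is stored as UTF-8 text in the image's resource section (the usual case) and does not verify the Microsoft Authenticode signature, so its output is the candidate auto-elevation surface rather than proof that Windows will honour each flag; the sample manifests at the bottom are constructed.

```python
"""List PE files whose embedded manifest requests UAC auto-elevation."""
import re
from pathlib import Path
from typing import List, Optional

# One embedded manifest per image; non-greedy so we stop at the first </assembly>.
MANIFEST_RE = re.compile(rb"<assembly\b[\s\S]*?</assembly>", re.IGNORECASE)
# The element may carry a namespace prefix (e.g. asmv3:autoElevate).
AUTO_ELEVATE_RE = re.compile(
    rb"<(?:[\w.-]+:)?autoElevate\b[^>]*>\s*true\s*</(?:[\w.-]+:)?autoElevate>",
    re.IGNORECASE,
)


def extract_manifest(data: bytes) -> Optional[bytes]:
    """Return the embedded manifest XML, or None if the image has none."""
    m = MANIFEST_RE.search(data)
    return m.group(0) if m else None


def manifest_auto_elevates(data: bytes) -> bool:
    """True when the image's embedded manifest asks for UAC auto-elevation."""
    manifest = extract_manifest(data)
    return manifest is not None and AUTO_ELEVATE_RE.search(manifest) is not None


def scan_directory(root: Path) -> List[Path]:
    """Return .exe/.dll files under root whose manifest sets autoElevate."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            if manifest_auto_elevates(path.read_bytes()):
                hits.append(path)
    return hits


# Constructed samples (hypothetical images): an auto-elevating manifest and a plain one.
SAMPLE_AUTO_ELEVATE = (
    b"MZ\x90\x00 ...image bytes... "
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    b'<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    b"<autoElevate>true</autoElevate></asmv3:windowsSettings>"
    b"</asmv3:application></assembly>"
)
SAMPLE_PLAIN = b"MZ\x90\x00 ... " + b'<assembly manifestVersion="1.0"></assembly>'

if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Windows\System32")
    for hit in scan_directory(target):
        print(hit)
```

Run it against System32 on a Windows 7 machine to see which shipped binaries carry the flag; cross-check any hit against its signature before treating it as trusted.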
There has been no report of a way for malware to make it onto a PC without consent ... the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine ... [But] please know we take all of the feedback we receive seriously.
UAC is not a security boundary ... If anyone says something like, "UAC is broken," it is easy to see they are mischaracterizing the feedback ... While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view.
Almost the whole point of UAC is so that you can run a system as a standard user and have the option, on the odd occasion when necessary, to elevate privilege to administrator. The logins can be annoying, but they should be infrequent ... Some in Microsoft will tell you, mostly off the record, that the whole point of UAC was to force ISVs to fix their software so that it ran properly for standard users.
When you think about it, the logic of this attack is not that there is a vulnerability in Windows 7, but that the default design decision of making UAC more lenient was wrong. You can always change it to make it more stringent, but how many of you really want to do that?
I'm going to open this post by kindly asking you, the user, to go into the Windows 7 Action Center ... and setting it to the maximum ... This flaw is so ridiculously and utterly bad that it brings us right back to the times that people used XP with an unprotected administrative account ... This essentially negates any benefit that UAC gives to the user.
People saw ... the UAC posts by Rafael Rivera and Long Zheng ... and immediately assumed that this issue is only relevant for users who download malware ... [But] if a security hole is found in any user-mode application, that application can be infected and used to silently attack the system ... Prior to this new non-invasive UAC, the number of silent attack vectors was limited to any flaws in elevated Windows components.
There may be a rational argument for why Windows 7's approach to UAC makes sense, but so far, Microsoft doesn't even seem to be trying to make it.