Big security hole punched in Windows 7

 

A prolific Aussie blogger is warning of a possible security hole in the latest beta version of Windows 7.

Researcher Long Zheng has posted both a description and a proof of concept for an issue which could allow an attacker to skirt the User Account Control (UAC) component in the new version of Windows.

UAC is designed to monitor a system and notify the user when a program attempts to alter the system.

Originally designed to help prevent malware infections, the software was disabled by many users and widely mocked for the barrage of dialog boxes it created in some systems.

To improve the software in Windows 7, Microsoft has set new guidelines for UAC which allow changes to Windows settings but require authorization to otherwise alter the system.

The problem, explains Zheng, is that UAC itself is controlled through system settings. This, argues the researcher, can allow an attacker to completely disable the protections without user notification.

"We soon realised the implications are even worse than originally thought," Zheng wrote.

"You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

The researcher notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered.

However, Zheng alleges that Microsoft is dismissing the report, and that the problem may go unfixed.

"The reason I’m blogging about this flaw is not because of its security implications, it is blatantly simple to fix, but Microsoft’s apparent ignorance towards the matter on their official Windows 7 beta feedback channel by noting the issue as 'by design' and hinting it won’t be fixed in the retail version," the researcher wrote.

At the time of publication, Microsoft had yet to return a request for comment on the UAC security issue or Zheng's posting.

Copyright ©v3.co.uk


Big security hole punched in Windows 7
 
 
 
Top Stories
Change is the only constant at iiNet
iiNet's Matthew Toohey is trialling IBM's Watson - between preparing for an acquisition and making sure Netflix doesn't swamp the network.
 
Why straight-through processing is the holy grail for banks
Big benefits from stripping away human intervention and digitising processes.
 
CBA sued over frozen millions in IT bribery scandal
Eric Pulier's not-for profit lodges lawsuit in US.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
New features are coming to Outlook.com
May 27, 2015
Outlook.com, thanks to its predecessor Hotmail.com, is one of the world's major webmail services ...
Windows 10 to feature integrated apps for Android and iOS
May 27, 2015
Microsoft reveals multi-platform Cortana connectivity for Windows 10. What the heck is that, and ...
Microsoft launches Office for Android preview
May 22, 2015
Microsoft has launched a preview of Office for Android smartphones. Pre-release versions of ...
Microsoft is working on an iOS email chat feature called Flow
May 22, 2015
Microsoft is working on a new chat app, but at the moment we know more about what we DON'T know, ...
Windows 10 free upgrade: Microsoft details who gets what
May 22, 2015
Microsoft was meant to be streamlining its OS with Windows 10, so why is upgrading so confusing? ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  44%
 
No
  56%
TOTAL VOTES: 665

Vote