IT Jobs
Microsoft left Windows 7 open to hackers, says Sophos
'Neutered' UAC misses 7 of 8 trojans
By Gregg Keizer | Computerworld US
Published: 11:30 GMT, 06 November 09
Microsoft's decision to reduce the number of annoying security messages that Windows 7 delivers when users install software makes the new operating system more vulnerable to malware infection than Vista, a researcher said today.
"UAC was neutered too much by Microsoft," argued Chester Wisniewski, a senior security advisory with Sophos, talking about Windows' Users Account Control (UAC), the security feature Microsoft debuted with Vista.
UAC prompts users for their consent before allowing tasks such as program and device driver installation to take place. In an effect to quash user complaints which had condemned the constant intrusions, Microsoft modified UAC so it appears less frequently in Windows 7.
Microsoft to update Windows 7 already? | Windows 7's share jumps 40 percent | Windows 7 app turns laptop into Wi-Fi access point | Intel solid drive update crashes Windows 7
That wasn't a good idea, said Wisniewski.
"We wanted to know if UAC was going to be effective in Windows 7," he said. "So we grabbed the next 10 [malware] samples that came in and tried them out."
The 10 samples, most of them Trojan horses, were loaded onto a clean Windows 7 PC that lacked antivirus software, simulating payloads that an actual exploit would deposit on a compromised computer. Wisniewski then ran each piece of malware, as if a user had been duped into launching a file attachment or had surfed to a malicious site and been victimized by an drive-by attack and subsequent silent download.
Of the 10 samples, two would not run under Windows 7, not surprising since they were likely designed to execute on the far more common Windows XP and Vista, and only one of the remaining eight triggered an UAC prompt, said Wisniewski.
He acknowledged that the test was quick and dirty, and didn't accurately portray how secure Windows 7 was overall, or even how well it would withstand attack if protected by antivirus software, even basic programs like Microsoft's free Security Essentials. The point was to see how much Windows 7's reconfigured UAC would help block malware that made it past security software or got by other defensive measures of the operating system, like DEP (Data Execution Protection) and ASLR (Address Space Layout Randomisation).
"UAC is really not protecting users properly," Wisniewski said. "Frankly, people should turn it back into the more aggressive mode, like Vista," he said, speaking of the ability to set the feature's prompting frequency. "And if you find it annoying, you might just as well turn it off, because otherwise it's not doing any good."


.gif)




Add your commentComments
Zeke Shadfurman | Published: 21:47 GMT, 12 November 2009
This really is a silly article. No security measure is supposed to be 100%. I've never had a problem with security and I've only got a firewall in my router and run a virus scan every few months. But as a previous comment pointed out, there is no fix for stupidity, and for that reason I thought the annoying UAC as default was a smart idea on vista. Anyone NOT stupid can disable it (make it too easy and stupid ppl will disable it)
Mark | Published: 06:04 GMT, 11 November 2009
I can't believe that the new operating system I just bought is so riddled with holes. I thought Windows 7 would be good - better than Vista. But now I'm learning that I have just spent my good money buying a Vista wannabee. I guess it's back to Vista. Anythings better than getting hit with malware and viruses.
neverhome | Published: 23:54 GMT, 09 November 2009
UAC is a pain. I disabled it the 1st day with Vista. Never looked back. Norton has kept me secure for 10 years without a single problem.
SnowDog1974 | Published: 20:08 GMT, 09 November 2009
The fact that "Vista handled UAC more securely is misleading. I know for a fact that the first thing many "technical users" (myself included) was to turn off UAC in Vista because it was so annoying and intrusive.
reinisb | Published: 18:33 GMT, 09 November 2009
"He acknowledged that the test..didn't accurately portray how secure Windows 7 was overall, or even how well it would withstand attack if protected by antivirus software". So.. it was basically pointless then. Nice.
Aaron | Published: 15:23 GMT, 09 November 2009
Holy crap. Can you idiots please make up your minds? First it's UAC sucks because it gets in your way, now it sucks because it's not in your way enough. Stop with the stupidity. If you don't know how to use a friggen computer, then stop blogging about it!
oldtech | Published: 14:19 GMT, 09 November 2009
wow I knew ms had lots of guys looking for bad press so they could "blog" it away, never thought there would be so many. BTW using the word lame does not make you any cooler.. NICE TRY Boyz now get back to that corporate marketing work and leave the techies alone.
Tim | Published: 14:15 GMT, 09 November 2009
People say they want security, but when it is given to them, it's too much of an inconvience. There are items about Vista I don't like over XP, but I realize those features are there for added security, so I can live with it. Never had any real complaints about UAC. What UAC should be is smart enough to know what program have been run and you've accepted, and not prompt you for them again.
thom | Published: 13:41 GMT, 09 November 2009
Micro$oft is damned if they do and damned if the don't. "This idiot" got his 15 minutes worth and has been delegated to the waste bin with the rest of the reality show freaks. Yes maybe most consumers are morons but this isn't an episode of no child left behind.
MadGerbil | Published: 13:20 GMT, 09 November 2009
For people who wander aimlessly around the internet downloading software from unknown sources there is no fix otehr than pulling the ethernet cable out of the wall. FUN TIP FOR WISNIEWSKI: Learn to do real research.