Microsoft in retreat over Vista security claims

Microsoft has made a high-profile pitch to lower public expectations of the security mechanisms built into Windows Vista, particularly User Account Control (UAC).

Mark Russinovich, technical fellow in Microsoft's Platform and Services Division, used a talk at last week's CanSecWest security conference to assure professionals that despite UAC malware "will end up thriving in the standard user environment, setting up botnets, grabbing your keystrokes," according to a blog report by industry journal ZDNet.

Russinovich's talk was intended to give professionals an idea of how to work with UAC to avoid excessive pop-up warnings and avoid breaking the UAC model. But he also explained in detail that UAC isn't intended as a "security boundary", since there are a number of ways around it, and that even in standard-user accounts malware can inflict plenty of damage.

For instance, it can read all the user's data, can hide itself via a user-mode rootkit, and can control which applications the user can access, allowing it to block security programs.

Russinovich predicted that malware would find ways of elevating its privileges, through social engineering or by compromising applications that run with higher privileges, the report said.

However, UAC does "raise the bar" on security, he said.

This isn't the first time Russinovich has thrown cold water on Vista's security mechanisms, which Microsoft originally made out to be one of the principal improvements in Vista over Windows XP. In February, he made the surprising declaration that UAC is not really a security feature.

At CanSecWest he went further in giving details of how malware could work around UAC, even without elevating privileges.

He said malware authors will be able to do more or less what they like within UAC boundaries, such as setting up botnets and infiltrating user data, without taking over the entire system. But UAC will, at least, help protect the overall system and other user accounts, he said.

UAC and their underlying technology, "integrity levels", were not intended to guarantee that processes with higher privileges are protected from compromise by lower-level privileges, but rather as a way of changing the way Windows software is developed, Russinovich said in a February blog post.

"If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption," he wrote.

Microsoft's drive is to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn't water-tight from a security point of view, Russinovich said.

"The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all," he wrote.

His comments followed a lengthy analysis of UAC and its shortcomings by hacker Joanna Rutkowska, who said she was surprised by Microsoft's dismissive attitude to bugs in UAC's implementation.

"Is this supposed be a joke?" she wrote. "We all remember all those Microsoft’s statements about how serious Microsoft is about security in Vista and how all those new cool security features like UAC or Protected Mode IE will improve the world's security. And now we hear what? That this flagship security technology (UAC) is in fact... not a security technology!"