
Is this what they call a feature?

We've probably all heard the old joke that at Microsoft, "It's not a bug, it's a feature." Microsoft is at it again.

Anything that can be turned off without administrative user intervention can be exploited as a permission escalation vulnerability. That's one reason security should be kept in mind when designing the architecture of a system, rather than bolted on later -- as demonstrated by problems with Microsoft's User Account Control, such as described in "Bolted-on security features aren't secure."

If true privilege separation is designed into your system from the ground up, you can not only prevent systemic permission escalation vulnerabilities, but also improve the interface used for administrative privilege authorization. The counterexample for UAC is the Unix tool sudo, including GUI front ends for it that should be familiar to users of Ubuntu Linux and PC-BSD. The operation of such tools tends to be less intrusive and more intentional than UAC's, providing a more comfortable experience that encourages security rather than discouraging it. After all, interface design is security design.

Few, if any, security experts would call Microsoft a hotbed of quality software security design. With the Windows 7 version of UAC, Microsoft is outdoing itself. Rafael Rivera, Jr. reports that malware can turn off UAC in Windows 7. Microsoft not only acknowledges the offending behavior, but states that it is intended behavior. It's a feature -- not a bug.

When something is vulnerable by design, it means one thing:

  bug == 'not fixed'

Any debate over how you should handle software updates or efficient patching policy is academic when your response to the discovery of a vulnerability is to declare it a feature. Even ignoring a bug for eight years is better than declaring it a feature that doesn't require fixing at all.

Of course, considering the flawed, bolted-on design of a security "feature" like UAC in the first place, I suppose the Windows 7 version's flaws aren't really all that big a problem. Sure, it's less secure -- but only by a matter of degrees. The real problem is far more pernicious, and endemic to the entire system's design.

5 February 2009 Update:

As reported by ComputerWorld yesterday (one day after initial publication of this very article), "Microsoft changes Windows 7 UAC after new exploit code surfaces." Microsoft is not taking Rivera's advice to duplicate Vista behavior in Windows 7, however, so the extent to which the security issue will actually be fixed is yet to be seen. Furthermore, the fix will only apply to post-beta versions of Windows 7, so users of the Windows 7 beta are apparently SOL. As a result, if you're using the Windows 7 beta right now, you should immediately (or sooner) configure UAC security settings for maximum security. Otherwise, every single application installed on your computer could conceivably become a very easy UAC bypass, allowing malware and malicious security crackers to take over the whole system with minimal effort.
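One way to check that UAC is at its strictest level, as the update above advises. This is an added example, not code from the original article or from Microsoft. The registry value names are the documented UAC policy values for Windows Vista and later; that they behave the same way on the Windows 7 beta is an assumption, and the function name `Test-UacMaximum` is hypothetical.

```powershell
# Added example: audit UAC policy values against the strictest ("Always notify") level.
# Assumption: the documented Vista-and-later policy values apply to the build being checked.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values that correspond to the strictest UAC behavior.
$Expected = [ordered]@{
    EnableLUA                  = 1  # UAC (Admin Approval Mode) is switched on
    ConsentPromptBehaviorAdmin = 2  # always prompt administrators for consent
    PromptOnSecureDesktop      = 1  # show the prompt on the secure desktop
}

function Test-UacMaximum {
    param(
        # When set, write the expected value over every non-compliant setting.
        # Requires an elevated session; a change to EnableLUA needs a reboot.
        [switch]$Fix
    )

    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    $findings = foreach ($name in $Expected.Keys) {
        $actual = $current.$name          # $null when the value is absent
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }

    if ($Fix) {
        foreach ($f in ($findings | Where-Object { -not $_.Compliant })) {
            Set-ItemProperty -Path $PolicyKey -Name $f.Setting `
                -Value $f.Expected -Type DWord
        }
    }

    # Return the state observed before any fix, so drift remains visible.
    $findings
}

Test-UacMaximum | Format-Table -AutoSize
```

Running the audit on a schedule and alerting on any non-compliant row also catches the case the article describes, where the setting is lowered without the administrator's involvement.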


I get more ideas for articles out of conversations with Sterling Camden, of TechRepublic's own IT Consulting, than any other single source. The fact he sometimes provokes articles for his own purposes (such as to get my analysis of something before he writes about it elsewhere) doesn't change how much I appreciate it. Thanks for the inspiration, Sterling.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

25 comments
Neon Samurai

They claim it was always their intention to fix the behavior after denying that it was ever a bug... but they are going to fix it and that benefits the end user at least.

apotheon

Check out the article for an update about Microsoft's response to this issue.

Tony Hopkinson

What I said about UAC in Vista being the first step towards a secure Windows architecture. Epic fail on Tony's part. This is probably why you get to write the security blog and I get to make stupid pie-in-the-sky comments on it.

Slayer_

behind the scenes to make their apps work, you just watch. Turn it off for the app, then turn it back on after the app is done.

santeewelding

You realize, of course, how easily that can be turned around to describe self, no one the wiser.

apotheon

I had been planning to beta test Windows 7 very soon, but this puts a hesitation on my deployment plans. I may still go ahead with the test, but I don't want malware sneaking into the network, so I have to further evaluate the risk before I go forward.
