Anything that can be turned off without administrative user intervention can be exploited as a permission escalation vulnerability. That’s one reason security should be kept in mind when designing the architecture of a system, rather than bolted on later — as demonstrated by problems with Microsoft’s User Account Control, such as described in Bolted-on security features aren’t secure.

If true privilege separation is designed into your system from the ground up, you can not only prevent systemic permission escalation vulnerabilities, but also improve the interface used for administrative privilege authorization. The counterexample for UAC is the Unix tool sudo, including GUI front ends for it that should be familiar to users of Ubuntu Linux and PC-BSD. The operation of such tools tends to be less intrusive and more intentional than UAC’s, providing a more comfortable experience that encourages security rather than discouraging it. After all, interface design is security design.

Few, if any, security experts would call Microsoft a hotbed of quality software security design. With the Windows 7 version of UAC, Microsoft is outdoing itself. Rafael Rivera, Jr. reports that malware can turn off UAC in Windows 7. Microsoft not only acknowledges the offending behavior, but states that it is intended behavior. It’s a feature — not a bug.

When something is vulnerable by design, it means one thing:

  bug == 'not fixed'

Any debate over how you should handle software updates or efficient patching policy is academic when your response to the discovery of a vulnerability is to declare it a feature. Even ignoring a bug for eight years is better than declaring it a feature that doesn’t require fixing at all.

Of course, considering the flawed, bolted-on design of a security “feature” like UAC in the first place, I suppose the Windows 7 version’s flaws aren’t really all that big a problem. Sure, it’s less secure — but only by a matter of degrees. The real problem is far more pernicious, and endemic to the entire system’s design.

5 February 2009 Update:

As reported by ComputerWorld yesterday (one day after initial publication of this very article), Microsoft changes Windows 7 UAC after new exploit code surfaces. Microsoft is not taking Rivera’s advice to duplicate Vista behavior in Windows 7, however, so the extent to which the security issue will actually be fixed is yet to be seen. Furthermore, the fix will only apply to post-beta versions of Windows 7, so users of the Windows 7 beta are apparently SOL. As a result, if you’re using the Windows 7 beta right now, you should immediately (or sooner) configure UAC security settings for maximum security. Otherwise, every single application installed on your computer could conceivably become a very easy UAC bypass, allowing malware and malicious security crackers to take over the whole system with minimal effort.

I get more ideas for articles out of conversations with Sterling Camden, of TechRepublic’s own IT Consulting, than any other single source. The fact he sometimes provokes articles for his own purposes (such as to get my analysis of something before he writes about it elsewhere) doesn’t change how much I appreciate it. Thanks for the inspiration, Sterling.