Windows 7 beta UAC completely vulnerable to malware

Poke

Pub Member / Supporter
Original poster
Dec 3, 2003
13,886
238
OK
TG Daily - Windows 7 beta UAC completely vulnerable to malware

Chicago (IL) - An almost unbelievable flaw in Windows 7 beta and Microsoft's User Account Control (UAC) feature - the one designed to keep all of the annoying messages seen in Vista away from its users - allows its protection to be defeated by any malware which happens to infect the system. The malware needs only to send a series of false keystrokes from a Visual Basic script to activate the UAC dialog, move the slider bar to the disable position, and then save the changes. After that, the program can access protected functions or even reboot the system, thereby gaining full total system access on restart.


This type of security breach has been in use for as long as there have been PCs. In the old DOS days, a terminate and stay resident (TSR) program could invoke the system BIOS functions, wait for the password screen to appear then start issuing interrupt 16h instructions (which send fake keystrokes). Doing so would mimic the effect of a user pressing keys on a keyboard, and old DOS programs like Sidekick used to do this as part of their feature in order to provide DOS with copy-and-paste-like functionality, as well as pop-up abilities like a calendar, calculator, etc. Sidekick would intercept and send its keystrokes in this way.

Over the years, similar techniques were employed to bypass security in later operating systems. Such programs could repeatedly try various password combinations, for example, at very high speed one right after the other. Early on system designers began to realize this weakness and developed the "three strikes and you're locked out" policy. But today in Microsoft's upcoming flagship operating system to be released later this year, Windows 7, such antiquated attempts aren't even necessary.

Windows uses a message-based communication system internally. When a user presses a keystroke on the keyboard, the keyboard controller identifies which key was pressed (or released) and sends a signal to the motherboard, which then issues a hardware interrupt signal to the CPU. The CPU stops what it's doing (processing a spreadsheet, drawing some graphics in a game, whatever it is), and then retrieves the keystroke - sending it to the appropriate software algorithm (an internal keyboard handler). Such a handler allows keys to be remapped, intercepted, and all kinds of other things which allow for abilities macros, etc. But ultimately, the keystroke message, such as "KEY 'X' IS DOWN WHILE THE RIGHT-SHIFT KEY IS PRESSED," are sent to the appropriate program (or, more precisely, the appropriate "window" in Windows).

This newly discovered "flaw" is actually not a flaw at all (see below). It employs something similar by using the "SendKeys" function in Visual Basic which mimics the process explained above in today's Windows operating systems. When a window receives a keystroke sent by SendKeys, the program assumes it came through legitimate channels and is really a valid key. There is no testing which takes place to find out if it was programmatically inserted into the queue, or if it was the result of a real keypress.

As a result, using only keystroke commands issued by a malware program, in Windows 7 beta it can activate the UAC, move the slider bar to the "disable messages" position, close the dialog and then proceed through the system doing whatever it wants to in the background without the user ever knowing that their system's been compromised - because they don't see any popups as their UAC setting should've indicated.

The discoverer wrote some simple code (which can be downloaded from his page) and also notes that this is apparently a Microsoft-purposed design feature of Windows 7, as related inquires appearing on Microsoft's beta page are all marked "closed."

See the WithinWindows.com article for the source code and additional links to bloggers who have quickly picked up on this story.
 
No really they should have just left the UAC alone instead of tweaking it.. It works fine in Vista it's just that it seems they adjusted it to much in 7 sounds like..
 
Hi Im a Mac...Pc is currently fighting a bad virus so I am doing this commercial alone :D

Macs have similar issues I just read the other day there were two new virus that are only targeting Macs.. So this stuff is nothing new just got to make sure you protect your stuff the best you can no matter what you use.. :)
 
Macs have similar issues I just read the other day there were two new virus that are only targeting Macs.. So this stuff is nothing new just got to make sure you protect your stuff the best you can no matter what you use.. :)

I dont want to derail too much, but the virus that are targeting macs are user initiated and from illegal programs, you actually have to install the program and give the permissions to it..but yeah everyone has them...Windows 7 to me is very solid and I dont think this would have gotten much coverage if it was a closed beta instead of a open beta like it is.
 
I'm not sure how this is a security issue. It's not letting malware onto your system, it's just making it easier for it to do something if it gets there. If you don't let it onto your system in the first place, you don't need to worry about this "issue".
 
I'm not sure how this is a security issue. It's not letting malware onto your system, it's just making it easier for it to do something if it gets there. If you don't let it onto your system in the first place, you don't need to worry about this "issue".

well, I just cleaned someones computer with over 800 "infections" they never heard of malware till it slowed their computer, I had one computer so bad it wouldnt print and would freeze on the internet.
 

Users Who Are Viewing This Thread (Total: 0, Members: 0, Guests: 0)

Who Read This Thread (Total Members: 1)

Top