Posted by: reformedmusings | May 3, 2009

At least 62 gaping security holes in Windows 7 Release Candidate

Well, I’ve been writing that without requiring a password to make system changes here and here, Windows 7’s User Account Control (UAC) can be bypassed. The situation is even worse than that. Rafael’s Within Windows documents 62 executables in Windows 7 that can autoelevate their security clearance by way of a Microsoft-generated white list without informing the user. Way not good.

Why should you care? Because Leo at pretentiousname documented a code-injection vulnerability that can use any of these 62 programs to bypass the Windows 7 UAC. He includes explicit examples/videos of the exploit, but won’t share the code with just anyone. He uses the term code injection but notes:

The technique is often called DLL injection in the Windows world, but that name isn’t accurate here because I am not injecting a DLL. I am copying, or injecting, the code directly from my in-memory exe to the target process.

Note that Leo injects code directly into a running process. If that process is one of the 62 golden boys, then you have full access to the target system. Here are a few quick lines I’ve taken from throughout Leo’s post to give you the flavor:

If you run a process on this list and it requires elevation then it – the whole process – will be given elevation without showing you a UAC prompt….

Unbelievably, as of build 7000 (and confirmed in RC1 build 7100), the list includes not only programs like Explorer.exe which use this feature (or potential security hole, if you like) but also programs such as Calc.exe, Notepad.exe and MSPaint.exe. Microsoft appear to have done nothing to minimize the attack surface and have arbitrarily granted almost all of their executables with this special privilege whether they actually use it or not….

My proof-of-concept program is a standalone executable that is run as a normal unelevated process. I made it from scratch in about a day and a half….

The proof-of-concept works by directly copying (or injecting) part of its own code into the memory of another running process and then telling that target process to run the code. This is done using standard, non-privileged APIs….

The underlying problem is that the silent elevation feature, enabled by default in Windows 7 beta, does not check where the code requesting elevation comes from. It checks which process it is running within but not where the particular code came from. So, for example, if you inject code into Explorer, or get Explorer to load your DLL, then you can create elevated COM objects without the user’s knowledge or consent.

The short story is that a malware developer can use the privileges that Microsoft grants to its own programs to execute whatever code they wish with Microsoft’s tacit blessings. Still think that Windows is secure?

It must be noted that there is a built-in way to treat this sucking chest wound:

If you go against the defaults and run as a non-admin user or turn UAC up to the Always Prompt level, so it behaves like it did in Vista, then it is no longer possible for code-injection from unelevated processes to bypass UAC prompts.

In other words, follow basic security procedures for any computer system. Don’t log in as admin for normal operations. If you must or want to be a full-time admin user, then set the UAC to the highest level. At this level, even privileged Windows programs generate UAC prompts when modifying the system. Malware may try to run on your system, but the user is given an opportunity to intervene. A password is still not required, so I still contend that the system can be beat in other ways.
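To check whether a machine is actually in the exposed configuration described above (an administrator account running at the default UAC level, with auto-elevating Microsoft binaries present), here is an added PowerShell audit script; it is not from the original post or from Leo's or Rafael's work. It assumes the Windows 7 registry layout under HKLM\...\Policies\System and that an executable's embedded manifest stores the autoElevate setting as plain text, which is how manifests are embedded but is a heuristic rather than a full resource parse.

```powershell
# Added audit script, not part of the original post. Assumes Windows 7-era UAC
# registry values and plain-text manifests embedded in the executables.

$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol    = Get-ItemProperty -Path $polKey

# ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = always prompt
# for consent on the secure desktop ("Always Notify"), 5 = prompt only for
# non-Windows binaries (the Windows 7 default that the post says is bypassable).
$admin  = [int]$pol.ConsentPromptBehaviorAdmin
$secure = [int]$pol.PromptOnSecureDesktop
$lua    = [int]$pol.EnableLUA

$alwaysPrompt = ($lua -eq 1) -and ($admin -eq 2) -and ($secure -eq 1)
"EnableLUA=$lua ConsentPromptBehaviorAdmin=$admin PromptOnSecureDesktop=$secure"
if ($alwaysPrompt) {
    'UAC is at Always Notify: Microsoft auto-elevating binaries still prompt.'
} else {
    'UAC is below Always Notify: whitelisted Microsoft binaries elevate silently.'
}

# Is this account a member of the local Administrators group (SID S-1-5-32-544)?
# The group list is inspected directly because an unelevated admin token marks
# the SID deny-only, which makes IsInRole(Administrator) return false.
$id       = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupSid = $id.Groups | ForEach-Object { $_.Value }
$isAdmin  = $groupSid -contains 'S-1-5-32-544'
"Current user '$($id.Name)' is in Administrators: $isAdmin"
if ($isAdmin -and -not $alwaysPrompt) {
    'Exposed: admin account below Always Notify. Use a standard user or raise UAC.'
}

# Enumerate System32 executables whose embedded manifest requests autoElevate.
# Heuristic: the RT_MANIFEST resource is stored as UTF-8 XML, so a text search
# over the file bytes finds it without a full PE resource parser.
$utf8 = [Text.Encoding]::UTF8
$auto = Get-ChildItem "$env:SystemRoot\System32\*.exe" | Where-Object {
    $text = $utf8.GetString([IO.File]::ReadAllBytes($_.FullName))
    $text -match '<autoElevate>\s*true\s*</autoElevate>'
}
"Auto-elevating executables in System32: $($auto.Count)"
$auto | ForEach-Object { $_.Name }
```

Run it from an ordinary (unelevated) PowerShell session; reading the policy key and the System32 binaries needs no elevation, so the result reflects exactly the token a user-launched program would get.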

As I noted in this post, Windows 7 Release Candidate retains the same default UAC setting as earlier betas. This default setting leaves users painfully vulnerable to exploits using any of 62 of Microsoft’s own programs. As Leo says:

If, on the other hand, you don’t care about silent elevation then you should turn down UAC to Elevate Without Prompting — so that UAC is still enabled but it never prompts you — because the default level isn’t buying you much except a few pointless prompts which can be bypassed by any program which wants to.

Note carefully that last phrase. Any malware program that desires can have complete access to your system at the default UAC setting. Microsoft ships an inherently insecure operating system. If anything, Windows 7 is even less secure than Vista.

According to Rafael at Within Windows, Microsoft claims that all this is by design. Rafael makes the same recommendation as Leo:

Until Microsoft addresses this “issue”, you can set UAC to its highest mode to kill any concerns you may have… but you’re not using this in a production environment anyway – right?

Just thought that you ought to know. I’d make a different recommendation: check out and switch to Ubuntu. And it won’t cost you a penny.
