Microsoft ensured that the annoyances that plagued Windows Vista would not plague Windows 7, its next operating system. One of the most annoying features of Vista is UAC, or User Account Control. This feature was created to prevent viruses and malware from gaining access to areas of the system that only administrators, or programs you specifically grant access to, should be able to reach. In Windows 7, UAC is still there but less annoying: it no longer prompts you when you perform certain functions, or even when you disable UAC.
A Microsoft developer named Long Zheng posted a proof-of-concept to his blog Friday that illustrates a major vulnerability that exists in Windows 7 beta. The default UAC setting is to alert users only when a third-party program tries to make changes to a PC and not when the actual user makes changes. Therefore, no alert would be generated if a user turned UAC completely off, and this is where the vulnerability exists. A script could easily run under your credentials, turning off UAC, and you would never know. Then a startup file could be launched on the next reboot that infects your computer, rendering UAC useless.
Of course, you should not rely on any one technology, be it UAC, antivirus, or a firewall, but it goes to show how easily UAC can be taken out of the picture. We recommend Windows 7 users bump up the security level of UAC.
As for what Microsoft should do, they need to always prompt the user before UAC is actually disabled. I would like them to prompt for the password of the account the user is running under, and if the user isn't an administrator, they must provide an administrator's credentials.
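
To check whether a machine is still at the default level described above, or has been raised as recommended, the following read-only PowerShell audit is an added example, not code from the original post or from Microsoft. It maps the UAC policy registry values to a level name; the helper names `Get-UacLevel` and `Read-PolicyValue`, the level labels, and the fallback defaults are assumptions of this example.

```powershell
# Added example: read-only audit of the local UAC policy values.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: maps the three policy values to a UAC level name.
function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    # EnableLUA = 0 means UAC is switched off entirely.
    if ($EnableLUA -eq 0) { return 'Disabled' }

    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'ElevateWithoutPrompt' }
        1 { return 'AlwaysNotify-Credentials' }   # password prompt, secure desktop
        2 { return 'AlwaysNotify-Consent' }       # consent prompt, secure desktop
        3 { return 'AlwaysNotify-Credentials' }
        4 { return 'AlwaysNotify-Consent' }
        5 {
            # Prompts only for non-Windows programs: the default level
            # at which changes to Windows settings raise no alert.
            if ($PromptOnSecureDesktop -eq 1) { return 'Default-ProgramsOnly' }
            return 'Default-ProgramsOnly-NoSecureDesktop'
        }
        default { return 'Unknown' }
    }
}

$policy = Get-ItemProperty -Path $key

# Fall back to the stock defaults when a value is absent (assumption of this example).
function Read-PolicyValue([string]$Name, [int]$Default) {
    if ($null -ne $policy.$Name) { return [int]$policy.$Name }
    return $Default
}

$lua     = Read-PolicyValue 'EnableLUA' 1
$consent = Read-PolicyValue 'ConsentPromptBehaviorAdmin' 5
$secure  = Read-PolicyValue 'PromptOnSecureDesktop' 1
$level   = Get-UacLevel $lua $consent $secure

# NeedsAttention is true for any level below "always notify".
New-Object PSObject -Property @{
    Level                      = $level
    EnableLUA                  = $lua
    ConsentPromptBehaviorAdmin = $consent
    PromptOnSecureDesktop      = $secure
    NeedsAttention             = ($level -notlike 'AlwaysNotify*')
}
```

Run on a schedule and compared against the previous result, the same output also reveals a UAC level that was lowered without anyone being prompted.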