
Name Game

Premium Member

Malware turns off Windows' UAC, warns Microsoft

Urges users to check that the regularly-belittled prompt is really on

By Gregg Keizer
August 5, 2011 02:17 PM
Computerworld - Microsoft this week urged users to keep an oft-criticized Windows security feature turned on, even as it said that more malware is disabling the tool.

User Account Control (UAC) is the feature that debuted in Vista and was revised in Windows 7 that prompts users to approve certain actions, including software installation.

UAC was "universally hated" in Vista, and was a major complaint about the unsuccessful operating system, a Gartner security analyst said more than two years ago.

"From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get 'click fatigue,'" said John Pescatore of Gartner in the months before Windows 7's launch.

Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

This week, Microsoft's Malware Protection Center (MMPC) said that malware was increasingly turning off UAC as a way to disguise its presence on infected PCs.

To disable UAC, attack code must either exploit a bug that allows the hacker to gain administrative rights -- Microsoft calls those flaws "privilege elevation" vulnerabilities -- or trick the user into clicking "OK" on a UAC prompt.

Apparently, neither are difficult.

»www.computerworld.com/s/ ··· crosoft?
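
The article's advice to check that UAC is really on can be followed by reading the UAC policy values from the registry. The PowerShell below is an added example, not part of the original post or the Computerworld article; the function names are hypothetical, the registry value names are the documented Windows UAC policy settings (the thread does not mention them), and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the UAC policy values. Nothing is changed.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([Parameter(Mandatory)][string]$Name)
    # Return $null rather than throwing when the value is absent.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-UacState {
    $lua     = Get-UacValue -Name 'EnableLUA'
    $admin   = Get-UacValue -Name 'ConsentPromptBehaviorAdmin'
    $user    = Get-UacValue -Name 'ConsentPromptBehaviorUser'
    $desktop = Get-UacValue -Name 'PromptOnSecureDesktop'

    $findings = @()
    if ($lua -ne 1) {
        $findings += 'EnableLUA is 0 or missing: UAC is off, no elevation prompts are shown.'
    }
    if ($admin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate without any prompt.'
    }
    if ($desktop -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompts appear on the normal desktop.'
    }
    # 1 and 3 are the credential (password) prompts for standard users.
    # False also when the value is absent from the registry.
    $userAsksPassword = @(1, 3) -contains $user

    # True only when this process holds a full administrator token.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $admin
        ConsentPromptBehaviorUser  = $user
        PromptOnSecureDesktop      = $desktop
        StandardUserPasswordPrompt = $userAsksPassword
        ProcessIsElevated          = $elevated
        UacLooksHealthy            = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

Test-UacState | Format-List
```

Reading these values needs no administrator rights, so the check can be run from a standard user's PowerShell window.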

therube

Member

Hasn't it been said here that UAC is not designed to afford "security"?

> the worm disabling UAC by exploiting a four-year-old Windows vulnerability

Interesting.

And when MS made changes to UAC from the Vista way to the W7 way, weren't there those who said MS was "dumbing down" UAC, that it would be less effective?

So, should we expect more?

(More what? More from MS, i.e., have do things right [different from "fixing" a problem]. Or should we expect more malware to take advantage. Well, the latter is a given.)

windaz to Name Game

Member

> Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

But irritation was the point.

»www.zdnet.com/news/micro ··· s/197089

Noah Vail to Name Game

Premium Member

Here's a nasty little secret that doesn't get shared often enough.

At companies, I've reduced the infection rate on their networks from 4-12/month to Zero over 3 months.

I did it by blocking ads/trackers/redirectors - for the entire company - at the router.

Full Disclosure:
I also block known malware domains/IPs. It does help but is useless against Zero-day threats, shifting malware IPs, etc.
It buys me - maybe - a 25% reduction. It's more like insurance.


NV

Jasu to windaz

Member

I'm using a normal user account instead of admin, so every time I need more privileges, there is a window asking for a password, not just asking me to click OK. Irritating maybe, but there is quite a lot for malware to do before it can guess the password.

When it comes to irritation... I really don't find it irritating. I have to write the password at most once per day. What are those who are tired of clicking OK to UAC prompts doing on their machines?

Blackbird

Premium Member

said by Jasu:

I'm using a normal user account instead of admin, so every time I need more privileges, there is a window asking for a password, not just asking me to click OK. Irritating maybe, but there is quite a lot for malware to do before it can guess the password. ...

Does malware (at that stage of an attack) even have the authority/ability to "guess the password" without the user supplying it at the keyboard, regardless of password complexity?

javaMan

MVM

said by Blackbird:

said by Jasu:

I'm using a normal user account instead of admin, so every time I need more privileges, there is a window asking for a password, not just asking me to click OK. Irritating maybe, but there is quite a lot for malware to do before it can guess the password. ...

Does malware (at that stage of an attack) even have the authority/ability to "guess the password" without the user supplying it at the keyboard, regardless of password complexity?

No. And if people would stop being bull-headed about running Windows as admin and use a standard/limited account for daily use this wouldn't be a major problem. In fact, people wouldn't be complaining about all the UAC prompts since you only get a single password prompt to elevate privilege as a standard user.

Jasu

Member

said by javaMan:

said by Blackbird:

Does malware (at that stage of an attack) even have the authority/ability to "guess the password" without the user supplying it at the keyboard, regardless of password complexity?

No. And if people would stop being bull-headed about running Windows as admin and use a standard/limited account for daily use this wouldn't be a major problem. In fact, people wouldn't be complaining about all the UAC prompts since you only get a single password prompt to elevate privilege as a standard user.

So the malware is not able to fill the password prompt and press "OK"? I have seen programs/scripts filling up service formats and such.

Anyway, even if the malware is able to do it, users would see the action, and going through millions of possible passwords one by one would take a lot of time.

therube to javaMan

Member

(I've said it before...)
quote:
I have no problem with UAC.

My problem is that when you elevate, inputting the password of the Admin, at that point you are no longer running as the user that you were, you ARE running & you ARE the Admin. And with that change comes an entirely different profile, entirely different program settings & setups ... everything is no longer as it was. You are not yourself, you ARE someone else.

Simple test. Run your browser, runas Administrator. Open your bookmarks. Gone! Because you are not opening your bookmarks, because you are not you. You are Admin, & you are therefore opening Admin's bookmarks.

»Anyone been running as Administrator account without issues?

»Re: XP to Win 7 Security Migration

(& I'm sure other posts too).

To me, at least the way I work, the MS concept of elevation (as far as elevating against a [different] admin level account) is flawed, is not a workable solution.

javaMan to Jasu

MVM

said by Jasu:

said by javaMan:

said by Blackbird:

Does malware (at that stage of an attack) even have the authority/ability to "guess the password" without the user supplying it at the keyboard, regardless of password complexity?

No. And if people would stop being bull-headed about running Windows as admin and use a standard/limited account for daily use this wouldn't be a major problem. In fact, people wouldn't be complaining about all the UAC prompts since you only get a single password prompt to elevate privilege as a standard user.

So the malware is not able to fill the password prompt and press "OK"? I have seen programs/scripts filling up service formats and such.

Anyway, even if the malware is able to do it, users would see the action, and going through millions of possible passwords one by one would take a lot of time.

If the assumption is that the malware is already installed on the system then, yes, that's possible. But a password prompt in the first place would be asking for elevation for installation.

javaMan to therube

MVM

said by therube:

(I've said it before...)

quote:
I have no problem with UAC.

My problem is that when you elevate, inputting the password of the Admin, at that point you are no longer running as the user that you were, you ARE running & you ARE the Admin. And with that change comes an entirely different profile, entirely different program settings & setups ... everything is no longer as it was. You are not yourself, you ARE someone else.

Simple test. Run your browser, runas Administrator. Open your bookmarks. Gone! Because you are not opening your bookmarks, because you are not you. You are Admin, & you are therefore opening Admin's bookmarks.

. .

To me, at least the way I work, the MS concept of elevation (as far as elevating against a [different] admin level account) is flawed, is not a workable solution.

That's true, but why would you be running your browser with elevated privilege? The only real reason to elevate is to accomplish administrative tasks, program installation for example. The other reason would be to run poorly written programs that require administrator privilege. Then, yes, you will be running those programs under your admin account. But hopefully, those programs will be a thing of the past soon.

Jasu to javaMan

Member

My idea was mainly malware trying to elevate privileges after it is running on a user account. You are right in saying that malware still trying to install itself and needing admin access has no way of filling up the password prompt.

therube to javaMan

Member

> why would you be running your browser with elevated privilege

1) user prerogative, why ask why
2) (actually) only used as an easily confirmed example

3) some programs require Admin rights, examples:

Everything (a program no one should do without!) not sure what the implications are offhand of running as a different user? Possibly none? Possibly some (Windows) context-menu actions could be thwarted?
(This is even better, »forum.voidtools.com/view ··· =9&t=592.)

Net Transport (the URL Sniffer component only) requires Admin rights. With that, everything that goes along with it history, preferences ... is Admin, not "yours".

Not certain but quite possibly most NirSoft & Sysinternals utilities (again not certain offhand of implications)?

The better question, to me, is why MS chose to go that route. Why are you running as someone else instead of yourself with some sort of temporary elevation, of you? (And this to get around their blocks, no less - blocking you from doing what you want to do, as we certainly know that malware will work its way around such blocks anyhow.)

Jasu

Member

After quickly checking the programs you introduced, I could easily categorize most of those as administration tools, so requirement for admin privileges is ok.

When it comes to the different user, different settings problem, I usually use programs with one account only. If the program doesn't need admin privileges, I run it with the user account. On the other hand, programs that do require admin privileges require them practically every time I run those programs. So no problem for me.

Why Microsoft didn't go the sudo way? I have no idea that could explain it without some questions.

Razzy12345 to Name Game

Anon

I am not surprised by this since MS made this decision to "dumb" down the UAC due to users' complaints.