
Insecure UAC exposes Windows 7 users

Simple script disables Microsoft security

Microsoft's efforts to make User Account Control (UAC) more user friendly in Windows 7 have made the operating system less secure, according to Windows blogger Long Zheng.

Introduced in Windows Vista, UAC is designed to give users more control over security, but many people found the tool to be over-zealous in warning about apparently trivial 'threats'.

Microsoft has revamped the feature in Windows 7, revising the default setting in a bid to reduce the "unnecessary or duplicated prompts in Windows".

However, the changes to UAC have paved the way for "a simple but ingenious override" that disables UAC without any action on the part of the user, according to Zheng's I Started Something blog.

Windows 7 UAC

Zheng pointed out that UAC's default setting in Windows 7 is to 'Notify me only when programs try to make changes to my computer' and 'Don't notify me when I make changes to Windows settings'.

UAC uses a security certificate to distinguish between a third-party program and a Windows setting, and control-panel items are signed with this certificate so they don't issue prompts when a user changes system settings, he wrote.


However, in Windows 7, changing UAC is itself considered a "change to Windows settings", according to Zheng. This, coupled with the new default UAC security level, means a user will not be prompted when changes are made to UAC, including when it is disabled.

With a few keyboard shortcuts and some code, Zheng said he can disable UAC remotely without the end-user knowing.

"With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that - emulate a few keyboard inputs - without prompting UAC," he wrote. "You can download and try it out for yourself here, but bear in mind it actually does disable UAC."

Zheng also posted what he said is a workaround for the problem on his blog.

Microsoft said on Friday through its public relations firm that it was looking into the problem and did not have an immediate comment.

