June 11th, 2009

Should "Standard User" be the default in Windows 7?

Posted by Adrian Kingsley-Hughes @ 7:29 am

Categories: Security, Windows 7

Tags: Standard User, Microsoft Windows 7, Malware, Admin Account, Spyware, Adware & Malware, Microsoft Windows, Cyberthreats, Security, Operating Systems, Software

It seems clear to me that combining an Admin accounts with Windows 7’s “low nag” User Account Control (UAC) setting is a bad idea. Problem is, Admin accounts and “low nag” UAC settings will be the default for millions of people buying Windows 7-based PCs.

The problem with systems running with these two settings is that it’s possible to use a code-injection vulnerability to silently run code or other applications with administrative privileges behind the user’s back. Even Windows super-guru Mark Russinovich acknowledges that a problem exists:

Several people have observed that it’s possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent, aren’t trivial, and therefore are not something we believe legitimate developers would opt for versus fixing their software to run with standard user rights. In fact, we recommend against any application developer taking a dependency on the elevation behavior in the system and that application developers test their software running in standard user mode.

The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (”Vista mode”), and malware that assumes administrative rights will still break when run in Windows 7’s default mode.

 Loading ...

So, a problem exists, and not only is it something that malware authors could use but we could even see software developers using the trick to make their product less naggy than the competition. The solution is to change default settings, something that most people out there in Computer Land won’t even know is possible.

Another flaw is to assume that just because someone is running Admin account, they would accept all prompts thrown their way anyway. The problem with this is that the current settings allow a behind-the-scenes code injection to stealthily mess around with a system.

It seems to me that Microsoft has backed itself into a corner. It tried to make UAC less naggy, but by doing so introduced some serious vulnerabilities. The only advice it can offer to counter these vulnerabilities is that users should change default settings. Why not just make these more secure settings the default? Because it would break stuff. Like I said, Microsoft is backed into a corner.

My view is that Microsoft should make Standard user the default user on systems. Sure, it would break some stuff, but eventually something has to change because the current situation can’t last forever. It’s clear that Admin accounts are a security vulnerability in the hands of those who don’t understand what it means to be running Admin accounts.

[UPDATE: Here's a video of the code-injection vulnerability in action:

Bottom line is that this tweaking to the UAC make Windows 7 less safe than Vista. If you think anything else, you are wrong.]