> Microsoft Corp.'s decision to reduce the number of annoying security
> messages that Windows 7 delivers when users install software makes the
> new operating system more vulnerable to malware infection than Vista
> was, a researcher said today.

> "UAC was neutered too much by Microsoft," argued Chester Wisniewski, a
> senior security adviser at Sophos PLC, talking about User Account
> Control (UAC), a Windows security feature that Microsoft debuted with
> Vista.

> UAC prompts users for their consent before allowing a task such as the
> installation of a program or a device driver to take place. In an
> attempt to quash user complaints about the constant intrusions,
> Microsoft modified UAC so it appears less frequently in Windows 7.

> That wasn't a good idea, said Wisniewski.

> "We wanted to know if UAC was going to be effective in Windows 7," he
> said. "So we grabbed the next 10 [malware] samples that came in and
> tried them out."

> The 10 samples, most of them Trojan horses, were loaded onto a clean
> Windows 7 PC that lacked antivirus software, simulating payloads that
> an actual exploit would deposit on a compromised computer. Wisniewski
> then ran each piece of malware -- as if a user had been duped into
> launching a file attachment or had surfed to a malicious site and been
> victimized by a drive-by attack and subsequent silent download.

> Two of the 10 samples would not run under Windows 7 (probably because
> they were designed to execute on the far-more-common Windows XP and
> Vista), and of the remaining eight, only one triggered a UAC prompt,
> said Wisniewski.

> He acknowledged that the test was just a quick-and-dirty exercise that
> didn't accurately portray how secure Windows 7 was overall -- or how
> well it would withstand attack if it was protected by even a basic
> antivirus tool like Microsoft's free Security Essentials. The point
> was to see how much Windows 7's reconfigured UAC would help block
> malware that made it past security software or got by the operating
> system's other defense mechanisms, like DEP (Data Execution
> Protection) and ASLR (Address Space Layout Randomization).

> "UAC is really not protecting users properly," Wisniewski said.
> "Frankly, people should turn it back into the more aggressive mode,
> like Vista," he said, referring to the fact that users have the
> ability to set the frequency of UAC alerts. "And if you find it
> annoying, you might just as well turn it off, because otherwise it's
> not doing any good."

> UAC's effectiveness has been questioned before. Last February, for
> instance, a developer for a Virginia-based company that sells secure
> messaging software to the U.S. government and a well-known blogger
> claimed that a change to UAC 7 could be exploited by attackers to
> secretly disable the feature. Microsoft first denied that that aspect
> of the software was a bug, saying instead that it was by design. But
> it later backpedaled and promised to fix the problem.

> Microsoft Corp.'s decision to reduce the number of annoying security
> messages that Windows 7 delivers when users install software makes the
> new operating system more vulnerable to malware infection than Vista
> was, a researcher said today.

> "UAC was neutered too much by Microsoft," argued Chester Wisniewski, a
> senior security adviser at Sophos PLC, talking about User Account
> Control (UAC), a Windows security feature that Microsoft debuted with
> Vista.

> UAC prompts users for their consent before allowing a task such as the
> installation of a program or a device driver to take place. In an
> attempt to quash user complaints about the constant intrusions,
> Microsoft modified UAC so it appears less frequently in Windows 7.

> That wasn't a good idea, said Wisniewski.

> "We wanted to know if UAC was going to be effective in Windows 7," he
> said. "So we grabbed the next 10 [malware] samples that came in and
> tried them out."

> The 10 samples, most of them Trojan horses, were loaded onto a clean
> Windows 7 PC that lacked antivirus software, simulating payloads that
> an actual exploit would deposit on a compromised computer. Wisniewski
> then ran each piece of malware -- as if a user had been duped into
> launching a file attachment or had surfed to a malicious site and been
> victimized by a drive-by attack and subsequent silent download.

> Two of the 10 samples would not run under Windows 7 (probably because
> they were designed to execute on the far-more-common Windows XP and
> Vista), and of the remaining eight, only one triggered a UAC prompt,
> said Wisniewski.

> He acknowledged that the test was just a quick-and-dirty exercise that
> didn't accurately portray how secure Windows 7 was overall -- or how
> well it would withstand attack if it was protected by even a basic
> antivirus tool like Microsoft's free Security Essentials. The point
> was to see how much Windows 7's reconfigured UAC would help block
> malware that made it past security software or got by the operating
> system's other defense mechanisms, like DEP (Data Execution
> Protection) and ASLR (Address Space Layout Randomization).

> "UAC is really not protecting users properly," Wisniewski said.
> "Frankly, people should turn it back into the more aggressive mode,
> like Vista," he said, referring to the fact that users have the
> ability to set the frequency of UAC alerts. "And if you find it
> annoying, you might just as well turn it off, because otherwise it's
> not doing any good."

> UAC's effectiveness has been questioned before. Last February, for
> instance, a developer for a Virginia-based company that sells secure
> messaging software to the U.S. government and a well-known blogger
> claimed that a change to UAC 7 could be exploited by attackers to
> secretly disable the feature. Microsoft first denied that that aspect
> of the software was a bug, saying instead that it was by design. But
> it later backpedaled and promised to fix the problem.