UAC Vulnerability Found in Windows Vista
A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges -- an issue Microsoft has been hotly debating recently.
BeyondTrust Corp. (BTC), a software development company specializing in enterprise rights management, has indicated that the act of giving users administrative rights may leave systems more open to risk.
BTC prepared the report by assessing the security vulnerability bulletins Microsoft released in 2008 and identifying the specific "mitigating factors" (those that could reduce or negate the risk of an attack) listed in each bulletin. If Microsoft reported that having fewer security privileges would negate or eliminate risk, BTC concluded that the vulnerability was admin-privilege related.
The analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will "close the window of opportunity" for attackers. This is particularly true for users of Internet Explorer and Microsoft Office. (Source: computerworld.com)
Microsoft has been relatively transparent in disclosing security vulnerabilities, and has worked with organizations such as Cert.org to identify and address security concerns for the online community. (Source: cnet.com)
While Microsoft is not denying the vulnerabilities present in its various Windows operating systems, it has not been exactly forthright about how internal programming "holes" (such as increased vulnerability for users with admin privileges) may make users susceptible to threats or attacks.
Bloggers Demonstrate Threat posed by Vista's UAC
In recent news, two bloggers demonstrated the threat posed by Windows Vista's User Account Control (UAC) feature. UAC, which prompts users when they attempt tasks such as installing new programs or changing settings, is meant to provide added security to the system. (Source: computerworld.com)
The bloggers scripted demonstration malicious code that entered via the UAC feature, made changes to the system, and created copies of itself with full administrative privileges. When the bloggers confronted Microsoft with their findings, they were assured that the UAC feature was "not a vulnerability" and that no changes would be made in Windows 7 to address this potential concern.
In fact, the official answer from Microsoft seemed to indicate that UAC was behaving exactly as intended and that any threats resulting from the supposed "flaw" were not a result of the program at all. (Source: istartedsomething.com)
Tips to Reduce Risk of Attack or Infection
So what can average users do to reduce their risk of attack or infection on their own PCs? Generally, the consensus seems to be that limiting the amount of time spent logged on as an administrator is the best means of limiting the risk. Also, as both Microsoft and Cert.org recommend, it is always wise to restrict administrative actions to a computer or workstation that you can trust, such as one with a personal firewall. (Source: cnet.com)
Typical users shouldn't have much to fear from the vulnerabilities associated with admin status, but it is cause for some concern that the very security features installed for user protection, like UAC, may be those that pose the greatest risk.
It remains to be seen how many of these security issues will be solved by Windows 7.
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years' experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).