
8th
MAY

Microsoft Withdraws Vista Security Claims

Published by Omkar Joshi | Filed under Microsoft, Windows, Security, Vista, UAC, CanSecWest


Microsoft recently made a high-profile announcement, backing down on its security claims in an effort to lower consumer expectations about the security mechanisms built into Windows Vista, particularly User Account Control (UAC).

At last week’s CanSecWest security conference, Mark Russinovich, technical fellow in Microsoft’s Platform and Services Division, informed professionals that even with UAC, Vista will still be susceptible to malware. In his talk Russinovich described how malware would “end up thriving in the standard user environment, setting up botnets, and grabbing your keystrokes”.

Russinovich’s talk was supposed to give professionals an idea of how to work with UAC so as to avoid excessive pop-up warnings and avoid breaking the UAC model. Russinovich also made clear that UAC was never intended as a “security boundary”, since there are a number of ways to bypass it.

In his talk, Russinovich also predicted that malware would find ways of elevating its privileges, through social engineering or by compromising applications that run with higher privileges.

However, this isn’t the first time Russinovich has thrown cold water on Vista’s security mechanisms, which were initially made out by Microsoft to be one of the key improvements in Windows Vista over Windows XP. In early February, soon after Vista’s consumer launch, Russinovich made the startling declaration that UAC was not really a security feature.

At the CanSecWest security conference, Russinovich went on to give details of how malware is able to work around UAC without elevating privileges. Apparently, malware authors are able to do essentially what they like within UAC boundaries, such as setting up botnets and infiltrating user data, without taking over the entire system. UAC will, however, help to protect the overall system and other user accounts.

In a February blog post, Russinovich wrote that UAC was not intended to guarantee that processes with higher privileges are protected from compromise by processes running with lower privileges, but rather to change the way Windows software is developed.

“If you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL (integrity level), why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption,” he wrote.

At CanSecWest, Russinovich spoke of Microsoft’s drive to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn’t as safe from a security point of view.

“The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all,” he wrote.

His comments follow a lengthy analysis of UAC and its shortcomings by hacker Joanna Rutkowska, who said she was surprised by Microsoft’s dismissive attitude to bugs in UAC’s implementation.

“Is this supposed to be a joke?” she wrote. “We all remember all those Microsoft’s statements about how serious Microsoft is about security in Vista and how all those new cool security features like UAC or Protected Mode IE will improve the world’s security. And now we hear what? That this flagship security technology (UAC) is in fact… not a security technology!”

Commenters, how do you feel about Vista’s UAC and other security initiatives? What do you think Microsoft could do to improve security?
