Windows 7 is still in the public beta process, and will be for some months to come. The purpose of true beta testing is to isolate and identify serious problems (we should know). During this testing, an unbelievable flaw in Windows 7 beta and Microsoft's User Account Control (UAC) feature, allows its protection to be defeated by any malware which happens to infect the system.

The malware needs only to send a series of false keystrokes from a Visual Basic script to activate the UAC dialog, move the slider bar to the disable position, and then save the changes. After that, the program can access protected functions or even reboot the system, thereby gaining full total system access on restart.

This type of security breach has been in use for as long as there have been PCs. In the old DOS days, a terminate and stay resident (TSR) program could invoke the system BIOS functions, wait for the password screen to appear then start issuing interrupt 16h instructions (which send fake keystrokes). Doing so would mimic the effect of a user pressing keys on a keyboard, and old DOS programs like Sidekick used to do this as part of their feature in order to provide DOS with copy-and-paste-like functionality, as well as pop-up abilities like a calendar, calculator, etc. Sidekick would intercept and send its keystrokes in this way.

Windows uses a message-based communication system internally. When a user presses a keystroke on the keyboard, the keyboard controller identifies which key was pressed (or released) and sends a signal to the motherboard, which then issues a hardware interrupt signal to the CPU. The CPU stops what it's doing (processing a spreadsheet, drawing some graphics in a game, whatever it is), and then retrieves the keystroke - sending it to the appropriate software algorithm (an internal keyboard handler). Such a handler allows keys to be remapped, intercepted, and all kinds of other things which allow for abilities macros, etc. But ultimately, the keystroke message, such as "KEY 'X' IS DOWN WHILE THE RIGHT-SHIFT KEY IS PRESSED," are sent to the appropriate program (or, more precisely, the appropriate "window" in Windows).

There is a simple fix to this problem. Microsoft can implement without sacrificing any of the benefits the new UAC model provides, and that is to force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state.

The discoverer wrote some simple code and also notes that this is apparently a Microsoft-purposed design feature of Windows 7, as related inquires appearing on Microsoft's beta page are all marked "closed."



0 comments

Post a Comment


Your Ad Here