What Win7's UAC Means for Security

2009-11-09

The first Tuesday of November 2009 saw Sophos security community liaison Chester Wisniewski commenting, in "Windows 7 vulnerable to 8 out of 10 viruses", on Microsoft Windows 7's UAC behavior.

It started with an ad-hoc test at SophosLabs on 22 October.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

This should not be terribly surprising, of course. As he explained at the beginning of his report on the test, UAC was essentially the only defense on the system against the malware the researchers loaded onto it. Setting aside the two malware samples that simply were not compatible with Win7, one of the remaining samples was effectively blocked by UAC.

Some of the key take-aways from Wisniewski's report are:

  1. "UAC's default configuration is not effective at protecting a PC from modern malware."

    In particular, Wisniewski is picking on the fact that UAC behavior on Win7 is less draconian than on MS Windows Vista, and less prone to intruding on a smooth user experience. In Wisniewski's view, the strictness of UAC should never have been scaled back, as indicated by a quote in Computerworld US's "Microsoft left Windows 7 open to hackers, says Sophos": "UAC was neutered too much by Microsoft."

    Of course, he has ignored the reasons that cutting back on the intrusiveness of UAC in Win7 may have been a good decision, even if it is slightly less likely to catch malware infections before they do harm:

    • Nags from the OS that, in most cases, do not actually protect anyone from anything may train users who see them too often to just hit "OK" every time without even checking what they are approving.
    • Perhaps even worse than uncritically clicking "OK" on everything is the tendency many people have to just turn off UAC, because a computer whose security features make it almost unusable is little better than one that is prone to infection.
    • If UAC provided the level of security it seems to provide at first glance — akin to what you might expect from the sudo utility on Unix — "neutering" the capabilities of UAC for all users might be an unforgivable sin, regardless of the previous two points. The fact remains, though, that UAC is a superficial feature that tries to layer some user-approval-based security over a system whose architecture is oriented toward letting most software do whatever the heck it wants to, without a decent, foundational privilege separation scheme in sight.
  2. "Lesson learned? You still need to run anti-virus on Windows 7."

    I wonder whether anyone with a lick of sense thought otherwise. It is good, of course, that the people at Sophos chose to make this demonstration of principle and share it with the world, so that any security-unsavvy users who read about it would hopefully be enlightened. As long as Microsoft fails to properly address the matter of actually patching any and all virus- and worm-exploitable vulnerabilities in a timely manner, rather than just leaving the vast majority of them to be covered over by band-aids like antivirus software and UAC, the assumption should be that MS Windows will always need antivirus software. Period.

    This is not exactly "news" to those of us who know anything about principles of security.

  3. "Microsoft seems to be saying that Vista is the least ugly baby in its family."

    Unfortunately, I am not sure Microsoft is even correct in that claim. While it is true that Vista tends to be compromised and infected less often in general usage, and some of that may even be attributable to changes in the way Vista works, the statistics only show that it is less prone to infection in the general case. The general case, of course, is someone going down to Best Buy and getting some off-the-shelf laptop or desktop system, taking it home, plugging it in, and forgetting about it.

    As Wisniewski pointed out, new computers running Vista tend to have antivirus software preloaded, with a free year of AV update subscription protecting them, while XP systems that have been running since 2003 or 2004 are well beyond their freshness dates for antivirus protection, and many home users never ensure continuing updates after that first year. This one fact alone could potentially account for Vista's reduction in the rate of infection as compared with XP's.

    Meanwhile, many users disagree that Vista is a less ugly baby than XP. I find that XP is more responsive and easier to configure to meet my security needs than Vista, for instance, and I am not the sort to just use the default AV software and firewall, then let protection lapse after a year. At least until Microsoft stops supporting XP with security updates, I am more confident of my MS Windows XP test system's security than I would be with an equivalent Vista system, at least for my purposes.

  4. "Windows 7 users need not feel left out. They can still participate in the ZBot botnet with a side of fake anti-virus. Windows 7 is no cure for the virus blues, so be sure to bring your protection when you boot up."

    I have to wonder if, in this wrap-up to his report on the Sophos Win7 malware test, Wisniewski means to equate UAC with antivirus software. That is what it appears he means. It is not antivirus software. Unless I missed something important, even Microsoft has not made any claim that UAC is intended to be antivirus software. It is a superficial attempt to implement usable privilege separation, and to provide protection against automatically executing malware. It attempts to do this over the top of an operating system without effective privilege separation at the architectural level, and with Windows Autorun exposing its users to substantial risk from malware that takes advantage of uncritical automatic execution of foreign code.

    If you think of UAC as virus protection, you're doing it wrong. Wisniewski is right: you need separate antivirus software on MS Windows 7, just as on previous MS Windows OS releases. UAC does not in any way make your computer invulnerable, just as sudo does not make Ubuntu invulnerable. In fact, the major privilege separation benefit on Ubuntu Linux comes from the core of the Linux system itself, and sudo just opens a hopefully well-defended hole in that to make life easier for users. If Microsoft wants its Windows operating systems to have real privilege separation security, it could do worse than to learn from Ubuntu's example.
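Wisniewski's first point is about UAC's default configuration, and the difference between the relaxed Win7 default and the stricter Vista-style "always notify" behavior is just a handful of policy values. The following PowerShell script is an added example, not code from the original post or from Sophos; it reads those values and reports which mode the machine is in. It assumes Windows Vista/7 or later with PowerShell 3.0 or newer, and the documented registry location and value meanings for the UAC policies.

```powershell
# Added example: audit the UAC policy values that govern how often Windows
# prompts, and report whether they match the strict (always-notify) setting
# or the relaxed Windows 7 default. Run from an elevated prompt so the
# policy key is readable.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the values checked here:
#   EnableLUA                  1 = UAC enabled, 0 = UAC switched off entirely
#   ConsentPromptBehaviorAdmin 2 = prompt for consent on every elevation
#                                  (Vista-style strict setting);
#                              5 = prompt only for non-Windows binaries
#                                  (the Windows 7 default)
#   PromptOnSecureDesktop      1 = prompts appear on the dimmed secure desktop
$Strict = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

$props = Get-ItemProperty -Path $PolicyKey

# Compare each value against the strict setting and tabulate the result.
$findings = foreach ($name in $Strict.Keys) {
    $actual = $props.$name
    [pscustomobject]@{
        Setting  = $name
        Actual   = $actual
        Strict   = $Strict[$name]
        Matches  = ($actual -eq $Strict[$name])
    }
}
$findings | Format-Table -AutoSize

if ($props.EnableLUA -eq 0) {
    Write-Warning 'UAC is disabled: processes of an administrator run with full rights and never prompt.'
} elseif (-not ($findings | Where-Object { -not $_.Matches })) {
    Write-Output 'UAC is at the strict always-notify configuration.'
} else {
    Write-Output 'UAC is enabled but relaxed: elevations by signed Windows binaries do not prompt.'
}
```

Changing these values through Group Policy or the UAC slider in Control Panel takes effect after the next logon, so an audit immediately after a change may still show the old state.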

Ultimately, UAC is just a superficial, pseudo-heuristic security "feature", as currently implemented. As long as the underlying design of Microsoft Windows eschews true architectural privilege separation, it will never be more than a band-aid on a gushing wound in OS security.

It is in large part because of this fact that I find Wisniewski's criticism of Microsoft for "neutering" UAC in Win7 so ill-conceived. The security of Vista is not significantly better than that of Win7 because of any changes in UAC. To the extent it is achievable, real security with either version of MS Windows depends far more heavily on other factors, such as user behavior, firewall configuration, and good, solid update policy for the OS itself, the applications that run on it, and a lineup of hopefully high quality security software.

To the extent that making UAC's intrusions into the lives of MS Windows 7 users more gentle and less annoyingly common encourages its average home computing customers to use the feature properly, it is my opinion that Microsoft did the right thing. Those of us with a better than average understanding of security principles know that much more than UAC needs to be employed in the fight against malware infections in any case, and the change in User Account Control behavior is quite unlikely to affect us negatively anyway.

Chad
