
Microsoft Hits Back At Sophos Windows 7 UAC Claims

Sophos Senior Security Adviser Chester Wisniewski caused a stir on 3 Nov. when he repeated claims that Microsoft had rendered the Windows 7 User Account Control feature ineffective.

To back this up, Wisniewski cited a test he had run in which numerous pieces of malware ran on Windows 7 without generating any prompts from UAC.

In a blog post on 6 Nov., Paul Cooke, Microsoft’s director of Windows Client Enterprise Security, countered that the Sophos test was inconclusive.

“I’m a firm believer that if you run unknown code on your machine, bad things can happen,” Cooke wrote. “This test shows just that; however, most people don’t knowingly have and run known malware on their system. Malware typically makes it onto a system through other avenues like the browser or e-mail program. So while I absolutely agree that antivirus software is essential to protecting your PC, there are other defenses as well.”

Among them, Cooke blogged, are Windows Service Hardening, Kernel Patch Protection, Address Space Layout Randomization and Data Execution Prevention.

“Beyond the core security of Windows 7, we have also done a lot of work with Windows 7 to make it harder for malware to reach a user’s PCs in the first place,” he continued. “One of my favorite new features is the SmartScreen Filter in Internet Explorer 8 … [which] will notify you when you attempt to download software that is unsafe—which the SophosLabs methodology totally bypassed in doing their test.”

In the Sophos test, Wisniewski explained, the approach was to set up a Windows 7 desktop with default configurations, take 10 malware samples at random and run them to see if UAC would provide a warning to the user. Eight of the 10 sample pieces of malware ran, although one of those failed to run unless UAC was disabled. The other two did not run at all.

“My purpose was not to, as Microsoft has accused, [sensationalize the issue for profit] … but … to dispel the idea that UAC will warn [users] of risks associated with installing malware,” Wisniewski told eWEEK. “I believe people who are accustomed to how this feature works in OS X and Ubuntu will believe that the Windows version of this technology provides similar protection. To install a Trojan on OS X you need to supply your administrative password.”

He added, “The best advice for administrators of corporate PCs is to run your users as nonprivileged accounts and not worry about UAC. This brings us back to Windows legacy applications, which is why Microsoft developed UAC, and the circle continues around.”

Despite the controversy, Cooke said he actually agrees with Wisniewski’s ultimate conclusion.

“While I’m not a fan of companies sensationalizing findings about Windows 7 in order to sell more of their own software, I nevertheless agree with them that you still need to run antivirus software on Windows 7,” Cooke wrote. “This is why we’ve made our Microsoft Security Essentials offering available for free to customers. But it’s also equally important to keep all of your software up-to-date through automatic updates, such as through the Windows Update service. By configuring your computers to download and install updates automatically you will help ensure that you have the highest level of protection against malware and other vulnerabilities.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
