Category Archives: blog

UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability

I admit, as a non-programmer, I have very little knowledge about the inner workings of Windows. However, as an enthusiast, I thought I had a basic but firm understanding of what User Account Control is, how it works, and why it exists. That’s no longer true. After reading an article by Windows god Mark Russinovich, “Inside Windows 7 User Account Control”, I’m bewildered by the changes to UAC in Windows 7.

At first, Mark provides this logical explanation for UAC elevation prompts.

Elevation prompts also provide the benefit that they “notify” the user when software wants to make changes to the system, and it gives the user an opportunity to prevent it. For example, if a software package that the user doesn’t trust or want to allow to modify the system asks for administrative rights, they can decline the prompt.

Bearing this in mind, you’re probably familiar with the commotion raised months ago over how applications can silently turn off UAC prompts in Windows 7, which Microsoft addressed (after a fair dose of community effort). What you might not know is that there is another, more serious and “exploitable” UAC vulnerability that breaks exactly what Mark described.


The other UAC exploit, discovered, demoed and extensively documented by Leo Davidson, is a code-injection vulnerability made possible by the new Windows 7 auto-elevation system. To summarize War and Peace into a short story, if you will: it allows applications running without UAC prompts (at medium integrity level) to run code or other applications with administrative privileges (at high integrity level), assuming the default security configuration in Windows 7 (don’t notify on changes to Windows settings).

It was my original intention not to publicly address this until Windows 7 had been finalized, giving them an opportunity to fix it, which they have not done in the RC or later builds, but Mark’s article today tells me they’re doing no such thing.

Knowing the vulnerability, I was surprised to see the article conclude with a direct reference to this exploit.

Several people have observed that it’s possible for third-party software running in a PA account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. […]

The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true, but as I pointed out earlier, malware can compromise the system via prompted elevations as well. From the perspective of malware, Windows 7’s default mode is no more or less secure than the Always Notify mode (“Vista mode”), and malware that assumes administrative rights will still break when run in Windows 7’s default mode.

Ultimately Mark dismisses the exploit and that’s where he lost me.

Mark points out that, even excluding this vulnerability, there are other known methods for malware to compromise the system via elevation exploits, a flaw in the UAC design. What he misses is that the problem is more serious in Windows 7 than in Windows Vista.

These variations of elevation vulnerabilities all work by piggybacking on an elevated application that exposes COM objects which can be exploited to run functions at elevated privileges. However, in Windows Vista, the applications that can be piggybacked on would have displayed a UAC prompt at one point or another in order to elevate, whereas in Windows 7 there are known Windows executables that can be launched, silently elevated and piggybacked on.

What’s more, this applies not only to malware but to any application. By that I mean legitimate developers can write applications that take advantage of this code-injection vulnerability to run with administrative privileges without UAC prompts. Of course, the likelihood of this is low, but not zero. For example, competing software vendors could leverage this to make their products appear “less annoying”. If you have to doubt whether an application is following the rules, it damages the reputation of the whole ecosystem.

Putting the “security barrier” jargon aside, I argue that as a direct result of the auto-elevation whitelist, UAC in Windows 7 by default is fundamentally less secure than Windows Vista’s default. I recognize that UAC was not designed to be a “security feature” to begin with, but with each new version, an operating system shouldn’t become less secure and expose the user to more risk.

Granted, it is highly unlikely Microsoft is willing to revert Windows 7 to UAC-prompt hell, but what they can and should do is communicate that there is a difference in security between the Windows 7 default UAC setting and “Always Notify” mode. If users then accept the increased risk, they should be able to enjoy a less annoying Windows.
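One concrete way to surface that difference is to read the policy values that back the UAC slider and report which mode a machine is in, and in particular whether it is in a mode where whitelisted Windows binaries auto-elevate. The script below is an added example and is not code from the original post or from Leo Davidson’s proof of concept; it assumes the documented Windows 7 policy values EnableLUA, ConsentPromptBehaviorAdmin (2 = always prompt for consent, 5 = prompt only for non-Windows binaries, 0 = elevate without prompting) and PromptOnSecureDesktop under the standard Policies\System key, and the slider labels it prints are its own wording.

```python
"""Report the Windows 7 UAC slider position from the policy values behind it
and flag whether the machine is in a mode where Windows binaries auto-elevate.

Added example: the key path and value names are the real UAC policy values;
the slider labels are this script's own wording.
"""
import sys

# Registry key holding the UAC policy values (assumption: standard location).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows 7 out-of-the-box values, used when a value is absent from the registry.
DEFAULTS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}


def classify_uac(enable_lua, consent_admin, secure_desktop):
    """Map (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) to a
    slider label plus a flag saying whether auto-elevation applies.

    Auto-elevation of whitelisted Windows binaries only happens when
    ConsentPromptBehaviorAdmin is 5 ("prompt for non-Windows binaries"); with 0
    (or UAC disabled) every elevation is silent, which is strictly worse.
    """
    if enable_lua == 0:
        return "UAC disabled (EnableLUA = 0)", True
    if consent_admin == 0:
        return "Never notify: all elevations are silent", True
    if consent_admin == 5:
        label = "Default: notify only when programs try to make changes"
        if secure_desktop == 0:
            label += " (without dimming the desktop)"
        return label, True
    if consent_admin == 2:
        label = "Always notify (Vista mode)"
        if secure_desktop == 0:
            label += " (without secure desktop)"
        return label, False
    # Values 1, 3 and 4 prompt for credentials or consent on every elevation.
    return ("Prompt on every elevation (ConsentPromptBehaviorAdmin = %d)"
            % consent_admin, False)


def read_uac_policy():
    """Read the three values from HKLM on Windows; missing values take DEFAULTS."""
    import winreg  # only available on Windows
    values = dict(DEFAULTS)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in values:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set: Windows applies its default
    return values


def main():
    if sys.platform != "win32":
        print("this check reads the Windows registry; run it on Windows")
        return 2
    v = read_uac_policy()
    label, exposed = classify_uac(v["EnableLUA"],
                                  v["ConsentPromptBehaviorAdmin"],
                                  v["PromptOnSecureDesktop"])
    print("UAC mode:", label)
    print("Windows binaries auto-elevate without a prompt:",
          "yes" if exposed else "no")
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an administrator on the machine in question; a non-zero exit status means the machine is in one of the modes where the silent elevation described above is available, so the result can be fed into an inventory or compliance script.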

Thoughts?

Update: I have a video demonstration of this vulnerability in play at an updated post here. The source code has also been released.

Bing Image Archive, for your viewing pleasure


Whilst NASA’s Astronomy Picture of the Day (APOD) sets the bar pretty high, Bing.com’s daily photograph backgrounds are also worth a look. Of course not everyone uses or wants to use Bing every day, so they easily miss out on some amazing pictures. Granted, there is a little navigator on the site giving you the past 7 days’ photos, but it’s clumsy and time-consuming. Therefore, without further ado, I present the Bing Image Archive.

Here you can find all background images from Bing presented in a simple calendar format, on the day on which each image was originally displayed. As you might have noticed, there are two photos per day, one for the United States and the other for everywhere else. Notably, the US image comes with richer metadata and hotspots, which I’ve also transferred from the site to give you a better understanding of the image.

The site also lets you share permalinks to images simply by copying the URL. Enjoy.

Microsoft’s “Laptop Hunter” comes down under, gives Aussies chance to score a free laptop a day


The Zune team needs to learn a lesson from the Windows team. Microsoft’s latest campaign, “Laptop Hunters”, has made the 12,000 kilometer (7,500 mile) trip to the land down under and is now running an exclusive campaign for Australians, but with a twist.

Unlike the US campaign, where you sit back and watch other people score cool laptops for free, Microsoft Australia, in collaboration with Nova radio stations in Melbourne, Sydney and Brisbane, is giving listeners a chance to score a Windows laptop a day.

Starting today in Melbourne (Nova 100) and Sydney (Nova 969) until Friday 12 June, and next week in Brisbane (Nova 1069) from 16 June to 20 June, clues will be provided on the breakfast shows from 8:30am and on the station website to indicate where the “laptop hunter” is hiding (and presumably frozen in the cold winter breeze) in the city. Find them, tell them “I can buy a great laptop for under $1300” and they’ll take you shopping. If you do find a laptop for under $1300 (US$1000), the laptop is yours.

Videos of the winners of today’s challenge in Melbourne and Sydney will be posted later today, and I’ll embed them here when they’re available. Sounds like a lot of fun.


Update: The first day winners are David Kerr in Melbourne and Matt McGlinn in Sydney. They picked up a Dell Studio 15 2.0GHz, 3GB RAM, 250GB HD, Windows Vista Home Premium for $1,299 and Asus X82Q 2GB RAM RA, 250GB HD, 2.2 GHz, Windows Vista Home Premium for $1,199 ($101 bonus cash) respectively.

Bing vs Google vs Yahoo: the Blind search engine test


A couple of months ago, Microsoft conducted a research study which found that search engine branding had an impact on the perceived quality of results. Now, months later, Bing has launched and people are once again ranking the quality of search results. At first there were direct side-by-side comparisons, but of course there’s no better challenge than a double-blind experiment.

Michael Kordahi, who I feel compelled to disclose is a Microsoft employee, has set up such an experiment, dubbed “BlindSearch”, which you can try here. On the site, you enter a single search query, which returns three sets of unbranded results. After viewing the results, you are given the option to vote for one set of results, which then reveals the provider and adds it to the tally.

At the time of writing, Google is in the lead with the tally standing at “Google: 40%, Bing: 31%, Yahoo: 29%” out of 355 votes.

Update: Approximately half an hour after posting, Bing takes a slight lead over Google. (Google: 36%, Bing: 38%, Yahoo: 26% | 641 votes)

Update 2: A thousand votes later, Google and Bing are tied. (Google: 39%, Bing: 39%, Yahoo: 22% | 1757 votes)

Update 3: Three’s the magic number, for Google. (Google: 40%, Bing: 37%, Yahoo: 23% | 2554 votes)

Update 4: Google is taking a stronger lead with another thousand votes. (Google: 43%, Bing: 32%, Yahoo: 25% | 3520 votes)

Update 5: It appears the application has exceeded the Yahoo API’s daily limit. Michael is aware of the problem and looking for a workaround. The Yahoo results have since been fixed.

Update 6: Some people’s attempts at gaming the system have forced the tallies to be removed.

Bing “Syndrome” ads round two: pregnancy & local bar

If you liked the first set of “Search Overload ads” for Bing, then get ready for round two, appearing soon on a big screen near you.

It appears the advertisements in this series, collectively dubbed “Syndrome”, each parody a topic directly related to one of the four strength areas for Bing. Whereas the first two ads, “Hawaii” and “Cellphones”, covered travel and product comparisons respectively, these two new ads, “Pregnancy” and “Local bar”, cover health and local search. Enjoy.


Search Overload – Pregnancy


Search Overload – Local bar

Oh, and I did a quick search trying to find the lyrics to the “Oklahoma” song: it’s the number one result on Google, but not on Bing. 😉

Microsoft Store officially confirms Windows 7 boxart


It appears the Polish website CentrumXP.pl, which a month ago leaked images of what was believed to be the Windows 7 packaging design and box art, is more credible than I thought. Shortly after I wrongfully dismissed their claims, I found some evidence that supported them; however, it was not entirely clear at the time whether the leaked images were concepts in iteration or the final design. Now, to end the speculation once and for all, the boxart has been officially confirmed by none other than the Microsoft Store listing for Windows 7.

Notably, the final physical design, color schemes and imagery are identical to the leaked images. If you haven’t seen them already, CentrumXP.pl has high-resolution copies of these images, providing a closer look at the finer details decorating the Windows flag, including but not limited to a butterfly and lens flares (not necessarily bad, just rare). Perhaps this is more proof of the industrial Windows brand evolving to incorporate more humanistic and personal elements.

Now that the full version boxart has been confirmed, there is a high probability the leaked upgrade edition boxart is also the real deal, which would actually surprise me due to its unorthodox approach. We’ll have to wait and see, I guess.

Tip: You can get the uncropped image from the Microsoft Store by directly accessing the image here.

Update: Someone pointed me to the Ars Technica article, which also points to the same evidence on the Microsoft Store. I’m not sure when they made that update, and credit to them if it was earlier.