Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Microsoft: UAC not a security feature

Attack vectors through User Account Control holes can't be considered flaws ... apparently.

Article comments

For those who thought the User Account Control (UAC) feature introduced in Windows Vista was intended to set security boundaries, Microsoft has made a clarification: it isn't.

The message is attracting criticism from security experts, one of whom said it made features such as UAC seem like nothing more than a "joke".

The most direct communication about UAC to date came on Monday from Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, who joined the company when it bought Russinovich's Winternals Software. Russinovich is a noted developer of Windows utilities and is credited with being the first to discover the rootkit in Sony BMG's copy-protection software.

In a Microsoft TechNet blog post, Russinovich explained that Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges - which Microsoft calls Integrity Levels (ILs) - are designed to allow some IL breaches.

"Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use," he wrote.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point needed reiterating.

According to Russinovich, a security boundary is a barrier through which code and data can't pass without the authorisation of a security policy.

UAC and integrity levels were not intended to guarantee that processes with higher privileges are protected from compromise by lower-level privileges, but rather as a way of changing the way Windows software is developed, Russinovich said.

"If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption," he wrote.

Microsoft's drive is to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn't water-tight from a security point of view, Russinovich said.

"The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all," he wrote.

His comments followed a lengthy analysis of UAC and its shortcomings by hacker Joanna Rutkowska, who said she was surprised by Microsoft's dismissive attitude to bugs in UAC's implementation.

"Is this supposed be a joke?" she wrote. "We all remember all those Microsoft’s statements about how serious Microsoft is about security in Vista and how all those new cool security features like UAC or Protected Mode IE will improve the world's security. And now we hear what? That this flagship security technology (UAC) is in fact… not a security technology!"

"If Microsoft doesn't change its attitude soon, then in a couple of months the security of Vista (from the typical malware's point of view) will be equal to the security of current XP systems (which means, not too impressive)," she wrote.

In her analysis, Rutkowska had two main criticisms of UAC: that it forces all installer programs to be run with administrative privileges, and that it allows certain IL breaches. She considered the first problem to be an understandable design decision, but said the second was simply a bug in UAC implementation.

Rutkowska was generally positive about UAC, however, calling it a great improvement over Windows XP's security model. She disagreed with the most common criticism of UAC, that its notifications are too intrusive, saying that after the first few days she only saw one or two notifications a day.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *