Two-step UAC hack published

How to defeat Vista security in two easy steps.

Another security researcher has found a way through Windows Vista's heavily hyped User Account Control (UAC) feature.

Robert Paveza, a web application developer with marketing firm Terralever, has published a paper (PDF) demonstrating a two-stage attack which he says allows malicious code to infect Vista systems even from accounts running under the limited privileges afforded by UAC.

The attack takes advantage of the fact that UAC permissions are somewhat porous, with programs able to ride on the coattails of other processes that are commonly granted higher privileges.

This is related to one of the flaws in UAC pointed out by security researcher Joanna Rutkowska in February. Rutkowska pointed out that the integrity levels (ILs) put into place by UAC are designed to allow certain breaches.

Under Paveza's attack, the malicious code would ride on seemingly innocuous software that could, in fact, run as advertised and without any elevated privileges needed, leaving the work of infection for later.

"For instance, if users believe they are downloading a 'Pac-Man' clone, such a game could be run while the malicious software did its work in the background," Paveza wrote. "It is important to note that, realistically, once the proxy infection tool has been run on the target machine, the target is effectively infected."

Meanwhile, the program could create an "executable stub" pointing to a target program that runs at a higher level. The stub would be stored in a place such as the Start menu where the user would click on it thinking to run the original, legitimate higher-level program.

When the user eventually clicks on the stub, the higher-level program is launched and the malicious program is loaded into the process, Paveza explained. By authorising the higher-level program the user also authorises the malicious code.

"The original target process and the malicious process then run in parallel," he wrote.
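
From the defender's side, the stub placement described above can be audited. The PowerShell below is an added example, not code from Paveza's paper or from Microsoft. It lists entries in the current user's Start Menu that a standard-user process could have planted or redirected. The flagging heuristics (file type, target location, signature status) are assumptions chosen for illustration.

```powershell
# Added audit example: review per-user Start Menu entries that could be
# stand-ins for a legitimate program. The heuristics are illustrative assumptions.

$startMenu = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'
$shell     = New-Object -ComObject WScript.Shell

# Locations the current user can write to without elevation.
$userWritable = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }

function Test-UnderUserWritable([string]$Path) {
    foreach ($root in $userWritable) {
        if ($Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($item in Get-ChildItem -Path $startMenu -Recurse -File) {
    $target = $null
    $reason = $null
    switch ($item.Extension) {
        '.lnk' {
            # Resolve the shortcut and check where it really points.
            $target = $shell.CreateShortcut($item.FullName).TargetPath
            if (Test-UnderUserWritable $target) {
                $reason = 'shortcut target is in a user-writable path'
            }
        }
        '.exe' {
            $target = $item.FullName
            $reason = 'executable stored directly in the Start Menu'
        }
    }
    if ($reason) {
        $sig = if (Test-Path -LiteralPath $target) {
            (Get-AuthenticodeSignature -FilePath $target).Status
        } else { 'TargetMissing' }
        [pscustomobject]@{
            Entry = $item.FullName; Target = $target
            Reason = $reason; Signature = $sig
        }
    }
}

$findings | Sort-Object Reason, Entry | Format-Table -AutoSize -Wrap
```

Legitimate per-user installers also place programs under the user profile, so the output is a review list rather than a verdict; unsigned or unexpected targets are the entries to look at first.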

Microsoft in a statement downplayed the risk of the attack, pointing out that the attack requires significant user interaction and that not all users will have the privileges to authorise the malicious code.

However, Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, already answered all such criticisms back in February by explaining that UAC is not to be considered a security mechanism. Rather, it is a way of prompting developers to build more secure applications, he said.

"Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use," he wrote.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said.

"Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

