
Windows Vista UAC hack published

Two steps to break through Vista

A security researcher has found another way to attack Windows Vista's UAC (User Account Control) feature.

Robert Paveza, a web application developer with Terralever, has published a paper:

UAC exploit white paper

The PDF demonstrates a two-stage attack which allows malicious code to infect Windows Vista systems - even from accounts running under the limited privileges afforded by UAC.

The UAC attack takes advantage of the fact that UAC permissions are porous. Programs are able to ride on the coat-tails of other processes that are commonly granted higher privileges.

However, Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, already answered such criticisms back in February by explaining that UAC is not to be considered a security mechanism.

Rather, it is a way of prompting developers to build more secure applications, he said.

"Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use," he wrote.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said.

Paveza's flaw is related to one of the flaws in UAC pointed out by security researcher Joanna Rutkowska in February. Rutkowska pointed out that the ILs (integrity levels) put into place by UAC are designed to allow certain breaches.

During Paveza's attack, the malicious code would ride on seemingly innocuous software that could, in fact, run as advertised without needing any elevated privileges, leaving the work of infection for later.

