Symantec's UAC Worries Challenged
David Utter Staff Writer
2007-02-28
Windows Vista has a security feature called User Account Control that helps inform users about applications attempting to run on their systems; UAC's potential exploitability has been the subject of debate.
Symantec researcher Ollie Whitehouse got the ball rolling with his blog post about UAC. Titled "An Example of Why UAC Prompts in Vista Can't Always Be Trusted," the post described concerns that UAC and Vista's security policy could be fooled by a malicious party.
The end result of that could be malicious code running on a Vista system, including such pleasantries as a rootkit with administrative privileges. Naturally, such a scenario prompted the attention of security researchers.
Some of them don't consider the scenario described by Whitehouse very likely. One poster on the Bugtraq mailing list described the Symantec post as FUD:
Let's note this passage about what would have to happen *first*:
"The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser."
Oh, the awe a magician can inspire after "The Magic Rooting" takes place. The UAC would, of course, prevent this from happening in the first place. I also doubt the "magic assumptions" of "most users would just click through without a second thought."
Security author Mark Burnett took the discussion a few steps further. On his MB's Windows Security blog, Burnett ran down everything that would have to take place before Whitehouse's scenario could yield its bitter harvest:
Just the fact that all this really exploits is some presumed difference in user behavior between a teal prompt and a yellow-orange prompt shows how lame this really is.
That assumption itself is questionable because if a user with admin credentials is smart enough to know the difference between the two colors and prudent enough to take different actions based on color, would they really be lame enough to download an unknown file from an unknown web site, click past all the other prompts, including one asking them to "run a legacy CPL elevated?" I doubt it.
UAC may not be a perfect security model. But exploiting it requires a lot of events to take place. Anything is possible, considering the average computer user, but a UAC-powered exploit may be less likely than others.
---
Tags: Windows, Vista, UAC, Security
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.