CDRInfo Forum CDRInfo Forum

Forums  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Photo Gallery  Member List  Search  Calendars  FAQ  Ticket List  Log Out

Microsoft Won't Fix Windows 7's UAC.   Logged in as: Guest
Viewers: 680 You can click here to see Today's Posts | Most Active Topics | Posts Since Last Visit
  Printable Version
All Forums >> [News Around The Web] >> Microsoft News >> Microsoft Won't Fix Windows 7's UAC. Page: [1]
Message << Older Topic   Newer Topic >>
Microsoft Won't Fix Windows 7's UAC. - 6/11/2009 9:03:59 AM   


Posts: 462
Joined: 4/1/2009
Status: offline
Not too long ago, we ran a story informing you of how the auto-elevation feature in Windows 7 is broken in a way that allows malicious programs to silently gain administrative privileges. We wondered if Microsoft was ever going to fix this one before Windows 7 goes final, and even though we're not there yet, a recent article by Mark Russinovich seems to imply pretty strongly that no, Microsoft is not going to fix this.

After lots and lots of user complaints about how people were annoyed by UAC prompts in Windows Vista, Microsoft gave in to the whiners, and created something called auto-elevation, which allows certain parts of the system to auto-elevate themselves without bringing up any UAC prompts. This way, Microsoft was able to bring down the amount of prompts.

A clever programmer - not a security researcher - quickly found out that this was a pretty braindead decision by Microsoft, as it is now possible to quickly, easily, and silently bypass UAC completely by anything injecting code into the memory of another process, a process with auto-elevation capabilities, using standard, documented APIs. Some noted that this only works for administrators and not for standard user accounts, but since Microsoft still defaults to administrator accounts, that point becomes a bit moot.

The way to fix this issue is pretty simple: set the UAC slider back to its topmost, Vista-like level, which disables auto-elevation, and removing the threat completely, and as such, I always advise people to do so. The question has always been: Will Microsoft fix this?

A recent article on UAC in Windows 7 by Mark Russinovich seems to indicate that no, Microsoft is not going to fix this. First, he explains that even without auto-elevation, there are several ways malware can take advantage of unsigned executables asking for higher privileges. However, Russinovich adds, it's hard for malware to get on the system in the first place. "Windows has many defense-in-depth features, including Data Execution Prevention (DEP), Address Space Load Randomization (ASLR), Protected Mode IE, the IE 8 SmartScreen Filter, and Windows Defender that help prevent malware from getting on the system and running."

Still, if malware were to get on a system anyway, it could get past UAC, auto-elevation or not. He also reiterates that even without administrative privileges, malware can still do just about anything malware wants to do these days, such as joining a botnet or messing with user files, data, and input.
More reading:

Post #: 1
Page:   [1]
All Forums >> [News Around The Web] >> Microsoft News >> Microsoft Won't Fix Windows 7's UAC. Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts

Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI