Vista's UAC security is colour blind

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, said a Symantec researcher.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in a colour associated with alerts generated by Windows itself.

The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. "The most likely scenario is that a user gets compromised by malicious code, from a Trojan or a vulnerability in a third-party application like Office or a browser," he said in an interview.

Next, the malicious code would drop a malformed .dll file onto a part of the hard drive that the user, who would presumably be running as a restricted Standard User, was allowed to write to. Because the user already has rights to write to that location, no UAC prompt would appear at that point.

View: Full Article @ TechWorld


37 Comments


That just proves that they are the best virus makers..

Well, it's true you need to know your "enemy" (are viruses really enemies to them?) to attack it properly, but it is also true that they could indeed make a virus to help them make money..

Blah.. all the viruses I've ever had have never caused as much hassle as Norton Antivirus caused me once, so.. Symantec.. just improve your products and shut the hell up about Windows..

Don't bite the goddam hand that feeds you just because it gives you less food this time.

As soon as you see "...said a Symantec researcher...." you know you don't really need to keep reading. Just another attack on Windows to try and sell their bloatware.

Sorry, no sale.

I'm still waiting for the flaws that bypass the UAC protection completely and gain root privileges without any prompts. I consider those to be real threats.

I have educated the rest of my semi-computer-illiterate family to read what they are authorizing in the UAC dialogs. I told them if they don't know the program described, it is always safe to click "Cancel." I am 99% sure if they saw this prompt, they would click "cancel."

Do you know how much it takes to get system access on Vista with UAC enabled?

I had to delete some registry keys from Enum today on my copy of Home Premium.. Damn, had to do a little more work than just running a program as a service this time..

As others said earlier.. People like both sides.. Complaining the security sucks and at the same time enjoying the fact that they can do anything to their copy of Windows that they want.. Maybe I need to contact Microsoft and complain because I can't format my boot drive while Windows is running from it like you could in old Win 9x versions.

I am not a fan of Mac OS X, but at least some mac users have adapted to the security restrictions in it..

That commercial with PC and Mac and the Vista guy in a black suit and sunglasses is pretty funny.. Not very realistic though.. Those Mac commercials always give me a chuckle though.

if someone hacks your box, it doesn't matter anymore at that point that they can spoof UAC. It's not your box anymore.

Sounds to me like the user is blind if they are clicking the button to run the program without reading.. If Microsoft intended the dialogs just to be a hurdle in the way without the user reading it, it would have been a box that said "Click the button to run the program."


Like Jive said.. No excuse for not reading the dialog. This is the bull that will make Windows always seem less secure.. You can't force users to choose one option over the other.. If you could, it wouldn't be an option. It would be a mandate (I think).

bilemke said,
Sounds to me like the user is blind if they are clicking the button to run the program without reading..
It is unfortunate, but that is exactly what makes up the majority of "computer users".

People should be told that if one of these boxes pops up and they don't have any idea what it means when reading it, to click Cancel.

The only thing MS can do is to refine UAC to pop up less and become less annoying, as some say it is. Then also have it display simple-to-understand information when it does pop up so people can then make a decision.

Try to cut back on the technobabble; leave that for the Details part.

GP007 said,
People should be told that if one of these boxes pops up and they don't have any idea what it means when reading it, to click Cancel.
Sure. And this is what they will learn: "When I click 'Cancel', the computer doesn't do what I wanted"

My mother-in-law is one of those people. I'm not saying anything bad about those types of people, just stating the fact that most computer users are not Neowin-visiting "computer enthusiasts" ("geeks" ) :P

Look, let's face it... if you're a blithering idiot who allows everything then of course it's a problem. This is the same reason Mac users were slammed with a virus about 8 months ago when they opened a zip file that had "pics of the next OSX" in it and the idiots entered their root password.

There is absolutely no substitute for the human firewall. Until security analysts and reporters realize that and stop pushing their own personal agenda, we will be haunted with insignificant stuff such as this. Do I consider it a bug that you can spoof the colors using the legacy elevated app? Absolutely. Do I think that anyone who is paying attention to what they are clicking on should realize that they should not be getting that prompt? This is also true. In that case, it should be submitted to MS as a bug and fixed come patch Tuesday.

It's also great the Symantec is making this out to be a much bigger deal than it really is, and I bet we see them advertising something about this in the near future and using this article and statements in some way to push their product. Nice.

Jive stamps this as "FUD."

Mac users were not "slammed." There was never any real outbreak. UAC is a pain and was not done properly. It should work much like OSX does... or even when sudo is used in Linux, Unix and AIX.

betasp said,
Mac users were not "slammed." There was never any real outbreak. It should work much like OSX does...

Are you sure?
read this old article: http://alastairs-place.net/archives/000079.html
OS X authentication dialogs can lie:
"Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something

(..)
Very funny, but quite scary because it means it's much too easy to trick an end-user into giving a potentially malicious program root privileges.
Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I'm sorry to report that the critics are quite correct. I'm sure they'll fix this now I've published it on the Internet, but I really shouldn't have had to do this; it should have been fixed back in 2003 when it was first reported."

http://alastairs-place.net/archives/000079.html

franzon said,

Are you sure?
read this old article: http://alastairs-place.net/archives/000079.html
OS X authentication dialogs can lie:
"Some time ago now, in fact in November of 2003, I reported to Apple that it was possible to make the authentication dialog lie about which program was asking for authorisation to do something

(..)
Very funny, but quite scary because it means it's much too easy to trick an end-user into giving a potentially malicious program root privileges.
Apple have been widely—and, to my mind, rather unfairly—lambasted for their attitude towards security holes, but in this case I'm sorry to report that the critics are quite correct. I'm sure they'll fix this now I've published it on the Internet, but I really shouldn't have had to do this; it should have been fixed back in 2003 when it was first reported."

http://alastairs-place.net/archives/000079.html

Where was the slam? It was a vulnerability, but not an outbreak. Everything is vulnerable...

Yeah I have to agree, it's a hole of some kind I guess, but basically if you're spoofing it, then the system is still doing what it's supposed to, and the only holes you're exploiting are in people's brains.


Oooh free screensaver....clickyclicky...

Yeah, UAC will not survive well. Lots of people will just click Continue without reading the message. Remember back in the Win98 days when people would try to download something from the internet, you remember this Security Warning dialog box? A lot of malware is distributed this way and can trick people into downloading malware onto their computers.

Same here. People will find a way to spoof the UAC. It will become extremely annoying when it pops up more frequently and many novices will not understand the message very well and get rid of them by clicking randomly on any buttons.

And of course if you had security desktop enabled, you'd be able to tell that it's fake since there wouldn't be one for a prompt that has been faked.

And usually the message of the prompts aren't so vague... i.e. you'll see an icon with the program's name, etc. otherwise the user would expect it to be displayed using the "unsafe" dialog.

It is not FUD; it is about the fact that, using this code:

RunLegacyCPLElevated shell32,Control_RunDLL "<your application>","Boof"

It will look like you are trying to execute a native part of Windows while it actually will run any executable given to it.
I don't care, I'll run with UAC off anyway.

CheeseCow said,
It is not FUD; it is about the fact that, using this code:
RunLegacyCPLElevated shell32,Control_RunDLL "<your application>","Boof"

Windows Vista's UAC will ask you for permissions:

And the user can also click on details in order to see the full details such as the command line

franzon said,
And the user can also click on details in order to see the full details such as the command line

But how many people will actually bother to click Details, or even read the pop-up? Most people (aka your average person who knows hardly anything about PCs and only uses them for web browsing etc.) will just click Continue.

I can't think of many people that would be suspicious of a prompt speaking of:

Run a legacy CPL elevated
Microsoft Windows

The first line is pure gibberish for a novice, and the second part says it's a message from Windows and not a third party app. The icon is the same as the one for e.g. a file copy operation. Heck, even I would perhaps just click past that one without going "hmm" and clicking on "Advanced" if e.g. an installer would show that message.

UAC is meant to give the user info that something is going on and to either block it or allow it. If, in the end, the user just clicks on Yes to everything without knowing what's going on, then that's really not UAC's fault at all as a system.

It's no different from blocking attachments in e-mail from being run/opened automatically but having the end user open them on their own anyway; the end result is the same.

The only thing we can hope for is that MS keeps moving towards sandboxing apps so that if something does get through it will be limited in what it can do and so forth.

Also refining UAC so it becomes less of an annoyance, as some say it is; then maybe people will pay more attention to it when it does pop up and not just click on YES to everything. If you don't know what it's doing or what it means when it pops up, then click NO or Cancel! That should be the advice given out to everyone.

UAC is meant to give the user info that something is going on and to either block it or allow it. If, in the end, the user just clicks on Yes to everything without knowing what's going on, then that's really not UAC's fault at all as a system.

Why are you so blind?

As demonstrated,

RunLegacyCPLElevated shell32,Control_RunDLL "<your application>","Boof"
will make UAC pop up with the prompt shown above, but it will run any application of your choice (hence "<your application>"). In short, an attacker can make UAC provide the wrong information about what's going on.

The biggest problem here is, when people see an unknown application name with "Microsoft Windows" below it, coupled with a friendly Windows icon, people tend to trust it because they believe it (the application) is a part of Microsoft Windows when it's not.

It's UAC's job to provide sufficient, correct, and relevant information to the user, and this hack is preventing UAC from doing its job.

All of these supposed intrusion vectors proposed by nearly everybody under the sun in the security segment of the industry are pure balderdash. Welcome to "Thoughtspeak: The Security Industry Version".

Notice that most of them require a previously compromised system - such as, in this case, getting around UAC in the first place to drop the .dll file - or another cumbersome intrusion vector that would never really happen in real-life scenarios.

Incredulous!

It would require social engineering of a user who had the right permissions, or a single malicious user on that PC.

Indirect, at best, but I would not say that it "would never really happen in real-life scenarios". There are plenty of idiots on PCs, as well as a bunch of "bad guys" out there. Plus 'never' is a pretty strong word.

markjensen said,
There are plenty of idiots on PCs.

Just so we're clear, you're not singling out Windows PC users there, are you? Just checking ...

Kirkburn said,

Just so we're clear, you're not singling out Windows PC users there, are you? Just checking ...
:P
Nah, if I meant "Windows", I have the cojones to say so.

Just keep clicking yes... oh wait I disabled UAC ages ago....

I suspect most home consumers will get used to pressing Yes all the time and not reading the dialogues; this is a rather pointless system imho, but it makes MS customers feel more secure, right!? :)

I would have even preferred the *NIX way of doing things, where the user is 'sandboxed' (I think that's the term); despite how much I hate it and log in as root all the time anyway, it is a much more secure method.