Symantec: Vista’s UAC Warnings Are Unreliable
A Symantec researcher has refuted Microsoft's claim that Windows Vista's User Account Control (UAC) largely secures the operating system from attack. On February 21, 2007, Ollie Whitehouse said that it was possible to spoof UAC, so it couldn't be fully trusted.
Ollie Whitehouse, a security researcher and blogger at Symantec, elaborated on UAC's alerts and the risks they pose in a post on the firm's blog titled "An Example of Why UAC Prompts in Vista Can't Always Be Trusted."
In the post, Whitehouse describes how Vista's UAC functions and illustrates the process in detail with the support of a flowchart. He also explains the method that enables malicious DLL files when a non-associated legacy process is in use.
Whitehouse holds the RunLegacyCPLElevated.exe application built into Vista responsible for the problem. The application lets legacy Control Panel software operate with elevated privileges. It also helps UAC display prompts with different colored headers on the basis of their origin.
A Microsoft spokesperson told eWEEK that social engineering techniques could indeed affect UAC, except for those security modes that the user might have put in place.
With UAC, Microsoft aims for customers to act like a standard user, the spokesperson said. It provides customers with information about probable changes to the operating system so that they can make decisions on that basis. Even then, the OS is susceptible to potential attacks, as no software is completely secure. This is precisely why Vista is built with in-depth defenses.
In an interview, Ollie Whitehouse pointed out that UAC prompts were not the ultimate security; they didn't provide direct protection. PCWorld published the interview on February 22, 2007. UAC prompts give a chance to assess an action before it takes place, but once the user allows it to proceed there can be no return. So, says Whitehouse, although Microsoft associates the word "trust" with UAC, one cannot actually rely on even the data these UAC prompts furnish.
Whitehouse had contacted the Microsoft Security Response Center with his points, but they ignored the issue, showing him instead the "Security Best Practice Guidance for Consumers."
» SPAMfighter News - 14-03-2007