UAC Hack Malware – Huh?

Not even released yet and a significant flaw is already out there with regard to how Windows 7 handles white listing in the UAC… or something like that. On the plus side, it seems that this kind of issue is something that can be detected and dealt with. So this is a good thing.

But the final line of thought on this issue appears to be that this is really a bug with the Security Essentials software. Certainly seems plausible enough. Another way of looking at this that Microsoft has totally dropped the ball and with any luck, will get this resolved with a bit of a stronger approach than it is in the current form.

At the end of the day, there is no question that people are really skittish about UAC hacks, issues, and exploits. After all, the UAC was a bit of a joke when it first came out in Vista and it took a while for that to finally settle down. Frankly, I don’t trust any OS that has me running as an admin out of the box. This includes Linux distros that do this along with Windows.

In fairness, the UAC is better than nothing. And it has been shown to cut down on the ability to install malware greatly. But as with any OS, it is not a cure all.

[awsbullet:atom+and+his+package]

Article Written by

  • http://www.aeroxp.org Bryant

    I actually specifically outlined why it’s likely not a bug with MSE:

    —————————-
    From my post:

    A friend of mine proposed one particular argument as a potential explanation to this issue, whereby this is a bug within Microsoft Security Essentials. The reasons I don’t believe this to be the case are:

    * This exploit was specifically named as HackTool:Win32/Welevate.A (A quick googling shows only three links; one is to the aforementioned virustotal link, the second and third to a Microsoft encyclopedia entry.
    * This particular label only applies to this specific proof-of-concept
    * A reasonable vulnerability assessment (”Medium”) was applied to this particular proof-of-concept, which makes sense given that this security vulnerability in UAC is only really an issue if either a user runs a malicious application or if some other internet-facing application were to be compromised. I covered the latter in an older post of mine where I explain how this flaw essentially raises the vectors of attack many-fold.

  • TwelveBaud

    Hi, I’m a friend of one of the editors on AeroXP, and I’d like to make the situation more clear than “huh?”

    Under Windows XP, users are administrators by default. This is a very bad thing, because any program can brick the entire machine, at any time, without notice. Furthermore, many programs assume the user is an administrator, which renders the preferred solution, switching to an account with fewer rights for all but administration-related tasks, unworkable.

    Windows Vista introduced User Account Control, a way for people to log in as an administrator, but still only have the rights of a limited user, unless a program requests and the guy at the keyboard grants full rights.

    This is a malware prevention method: Programs which you’d expect to need admin rights, like installers, you can safely let through, while programs you don’t, like an instant messenger, you can block. If an instant messenger program is compromised, it can’t affect any other users and the damage can be contained.

    However, all users expect full rights all the time, and most aren’t aware of the boundary between “standard user” rights and administrator rights. Moreover, some users don’t know that the computer can’t tell the difference between “I want this” and “A program wants this”. This led to what most people perceived as an insane amount of prompts, that UAC was just getting in the way, and that it was better off disabled.

    Microsoft responds in Windows 7 by adding a list of programs that get waived on through, without prompts. to reduce the load on the user. Things like using Windows Explorer to move files on your hard drive now work as they used to: no prompting. This makes UAC prompts rarer, and subject to closer user scrutiny.

    However, the programs on this list become massive targets: If a malware author can get into one of these, then UAC is not only worthless, it’s also worse, since it adds only the illusion of protection. The programs on this list need to be considered carefully, and put under a microscope to eliminate all chances for someone to run code.

    Microsoft decided to put nearly 700 programs on that list, including one specifically designed to run other people’s code. Head, meet desk. Meet desk again. Repeat.

    My friend at AeroXP and his friends pointed this out to Microsoft, and made a small tool in about ten minutes that would let any program run as an administrator, without any prompting, bypassing UAC entirely, using one of these whitelisted programs as a springboard.

    Microsoft responded by removing the one program they used from the list.

    My friends continued to petition Microsoft to fix the problem, and quickly changed their proof-of-concept to use another easy way to run code in these special programs.

    Now, Microsoft has responded by marking that tool — and only that specific tool — a virus. ANY change to it, even as little as putting a dot in the icon, and it continues to work, completely undetected.

    This is like moving all the money from a bank’s safe into the lobby, knocking out the entire front wall, and saying “We’ll catch bank robbers one by one. And we’ll only catch them after they’ve robbed us once. And putting on a different mask is enough for us to not recognize them.”

    (That is to say, it’s stupid.)

    So, it’s strongly suggested by the community to, as soon as you install Windows 7, change the User Account Control setting to disable the white list and continue prompting you. Because that white list is horribly broken.

  • Pingback: What’s the First Thing you do in the Mornings? | Chris Pirillo

  • http://www.youtube.com/addiskun Addis

    OSX lets you run as admin “right out of the box” also. Just a correction

  • whizkidtoo

    I personally dont trust or even like UAC period, i tell anyone with a vista machine that they should just disable it and not deal with the headache. i honestly dont see how it does anything to remotely secure my system. its just there to look good.

  • http://www.matthartley.com Matt Hartley

    Addis: I am certainly not an OS X expert here, but as a BSD based operating system…I am 99.9 percent sure you are not running as root…hence needing to enter the root password to make system changes. ;)

    If I am wrong and this is wrong, please provide the link to support your belief that it does run as root/admin and I will correct this.

  • Pingback: Roaming Gnomes And Happy Homes ~ Windows Fanatics

  • whizmyass

    You know I really have to laugh when I read an article like this and then read some of the comments.

    I have’nt quite inquired as to the details of the issue. However UAC serves its purpose. Quite simply users don’t like being prompted for something they want to do on their computer. The problem…. People bashed it from the beggining for the wrong reasons.

    Whitelisted applications out of the box is just wrong in my opinion as well as stated by TwelveBaud and I think a good explaination as well.
    But seriously if you are that concerned with having to click a prompt to allow a program to have elevated priveledges that’s lazy. Disabling it and still running as an administrative user is not a smart solution if you are not 100% sure of what you are doing at all times. I’ve had to many calls from users that disabled UAC by the advice of a self proclaimed guru. Sure enough, after installing their precious file sharing peers and whatever else they insist they need, they have every toolbar and every adware app known to mankind.
    I can admit it is a pain on a fresh install but after some tweaking works well enough to alert you of a possible malware attack.
    Microsoft may be making a bad judgment call with a whitelist due to all the complaints from users because they don’t like any type of inconvenience for the sake of security. Sounds to me more like they are trying to accomodate so its removal is less likely. Remember this is not to protect only your PC this protect everyone. If you don’t understand how or why you should remove your guru status.