Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft: UAC Can Be Hijacked by Social Engineering



 By: Lisa Vaas
2007-02-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Security analysts assail Vista's User Account Control; Microsoft has admitted that yes, UAC is liable to social engineering.

Microsofts UAC in its Vista operating system release was meant to signify that finally, the company has gotten serious about securing Windows by limiting a users rights during day-to-day computer usage.

Its come to signify something much less than security or trust in the minds of some security experts, though. Security expert Joanna Rutkowska kicked off the dissection of UAC in her blog, and the latest salvo against User Account Control was heaved by Symantec Research Scientist Ollie Whitehouse with a Feb. 20 posting titled An Example of Why UAC Prompts in Vista Cant Always Be Trusted.

The upshot: Microsoft has admitted that yes, UAC is liable to social engineering.

The idea behind User Account Control is to limit user privileges as much as possible for most of a users interaction with the desktop.

User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it reveals less operating system surface for an attacker to latch onto.

The problem, according to Whitehouse, is the level of trust granted to UAC prompts—a level of trust that he thinks is undeserved.

At issue are the types and colors of dialog boxes thrown up by UAC. They range in color from red to signal when an application has been blocked, to greenish-blue dialog boxes for applications that are supposedly a part of Vista, to a light gray color used for third-party applications, and finally to what Whitehouse describes as a "semi-scary yellowy orange" for unsigned third-party code.

Resource Library:
In fact, Microsofts own description of the colors used refers to color elevation that coincides with an applications diminishing presumed trustworthiness.

However, Whitehouse discovered that an arbitrary file, produced by a random individual, could be made to appear as a legitimate part of Vistas core operating system, using the calming teal color to disguise its nefarious purpose.

"The issue I discovered was that the binary RunLegacyCPLElevated.exe, which is signed by Microsoft, ships with Windows Vista by default with a manifest that says it needs to run elevated and is considered part of the core operating system, could be abused," Whitehouse wrote in his blog.

RunLegacyCPLElevated.exe, Whitehouse says, is designed to provide backward compatibility by allowing legacy Windows Control Panel plug-ins to run with full administrative privileges.

The problem is that arbitrary CPL files can be written to disk areas that non-administrators can write to. I

f a machine is infected by a Trojan, say, the malicious code runs as a restricted user, but can call RunLegacyCPLElevated.exe with the malicious CPL as a parameter.

A UAC prompt then basically lies, claiming that Windows, not an unsigned third-party application, needs to elevate permissions. Given the apparently "safe" color of the dialog box and the prompts false identification as a Windows prompt, a user clicks OK, and the malicious code gains administrative privileges.

The example was meant to demonstrate "that UAC serves a purpose—it prompts the user [before escalating privileges]—but the information the user relies on to judge whether the application should or shouldnt continue… can be undermined using this vector," Whitehouse said in an interview with eWEEK.

Wont the elevation of privileges prompt another UAC dialog box, one that will accurately reflect the requesting applications status of third party?

No, Whitehouse said. "Once the user has accepted the UAC dialog box, there will be no other prompts to the user."

A Microsoft spokesperson told eWEEK that UAC is indeed liable to social engineering of this type, barring advanced security modes having been put in place by the user.

"As with all types of social engineering methods, it is possible for a malicious attacker to spoof a UAC prompt so that it appears to look like its coming from Microsoft if the user has not enabled advanced security modes," the spokesperson said.

The spokesperson said that users can "significantly limit" the chance of spoofed UAC prompts by using the security option that requires the Control-Alt-Delete key sequence, to put the machine into a more secure mode, prior to prompting for credentials.

"Microsofts goal for UAC is to enable customers to run as a standard user," the spokesperson said. "While UAC prompts present customers with information about potential changes to the operating system, so that customers can make informed decisions, there is always potential for attack given no software is 100 percent secure, and that is why Windows Vista has defense-in-depth technologies."

A fundamental part of such an attack, Whitehouse told eWEEK, is that, over time, one would like to think that a user would learn to differentiate between Windows and a file downloaded over the Internet.

However, in the short term, users will be susceptible to being led astray by a color alert system thats been subverted.

"Whether Microsoft accepts it or not, users derive a certain level of trust based on color," he said.

One takeaway from the issue, Whitehouse said, is that UAC is not a security boundary.

"UAC is not like a firewall, which is a hard security boundary, between your PC and the untrusted Internet," he said. "UAC seems to be more of a security function but not a boundary. Its useful as a tool to help users but [shouldnt be] seen as impervious."

Microsoft has pointed those inquiring about the issue to a 15-page document that discusses consumer security best practices.

The document recommends a number of configuration changes. You have to laugh at that, Whitehouse said: "If those are best practices, why doesnt it ship with those configurations by default? I suspect usability. One has to ask really, in the big wide world of ma and pa [Web sites], are they likely going to implement those when the UAC [is supposed to provide account control]?"

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Microsoft: UAC Can Be Hijacked by Social Engineering
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}v89hN;/ۑȶkڶ<wzwEB!);y}}ƭ.K:m["PU( Aȅ3!9)ٟ0O-Ij}ݻPAefAUM7 JԶO7RM3i /wGlJ{'AT{j! xL5MΚMH}ٚ7'x2)X$8z@'AjZ$6m(GJ|$ZB;$?*B43 \2HTߦuB){Te䆡;g? CKt/"(?c&cZ?9;z'f^B(ƻFՉziZgC2]hj:TN`Uƞfn m`㥨 aP`\9t} ^ G&lw&"ScOZ$ӡ%NfI% 0Q#@oڮSVHf̲;o tG ob}uק&[! bS 3MuN_FBS IgK[aW+)K ?GpA'ס"'ml_k| tns<$s~3 CoZeNDj% ?q7`JaC9LjZE>7 ؗCY͢aF3l˸+:4 HS+VWR\m(Ƒx`9ؖ3lTzEÝ|g4;ֿP)J=.#[w u5`(.'7~l@z;Q\`'HH7&LT*jZ*L@aBjLdAX{|\獒A7nJQn4E;J KHs = (21,4Yln\ :77~ :'77fٚY jiUd\]3-U5mw'gr=>sو&lXaV|YkUV1?!MXCEC0JCR ?#3p;|io]8螐$˷Y>_;BesU З?7g,Y`MIhM2Tc]NjoN\ hYKS7B3_?}p a4f@Lu&&h)5?&F`Mab&DJH?є6-`i˫ TE嗋mESq>]Q4{3Bɽ`g@ɋ BD?CC0!pl/\~_M.Qwڪ9Q[ k+\M흛ǘ\zLZgM{W~xD18,]evr`\\Է7ZϏRQ^Tr{h S2ud8԰1nұ>âxaAgIyG|FMk>ktI=DC#ɠ:ڴ\ZVS4!&mЀ?`Ai1[׏ <ۋJpIxZ3x͂=H:}mP`~5$'@ ̀=s'08ɽ5E05ݻ#i`y1&զAp{ Tg ,zC  lm^l}d`1 >5%G@i0xzOEا$D!-i]R@Az: -,rr ݑvZ)JPl=!ԑtNܡZ|MfJ9cb -d[b}IlΌ eV&vϏa[Lbo7], Slo3-muk{\V4Qç#&tc˰` @ }= 3ܲM҆%Ll;!9?a! s WQ'S: xCoBCEw{J`|Ͱ"̴b֜Eu4>dM)n,S˘ R g?f0-qڛuV<ۢfa* ,q;rׁfX8oȣ=p TfЬ||=厬m[_4@~T&](\uΩIJ&k:HY3j-ysDrm ֌Os1r@@SjqH1g0d0{V@q=137RtgZC+>q^i:[@\g˦zkfTؽ/ 7J@2KmVJ*,F6@1V_Xvo jQtTV(&АTtm6fXdžJ>]!1Ada:(HpSo{:!{jaaC+%UVG,mk9^a5sV@6@@7h?L TlVCax=Z'Awm=_T\|:;$8`ϟQ,C* R*}a3)403yb|Fȸ>qm?XĞ/t'L[Qz{=8`Tfha8lXb79HyäSI_(%UMHH~1:2.eX \k>Oa3,HnssQ*Jw+ )R;Oz^*k 5ǩUUR;*Z 7;z&9̓)V3G q'|}1Moř1ftIi -wAL}6݁ \r/,|pZEN[O`cQ av05;?UJ?"2ByQYhw\rR2 S#ݹY$g8 MGFi$]|;P vfȭN6N1L Ma}QD ϓ1W5% d,fqNg0cp&vN{579,3?t\J :=Fh=Нt;Ǻq7_-WE:&ϡRB71PU)ōfπiΈǖ mԆVNM&hh Z;zGd!= =%s?^ir=nz*Z-Yid {2t9t=d}kO?tyUUAS;:9&_P@hO \ ?88ŤD2I*"EeR8NY XLjj_řZkRWGF`"U!7TP>x_7)~(zC9muA>TU]~TmFRV%~萫iI#Ǹ"ZAY_Mkɒ8hs%p B0_\PF.^l`^ASV<^ےCtK37A(6E&7 u Yx\ XLd;yX^5MtX"J7eNVzC`V$,: 7Cwd',BGI}? \%I's3ҿn BD0|7=#SGRiemRߓJ\Z 8ZrYç,D,_t2jU5+dPe\xO+tSN`+T.n߃B'GWƒ"'!M3,`jRUܘό&}g=J п"}QLaUv٩G#{?J{vO燤}@:k_v/>&~f?Н :w!aa="A`W{Zi\#-0MC~W_I7WR&FøDo9)P K #E1>bt߫]=/coۧݫ a= F["^9 K}{%d}һxG{ՑҽN zs=ADHC䄬W!yN.:FS̠o2XGX?ֈdȰ6 Z(Xťwsڹ̂KӜ4"z?N3bn qZsocs}uYLO1t|PV# (ʑ=`=` n)>\b/z$B 0F_Th)W4fuSxv9ݴ9S%j7 EW%'[' u{-:}mF1џW` e܃*׌Vzh'v?!9>48tyQG$ rFn1~xAZd}eԉ9%2 \(?m[ħ{, /䎱>F=:dSNM([wiQ-uyjtJ9S"\ 06H P6,OҼe=lI1 iK"ih$bbVȆRoݾڞ6<5ޥ]ƙBƗHΖe̗4.נݓE4V#["|-&GX!*VZZFZvl*'?v 81 = ](3vcvd\:Gw*b9,_}hrrӅ[`С{$smCgLرDݘ~zNhso. cgm:{@FP$"BQD=%,`*hM5nWKotA?GzҾtnH09Js duh#k7EO>4D]{GE Vz7ngm,da}?H/Fݖyc,OKSiϑ٘&BERTUjln$jYpJU_V {ld+NE$,n%P2vAK Js`ȾqG7b  oJP|}& ~W]?PI=뻿~=mҊ(r_6ZDNpw5U${II5)ps<-K`RToy^v} m$>?Gko D:*t'x||nƄ?mqh'pjox? r`f[!%; #)F'ú?Bozhbɼ߱-b@npq#!m ØE[qJC`^;3d0J0$BO?*QǣD,|#o  dn({0hM?p:/tg4Y`I <]PJз!g.`CQ|uY+ij5=ڳɌjtә.٭O/R A%Pq acRMF1`33n;=-QlmWoWK-{^=Ptu;+Dq;4̫ ]-9P^t"^Gɉ_g?U± Vv勒VKb'4l a+RY.hH#Zl. GGmJYk9^ A܃e@; ǹ&SDgPwwb̆5cV^1_CV旈Hyztȝ8QuT.5UxQ&GG/|vnŒ}M}vs,.CߺCU,ڵ`*ra@#;K 9^ DC$0$}vfvs'kg+E'S7K; y7777Tk%k@;S2irC 0ed>L`j~_gF+{=eZDo#ޏlmUK2c>X;IV7VpI-<PMRf0G8B{{cŵm/:=8fZk4t5?w}L{2(P {j闶UO}K-(Xm/'I*,b'rĥX,hELVÑBu}ų TQGj"8 ej!>᭑݃~OeS9x`G8P`܀*ZWIY 4s[z?=XNʳtqC(u[1~V~T 3,K?#"o?a驿G)1; _ F(oCu&n[{K珩lT= ? KL)PG%~/`hGExd¤ZYt'O|D2y( <7ǥ=[A=^l ܫ.O-x=s`Uňk)'>?WX15>^G? T*X\չ; 5|5XZÈ:2C[ƆmWc#kx|_Cyi."&MEe9L XIj*bdFyAx!Fv+{Kb+6Q$Idhkjj5R5AV^].1ckzzD,?t"RЮ(> Jl?QX2Lzmʹ<8?ԣzQ8gFSYh9ѥKncjFW`j5\.iU,VzUdI+2&/ czŇRO&Sj9椷 O=#TXU|iHU% & 0Zp>b\y z|;˳bfģ Zkah;Xÿ́kj=!vc`.қ≡37:USIY Ñ;w\S7Ɣ[E[TxSvXf 1!{xu;I(ۀ9Fɮtk6fLµA*d 8I֡SDc>oU"cmZ~RQ!y3`ԴzYy^ާBȍF.0k59 ՗>.,'c0/';`^hRg a}s td`Drb,G *6~Gy1S)c'+j w[ w=ktP[)D$ki㽻WԄo% Dc'l6wyrJg+vb"톮kmnAfz)&>#Թ|A+1/׷W'n +Kk_~=Ud[j,K$¨EJLa r;c±\~Q /Hk4Dj#lg :K;K.&e N_ňVSR>fDk9mDz&׈1|S|1E \ЭB9ϪͲ;IoP}sY?e=a ' 2u?|yBJZ]{FGȚZGt(J wKݲY8!K( 7d`(8Nщ?|dTkVyKb?{rU &̋,HKt<.:G>m{A=~ExLLROf\NL! CVY`Oh$}b\d-SWldb"C36tD:iuX C{A:`й飇U #HNLp@=wtq,/y<,b5LXAx<`(brL)Q]ԅي?#7,>-l \Zp4pBfPJIݽa?ÈGs{VWZ"saZ1ш@Q>ɹgM:ӔpxXҚ0!,YC) \ߢ"n#BLk<3DD^r {fĔtH A_c{%%H"V|8snj}J"r[7 tR*tQ:.( oIYPXP؟S?pkSSJLmn$t:fsh8uXg- .E.Ӈ;qw6+פ5:0 1YG7`C[5E9Y|obL<`A~BBj @̐0(ˏIJ uXZFB(s 6J 76úޛZF v`p3W VjMDO"ӡRs]j%u]]ÀqnV?-4W PRx 4 V cvFCd2`f:,B}}}nHt:rӽt{WsѻT֚E_gԝ駓U{5dDxB3f&SRo4U9šmL6Wc\]sxYx鎾(ah,.6.]<J*Q^e=DM@+:ۦ [tHO!~kJjm9Gj:ٙ%oGN\3G MPЦ?h1cBjsg' )ns9UЊLjV}Q}xS SS~7Ox?彜rSi'O6}r>?@B뼻{ZhuOsʡݜ{S~K?\~/rl׺K2K{CKe}./?/s2?QFrsϡs ro+ׇ9}}̡---m:Iʙ#gk\8=JW ~TA__y+%YNysYU~vïUX^йZ*ϑ*Sҿw2~2A^N aqʍz^S_xڙ閽pLڭe]9hwp_l(^c/K^浽ɤ<$xE£B+gٔ@#X{#uO'NW6#ﹺKd^)WsU}Ӊ{Z?Ś/Yy<qLkbžȁ>kv|,y|8SNt17 }^1B8 gvt{zUtKn ] x[[ %>  #r75iSoxg?9/yd֦WVFZkp'k͠6KֈH>Y7 xg5PxZLܸҕpoQ^"#"5 b0=0ŸeZ 7㌰6ևɇ{MC:7Wu}=tf}ET,lKeBghXc$+"79<R9g)螩z$_ M+ 7\zќ{vP7maIH5ZUj{_  = O1Q5YUdN*jUQ)&K<# .=m^et fMȡ!p<@fJ5G P }:`l*iۼx`TS;7i5@9$Lo9Xj-/#2gQ+<6ǝC+4Xpou1R {{[1g7ډe:ɇ`\I8ӄwY!Dۼx4@{4Dr(9Pų l1@ҙ z3 9oٔ^^gCf ΅*˗ X627\$s˸ [2lZ jXJr ;M.-˃a-Cwm`bʜ#3<0 ;VW.a犆L$0y.eƤe @ @:cşI փMΊژqvu98𰙄i׌̯⻀f@L V$I?>t zS,glbErl9GuZCQ8ۈqeA(we6Lm (~%.,wbsS@yȅ=y G~PqE- 6L ;W ^{#D3dƨ49HٍڈY{N6 )4MHβR؍?SzOmÜz)JJ)@bފRΥJvM^ }c*u b9?v"ㅰx/!ZQy|XT ,sD<>K:;33U)֒_./gwǁ;K{K9[((& ]a1W%4}HRä_*9"% oPmJ0G`w ,CQ6L`>NA>Xڎ!/;v2gR*4%NSЊxc&xEyV?ĵ #6 Mwخ;Oq^'d9a7 p1$+nvGT g>5'ك|2=hM(ْ[0F/z >D/7ag} r@cbܢ_\nP\jӟf͙J.RTnbbq 8gf;i : Ǣ8&U]#6sQ/uOׂ}Q'0w0o>`5/#=^&c`H؂{XiW1JpC)tO˰CNt3#׀5V`=H_3(|9N]RnãÍGXx; [+ Iy>p <Щ0T\bX%e܌MF.E]hT4-**S77 9/ߵS7qݼ®"AtG؅nlTxI;s_߀@>{~w1Ǹ 0rczzY?קg[8KiZ epCikZ+ (DqS XǢVWITR6!;دD?8 ciĬ;acXJ,oԟ'TS*4.v>Ͻn,]2xDx\N\oL x6U`AvzU]Z-^cdX$_֬=LE")0OΊ= zBk|FXK]s.&tԵa}ar8Lt4Q3|JKm)g3 ߂ i=`#hxj"nh1)d'k%I''R&la,!r3 یEj f.3R0yqBQəȩ8v}_|JѬd;j +sʧ3~q ĸ(3Vt*NO ' <] e!$o~V;~v?;JwD a ѸT\ƓvkOz,lݸ_>\JQEeiAђuz7,!ջnvާ+e={`os g~oUAYfSժZ-Ni|ӷۊ#iQg8&rYOJ^R۽wz"f/ROa6%s|N1Kikn^ϦO*L kq>lgLp -ϱeRZ`l/ZU|zQ(