Microsoft: UAC Can Be Hijacked by Social Engineering

Written by Lisa Vaas
Published February 26, 2007

Microsoft's UAC in its Vista operating system release was meant to signify that, finally, the company had gotten serious about securing Windows by limiting a user's rights during day-to-day computer usage.

It's come to signify something much less than security or trust in the minds of some security experts, though. Security expert Joanna Rutkowska kicked off the dissection of UAC in her blog, and the latest salvo against User Account Control was heaved by Symantec Research Scientist Ollie Whitehouse with a Feb. 20 posting titled "An Example of Why UAC Prompts in Vista Can't Always Be Trusted."

The upshot: Microsoft has admitted that yes, UAC is liable to social engineering.

The idea behind User Account Control is to limit user privileges as much as possible for most of a user's interaction with the desktop.

User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to approve the escalation. Limiting normal permissions is a good thing, since it exposes less operating-system surface for an attacker to latch onto.

The problem, according to Whitehouse, is the level of trust granted to UAC prompts—a level of trust that he thinks is undeserved.

At issue are the types and colors of dialog boxes thrown up by UAC. They range in color from red, to signal when an application has been blocked, to greenish-blue dialog boxes for applications that are supposedly a part of Vista, to a light gray color used for third-party applications, and finally to what Whitehouse describes as a "semi-scary yellowy orange" for unsigned third-party code.

In fact, Microsoft's own description of the colors used refers to color elevation that coincides with an application's diminishing presumed trustworthiness.

However, Whitehouse discovered that an arbitrary file, produced by a random individual, could be made to appear as a legitimate part of Vista's core operating system, using the calming teal color to disguise its nefarious purpose.

"The issue I discovered was that the binary RunLegacyCPLElevated.exe, which is signed by Microsoft, ships with Windows Vista by default with a manifest that says it needs to run elevated and is considered part of the core operating system, could be abused," Whitehouse wrote in his blog.

RunLegacyCPLElevated.exe, Whitehouse says, is designed to provide backward compatibility by allowing legacy Windows Control Panel plug-ins to run with full administrative privileges.

The problem is that arbitrary CPL files can be written to disk areas that non-administrators can write to. If a machine is infected by a Trojan, say, the malicious code runs as a restricted user, but can call RunLegacyCPLElevated.exe with the malicious CPL as a parameter.

A UAC prompt then basically lies, claiming that Windows, not an unsigned third-party application, needs to elevate permissions. Given the apparently "safe" color of the dialog box and the prompt's false identification as a Windows prompt, a user clicks OK, and the malicious code gains administrative privileges.
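A defender-side illustration, added here and not part of the original article or of Whitehouse's post: this Python script scans constructed process-creation records for launches of RunLegacyCPLElevated.exe whose .cpl argument sits outside the Windows system directories, which is the telemetry signature of the abuse described above. The log format, the command-line shape and the trusted-directory list are assumptions made for the example.

```python
import ntpath
import re

# Constructed sample process-creation records (not real telemetry), one per line:
# timestamp|user|image path|command line. The command-line shape is an assumption.
SAMPLE_EVENTS = r"""
2007-02-20T10:01:05|CORP\alice|C:\Windows\System32\RunLegacyCPLElevated.exe|RunLegacyCPLElevated.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
2007-02-20T10:02:11|CORP\alice|C:\Windows\System32\RunLegacyCPLElevated.exe|RunLegacyCPLElevated.exe shell32.dll,Control_RunDLL C:\Users\alice\AppData\Local\Temp\update.cpl
2007-02-20T10:03:40|CORP\bob|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt
2007-02-20T10:04:02|CORP\bob|C:\Windows\System32\RunLegacyCPLElevated.exe|RunLegacyCPLElevated.exe shell32.dll,Control_RunDLL "C:\Users\Public\Downloads\codec pack.cpl"
2007-02-20T10:05:30|CORP\carol|C:\Windows\System32\RunLegacyCPLElevated.exe|RunLegacyCPLElevated.exe shell32.dll,Control_RunDLL C:\Windows\System32\..\..\Users\carol\evil.cpl
"""

# Directories where a legitimate legacy .cpl is expected to live: an assumed
# baseline for this example; tune it to your own environment.
TRUSTED_CPL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A .cpl argument, either double-quoted (may contain spaces) or a bare token.
CPL_ARG = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)\b', re.IGNORECASE)

def parse_event(line):
    ts, user, image, cmdline = line.split("|", 3)
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline}

def cpl_paths(cmdline):
    """Return every .cpl path named on the command line."""
    return [quoted or bare for quoted, bare in CPL_ARG.findall(cmdline)]

def is_trusted_cpl(path):
    # Normalise first so "System32\..\..\Users\x\evil.cpl" is not taken for a system file.
    norm = ntpath.normpath(path).lower()
    return norm.startswith(TRUSTED_CPL_ROOTS)

def find_suspicious(log_text):
    """Flag RunLegacyCPLElevated.exe launches whose .cpl lies outside trusted roots."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ntpath.basename(ev["image"]).lower() != "runlegacycplelevated.exe":
            continue
        untrusted = [p for p in cpl_paths(ev["cmdline"]) if not is_trusted_cpl(p)]
        if untrusted:
            hits.append((ev["ts"], ev["user"], untrusted))
    return hits

if __name__ == "__main__":
    for ts, user, paths in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {user} elevated an untrusted CPL: {', '.join(paths)}")
```

The path normalisation matters: a .cpl referenced through a system directory with `..` components would otherwise pass a naive prefix check.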

The example was meant to demonstrate "that UAC serves a purpose—it prompts the user [before escalating privileges]—but the information the user relies on to judge whether the application should or shouldn't continue… can be undermined using this vector," Whitehouse said in an interview with eWEEK.

Won't the elevation of privileges prompt another UAC dialog box, one that accurately reflects the requesting application's third-party status?

No, Whitehouse said. "Once the user has accepted the UAC dialog box, there will be no other prompts to the user."

A Microsoft spokesperson told eWEEK that UAC is indeed liable to social engineering of this type, barring advanced security modes having been put in place by the user.

"As with all types of social engineering methods, it is possible for a malicious attacker to spoof a UAC prompt so that it appears to look like it's coming from Microsoft if the user has not enabled advanced security modes," the spokesperson said.

The spokesperson said that users can "significantly limit" the chance of spoofed UAC prompts by using the security option that requires the Control-Alt-Delete key sequence, which puts the machine into a more secure mode, before prompting for credentials.

"Microsoft's goal for UAC is to enable customers to run as a standard user," the spokesperson said. "While UAC prompts present customers with information about potential changes to the operating system, so that customers can make informed decisions, there is always potential for attack given no software is 100 percent secure, and that is why Windows Vista has defense-in-depth technologies."

A fundamental point about such an attack, Whitehouse told eWEEK, is that over time one would hope users learn to differentiate between Windows itself and a file downloaded over the Internet.

In the short term, however, users will be susceptible to being led astray by a color alert system that's been subverted.

"Whether Microsoft accepts it or not, users derive a certain level of trust based on color," he said.

One takeaway from the issue, Whitehouse said, is that UAC is not a security boundary.

"UAC is not like a firewall, which is a hard security boundary, between your PC and the untrusted Internet," he said. "UAC seems to be more of a security function but not a boundary. It's useful as a tool to help users but [shouldn't be] seen as impervious."

Microsoft has pointed those inquiring about the issue to a 15-page document that discusses consumer security best practices.

The document recommends a number of configuration changes. You have to laugh at that, Whitehouse said: "If those are best practices, why doesn't it ship with those configurations by default? I suspect usability. One has to ask really, in the big wide world of ma and pa [Web sites], are they likely going to implement those when the UAC [is supposed to provide account control]?"


Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
