Microsoft's UAC in its Vista operating system release was meant to signify that the company had finally gotten serious about securing Windows by limiting a user's rights during day-to-day computer usage.
It's come to signify something much less than security or trust in the minds of some security experts, though. Security expert Joanna Rutkowska kicked off the dissection of UAC in her blog, and the latest salvo against User Account Control was heaved by Symantec Research Scientist Ollie Whitehouse with a Feb. 20 posting titled "An Example of Why UAC Prompts in Vista Can't Always Be Trusted."
The upshot: Microsoft has admitted that yes, UAC is liable to social engineering.
The idea behind User Account Control is to limit user privileges as much as possible for most of a user's interaction with the desktop.
User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it reveals less operating system surface for an attacker to latch onto.
The problem, according to Whitehouse, is the level of trust granted to UAC prompts—a level of trust that he thinks is undeserved.
At issue are the types and colors of dialog boxes thrown up by UAC. They range in color from red to signal when an application has been blocked, to greenish-blue dialog boxes for applications that are supposedly a part of Vista, to a light gray color used for third-party applications, and finally to what Whitehouse describes as a “semi-scary yellowy orange” for unsigned third-party code.
In fact, Microsoft's own description of the color scheme ties each step up the scale to a lower presumed trustworthiness of the application.
However, Whitehouse discovered that an arbitrary file, produced by a random individual, could be made to appear as a legitimate part of Vista's core operating system, using the calming teal color to disguise its nefarious purpose.
“The issue I discovered was that the binary RunLegacyCPLElevated.exe, which is signed by Microsoft, ships with Windows Vista by default with a manifest that says it needs to run elevated and is considered part of the core operating system, could be abused,” Whitehouse wrote in his blog.
RunLegacyCPLElevated.exe, Whitehouse says, is designed to provide backward compatibility by allowing legacy Windows Control Panel plug-ins to run with full administrative privileges.
The problem is that arbitrary CPL files can be written to disk areas that non-administrators can write to. If a machine is infected by a Trojan, say, the malicious code runs as a restricted user, but can call RunLegacyCPLElevated.exe with the malicious CPL as a parameter.
A UAC prompt then basically lies, claiming that Windows, not an unsigned third-party application, needs to elevate permissions. Given the apparently "safe" color of the dialog box and the prompt's false identification as a Windows prompt, a user clicks OK, and the malicious code gains administrative privileges.
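The chain described above leaves a trace a defender can look for: a process-creation record for RunLegacyCPLElevated.exe whose .cpl argument points somewhere a standard user can write. The script below is an added example, not code from the article, Symantec or Microsoft. The record format and the sample events are constructed, the exact command-line layout of RunLegacyCPLElevated.exe is assumed rather than taken from documentation, and the list of protected roots is a starting point rather than a complete one.

```python
"""Flag RunLegacyCPLElevated.exe launches whose .cpl argument lives outside
the system directories (added illustration; records are constructed)."""
import ntpath
import re
from typing import Optional

# Directories a standard user cannot write to on a default install (assumed
# starting set); a .cpl elevated from anywhere else deserves a second look.
PROTECTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Either a double-quoted run or a bare run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed process-creation records, loosely modelled on the fields of a
# Windows 4688 event. Command-line syntax is hypothetical.
SAMPLE_EVENTS = [
    {"user": r"DESKTOP\alice",
     "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "cmdline": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" "C:\Windows\System32\desk.cpl"'},
    {"user": r"DESKTOP\alice",
     "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "cmdline": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" "C:\Users\alice\AppData\Local\Temp\update.cpl"'},
    {"user": r"DESKTOP\bob",
     "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "cmdline": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" C:\Windows\System32\..\..\Users\bob\update.cpl'},
    {"user": r"DESKTOP\bob",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe"'},
    {"user": r"DESKTOP\carol",
     "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "cmdline": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" update.cpl'},
]


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows-style command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def cpl_arguments(cmdline: str) -> list[str]:
    """Return every argument (the image itself excluded) that names a .cpl file."""
    return [t for t in split_cmdline(cmdline)[1:] if t.lower().endswith(".cpl")]


def is_protected_path(path: str) -> bool:
    """True if the normalised absolute path lies under a protected root.

    Relative paths are never protected: they resolve against the caller's
    working directory, which the caller controls. ntpath.normpath collapses
    '..' so a traversal out of System32 is judged by where it really lands.
    """
    if not ntpath.isabs(path):
        return False
    norm = ntpath.normpath(path).lower()
    return any(norm == root or norm.startswith(root + "\\") for root in PROTECTED_ROOTS)


def assess(event: dict) -> Optional[str]:
    """Return a reason string if the record matches the pattern, else None."""
    if ntpath.basename(event["image"]).lower() != "runlegacycplelevated.exe":
        return None
    for cpl in cpl_arguments(event["cmdline"]):
        if not is_protected_path(cpl):
            return f"legacy CPL elevated from a non-system location: {cpl}"
    return None


def scan(events: list[dict]) -> list[dict]:
    """Run assess() over a batch of records and return the hits with reasons."""
    hits = []
    for ev in events:
        reason = assess(ev)
        if reason:
            hits.append({"user": ev["user"], "cmdline": ev["cmdline"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["user"]}: {hit["reason"]}')
```

Of the five constructed records, the first (a .cpl inside System32) and the fourth (an unrelated process) pass; the other three are flagged: a .cpl in a user's Temp directory, a path that traverses out of System32, and a bare relative filename. The same pattern applies to any signed, auto-elevating helper that loads a caller-supplied file; the `PROTECTED_ROOTS` tuple and the image name are the only parts tied to this specific case.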
The example was meant to demonstrate "that UAC serves a purpose—it prompts the user [before escalating privileges]—but the information the user relies on to judge whether the application should or shouldn't continue… can be undermined using this vector," Whitehouse said in an interview with eWEEK.
Won't the elevation of privileges prompt another UAC dialog box, one that will accurately reflect the requesting application's third-party status?
No, Whitehouse said. “Once the user has accepted the UAC dialog box, there will be no other prompts to the user.”
A Microsoft spokesperson told eWEEK that UAC is indeed liable to social engineering of this type, barring advanced security modes having been put in place by the user.
"As with all types of social engineering methods, it is possible for a malicious attacker to spoof a UAC prompt so that it appears to look like it's coming from Microsoft if the user has not enabled advanced security modes," the spokesperson said.
The spokesperson said that users can “significantly limit” the chance of spoofed UAC prompts by using the security option that requires the Control-Alt-Delete key sequence, to put the machine into a more secure mode, prior to prompting for credentials.
"Microsoft's goal for UAC is to enable customers to run as a standard user," the spokesperson said. "While UAC prompts present customers with information about potential changes to the operating system, so that customers can make informed decisions, there is always potential for attack given no software is 100 percent secure, and that is why Windows Vista has defense-in-depth technologies."
Part of what such an attack relies on, Whitehouse told eWEEK, is timing: over time, one would like to think that a user would learn to differentiate between Windows and a file downloaded over the Internet.
In the short term, however, users will be susceptible to being led astray by a color alert system that's been subverted.
“Whether Microsoft accepts it or not, users derive a certain level of trust based on color,” he said.
One takeaway from the issue, Whitehouse said, is that UAC is not a security boundary.
"UAC is not like a firewall, which is a hard security boundary, between your PC and the untrusted Internet," he said. "UAC seems to be more of a security function but not a boundary. It's useful as a tool to help users but [shouldn't be] seen as impervious."
Microsoft has pointed those inquiring about the issue to a 15-page document that discusses consumer security best practices.
The document recommends a number of configuration changes. You have to laugh at that, Whitehouse said: "If those are best practices, why doesn't it ship with those configurations by default? I suspect usability. One has to ask really, in the big wide world of ma and pa [Web sites], are they likely going to implement those when the UAC [is supposed to provide account control]?"