Jump to content

Microsoft: UAC Can Be Hijacked by Social Engineering


Recommended Posts


By Lisa Vaas

{there's more to read click on the link at the bottom of the page to learn more about the artical}

Microsoft's UAC in its Vista operating system release was meant to signify that finally, the company has gotten serious about securing Windows by limiting a user's rights during day-to-day computer usage.

It's come to signify something much less than security or trust in the minds of some security experts, though.

Security expert Joanna Rutkowska kicked off the dissection of UAC in her blog, and the latest salvo against User Account Control was heaved by Symantec Research Scientist Ollie Whitehouse with a Feb. 20 posting titled An Example of Why UAC Prompts in Vista Can't Always Be Trusted.

The upshot: Microsoft has admitted that yes, UAC is liable to social engineering.

The idea behind User Account Control is to limit user privileges as much as possible for most of a user's interaction with the desktop.

User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it reveals less operating system surface for an attacker to latch onto.

The problem, according to Whitehouse, is the level of trust granted to UAC prompts—a level of trust that he thinks is undeserved.

At issue are the types and colors of dialog boxes thrown up by UAC. They range in color from red to signal when an application has been blocked, to greenish-blue dialog boxes for applications that are supposedly a part of Vista, to a light gray color used for third-party applications, and finally to what Whitehouse describes as a "semi-scary yellowy orange" for unsigned third-party code.

In fact, Microsoft's own description of the colors used refers to color elevation that coincides with an application's diminishing presumed trustworthiness.

However, Whitehouse discovered that an arbitrary file, produced by a random individual, could be made to appear as a legitimate part of Vista's core operating system, using the calming teal color to disguise its nefarious purpose.

Source: eweek

Link to comment
Share on other sites

  • Replies 1
  • Views 1.8k
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...