Symantec: Vista's UAC warnings can hide a rat

It's supposed to make the operating system safer, but it can be spoofed

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said Thursday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. "The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser," he said in an interview.

Next, the malicious code would drop a malformed .dll file onto a part of the hard drive that the user, who would presumably be running as a restricted Standard User, was allowed to write to. Because the user has rights to write to the disk, a UAC wouldn't pop up at that point.

Finally, the malicious code would call the "RunLegacyCPLElevated.exe" -- the Vista executable that provides backward compatibility to older Windows Control Panel plug-ins -- which in turn runs the .dll. That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system. As soon as the user clicks the "Confirm" button, the malicious code is granted administrative privileges, giving the code -- and thus the attacker -- full access to and complete control of the machine.

"The different colors imply the level of trust," Whitehouse argued. "The green color signifies the warning is coming from Vista. Blue-gray means it's a third-party application, but it's signed. Yellowish-orange means it's not signed and the source can't be guaranteed." Vista also borders some UAC dialogs in red to note applications it's automatically blocked.

The bottom line then, said Whitehouse, is: "Would the user treat this UAC with the same amount of caution?" His answer: No. Users will, as Microsoft intended when it selected those colors, note the teal border of the spoofed UAC and likely click through without a second thought, he said.

"This does require some user interaction, but we can mask something [malicious] in a way that makes it look less alarming. UAC is just one of the tools that Microsoft architected into the OS to allow the user to make more informed judgments. But it's somewhat undermined" by this, he said.

Whitehouse said he contacted the Microsoft Security Response Center (MSRC) about two weeks ago to describe his findings. "They did not see it as an issue," he said. Instead, the MSRC pointed him to the "Security Best Practice Guidance for Consumers" (download document).

"It's very important to remember that UAC prompts are not a security boundary -- they don't offer direct protection," said Whitehouse. "They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word 'trust' in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can't be trusted."

Microsoft officials were not available for comment.

Symantec has regularly slammed Vista's security provisions -- including a public spat over the 64-bit version's new kernel-protection technology, dubbed "PatchGuard." Last month, Symantec executives talked up research it was doing on UAC, which may result in software to give users more control over how frequently Vista pops up the alerts.

Whitehouse denied that there was any connection between his research and possible UAC-related product plans.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?