User-privilege flaw hits Vista

Security firm discovers security flaw that affects user-privileges in Vista

A security firm has discovered one of the first security flaws to directly affect Windows Vista, a bug that it claims allows local users to escalate their privileges.

The flaw involves Windows' system for managing user security levels, User Account Control (UAC), which was introduced with Vista. UAC is designed to limit the damage that can be caused by mass attacks such as worms by giving standard users limited privileges, a practice common with other operating systems.

Combined with a remote vulnerability, the newly discovered bug could essentially render UAC useless, escalating standard user privileges to system-level access, according to eEye.

"A flaw exists within Windows Vista that allows local privilege escalation to System," eEye said in a note on its website. The company said it reported the bug to Microsoft on Jan. 19, and plans to disclose further details once a fix is available.

According to eEye co-founder Marc Maiffret, the flaw is similar to a buffer overflow.

Microsoft said in a statement it is aware of the report and is investigating. "The company is not aware of any public discussion of the report itself," Microsoft stated.

UAC is by far the most visible change in Vista's security system, to the point where some have criticized it as too intrusive. At the same time, researchers have already begun picking holes in the system.

What's more, Microsoft recently made it clear that it doesn't consider UAC a security feature, since it has deliberately left particular holes in the system for ease of use. That means bugs in UAC aren't security flaws, Microsoft says.

"Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," wrote Mark Russinovich, a Technical Fellow in Microsoft's Platform and Services Division, in a blog post earlier this month. "Because elevations and ILs (Integrity Levels) don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

Instead of being a security barrier, UAC is intended "to get us to a world where everyone runs as standard user by default and all software is written with that assumption," Russinovich wrote.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?