Symantec: Vista's UAC warnings can hide a rat

It's supposed to make the operating system safer, but it can be spoofed

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said Thursday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. "The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser," he said in an interview.

Next, the malicious code would drop a malformed .dll file onto a part of the hard drive that the user, who would presumably be running as a restricted Standard User, was allowed to write to. Because the user has rights to write to the disk, a UAC wouldn't pop up at that point.

Finally, the malicious code would call the "RunLegacyCPLElevated.exe" -- the Vista executable that provides backward compatibility to older Windows Control Panel plug-ins -- which in turn runs the .dll. That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system. As soon as the user clicks the "Confirm" button, the malicious code is granted administrative privileges, giving the code -- and thus the attacker -- full access to and complete control of the machine.

"The different colors imply the level of trust," Whitehouse argued. "The green color signifies the warning is coming from Vista. Blue-gray means it's a third-party application, but it's signed. Yellowish-orange means it's not signed and the source can't be guaranteed." Vista also borders some UAC dialogs in red to note applications it's automatically blocked.

The bottom line then, said Whitehouse, is: "Would the user treat this UAC with the same amount of caution?" His answer: No. Users will, as Microsoft intended when it selected those colors, note the teal border of the spoofed UAC and likely click through without a second thought, he said.

"This does require some user interaction, but we can mask something [malicious] in a way that makes it look less alarming. UAC is just one of the tools that Microsoft architected into the OS to allow the user to make more informed judgments. But it's somewhat undermined" by this, he said.

Whitehouse said he contacted the Microsoft Security Response Center (MSRC) about two weeks ago to describe his findings. "They did not see it as an issue," he said. Instead, the MSRC pointed him to the "Security Best Practice Guidance for Consumers" (download document).

"It's very important to remember that UAC prompts are not a security boundary -- they don't offer direct protection," said Whitehouse. "They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word 'trust' in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can't be trusted."

Microsoft officials were not available for comment.

Symantec has regularly slammed Vista's security provisions -- including a public spat over the 64-bit version's new kernel-protection technology, dubbed "PatchGuard." Last month, Symantec executives talked up research it was doing on UAC, which may result in software to give users more control over how frequently Vista pops up the alerts.

Whitehouse denied that there was any connection between his research and possible UAC-related product plans.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?