Symantec security researcher Ollie Whitehouse has uncovered an apparent design flaw in Vista's User Account Control security system that he says could fool users into giving a malicious program access to their system. The problem lies with Vista's integrated RunLegacyCPLElevated.exe application, which is designed to allow legacy control panel software to run with elevated privileges, as well as the way UAC prompts have different color headers depending on their origin. An unsigned or unknown program requesting administrative privileges will display a UAC prompt with an orange header, while if a Windows application does the same, the resulting UAC prompt will have a blue-green header.
According to Whitehouse, a piece of malware running in restricted mode could write a malicious control panel DLL file to, say, a user's Documents directory and then call RunLegacyCPLElevated.exe to request administrative privileges. Since RunLegacyCPLElevated.exe is a Windows application, it would display a UAC prompt with a blue-green header saying "Windows needs your permission to continue," potentially fooling the user into thinking the control panel is trustworthy.
Whitehouse went to Microsoft with these concerns and was pointed to this document (Word .DOC) on Microsoft's website that says, "It's very important to remember that UAC prompts are not a security boundary - they don't offer direct protection. They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back." Whitehouse concludes by saying UAC is better than nothing, but that he doesn't believe a security system that presents unreliable information is good for user confidence. (Thanks to Neowin for the tip.)
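From a detection standpoint, the scenario Whitehouse describes leaves a recognizable trace: RunLegacyCPLElevated.exe started with a control panel module that lives somewhere a restricted process could have written it. The sketch below is an added example, not code from Symantec or Microsoft; the event field names, the sample events, and the assumption that the module path appears as a command-line argument are all constructed for illustration.

```python
import ntpath
import re

LAUNCHER = "runlegacycplelevated.exe"
# Locations a standard (unelevated) user cannot write to on a default install.
PROTECTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")
# Quoted or bare tokens ending in .cpl/.dll (assumed to be the module to load).
MODULE_RE = re.compile(r'"([^"]+\.(?:cpl|dll))"|(\S+\.(?:cpl|dll))', re.IGNORECASE)


def in_protected_root(path):
    # normpath collapses "..", so C:\Windows\..\Users\x.cpl is not trusted.
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(root + "\\") for root in PROTECTED_ROOTS)


def flag_launches(events):
    """Return (pid, module_path) for launcher runs that load a user-writable module."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != LAUNCHER:
            continue  # only the legacy control panel launcher is of interest
        for m in MODULE_RE.finditer(ev["command_line"]):
            module = m.group(1) or m.group(2)
            # Bare names without a directory cannot be judged by location.
            if ntpath.isabs(module) and not in_protected_root(module):
                hits.append((ev["pid"], module))
    return hits


# Constructed process-creation events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe "C:\Users\alice\Documents\settings.cpl"'},
    {"pid": 4200, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe "C:\Windows\System32\legacy.cpl"'},
    {"pid": 4300, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'notepad.exe "C:\Users\alice\Documents\notes.dll"'},
    {"pid": 4388, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe "C:\Windows\..\Users\Public\tool.cpl"'},
]

if __name__ == "__main__":
    for pid, module in flag_launches(SAMPLE_EVENTS):
        print(f"pid {pid}: elevated control panel load from user-writable path {module}")
```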