Symantec security researcher Ollie Whitehouse has uncovered an apparent design flaw in Vista's User Account Control security system that he says could fool users into giving a malicious program access to their system. The problem lies with Vista's integrated RunLegacyCPLElevated.exe application, which is designed to allow legacy control panel software to run with elevated privileges, as well as the way UAC prompts have different color headers depending on their origin. An unsigned or unknown program requesting administrative privileges will display a UAC prompt with an orange header, while if a Windows application does the same, the resulting UAC prompt will have a blue-green header.
According to Whitehouse, a piece of malware running in restricted mode could write a malicious control panel DLL file to, say, a user's Documents directory and then call RunLegacyCPLElevated.exe to request administrative privileges. Since RunLegacyCPLElevated.exe is a Windows application, it would display a UAC prompt with a blue-green header saying "Windows needs your permission to continue," potentially fooling the user into thinking the control panel is trustworthy.
Whitehouse went to Microsoft with these concerns and was pointed to a document (Word .DOC) on Microsoft's website that says, "It's very important to remember that UAC prompts are not a security boundary - they don't offer direct protection. They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back." Whitehouse concludes by saying UAC is better than nothing, but that he doesn't believe a security system that presents unreliable information is good for user confidence. (Thanks to Neowin for the tip.)
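For defenders, the sequence described above leaves a recognizable trace: RunLegacyCPLElevated.exe being asked to load a control panel module from a directory a standard user can write to. The following is an added example, not code from Whitehouse, Symantec or Microsoft, that flags such launches in process-creation records. The event fields, the command-line layout and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Simplifying assumption: on a default install a standard user cannot write here.
PROTECTED_ROOTS = [PureWindowsPath(p) for p in
                   (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]

# Absolute paths ending in .cpl/.dll, either quoted (may contain spaces) or bare.
MODULE_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+\.(?:cpl|dll))"|([A-Za-z]:\\[^\s",]+\.(?:cpl|dll))(?![^\s",])',
    re.IGNORECASE)

def in_protected_dir(module):
    """True if the module sits under a protected root (case-insensitive match)."""
    path = PureWindowsPath(module)
    if ".." in path.parts:  # traversal can escape a protected prefix: not trusted
        return False
    return any(root in path.parents for root in PROTECTED_ROOTS)

def suspicious_launches(events):
    """Return (pid, module) for each RunLegacyCPLElevated.exe launch that
    references a .cpl/.dll outside the protected directories."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "runlegacycplelevated.exe":
            continue  # only the legacy control panel elevation helper matters here
        for m in MODULE_RE.finditer(ev["command_line"]):
            module = m.group(1) or m.group(2)
            if not in_protected_dir(module):
                hits.append((ev["pid"], module))
    return hits

# Constructed process-creation events (not captured data); the layout is assumed.
HELPER = r"C:\Windows\System32\RunLegacyCPLElevated.exe"
SAMPLE_EVENTS = [
    {"pid": 4012, "image": HELPER,
     "command_line": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" "C:\Users\alice\Documents\display.cpl"'},
    {"pid": 4100, "image": HELPER,
     "command_line": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" "C:\Program Files\VendorX\legacy.cpl"'},
    {"pid": 4188, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'notepad.exe C:\Users\alice\Documents\notes.dll'},
    {"pid": 4230, "image": HELPER,
     "command_line": r'RunLegacyCPLElevated.exe C:\Windows\..\Users\alice\AppData\Local\Temp\x.dll'},
]

if __name__ == "__main__":
    for pid, module in suspicious_launches(SAMPLE_EVENTS):
        print(f"pid {pid}: elevation helper asked to load user-writable module {module}")
```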