Microsoft backpedals on Vista security
In the past few months, Microsoft has been repeatedly touting its User Account Control (UAC) as one of the most important new security functions in Windows Vista. But now that the first problems in the concept surface, the software vendor is changing its tune. For instance, Microsoft's Mark Russinovich has explained the limitations of UAC in a long blog entry:
It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries.
He then adds:
Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs.
If we take Mark's words literally, that means that if someone were to demonstrate tomorrow how easy it is to get around UAC or the restrictions of IE, Microsoft would not view the issue as a security problem and therefore not release a patch. We will probably have to wait until the first concrete demonstrations, if not contaminants, have been released with such functions to see if Microsoft will adhere to this policy.
Mark's statements have already caused security expert Joanna Rutkowska to ponder whether Vista's Security Model was just a big joke to begin with. Even before Mark's blog entry, she had pointed out that a process of the low Integrity Level (IL), the standard setting for IE, can send events for keystrokes (WM_KEYDOWN) to a process at a higher level, such as an administrative shell, thus allowing arbitrary commands to be executed with its privileges.
- Running Vista Every Day! by Joanna Rutkowska
- PsExec, User Account Control and Security Boundaries by Mark Russinovich of Microsoft
- Vista Security Model - A Big Joke? by Joanna Rutkowska