UAC in Windows 7 still porous
Microsoft is again having to focus its attention on the vulnerability in user account control (UAC) in the beta version of Windows 7, supposedly fixed back in February. A revised exploit means that it is still possible to obtain administrator privileges on a system, without a UAC prompt requiring user confirmation being displayed. Attackers could exploit this to embed malware deep within a system – exactly what UAC is actually supposed to prevent.
Microsoft has made efforts to substantially reduce the number of UAC security prompts in Windows 7 compared to Vista. To achieve this, the company has introduced a number of intermediate UAC levels at which Windows automatically waves through system changes made by certain programs without asking the user. In the beta version of Windows 7, however, security experts demonstrated that a malicious script could exploit this behaviour to deactivate UAC with no user interaction. This was swiftly followed by a demonstration of how a program could obtain unlimited administrator privileges for its own activities.
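The intermediate levels described above are ordinary policy settings that an administrator can inspect. The following PowerShell script is an added example written for this page, not code from heise Security or from the researchers mentioned; it reads the standard UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and reports whether the machine is on one of the reduced-prompting levels or has UAC switched off. The value meanings listed in the script are the documented ones; the function name and the wording of the findings are this example's own.

```powershell
# Added example (not from the heise article): report the effective UAC configuration
# so an administrator can see which prompting level is in force.
# Registry path and value names are the standard UAC policy settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Path = $uacKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Documented meanings of ConsentPromptBehaviorAdmin for administrators
    # running in Admin Approval Mode.
    $adminBehaviour = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop (Vista default, "Always notify")'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
    }

    $behaviour = $props.ConsentPromptBehaviorAdmin
    $meaning   = if ($null -eq $behaviour) { 'Not set' } else { $adminBehaviour[[int]$behaviour] }

    $findings = New-Object System.Collections.Generic.List[string]

    # UAC disabled entirely: every elevation is silent.
    if ($props.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA is not 1); no elevation prompts at all.')
    }
    # Administrators elevated with no prompt, regardless of the binary.
    if ($behaviour -eq 0) {
        $findings.Add('Administrators are elevated without any prompt (ConsentPromptBehaviorAdmin = 0).')
    }
    # The reduced-prompting level: signed Windows binaries are auto-elevated silently.
    # Only "Always notify" (value 2) prompts for every elevation request.
    if ($behaviour -eq 5) {
        $findings.Add('Windows binaries auto-elevate without a prompt (ConsentPromptBehaviorAdmin = 5); set to 2 for "Always notify".')
    }
    # Prompts shown on the normal desktop can be overdrawn by other windows.
    if ($props.PromptOnSecureDesktop -ne 1) {
        $findings.Add('Elevation prompts are not shown on the secure desktop (PromptOnSecureDesktop is not 1).')
    }

    [PSCustomObject]@{
        EnableLUA                  = $props.EnableLUA
        ConsentPromptBehaviorAdmin = $behaviour
        AdminPromptMeaning         = $meaning
        PromptOnSecureDesktop      = $props.PromptOnSecureDesktop
        Findings                   = $findings.ToArray()
    }
}

Get-UacPosture | Format-List
```

Run it from an elevated or non-elevated session alike; the key is world-readable. Note that the script only tells you which level is configured: the point of the article is that the auto-elevation design itself can be subverted, so the relevant remediation at the time was to move the slider to "Always notify" (value 2), at which Windows binaries no longer elevate silently.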
Microsoft initially denied that this represented a security problem, stating that UAC was, in fact, designed to work that way. However, its resistance rapidly crumbled and the software giant soon announced that it was revising UAC. Although the old attack no longer works in RC1, the newly published exploit shows that the problem has only superficially been dealt with. A quick test by the heise Security editorial team showed that it was still possible to bring up a command prompt with administrator privileges without triggering a UAC prompt. The exploit utilises DLL injection into running processes that are not themselves privileged, such as explorer.exe and taskhost.exe.
Microsoft has reportedly been informed of the problem and is examining whether a response is required. Certainly if the company wants to hit the RTM (release to manufacturing) milestone in the second half of July, it's going to have to get its skates on. Blogger Long Zheng has published a video on his website which illustrates the UAC problems.