Davey Winder
Friday, 06 February 2009 15:24
Page 2 of 3
Jon DeVaan was also quick to point out why the UAC issue was not a vulnerability at all. "The word 'vulnerability' has a very specific meaning in the security area," he said, "...the recent feedback does not represent a vulnerability since it does not allow the malicious software to reach the computer in the first place."
What's more, DeVaan insisted that "...if anyone says something like, 'UAC is broken,' it is easy to see they are mischaracterizing the feedback."
Yet, according to Long Zheng, that is exactly the case. He explains in some detail how the original UAC security flaw he had uncovered (and for which the VBScript proof-of-concept was created) was actually just "one piece in a string of dominoes that fell much earlier when the new tiered-UAC system was introduced in Windows 7."
Indeed, Zheng goes on to show how the Windows 7 Beta security configuration default allows malicious applications to elevate themselves to full administrative privileges, autonomously and without any UAC prompts.
What's more, there is no need even to disable UAC via the first vulnerability. Zheng made the discovery public after privately notifying Microsoft and getting no official response.
"If and until a patch is available, I feel obliged to outline the elevated risk (pun) to the millions of Windows 7 beta users running Windows 7 beta in its default UAC policy of 'notify me of changes by program, not of Windows changes' which does not adequately enforce the privilege system, arguably an essential factor to a safe operating system," Zheng explains.
He also advises that Windows 7 beta testers change the UAC setting to high until the issue is resolved in a new build or by a security patch.
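As an added example (not code from the article, from Zheng or from Microsoft), the PowerShell check below reads the registry values behind the UAC slider, reports whether a machine sits at the Windows 7 "notify only for programs" default the article describes or at the "Always notify" level Zheng recommends, and offers a helper to raise it. The key and value names and the value-to-slider mapping are the documented Windows UAC policy settings; the function names are my own.

```powershell
# Added example: audit the UAC slider level from its registry values.
# Key and value names are the documented Windows UAC policy settings.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    # A missing value casts to 0, which reads as the weakest setting, so a
    # half-configured key is reported as weak rather than silently passed.
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Map the three values onto the positions of the UAC slider.
    $level = if ($enableLua -eq 0 -or ($consent -eq 0 -and $secure -eq 0)) {
        'Never notify (UAC effectively off)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify (the level Zheng recommends)'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify only for programs, without the secure desktop'
    } else {
        "Non-standard combination (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }
    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        AlwaysNotify               = ($enableLua -eq 1 -and $consent -eq 2 -and $secure -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Must run from an elevated shell; the change applies at next sign-in.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$state = Get-UacLevel
$state | Format-List
if (-not $state.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify"; run Set-UacAlwaysNotify from an elevated prompt.'
}
```

The same three values can be pushed fleet-wide through Group Policy, which is the usual way to enforce the setting rather than relying on each tester to move the slider.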
But what of Microsoft? Did someone mention a truly amazing confession? Find out what Microsoft has to say officially about the UAC non-vulnerability now on page 3...