Researcher reveals 2-step Microsoft Vista UAC hack
By Ruben Francia
A web application developer has found a way to hack Windows Vista through its User Account Control (UAC) feature. The two-step attack allows malicious code to infect Vista systems even from accounts running under the limited privileges afforded by UAC.
Robert Paveza, a web application developer with marketing firm Terralever, has published a paper titled “User-Prompted Elevation of Unintended Code in Windows Vista” illustrating a two-step process for exploiting Windows Vista’s User Account Control.
The technique uses social engineering to trick the victim into downloading an innocent-looking file that includes a Trojan horse attack.
Paveza said the first step requires that malware called a proxy infection tool be downloaded and run, which needs no elevated privileges. That software can behave as advertised while it sets up a second malicious payload in the background.
“For instance, if users believe they are downloading a ‘Pac-Man’ clone, such a game could be run while the malicious software did its work in the background,” Paveza said. “This pattern of infection follows the typical Trojan horse model, piggybacking on what may be otherwise legitimate software,” he added.
Meanwhile, the malicious software could create an “executable stub” pointing to a target program that runs at a higher level. The stub would be stored in a place such as the Start menu where the user would click on it thinking to run the original, legitimate higher-level program.
When the user eventually clicks on the stub, the higher-level program is launched and the malicious software is loaded into the process and run in parallel, Paveza explained. By authorizing the higher-level program the user also authorizes the malicious code, he said.
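A defensive check for the shortcut placement described above, as an added example that is not from Paveza's paper or this article: it reports launchers in a user-writable Start menu folder whose names duplicate launchers in the machine-wide one. The function names, the extension list, the default folder paths and the name-collision heuristic are assumptions.

```python
import os
from pathlib import Path

# Assumption: launchers of interest carry one of these extensions.
LAUNCHER_EXTS = {".lnk", ".exe", ".url", ".bat", ".cmd"}

def launcher_names(root):
    """Map lower-cased launcher name (no extension) -> relative paths under root."""
    found = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in LAUNCHER_EXTS:
                found.setdefault(p.stem.lower(), []).append(str(p.relative_to(root)))
    return found

def find_shadowing_launchers(user_menu, common_menu):
    """Return (name, user_paths, common_paths) for every launcher in the
    user-writable menu that shares a display name with a machine-wide one."""
    user = launcher_names(user_menu)
    common = launcher_names(common_menu)
    return [(n, sorted(user[n]), sorted(common[n]))
            for n in sorted(user.keys() & common.keys())]

if __name__ == "__main__":
    # Usual per-user and all-users Start menu folders (assumed defaults);
    # adjust for the system being audited.
    user_menu = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu")
    common_menu = os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu")
    for name, u, c in find_shadowing_launchers(user_menu, common_menu):
        print(f"{name}: user copy {u} shadows machine-wide {c}")
```

A name collision is a lead to review, not a verdict: some installers legitimately place same-named shortcuts in both locations.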
Microsoft, in a statement, downplayed the risk, pointing out that the attack Paveza describes consists of actions an attacker can take on a system that has already been compromised by other means.
“With this in mind, it is important to note that user interaction is required for the initial infection of the Trojan to occur,” the spokesperson said. “The user must open the attacker’s malicious executable. Furthermore, the successive social engineering attempt will only be successful if the user inadvertently clicks on the malicious shortcut. In fact, at this point, the user must be part of the local administrator’s group or provide administrator credentials at the UAC prompt.”
However, the Microsoft spokesperson said that UAC was indeed susceptible to social engineering attacks.
Back in February, Mark Russinovich, a Technical Fellow in Microsoft’s Platform and Services Division, explained that UAC is not to be considered a security mechanism. Rather, it is a way of prompting developers to build more secure applications, he said.