2009-02-02

Somebody claimed Windows 7's new UAC has a security vulnerability. But what is the problem anyway?

Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design”
Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)

On the above site, a guy claimed that Windows 7's new UAC behaviour has a security issue: if the user chooses "Don’t notify me when I make changes to Windows settings", malware can gain administrator privileges by simulating key input to change the UAC setting.

So what is the problem anyway? It is the user who asked "Don't show that damn UAC prompt when I make changes to the Windows settings", and the UAC level setting is a Windows setting, so sure, Windows doesn't show it. The user can still choose "always notify", brainlessly, to prevent it. It's that simple and consistent.

This guy also claimed that, to fix this issue, Windows should make an exception so that changing the UAC setting itself shows a UAC prompt in Secure Desktop mode. But that's against the rule.

Microsoft officially said to this guy that "In order for malicious code to have gotten on to the box, something else has already been breached". True. Once a bad program is launched, it can read the user folder and send it to the internet using the default browser (this bypasses the firewall, and UAC doesn't work in this case).

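Oh, lately English has started to come to me smoothly, and I couldn't be happier. It took more than a year to get here. I was chatting every day in English I wasn't used to.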
