UAC question

Discussion in 'other security issues & news' started by Dregg Heda, Sep 22, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can UAC be bypassed?
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes.

    A short question gets a short answer. :) Google can tell more. Basically, UAC cannot be relied upon to prevent malware attacks. It will prevent some very primitive attacks that are not aware that UAC exists, but better attacks can bypass UAC.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, a practical and a more theoretical means of passing UAC:

    Practical
    The elevation integrity mechanism of Vista and Windows 7 does not allow objects and processes of a lower integrity (rights) to change objects of a higher integrity level.

    Theoretical
    Elevation protection can theoretically be bypassed, because software is never 100% tested and watertight. This means that exploits will arise which are able to bypass the elevation monitoring process.

    Bottom line
    UAC is not a HIPS, but when combined with Sully's PGS (default-deny execute SRP, plus running internet-facing software as limited user via SRP) and IE8 protected mode features running in Vista/Windows 7 with UAC (and others like cross-site scripting protection, SmartScreen filter download and website control), it will raise the bar for malware to intrude on your system.

    Some however argue that because it is not perfect, it is worthless protection (not my opinion ;) ).

    When your web browser runs with lowest rights (IE8 protected mode by default) or you force it to start with lowest rights (psexec -l) in Vista/Win7, you are only vulnerable to side-by-side malware injections into lowest-rights objects. This reduces the attack surface for a malware writer so much that it practically means you're well protected.
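    The integrity-level check behind the post above, as an added example that is not part of the thread and not Sully's PGS or psexec: a PowerShell function that reads the mandatory integrity label from a process token (TokenIntegrityLevel via GetTokenInformation) so you can verify that a browser started with "lowest rights" really runs at Low. The RID-to-name table follows the SECURITY_MANDATORY_*_RID constants in winnt.h; the function and P/Invoke class names are my own.

```powershell
# Added example (not from the thread): read a process token's mandatory label.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
}
"@

function Get-ProcessIntegrityLevel {
    [CmdletBinding()]
    param([Parameter(ValueFromPipelineByPropertyName = $true)][Alias('Id')][int]$ProcessId = $PID)
    process {
        $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to open most processes, Vista and later
        $TOKEN_QUERY = 0x0008
        $TokenIntegrityLevel = 25                    # TOKEN_INFORMATION_CLASS member
        $M = [System.Runtime.InteropServices.Marshal]

        $hProc = [TokenIL]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
        if ($hProc -eq [IntPtr]::Zero) {
            throw "OpenProcess($ProcessId) failed, Win32 error $($M::GetLastWin32Error())"
        }
        $hTok = [IntPtr]::Zero; $buf = [IntPtr]::Zero
        try {
            if (-not [TokenIL]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
                throw "OpenProcessToken($ProcessId) failed, Win32 error $($M::GetLastWin32Error())"
            }
            # First call only reports the TOKEN_MANDATORY_LABEL size, second call fills the buffer.
            $len = 0
            [void][TokenIL]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
            $buf = $M::AllocHGlobal($len)
            if (-not [TokenIL]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
                throw "GetTokenInformation failed, Win32 error $($M::GetLastWin32Error())"
            }
            # TOKEN_MANDATORY_LABEL begins with a PSID (S-1-16-<rid>); the level is the last sub-authority.
            $sid   = $M::ReadIntPtr($buf)
            $count = $M::ReadByte([TokenIL]::GetSidSubAuthorityCount($sid))
            $rid   = $M::ReadInt32([TokenIL]::GetSidSubAuthority($sid, $count - 1))
        } finally {
            if ($buf  -ne [IntPtr]::Zero) { $M::FreeHGlobal($buf) }
            if ($hTok -ne [IntPtr]::Zero) { [void][TokenIL]::CloseHandle($hTok) }
            [void][TokenIL]::CloseHandle($hProc)
        }
        # SECURITY_MANDATORY_*_RID: 0x0000 Untrusted, 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System
        $name = switch ($rid) {
            { $_ -lt 0x1000 } { 'Untrusted'; break }
            { $_ -lt 0x2000 } { 'Low'; break }
            { $_ -lt 0x3000 } { 'Medium'; break }
            { $_ -lt 0x4000 } { 'High'; break }
            { $_ -lt 0x5000 } { 'System'; break }
            default           { 'ProtectedProcess' }
        }
        New-Object PSObject -Property @{ ProcessId = $ProcessId; Rid = ('0x{0:X4}' -f $rid); IntegrityLevel = $name }
    }
}

# Usage: list browser processes that are NOT running at Low integrity.
Get-Process iexplore, firefox, chrome -ErrorAction SilentlyContinue |
    Get-ProcessIntegrityLevel |
    Where-Object { $_.IntegrityLevel -ne 'Low' }
```

Run it from a normal (medium-integrity) prompt; opening the token of an elevated or system process may be refused, and the function then throws with the Win32 error rather than reporting a wrong level. IE8 protected mode shows as Low for the tab/content process, while a browser started without psexec -l or protected mode shows as Medium.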
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for responding guys.

    If I have UAC set up with SRP enabled for both users and admins, and browsers and my downloads folder set as limited users, any malware via drive-by downloads won't be written to C:\Windows and C:\Program Files, right? And if it can't write to those folders it can't execute, even if it attempts a privilege escalation exploit after it gets onto my system, right? Can this be bypassed in any way?
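    The SRP layout described in the two posts above (Kees1958's "default-deny execute SRP, plus running internet-facing software as limited user" and the configuration asked about here), as an added example that is not part of the thread and not Sully's PGS: a PowerShell script that writes the local Software Restriction Policy into the Safer registry keys that the Local Security Policy editor uses, and then probes the allowed directories for locations a limited user can still write to. The registry layout (CodeIdentifiers, DefaultLevel, PolicyScope, TransparentEnabled, per-level Paths\{GUID} rules with ItemData and SaferFlags) is the one the policy editor produces; the function names are my own.

```powershell
# Added example (not from the thread, not Sully's PGS): default-deny SRP via the registry.
# Assumed layout (what secpol.msc writes):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#     DefaultLevel, PolicyScope, TransparentEnabled, AuthenticodeEnabled, ExecutableTypes
#   ...\CodeIdentifiers\<level>\Paths\<GUID>: ItemData, SaferFlags, Description, LastModified
#     <level> = 0 Disallowed, 131072 (0x20000) Basic User, 262144 (0x40000) Unrestricted
# Needs an elevated prompt; run with -WhatIf first.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Level = @{ Disallowed = 0; BasicUser = 0x20000; Unrestricted = 0x40000 }

function Add-SrpPathRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][ValidateSet('Disallowed', 'BasicUser', 'Unrestricted')][string]$SecurityLevel,
        [string]$Description = ''
    )
    # One subkey per rule, named with a fresh GUID, under the numeric security level.
    $ruleKey = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Level[$SecurityLevel], [guid]::NewGuid().ToString('B'))
    if ($PSCmdlet.ShouldProcess($ruleKey, "path rule '$Path' -> $SecurityLevel")) {
        $null = New-Item -Path $ruleKey -Force
        New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    }
    $ruleKey
}

function Set-SrpDefaultDeny {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$ApplyToAdministrators,   # PolicyScope 0 = everyone (incl. admins), 1 = everyone except local admins
        [switch]$IncludeDlls              # TransparentEnabled 2 = also check DLLs, 1 = executables only
    )
    if ($PSCmdlet.ShouldProcess($SaferRoot, 'DefaultLevel = Disallowed')) {
        $null = New-Item -Path $SaferRoot -Force
        Set-ItemProperty -Path $SaferRoot -Name DefaultLevel        -Value $Level.Disallowed -Type DWord
        Set-ItemProperty -Path $SaferRoot -Name PolicyScope         -Value $(if ($ApplyToAdministrators) { 0 } else { 1 }) -Type DWord
        Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled  -Value $(if ($IncludeDlls) { 2 } else { 1 }) -Type DWord
        Set-ItemProperty -Path $SaferRoot -Name AuthenticodeEnabled -Value 0 -Type DWord
        # Designated file types (the policy editor's default list); extend it for types you see malware use.
        Set-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Type MultiString -Value ([string[]]('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','PS1','REG','SCR','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH'))
    }
    # The Unrestricted rules SRP creates by default; without them Windows itself could not start programs.
    Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -SecurityLevel Unrestricted -Description 'Windows'
    Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -SecurityLevel Unrestricted -Description 'Program Files'
    if (${env:ProgramFiles(x86)}) {
        Add-SrpPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' -SecurityLevel Unrestricted -Description 'Program Files (x86)'
    }
}

# Default deny only holds if the Unrestricted paths are not writable by the limited user.
# Run this from a NON-elevated prompt: every directory it prints is a place where a
# drive-by could drop a file and have it run under the Windows rule.
function Find-WritableDirectory {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $probe = Join-Path $_.FullName ('srp-probe-{0}.tmp' -f [guid]::NewGuid())
            try { [IO.File]::WriteAllText($probe, ''); Remove-Item $probe -Force; $_.FullName } catch { }
        }
}

# Usage (elevated): dry run first, then repeat without -WhatIf.
Set-SrpDefaultDeny -ApplyToAdministrators -WhatIf
Add-SrpPathRule -Path '%ProgramFiles%\Internet Explorer\iexplore.exe' -SecurityLevel BasicUser -Description 'Browser as limited user' -WhatIf
# Then, as the limited user, close the holes the probe finds:
# Find-WritableDirectory | ForEach-Object { Add-SrpPathRule -Path $_ -SecurityLevel Disallowed -Description 'writable under SystemRoot' }
```

Two points worth checking against the question above. A more specific path rule wins over the default level, so a Basic User rule on a writable folder such as Downloads permits execution there (as a limited user); leaving that folder under the Disallowed default is the stricter choice, with the Basic User rule applied to the browser executable only. And the Unrestricted rule for %SystemRoot% covers every subdirectory, including any a standard user can write to, which is why the probe function exists: each hit should get its own Disallowed rule. If new rules do not take effect for freshly started programs, log off and on.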
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544

    Great tip, Kees! Thanks, I didn't know Sully's SRP manager. I will have a look at it.

    Do not forget to enable DEP for all processes!
     
  6. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,437
    Microsoft should require users to create a standard password-protected account like on Mac OS X and Linux, and then have users elevate permissions to apply updates and to install new programs. Malware can't run if it can't be executed.
     