Discussion in 'other security issues & news' started by Dregg Heda, Sep 22, 2009.
Can UAC be bypassed?
A short question gets a short answer. Google can tell more. Basically, UAC cannot be relied upon to prevent malware attacks. It will prevent some very primitive attacks that are not aware that UAC exists, but better attacks can bypass UAC.
Yes, a practical and a more theoretical means of passing UAC.
The elevation integrity mechanism of Vista and Windows 7 does not allow objects and processes of a lower integrity level (rights) to change objects of a higher integrity level.
Elevation protection can theoretically be bypassed, because software is never 100% tested and watertight. This means that exploits will arise which are able to bypass the elevation monitoring process.
UAC is not a HIPS, but when combined with Sully's PGS (default-deny execute SRP, plus running internet-facing software as limited user via SRP) and IE8 protected mode features running in Vista/Windows 7 with UAC (and others like cross-site scripting protection, smart filter download + website control), it will raise the bar for malware to intrude into your system.
Some however argue that because it is not perfect, it is worthless protection (not my opinion).
When your web browser runs with lowest rights (IE8 protected mode by default) or you force it to start with lowest rights (PsExec -l) in Vista/Win7, you are only vulnerable to side-by-side malware injections into lowest-rights objects. This reduces the attack surface for a malware writer so much that it practically means you're well protected.
Thanks for responding guys.
If I have UAC set up with SRP enabled for both users and admins, and browsers and my downloads folder set as limited users, any malware via drive-by downloads won't be written to C:\Windows and C:\Program Files, right? And if it can't write to those folders it can't execute, even if it attempts a privilege escalation exploit after it gets onto my system, right? Can this be bypassed in any way?
Great tip Kees! Thanks i didn't know sully's SRP manager. I will have a look at it.
Do not forget to enable DEP for all processes!
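An added audit check (my own PowerShell, not anything posted in this thread) that reads the registry and WMI settings behind the three controls recommended above, UAC, a default-deny SRP that also covers administrators, and system-wide DEP, and flags which ones are not in the hardened state. The key paths and value meanings are Microsoft's documented ones; it assumes Vista/7 or later with PowerShell 2 or newer, run from an elevated prompt.

```powershell
# Added example: report whether UAC, SRP default deny and DEP are configured
# the way the thread recommends. Read-only; it changes nothing.
function Get-UacSrpDepPosture {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    $srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue   # $null if no SRP policy exists
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut
    $dep = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        # EnableLUA = 1 means UAC is switched on at all
        UacEnabled      = ($uac.EnableLUA -eq 1)
        # ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 = "always notify" on the secure desktop
        UacAlwaysNotify = ($uac.ConsentPromptBehaviorAdmin -eq 2 -and $uac.PromptOnSecureDesktop -eq 1)
        # DefaultLevel 0 = Disallowed (default deny); 0x20000 = Basic User; 0x40000 = Unrestricted
        SrpDefaultDeny  = ($null -ne $srp -and $srp.DefaultLevel -eq 0)
        # PolicyScope 0 = applies to all users including local administrators (1 exempts admins)
        SrpCoversAdmins = ($null -ne $srp -and $srp.PolicyScope -eq 0)
        # AlwaysOn (1) or OptOut (3) protects every process unless explicitly exempted
        DepAllProcesses = (@(1, 3) -contains $dep)
    }
}

# Print one line per control so a weak setting stands out
$posture = Get-UacSrpDepPosture
foreach ($p in $posture.PSObject.Properties) {
    $state = if ($p.Value) { 'OK  ' } else { 'WEAK' }
    '{0} {1}' -f $state, $p.Name
}
```

A `WEAK` on SrpDefaultDeny or SrpCoversAdmins means the default-deny SRP described in the posts above is either absent or exempts administrators, which is exactly the gap a drive-by download would need.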
Microsoft should require users to create a standard password-protected account like on Mac OS X and Linux, and then have users elevate permissions to apply updates and to install new programs. Malware can't run if it can't be executed.