
Vista's UAC Warnings Can't Be Trusted, Symantec Says

Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said on Wednesday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

Spoofing a UAC Dialog, Step by Step

The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. "The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser," he said in an interview.

Next, the malicious code would drop a malformed .dll file onto a part of the hard drive that the user, who would presumably be running as a restricted Standard User, was allowed to write to. Because the user has rights to write to that location, a UAC prompt wouldn't pop up at that point.

Finally, the malicious code would call "RunLegacyCPLElevated.exe" -- the Vista executable that provides backward compatibility for older Windows Control Panel plug-ins -- which in turn runs the .dll. That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system. As soon as the user clicks the "Confirm" button, the malicious code is granted administrative privileges, giving the code -- and thus the attacker -- full access to and complete control of the machine.
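A detection-side view of the sequence above, as an added example that is not part of the original article: it scans process-creation events for RunLegacyCPLElevated.exe being handed a .dll or .cpl from a location a Standard User can write to. The event fields, the sample events and the list of writable directories are constructed assumptions, as is the premise that the plug-in path appears on the command line.

```python
import re
from pathlib import PureWindowsPath

TARGET = "runlegacycplelevated.exe"
# Assumption: locations a Standard User can normally write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# A drive-letter path ending in .dll or .cpl; quotes, commas and a second
# colon end the candidate so adjacent arguments are not merged.
PLUGIN_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|,:]+?\.(?:dll|cpl)\b', re.I)

def flag_event(event):
    """Return plug-in paths in user-writable locations passed to the helper."""
    if PureWindowsPath(event["image"]).name.lower() != TARGET:
        return []
    return [m.group(0) for m in PLUGIN_PATH.finditer(event["command_line"])
            if m.group(0).lower().startswith(USER_WRITABLE)]

def scan(events):
    """Map event id -> suspicious plug-in paths, for flagged events only."""
    return {e["id"]: hits for e in events if (hits := flag_event(e))}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" '
                     r'"C:\Users\alice\AppData\Local\Temp\update.dll"'},
    {"id": 2, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'"C:\Windows\System32\RunLegacyCPLElevated.exe" '
                     r'"C:\Program Files\Vendor\legacy.cpl"'},
    {"id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'notepad.exe C:\Users\alice\notes.dll'},
    {"id": 4, "image": r"C:\Windows\System32\RunLegacyCPLElevated.exe",
     "command_line": r'RunLegacyCPLElevated.exe C:\ProgramData\x\panel.CPL'},
]

if __name__ == "__main__":
    for event_id, paths in scan(EVENTS).items():
        print(event_id, paths)
```

Events 1 and 4 are flagged; the plug-in under Program Files and the unrelated process are not.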

Colors Key to Trust

"The different colors imply the level of trust," Whitehouse argued. "The green color signifies the warning is coming from Vista. Blue-gray means it's a third-party application, but it's signed. Yellowish-orange means it's not signed and the source can't be guaranteed." Vista also borders some UAC dialogs in red to note applications it's automatically blocked.

The bottom line then, said Whitehouse, is: "Would the user treat this UAC with the same amount of caution?" His answer: No. Users will, as Microsoft intended when it selected those colors, note the teal border of the spoofed UAC and likely click through without a second thought, he said.

"This does require some user interaction, but we can mask something [malicious] in a way that makes it look less alarming. UAC is just one of the tools that Microsoft architected into the OS to allow the user to make more informed judgments. But it's somewhat undermined" by this, he said.

Microsoft: Not an Issue

Whitehouse said he contacted the Microsoft Security Response Center (MSRC) about two weeks ago to describe his findings. "They did not see it as an issue," he said. Instead, the MSRC pointed him to the "Security Best Practice Guidance for Consumers."

"It's very important to remember that UAC prompts are not a security boundary -- they don't offer direct protection," said Whitehouse. "They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word 'trust' in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can't be trusted."

Microsoft officials were not available for comment.

Symantec has regularly slammed Vista's security provisions -- including a public spat over the 64-bit version's new kernel-protection technology, dubbed PatchGuard. Last month, Symantec executives talked up research the company was doing on UAC, which may result in software to give users more control over how frequently Vista pops up the alerts.

Whitehouse denied that there was any connection between his research and possible UAC-related product plans.
