anyweb Posted May 18, 2009 Report post Posted May 18, 2009 When you run Windows 7 with the default UAC level, a technique using code injection and several components in Windows 7 that can auto-elevate can totally own your system. Microsoft gave several components in Windows 7 special privileges (like notepad.exe and calc.exe) in order to reduce the amount of UAC prompts in Windows. The end result, however, is that these components can be used to bypass UAC completely, and basically get full access to your machine. This works even on the RC. The proof-of-concept exploit works by injecting its own code into the memory of another process, a process with auto-elevation capabilities. This is done using standard and documented APIs. The first proof-of-concept just copied a file to a location, but further editions could do all sorts of nasty things - and ASLR doesn't help either. This video should give you a good idea. Whiskey tango foxtrot, indeed. As the writer of the proof-of-concept code explains, the UAC API is a good API, but code does require refactoring to provide a good user experience; to not flood users with prompts. Microsoft did not do this right in Vista, and instead of addressing this issue properly in Windows 7, they took the easy way out by creating UAC backdoors for their own code and programs (the UAC whitelist) as to reduce the number of prompts. This list isn't configurable by the user. Full story and more via > http://www.osnews.com/story/21499/Why_Wind...UAC_Is_Insecure Share this post Link to post Share on other sites More sharing options...