Charles said:
longzheng said:
*snip*

Well, my position is simple. YOU are in control of what is allowed to execute on your system. If you choose to run arbitrary unsigned binaries, that's your decision. On Windows 7, you run as a standard user by default. How many attacks have there been that exploit the UAC vulnerability you are touting? I've yet to hear about a single instance. If UAC is so flawed, then why haven't hackers used it as an attack vector? Win 7 UAC has been in the wild for quite some time to date. Lots and lots of folks are running the Win7 RC. Can you elaborate on the vulnerability?

C

Well, I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet; there are relatively few users and they're rather technical, an unfavourable target. Because this only works on 7, it would be wise to wait until 7 is adopted in the mass market.

Whilst the most obvious method by which this vulnerability can be exploited is via an (unsigned) binary that a user executes, there is no restriction on it being implemented only in malware. Besides the remote code execution I mentioned above, legitimate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

"As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.