AndyC said:
longzheng said:
*snip*

Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /GS, SafeSEH, etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.


But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the initial launch it would be impossible for an application within another session to poison them.

My point is that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the meantime in order to get application developers used to writing code that either runs in User or Admin scopes.