AndyC said:
longzheng said:

Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.


I understand and accept the potential malicious capabilities of medium-level applications, however, that should not be a reason to allow them to do more damage as a high-level application.