wastingtimewithforums said:ManipUni said:*snip*
1) This is complicated and error prone. OK, it might work, but.. not guaranteed, while the new UAC flaw works absolutely.
2) The attacker lost! He lost the chance to root the system.
"It can be bypassed and can be broken. But it is harder than UAC on the same account is"
By your method it's not really even harder, there is just the additonal password prompt, but if the user wants to elevate the infected process, he will anway. So what? And you wrote the keyword: harder. To make security brearches harder should be the goal of the OS maker. And by all means, Microsoft just made it EASIER to break the system with Win7.
I still don't see the point of the new UAC behaviour in Win7. It opened a serious addtional attack vector and, even worse, creates a false sense of security, since third party applications still get prompts, but, if the applications want to, they can circumvent them with ridiculous ease.
It doesn't open a new attack vector though. It just makes it easier to exploit one that already exists on Vista.