longzheng said:
Charles said:
*snip*

Well I would assume developers/hackers haven't taken advantage of it yet because Windows 7 isn't a feasible target yet, there are relatively few users and they're rather technical - an unfavourable target. Because this only works on 7, it would be wise to wait after 7 is adopted in the mass market.

Whilst the most obvious method this vulnerability can be exploited is via a (unsigned) binary that a user executes, there is no restriction on it being implemented in just malware. Besides the remote code execution I mentioned above, legitmate applications too can take advantage of this vulnerability to silently elevate themselves, without malicious intent.

One developer has already said in public that they will be taking advantage of this vulnerability to make their application silently elevate.

"As a software developer I wouldn’t think twice of taking advantage of this vulnerability to save my users from having to go through the UAC prompt. You’re absolutely right about competitive advantage."
http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/#comment-75629

I'm not technical enough to explain how the exploit works in its entirety, but I've personally tested the proof of concept and it works as described. If you're concerned about the validity of his claims, keep an eye out for the source code.

See my argument about remote code execution vulnerabilities. I don't decide to run the code that comes in through an exploit, yet with Win 7's UAC it can silently elevate.

As for there having been no attacks yet, that's a stupid argument. It advocates a purely reactionary approach to security, which is the exact opposite of "secure by default". In addition, 7's market penetration is still too low to make it a large target for attacks, and because it is still pre-release software, most people who are running it are technically proficient and therefore not likely to be prone to common attack strategies.