Coffeehouse Post

View Thread: UAC controversy - the last episode!
    longzheng said:
    Charles said:

    Charles, security boundaries and security features aside, do you agree with this definition of a vulnerability from Wikipedia?

    "vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system"

    If so, would you consider this application of code-injection scenario in Windows 7 a vulnerability?

    If not, how would you define vulnerabilities?

    Let's be very clear on this, it is not a vulnerability. A vulnerability exists when it's possible to cross a security boundary where you aren't supposed to be able to. UAC is not and has never been (nor should it be) a security boundary. These are loaded terms in security, so are best avoided unless you are using them in the exact context they are intended.

    UAC is a defense-in-depth security technology: the idea, much like ASLR, /gs, safeseh etc.

    On Windows Vista, UAC offers three integrity levels - low, medium and high. Very little runs in low integrity (just IE?) but we do at least get defense-in-depth because applications are still somewhat constrained by medium integrity. Yes a medium IL app can do damage, quite a lot, but not as much as a high IL app (which is why we see the UAC prompt).

    On Windows 7, the three integrity levels nominally exist, but it's so trivial to silently elevate from medium to high IL, that we can really only depend on there being two levels - low and medium/high. Since IE is about the only thing running in low IL again, we've no real defense from UAC any more. The prompts are now a true annoyance, because they don't actually do anything. A compromised Medium IL app can now obliterate anything on the system, not just my files but the files of all the other users of my computer.