This article is hard to write without bias, as my public stance on the issue is well known; however, I thought it was worth bringing to your attention:
In the world of hacking, there are two clear camps: black hat and white hat. Both groups pride themselves on learning about and defeating system security; the only difference is what is then done with that knowledge. White hats will often email the sysadmins, explaining their point of entry and how best to correct it. Black hats will take the understanding and find out how many other things can be exploited with it. Neither is really big on broadcasting the flaws; that "honour" is apparently reserved for corporations like Symantec.
Security researcher and blogger Ollie Whitehouse has published a blog post on Symantec's site entitled "An Example of Why UAC Prompts in Vista Can’t Always Be Trusted." In it, Ollie kindly explains how Vista's UAC functions, neatly illustrating the process and even including a flowchart. However, he doesn't stop there. As the article continues, he explains a point-for-point method (including coding) for calling rogue DLL files whilst using an unrelated legacy process.
Ollie mentions in his blog that he did indeed consult Microsoft before posting. Redmond's response was simply that UAC is not bulletproof: it is meant to make you aware of what is going on in your computer, not to prevent you from ever taking a higher-level action. Apparently, there was no comment on why only one system-process prompt is required to run harmful executables, but three and a government security clearance to delete a year-old Word document.
All jokes aside, the post does fall slightly afoul of Symantec's supposed core purpose of providing security. Such a detailed and illustrated approach to cracking Vista's UAC may have been informative, but did it really need to be written? Would a security post saying that the flaw exists, and that general users should be wary of UAC system-process prompts, have been any less adequate?
Let us know your thoughts on Symantec's post in our forums.