
I was recently told that if your UAC level is anything less than the maximum (always notify) then malicious programs can programmatically lower your UAC settings, thereby rendering UAC useless.

Now, I remember this being an issue in the Windows 7 beta, but that it was fixed in the RC:

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation. (source)

So, which one of us is outdated? Is it me who hasn't caught up with the new rootkits available, or is it the other guy who didn't pay attention to things being fixed in the RC?

Is there a working way to lower UAC levels without the UAC prompt?

henriksen

1 Answer

On a standard Windows 7 system, the answer is no with a couple of buts.

The UAC control panel is a High Integrity Process and MS has said in the blog post you cite that the UAC interface will always require elevation, but...

  1. If you are running as the built-in Administrator account, which is disabled by default in most installs, all processes and the desktop run at high integrity so there are no UAC prompts. It was designed for system installs and upgrades, but letting your clients run day to day in this mode is BAD practice. It's basically like running Windows XP as an admin, in this scenario an attacker wouldn't need to modify UAC since it would never appear.
  2. Even with the changes MS put in place, an attacker can still write a program that can circumvent UAC. At the default UAC level the OS exempts many binaries signed by Microsoft, and an attacker could create malicious programs that fool the OS into thinking they were trusted. Turning up UAC to "always notify" will force prompts for all administrative actions whether the app is signed or not.
Bob
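As an added example (not code from the question or the answer above), the following PowerShell script reads the registry values that back the UAC slider and reports the effective level, then checks the two "buts" from the answer: whether the session is running as the built-in Administrator account without Admin Approval Mode, and whether the level is below "always notify" (the setting at which Windows stops auto-elevating its own signed binaries). The value names under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` are Microsoft's documented ones; the defaults substituted for missing values, and the note that Windows 7's bottom slider position also clears `EnableLUA`, are my assumptions. The `Get-Val` helper is mine, not a Windows cmdlet.

```powershell
# Added example: report the effective UAC level and the two conditions under
# which UAC protection does not apply. Reading this key needs no elevation.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Hypothetical helper: treat a missing value as its assumed Windows default.
function Get-Val([string]$Name, [int]$Default) {
    $v = $p.$Name
    if ($null -eq $v) { return $Default } else { return [int]$v }
}

$enableLua = Get-Val 'EnableLUA'                  1   # 0 = UAC off entirely (assumed default 1)
$admin     = Get-Val 'ConsentPromptBehaviorAdmin' 5   # prompt policy for admins (assumed default 5)
$secure    = Get-Val 'PromptOnSecureDesktop'      1   # 1 = prompt on the dimmed secure desktop
$filterBA  = Get-Val 'FilterAdministratorToken'   0   # 1 = built-in Administrator also gets Admin Approval Mode

# Map the stored values back onto the Control Panel slider positions.
$level =
    if ($enableLua -eq 0)                    { 'Never notify (UAC disabled; Windows 7 sets this at the bottom slider position)' }
    elseif ($admin -eq 2 -and $secure -eq 1) { 'Always notify' }
    elseif ($admin -eq 5 -and $secure -eq 1) { 'Default: notify only when programs try to make changes' }
    elseif ($admin -eq 5 -and $secure -eq 0) { 'Notify, but do not dim the desktop' }
    elseif ($admin -eq 0)                    { 'Never notify (elevate silently)' }
    else                                     { "Custom (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)" }

"UAC level: $level"

# "But" 1 from the answer: the built-in Administrator (RID 500) runs everything
# at high integrity, so no prompt ever appears, unless FilterAdministratorToken is 1.
$me             = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isBuiltInAdmin = $me.User.Value -match '-500$'
$ba = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
      Where-Object { $_.SID -match '-500$' }
if ($ba) { "Built-in Administrator account enabled: $(-not $ba.Disabled)" }
"Current user is the built-in Administrator: $isBuiltInAdmin; FilterAdministratorToken: $filterBA"
if ($isBuiltInAdmin -and $filterBA -eq 0) {
    'WARNING: running as the built-in Administrator without Admin Approval Mode; UAC never prompts in this session.'
}

# "But" 2: below "always notify", Windows auto-elevates certain of its own
# signed binaries without a prompt. Only ConsentPromptBehaviorAdmin=2 removes that.
if ($enableLua -eq 1 -and $admin -ne 2) {
    'NOTE: auto-elevation of Windows-signed binaries is in effect; move the slider to "Always notify" to be prompted for every elevation.'
}
```

Run it from an ordinary (non-elevated) PowerShell window; if it reports anything other than "Always notify", or the WARNING line, the protections the answer describes are not in force on that machine. The script only reads; changing the level still goes through the elevated UAC control panel (or an elevated write to the same key), which is exactly the prompt the question asks about.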