Glaswegian

A vulnerability in Windows 7's User Account Control (UAC) feature has still not been claimed the blogger who first alerted Microsoft to the problem. However, the company continues to deny that such a breach exists.

Long Zheng, who writes the I Started Something blog, has posted a video online showing how UAC, a security feature first introduced in Windows Vista that sets user privileges on a PC in Windows 7, can be exploited.

Zheng also pointed to an instructional document by Microsoft Technical Fellow Mark Russinovich that attempts to explain UAC, saying it clearly states that Microsoft has no intention of fixing a change it made in the UAC in Windows 7 that leaves the new OS less secure because it allows someone to remotely turn the feature off without the user knowing.

Zheng first pointed out this change and the alleged vulnerability back in February. At the time he said that the new UAC "standard user" default setting, which does not notify a user when changes are made to Windows settings, is where the security risk lies. A change to UAC is seen as a change to a Windows setting, so a user will not be notified if UAC is disabled, which Zheng said he was able to do remotely with some keyboard shortcuts and code.

UAC has been a controversial feature since Microsoft introduced it in Windows Vista to improve its security and give people who are the primary users of a PC more control over its applications and settings. The features prevents users without administrative privileges from making unauthorised changes to a system.

In Russinovich's document, he does acknowledge that Zheng and others' observations about how third-party software can use the feature to gain administrative rights to a PC is accurate.

However, according to Zheng's blog post, Russinovich seemed to dismiss this possibility for remote code execution and offer no fix for it, because he said that there are other ways for malware to get into the system via UAC prompts.


http://www.techworld.com/security/ne...&NewsID=117663