Think twice before clicking "Allow" in Vista

Mar 12, 2007 14:53 GMT

There is an intimate connection between Code Signing and User Account Control in Windows Vista. Via Code Signing, the UAC determines whether the publisher of an application can be trusted, and it is on the basis of that Code Signing information that the user decides whether to elevate a process to full administrative privileges. Symantec has warned that Windows Vista issues no warning whatsoever when a code signature is invalidated.

"Instead, the binary is simply treated as if it isn't signed. Why is this an issue? The simple reason is that if, for example, you have a world of poor file permissions (looking squarely at third-party software here) and the user running as a restricted administrator can modify a binary that is allowed to elevate, you could end up in a sticky situation," revealed Ollie Whitehouse, Symantec Security Response Researcher.

A sticky situation translates to the user accepting a UAC prompt and thereby allowing a tampered application to elevate its privileges. A file-infecting virus could do the trick and modify the binary. Windows Vista gives no indication of whether the digital signature is valid or invalid, other than in the Details tab of the file's Properties dialog. In this respect, the fact that an invalid digital signature generates no alert exposes the end user to real risk.

Running an application with an invalid Code Signature will also generate no warning, because Windows Vista treats such an application as simply unsigned. "So while UAC isn't a security boundary, the fact that certain key information relating to the integrity of a binary is not communicated to the user, could be seen as a shortcoming in its design when asking the user to make a decision. However, there are mitigations available, although these are not turned on by default. In short, pay attention to those UAC prompts every time you click 'Allow'," Whitehouse added.
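Because the UAC dialog collapses "signed but modified after signing" into "unsigned", a defender who wants that distinction has to look at the Authenticode status directly. The following PowerShell script is an added example, not code from the article or from Symantec; it uses the built-in Get-AuthenticodeSignature and Get-Acl cmdlets to report whether a binary's signature is valid, absent, or broken by a hash mismatch, and whether ordinary users hold write access to it (the "poor file permissions" precondition Whitehouse describes). The script name and the `-Path` parameter are assumptions, and the example paths are placeholders.

```powershell
# Check-ElevationTarget.ps1 (hypothetical name): inspect a binary before elevating it.
# Added example; assumes Windows PowerShell with Get-AuthenticodeSignature and Get-Acl.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Path   # one or more executables you are about to elevate (placeholder values)
)

foreach ($file in $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    switch ($sig.Status) {
        'Valid' {
            $verdict = "OK: signature valid, publisher $publisher"
        }
        'NotSigned' {
            $verdict = 'INFO: binary is unsigned; UAC will show an unidentified publisher'
        }
        'HashMismatch' {
            # The case the article describes: a signature is present but the file content
            # no longer matches it, i.e. the binary was modified after it was signed.
            # Vista's UAC prompt presents this exactly like an unsigned binary.
            $verdict = "ALERT: signature present but file was modified after signing; original publisher $publisher"
        }
        'NotTrusted' {
            $verdict = "ALERT: signature chain does not end in a trusted root; publisher $publisher"
        }
        default {
            $verdict = "WARN: signature status $($sig.Status) ($($sig.StatusMessage))"
        }
    }

    # Who can modify the file? Write access for broad groups is what lets a
    # restricted administrator (or malware running as that user) alter a binary
    # that is later elevated through UAC.
    $writers = (Get-Acl -Path $file).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
            $_.IdentityReference.Value -match 'Users|Everyone|Authenticated Users'
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Path            = $file
        Status          = $sig.Status
        Verdict         = $verdict
        BroadWriteAccess = if ($writers) { $writers -join ', ' } else { '(none)' }
    }
}
```

Run it as `.\Check-ElevationTarget.ps1 -Path 'C:\Program Files\Vendor\app.exe'` (placeholder path). A result of `HashMismatch` combined with a non-empty `BroadWriteAccess` column is the exact combination the article warns about: a binary that UAC will present as merely unsigned, sitting in a location where a non-privileged process could have altered it.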