May 17th, 2007, 14:12 GMT · By

Windows Vista's Achilles' Heel - the Start Menu
The Start Menu is Windows Vista's Achilles' heel, and it holds all the keys to the Vista castle. This conclusion was presented by Robert Paveza, a senior web application developer with Terralever, a web-based marketing corporation. Paveza is also the author of a two-stage attack method designed to take over Windows Vista by exploiting weaknesses in User Account Control (UAC) and in the operating system's shell.

The attack essentially relies on social engineering to drop a Trojan-horse program. This initial stage, which depends on the user's interaction, deploys what Paveza calls the proxy infection tool, a step that does not require administrative privileges. The basic role of the proxy infection tool, or Trojan, is to set the stage for the actual attack that will compromise Windows Vista.

"The Start Menu interface presents an opportunity for exploitation of users, as does the desktop and any other part of the user's directory structure. You see, all of the user folders - including the Desktop, parts of the Start Menu, Documents folder, Music, Videos, Application Data - each user folder is writable by the user to whom it belongs. Further, the All Users and user-specific Start Menu folders are combined, with the user's folder taking precedence, to form the composited Start Menu presented by the shell," Paveza described.

The proxy infection tool, or Trojan, replaces shortcuts on the desktop and in the Start Menu folder in a manner similar to that of companion viruses. "The proxy infection tool, which is run by the user, writes to the user's Start menu folder and reads from the global Start menu folder without requesting elevated permissions. The program searches the global Start menu folder for all programs that require elevation, and creates duplicates in the user's folder that point to the malicious code," revealed Ron Bowes, Symantec Security Response Researcher.

All the malicious program has to do now is wait for the user to launch one of the malformed duplicates of the original, legitimate programs on the Windows Vista machine via the Start Menu or the desktop. Only at this point is the user presented with an elevation-of-privileges request from UAC, but because the entry appears to launch a genuine program, administrative privileges are granted without a second thought, completing the attack and the compromise of the operating system.
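Because the shell merges the All Users and per-user Start Menu folders with the per-user copy winning, a defender can audit for exactly the condition Bowes describes: a per-user shortcut that shadows a global one of the same name but points somewhere else. The following PowerShell check is an added example, not code from the article or from Paveza or Bowes; it assumes the Vista-era default Start Menu locations and its output field names are this example's own.

```powershell
# Added defensive example (not from the article): flag per-user Start Menu shortcuts
# that shadow an All Users shortcut with the same relative path but resolve to a
# different target, plus per-user shortcuts whose target sits inside the profile.
$allUsers = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'   # global folder
$perUser  = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'   # user-writable
$wsh      = New-Object -ComObject WScript.Shell                          # resolves .lnk files

function Get-ShortcutIndex {
    # Map lower-cased path-relative-to-root -> resolved shortcut (TargetPath, Arguments)
    param([string]$Root)
    $index = @{}
    Get-ChildItem -LiteralPath $Root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\').ToLowerInvariant()
            $index[$rel] = $wsh.CreateShortcut($_.FullName)
        }
    return $index
}

$global = Get-ShortcutIndex -Root $allUsers
$local  = Get-ShortcutIndex -Root $perUser

foreach ($rel in $local.Keys) {
    $u = $local[$rel]
    # Heuristic 1: same name as a global entry (so it wins the merge) but a different target.
    # This is the companion-shortcut pattern described above.
    if ($global.ContainsKey($rel) -and $u.TargetPath -ne $global[$rel].TargetPath) {
        New-Object PSObject -Property @{
            Finding      = 'ShadowsGlobalShortcut'
            Shortcut     = $rel
            UserTarget   = $u.TargetPath
            GlobalTarget = $global[$rel].TargetPath
            Arguments    = $u.Arguments
        }
    }
    # Heuristic 2: target lives under the user's profile. Per-user installs legitimately
    # do this too, so treat these hits as a review list rather than a verdict.
    elseif ($u.TargetPath -like "$env:USERPROFILE\*") {
        New-Object PSObject -Property @{
            Finding      = 'TargetInUserProfile'
            Shortcut     = $rel
            UserTarget   = $u.TargetPath
            GlobalTarget = $null
            Arguments    = $u.Arguments
        }
    }
}
```

Run it in the context of each interactive user, since the per-user folder differs per account; the same comparison can be applied to the per-user and public Desktop folders, which the article notes are also user-writable.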
