And delivers follow-ups to the UAC exploit

May 28, 2007 08:08 GMT

Yes, Microsoft's latest operating system will do that to users... When it comes to Windows Vista, there is a thin line between a hacker and a fanatical user. Nobody proves this better than Rob Paveza, an independent security researcher, self-described Vista fan and the author of an exploit targeting the operating system's User Account Control (UAC), detailed in the paper "User-Prompted Elevation of Unintended Code in Windows Vista". Despite having authored an attack against the Windows Vista UAC, Paveza has only good things to say about Microsoft's most secure Windows platform to date.

"All told, I'm a big fan of Vista -- I've been using it since its release to MSDN subscribers in November. I'm very impressed with the hardening they've done, particularly in the implementation of ASLR (Address Space Layout Randomization) and the stack checks present in both .NET and the standard CRT. And I definitely run with UAC enabled. I just think that UAC is teaching the average user to constantly click 'continue,' and particularly for home users this could be a disaster," Paveza revealed.

The security researcher revisited the subject of the Vista UAC exploit following its initial publication. The attack is a two-stage exploit that takes advantage of the operating system's standard user administrative model and of the elevation-of-privilege requests issued by UAC. It targets a weakness in the Windows Vista shell, namely the Start Menu interface, and is similar to the approach of companion viruses. After a Trojan horse has been delivered, the exploit begins by replacing shortcuts on the Desktop and in the user's Start Menu folder.

"Without requiring elevation -- running as a standard user -- the first stage of infection is completed: your Start Menu and Desktop and Quick Launch shortcuts have been redirected and stub executables have been generated. Malicious code isn't necessarily owning your computer at this point - it most certainly may be 'owning' you, but since it's just you, and not any other users, you're probably okay. Now, this malicious code may sit there for weeks or months before it's activated," Paveza explained.

But there will be a time when the legitimate program is launched. The malicious code will also be executed at this stage, and it will only require that the user say "yes" to the UAC prompt. Considering that the UAC prompt can come from, say, Internet Explorer 7, the user will accept it. And as User Account Control does not actually deliver a security boundary, the infection of Vista would be complete.
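The first stage described above leaves something a defender can check for: per-user shortcuts that now point at executables a standard user could have written. The PowerShell audit below is an added example, not code from Paveza's paper; the flagging heuristic (target inside the user profile, or target without a valid Authenticode signature) and the Quick Launch path are assumptions of this example.

```powershell
# Added example: audit per-user shortcuts for redirected targets.
# Heuristic (assumption of this example): a shortcut is worth reviewing when
# its target sits under the user's own profile, which a standard user can
# write without elevation, or when the target has no valid signature.
$shell = New-Object -ComObject WScript.Shell

# Shortcut locations named in the article; all are writable by the user.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$profileRoot = $env:USERPROFILE.TrimEnd('\') + '\'
$exeTypes    = '.exe', '.com', '.scr'

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        # Skip shortcuts with no file target (shell namespace items) and non-executables.
        if (-not $target) { return }
        if ($exeTypes -notcontains [IO.Path]::GetExtension($target).ToLower()) { return }

        $inProfile = $target.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)
        $sig = if (Test-Path -LiteralPath $target -PathType Leaf) {
            [string](Get-AuthenticodeSignature -LiteralPath $target).Status
        } else { 'Missing' }

        if ($inProfile -or $sig -ne 'Valid') {
            [pscustomobject]@{
                Shortcut            = $_.FullName
                Target              = $target
                TargetInUserProfile = $inProfile
                Signature           = $sig
                ShortcutModified    = $_.LastWriteTime
            }
        }
    }
}

# Newest changes first: a batch of shortcuts rewritten at the same moment stands out.
$findings | Sort-Object ShortcutModified -Descending | Format-Table -AutoSize -Wrap
```

Legitimate per-user installs also live under the profile, so the output is a review list rather than a verdict.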

"One of my main criticisms of Vista - and this has been true since the UAC dialogs were first presented - was that it instructs users (via classical conditioning) to simply accept any dialog box. I know Microsoft employs some number of psychologists to help work with focus groups and usability studies. I'm not sure where they dropped the ball, but this really is psych 101 stuff. 'I want to run this program. It asks me if I want to go on or cancel... Cancel, it must be bad. Wait! My program didn't come up. (Punishment). I'll try again... I'll give it approval this time. Ah, there's my program! (Reinforcement),'" Paveza added.