Today I’d like to dispel a myth about Windows Vista which says that User Account Control (UAC) will not protect users because they will just click “Continue” or “Allow” on the dialogs that ask them for permission for an application to run with Administrator privileges.
Is it a problem that users are often too willing to click Allow or Continue buttons without knowing the full consequences of their action? Certainly. Please don’t think I am contending otherwise. However, consider the following scenario:
- Joe User starts up his Windows Vista machine and logs into an Administrator account with UAC enabled.
- Joe opens up Mail Program Express* - which automatically runs with reduced privileges because of UAC.
- Joe clicks on a malicious HTML e-mail message that triggers a buffer overrun exploit against Mail Program Express, which executes some malicious code. Perhaps this code includes instructions to delete important system files, muck with the registry, or access sensitive information about your computer or other users of the machine.
- The attack against Mail Program Express succeeds, and the code is run - but the code fails to have any impact on the system because it is running in the context of Mail Program Express - which does not have Administrator privileges.
At no point during this example is a UAC dialog thrown.
Could a more sophisticated attack cause an attempt at privilege escalation? Depending on the nature of the attack, it’s possible. But in such a case, the user would be presented with a UAC dialog completely out-of-the-blue. It would probably be an unsigned app (scarier dialog), and the user would probably say no.
So what does this mean? It means that UAC is a lot more than just another warning dialog. Don’t turn it off. It just might save you a lot of heartache one day.
* this could be any benign application you use daily, especially internet-connected ones like mail readers, web browsers, chat clients, etc.
