Comments on: Microsoft lists UAC hack as malware

By: zygote_overdrive21

zygote_overdrive21 — Wed, 18 Nov 2009 09:05:39 +0000

message to microsoft: just fix that security flaw!!

message to leo davidson: great job!

By: UAC Hack Malware - Huh? ~ IT Professionals

UAC Hack Malware - Huh? ~ IT Professionals — Thu, 06 Aug 2009 06:06:21 +0000

[...] even released yet and a significant flaw is already out there with regard to how Windows 7 handles white listing in the UAC…or something like that. On the plus side, it seems that this kind of issue is something that [...]

By: Jugalator

Jugalator — Sat, 01 Aug 2009 00:32:38 +0000

Haha, love that… “It’s not an exploit… but it’s malware!”

By: Leo Davidson

Leo Davidson — Fri, 31 Jul 2009 05:27:40 +0000

@Ali, the proof-of-concept application they are blocking doesn’t let you do much that you couldn’t already do using Explorer. The application was made to prove that an idea works rather than to be something which helps people use that idea.

If someone wanted to use the application in an automated way then they’d have to open its UI and send mouse/keyboard events to it. They could send mouse/keyboard events to Explorer to make it perform the same actions instead. (The fact that Explorer can be used to do this might be considered an issue but MSE isn’t detecting Explorer as malware… Maybe it should! )

The *concept* behind the application can be used to silently elevate things (under Win7’s default settings) without any user interface or UAC prompt being displayed but the application itself cannot (or at least cannot be used to do anything you couldn’t also do using Explorer instead). The app displays a UI and requires user input to tell it what to run. It’s left up to the user’s imagination to understand that something could do the same thing without displaying a user interface.

The source code and ideas behing the application could be used to easily create such a tool but, as mentioned, if you compile your own variant of the program then the resultant exe is not detected.

For me the question is this:

If bypassing UAC does make something malware then shouldn’t Explorer.exe on Win7 be detected and blocked as well?

By: Maurice

Maurice — Fri, 31 Jul 2009 04:34:03 +0000

@Ali, you don’t get the point. Issuing a security patch that fixes the flaw entirely is preferable, but security software should pick up any binary that executes the specific type of malicious code, not just “the one that started it all”. Especially since a recompilation of the same source can mask it.

By: Ali

Ali — Fri, 31 Jul 2009 04:25:10 +0000

@Bryant – even so, if I were a system administrator, I would obviously not want people to be able to just download and run this application.

By: Bryant

Bryant — Fri, 31 Jul 2009 04:19:22 +0000

@Robert, the thing is, that doesn’t actually have any effect on the point of the post. The point is that Microsoft still classifies the proof-of-concept as malware and, by extension, the flaw as a vulnerability. They went through the effort of categorizing it and naming it accordingly, which they wouldn’t have done if they didn’t consider it an exploit of some sort.

@Ali, the code can be compiled into any application and fly undetected at the moment. The current signature only looks for the proof-of-concept process.

By: Ali

Ali — Fri, 31 Jul 2009 04:15:27 +0000

This strikes me as a good idea. IIRC the proof of concept code was distributed freely on the web. This prevents script-kiddies from copying/pasting it and using it. Sure, it doesn’t solve the underlying problem, but it prevents a well-known and widely-publicized exploit from being easily used against a system.

By: Robert McLaws

Robert McLaws — Fri, 31 Jul 2009 03:24:12 +0000

OR someone could have submitted the file to SpyNet as malware and MS Security approved it…

By: Jason

Jason — Thu, 30 Jul 2009 23:41:59 +0000

This won’t go over too well.

they actually defined the proof of concept as malware… with its own name!