Update: added a link to the original exploit
I really, really hate having to interrupt a good series bashing Apple, but this has to be said.
Long has resumed his crusade on fixing UAC, and normally, I would tell him to give it up for the sake of saving his own time. However, even though Mark Russinovich might not see UAC as a security boundary, the original UAC team sure as hell did, which makes me want Long to see this all the way through. (check the sidebar on the left)
“User Account Control (UAC) is a core security feature in the next release of Windows Vista and Windows Server code name Longhorn.” –UAC Blog
Guys, just fix it. I don’t see why things have to be made so hard; the UAC team clearly calls it a security feature, so do them a favor, don’t make them feel like they’ve wasted their time, and fix the problem. Thanks, Long, for telling me that this can’t actually be fixed as it’s a design issue, so here’s a better solution: give the user the ability to chose which UAC setting he/she wants upon first run. Here are three good options:
- Always On
- Notify when programs try to change settings (give a warning with this option about the potential risk of compromise)
- Always Off (give a bigger warning with this option)
You’ll notice that I didn’t actually suggest the option which gets rid of the secure desktop: I personally believe that that particular option offers absolutely no benefit over having UAC off altogether.
I figured it had to be said.
(If you want to take this for a test run yourself, check Leo Davidson’s site for the original source code and binaries for the proof of concept exploit)
Mark & friends, I love you guys dearly, but I’ll be taking the original team’s word on this one. If you guys try editing it out, keep in mind the Internet Archive has a copy of the original statement.
Follow Bryant on Twitter! 
