Vista's UAC warnings can hide a rat, Symantec says

21.02.2007
Windows Vista's User Account Control (UAC), a system that Microsoft Corp. says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec Corp. researcher said today.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.

The process to spoof a UAC dialog is roundabout, but doable, said Whitehouse. It would start with a user falling for any one of the current hacker tricks. "The most likely scenario is that a user gets compromised by malicious code, from a Trojan [horse] or a vulnerability in a third-party application like Office or a browser," he said in an interview.

Next, the malicious code would drop a malformed .dll file onto a part of the hard drive that the user, who would presumably be running as a restricted Standard User, was allowed to write to. Because the user has rights to write to the disk, a UAC wouldn't pop up at that point.

Finally, the malicious code would call the "RunLegacyCPLElevated.exe" -- the Vista executable that provides backward compatibility to older Windows Control Panel plug-ins -- which in turn runs the .dll. That pops up a UAC dialog, but because RunLegacyCPLElevated.exe is set to run those Control Panel plug-ins with full administrative privileges, the dialog is bordered by Vista's own greenish color to signify the file is part of the operating system. As soon as the user clicks the "Confirm" button, the malicious code is granted administrative privileges, giving the code -- and thus the attacker -- full access to and complete control of the machine.

"The different colors imply the level of trust," Whitehouse argued. "The green color signifies the warning is coming from Vista. Blue-gray means it's a third-party application, but it's signed. Yellowish-orange means it's not signed and the source can't be guaranteed." Vista also borders some UAC dialogs in red to note applications it's automatically blocked.