Vista Daily News
Vista user-privilege flaw revealed
A security firm has
discovered one of the first security
flaws to directly affect Windows Vista,
a bug that it claims allows local users
to escalate their privileges.
Friday, March 02 2007
The flaw involves Windows' system for
managing user security levels, User
Account Control (UAC), which was
introduced with Vista. UAC is designed
to limit the damage that can be caused
by mass attacks such as worms by giving
standard users limited privileges, a
practice common with other operating
systems.
Combined with a remote vulnerability,
the newly discovered bug could
essentially render UAC useless,
escalating standard user privileges to
system-level access, according to eEye.
"A flaw exists within Windows Vista that
allows local privilege escalation to
System," eEye said in a note on its
website. The company said it reported
the bug to Microsoft in January, and
plans to disclose further details once a
fix is available.
According to eEye co-founder Marc
Maiffret, the flaw is similar to a
buffer overflow.
Microsoft said in a statement it is
aware of the report and is
investigating.
UAC is by far the most visible change in
Vista's security system, to the point
where some have criticised it as too
intrusive. At the same time, researchers
have already begun picking holes in the
system.
What's more, Microsoft recently made it
clear that it doesn't consider UAC a
security feature, since it has
deliberately left particular holes in
the system for ease of use. That means
bugs in UAC aren't security flaws,
Microsoft says.
"Neither UAC elevations nor Protected
Mode IE define new Windows security
boundaries," wrote Mark Russinovich, a
Technical Fellow in Microsoft's Platform
and Services Division, in a blog post
earlier this month. "Because elevations
and ILs (Integrity Levels) don’t define
a security boundary, potential avenues
of attack, regardless of ease or scope,
are not security bugs."
Instead of being a security barrier, UAC
is intended "to get us to a world where
everyone runs as standard user by
default and all software is written with
that assumption," Russinovich wrote.