Windows 8 UAC

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
What improvements/changes have been made in UAC from Windows 7 to Windows 8? It's not easy to find such a thing on Google or elsewhere, so I decided to create a thread here.
 

Fabian Wosar

None whatsoever. They moved a few tasks around to no longer require admin privileges to perform to reduce the number of elevation requests you get, but other than that it is pretty much the same and still has the same vulnerabilities as UAC in Windows 7.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Nikos, are you keeping or ditching UAC now?

PS: I wonder how many don't use UAC due to this fairly old vulnerability.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Earth said:
Nikos, are you keeping or ditching UAC now?

PS: I wonder how many don't use UAC due to this fairly old vulnerability.

I have it enabled, I just wanted to know if there is something new about it on Windows 8. I believe it's not easy to say what percentage of malware can be prevented from infecting the system just by proper use of UAC. Some say that most malware cannot bypass it while other people claim that there is a considerable amount of malware bypassing UAC.
 

Fabian Wosar

Nikos751 said:
Some say that most malware cannot bypass it while other people claim that there is a considerable amount of malware bypassing UAC.
And both are right. If you take all malware that exists in the world and you count the samples that are able to bypass UAC, the number of UAC-bypassing malware will be insignificant compared to the overall number of malware. The problem though is that especially a few of the very widespread malware families are UAC aware. So a large portion of the malware you encounter today in the wild and that is responsible for the majority of infections is able to bypass UAC. So both statements are true, depending on whether you look at the situation from a statistical or from a more pragmatic point of view.

Keep in mind though that you can fix the most widespread UAC bypasses by just changing the UAC setting to the highest available setting. So if you use UAC, use it on the highest setting or don't bother using it at all.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
Fabian Wosar said:
Nikos751 said:
Some say that most malware cannot bypass it while other people claim that there is a considerable amount of malware bypassing UAC.
And both are right. If you take all malware that exists in the world and you count the samples that are able to bypass UAC, the number of UAC-bypassing malware will be insignificant compared to the overall number of malware. The problem though is that especially a few of the very widespread malware families are UAC aware. So a large portion of the malware you encounter today in the wild and that is responsible for the majority of infections is able to bypass UAC. So both statements are true, depending on whether you look at the situation from a statistical or from a more pragmatic point of view.

Keep in mind though that you can fix the most widespread UAC bypasses by just changing the UAC setting to the highest available setting. So if you use UAC, use it on the highest setting or don't bother using it at all.
Thanks!! So UAC seems to be a very good malware obstacle if properly used and on the highest setting. Yes, I have it on the highest setting, but I have EAM 7 (won it some days ago via a giveaway contest) along with it (edit: now only as a manual scanner as it is a bit resource heavy for real time) so there is no problem for me.
 

Deleted member 178

UAC is a kind of anti-executable; set to high, it offers very good 0-day protection.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
UAC is pretty much a basic user interaction for any system change made without administrative privilege, and the maximum protection setting is enough for everything that goes through it.

And yes, some vulnerabilities managed to bypass it even at the default setting, which is a minus sign without improvements.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Changes in UAC for Windows 8 you will probably not find if you Google, because Microsoft is terrible at listing changelogs for their products.

But the changes are there, which include many improvements.
Exactly what they are, nobody seems to know but Microsoft.

After the vulnerability in Windows 7 UAC, Microsoft may be reluctant to share what they changed, to keep malware writers from finding a bypass.

But I totally disagree that nothing at all has changed in UAC.

The video that was released a while back that showed a malware sample that could bypass UAC in Windows 8 was apparently ruled a hoax by the security community.

Unless someone can provide that malware sample and do their own test of it, I would say it was just an effort to discredit UAC.

Even if there were malware samples available in the wild that could bypass UAC, it would be extremely rare to actually encounter one. If you did, then you would probably have to manually download the infected file and manually execute it. The file would not be digitally signed either, which would give you a warning on execution.

UAC in Windows 8 is better than UAC in Windows 7; I just wish Microsoft would release a changelog history to show what they did.

But besides just UAC in Windows 8, there are improvements in Windows Defender, Windows Firewall, IE10 SmartScreen and Safe Boot.

All of the security features should be used together, not just relying on one component.

Windows 8 can also be more easily repaired with the Windows disk.

If you have an OEM version, most have a partition recovery program that can easily repair it as well.

Enjoy!!:D
 

Fabian Wosar

Littlebits said:
But the changes are there, which include many improvements.
Exactly what they are, nobody seems to know but Microsoft.
Well obviously you know that there are some. So what are your sources? :)

Littlebits said:
Unless someone can provide that malware sample and do their own test of it, I would say it was just an effort to discredit UAC.
No need to. The old PoC available here still works. I recorded a demo on a fully updated Windows 8 VM. You can find it here:

http://tmp.emsisoft.com/fw/COM_Elevation_on_Windows_8.avi

You will need the VMware codec to play it correctly.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fabian Wosar said:
Littlebits said:
But the changes are there, which include many improvements.
Exactly what they are, nobody seems to know but Microsoft.
Well obviously you know that there are some. So what are your sources? :)

Littlebits said:
Unless someone can provide that malware sample and do their own test of it, I would say it was just an effort to discredit UAC.
No need to. The old PoC available here still works. I recorded a demo on a fully updated Windows 8 VM. You can find it here:

http://tmp.emsisoft.com/fw/COM_Elevation_on_Windows_8.avi

You will need the VMware codec to play it correctly.

I'm more interested in the malware sample, to test it myself against Windows 8 Final fully updated. I'm sorry, I usually don't trust tests done by others. The link you posted says last tested on Windows 8 Developer Preview released on 13/Sep/2011. It says nothing about the final release fully updated. Unless someone can cough up these samples for people to individually test them, the reports are useless. The best way for these websites and testers to back up their claims is to make these samples public. I could care less about watching an old video that might not even be accurate or still apply.

I am aware that Windows 8 default security is giving a lot of paid security vendors headaches, therefore they are trying to discredit it however they can to earn some sales. Just about every report or test I have seen has been very deceptive or fake, therefore I require proof.

Thanks.:D
 

Fabian Wosar

Littlebits said:
I'm more interested in the malware sample and test it myself against Windows 8 Final fully updated.
I already gave you the link to it. But just in case you ignored it the same way you ignored my question what your sources for your information regarding UAC are, here it is again:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html#release

Download it, test it yourself.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fabian Wosar said:
Littlebits said:
I'm more interested in the malware sample and test it myself against Windows 8 Final fully updated.
I already gave you the link to it. But just in case you ignored it the same way you ignored my question what your sources for your information regarding UAC are, here it is again:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html#release

Download it, test it yourself.

Are you talking about "Win7ElevateV2.zip"? If so, that is not what I'm looking for; I want a malware sample that can bypass UAC on Windows 8.

Win7Elevate is just a hack tool that has to be manually executed to bypass UAC. I want a malware sample that actually can do this automatically.

Just because it can be done with a manual hack tool doesn't mean that malware uses it. Only a small percentage of vulnerabilities are actually exploited.

Thanks.:D
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fabian Wosar said:
Try Gapz then for example. Available at the usual sources.

I made a request here: http://malwaretips.com/Thread-UAC-bypass-sample-request

I have searched before and was unable to find a single malware sample that could bypass UAC, if one really exists. I'm sure Microsoft is not too concerned about a hack tool that can bypass UAC with some manual tweaking. It is blocked by UAC if you try to run it, and also blocked by Windows Defender and Windows digital file checking on execution.

Thanks.:D
 

Fabian Wosar

And of course if nobody does it for you it will be proof to you that there is no such malware, right? Even though I gave you a link to one location where Gapz has a dedicated thread directly on the first page. All you would have to do is register an account and download the samples.

Well, I think I call it EOD at this point. :)
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fabian Wosar said:
And of course if nobody does it for you it will be proof to you that there is no such malware, right? Even though I gave you a link to one location where Gapz has a dedicated thread directly on the first page. All you would have to do is register an account and download the samples.

Well, I think I call it EOD at this point. :)

I have already tested several variants of Bootkit: Win32/Gapz and none of them could bypass UAC.

That is why I made a request a while back on many forums, and still not a single one could bypass UAC.

If one does exist, it is extremely hard to find when looking for it, so what would be the chance of a user accidentally stumbling upon one?

Unless someone is paranoid why should anyone care?

I simply get tired of reading reports and tests that try to claim UAC has all of these vulnerabilities and not one single malware sample is available to exploit these so-called vulnerabilities. I'm sure if Microsoft Malware Protection Center was getting reports of malware exploiting UAC something would have already been done by now. They have partners and connections with many third-party security companies around the world. The simple truth is they are not getting any reports because no malware has been found to exploit UAC.

Like I said some third-party security companies and individuals try to discredit Microsoft and create paranoia any way they can.

Thanks.:D
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969
One question: think what would happen to the world if Windows Defender+Smartscreen+UAC+Windows firewall were considered a safe combination.
I give you some words to help you:
information, users, security companies, financial problems, jobs, Microsoft.
I am not the specialist to judge the one side (Fabian Wosar) or the other (Littlebits), but it's good to give it some further thought. What Littlebits says does not seem to me like a situation out of this world. It's quite possible that things are like that.
 

Littlebits

Retired Staff
May 3, 2011
3,893
If it was proven that (Windows Defender+Smartscreen+UAC+Windows firewall) was just as effective protection as other solutions, then the whole third-party security software market would crash and it would be very bad for everyone. It is always good to have options in a market, and those third-party options would probably no longer exist since they would have no funds. Many are already having problems now since freeware products are used more than paid products.

I'm sure Microsoft doesn't want this to happen either, because it would hurt them as well. That is probably the reason they usually don't say anything when these deceptive (fake) reports and tests are published.

Most users who have used Windows 8 default security already know that it offers excellent protection, and others are starting to learn that as well.

Thanks.:D
 

DrBeenGolfing

Level 1
Verified
Mar 16, 2013
582
"Win 7 UAC Code-Injection: How it works

In the quest to reduce the number of UAC prompts, for their code only, Microsoft have granted (at least) three groups of components special privileges:
Processes which anything else can run elevated without a UAC prompt.

This is the list of about 70 processes published on Rafael's Within Windows blog. (Update: New list for RC1 build 7100.) If you run a process on this list and it requires elevation then it -- the whole process -- will be given elevation without showing you a UAC prompt.

Discovery of this list is what led to the earlier RunDll32.exe exploit where you could ask RunDll32.exe to run your code from within a DLL and it would do so with full elevation and no UAC prompt. Microsoft have since removed RunDll32.exe from the list but there are still plenty of other processes on the list, several of which can be exploited if you can copy files to the Windows folder.

Processes which can create certain elevated COM objects without a UAC prompt.

Programs on this second list are able, without being elevated themselves, to create certain elevated COM objects without triggering a UAC prompt. Once such an object has been created the processes can then tell it to perform actions which require administrator rights, such as copying files to System32 or Program Files.

This appears to be a superset of the first list. In fact, it seems to include all executables which come with Windows 7 and have a Microsoft authenticode certificate.

Unbelievably, as of build 7000 (and confirmed in RC1 build 7100), the list includes not only programs like Explorer.exe which use this feature (or potential security hole, if you like) but also programs such as Calc.exe, Notepad.exe and MSPaint.exe. Microsoft appear to have done nothing to minimize the attack surface and have arbitrarily granted almost all of their executables with this special privilege whether they actually use it or not. You can see evidence of this yourself by opening MSPaint, using the File Open dialog as a mini-file manager, and making changes within Program Files (e.g. create a folder or rename something); it'll let you do that without the UAC prompt that non-MS apps should trigger. I doubt that is intentional and it shows how little thought has gone into the UAC whitelist hacks MS have added to make their own apps seem better.

COM objects which can be created with elevation, by the things in list 2, without a UAC prompt.

Full enumeration of this list has not yet been done. The list is known to include IFileOperation and may simply be all Microsoft-signed COM objects that allow elevation at all.

It does not look like third-party COM objects can be elevated without triggering a UAC prompt, even by Microsoft processes, so the process and object must be on lists 2 and 3 respectively to bypass the UAC prompt. Given the number of processes which can be attacked and the fact that there are Microsoft COM objects to do many admin tasks, that isn't much of a consolation."
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html#release

Not sure of the date on the above info.
Has Microsoft fixed the problem?
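The quoted whitelist behaviour (Microsoft-signed binaries and COM objects elevating silently) only applies while UAC runs below its top level, which is why Fabian Wosar's advice earlier in the thread is to use the highest setting. The script below is an added example, not code from the thread or from pretentiousname.com: it audits the documented UAC policy values in the registry and reports whether the machine is at "Always notify", with an optional remediation function. It assumes PowerShell 3.0 or later and that the Policies\System key exists (it does on every Windows 7/8 install).

```powershell
# Added example: audit whether UAC is at "Always notify" (the highest setting).
# At that level Windows prompts for every elevation, including Microsoft-signed
# binaries that would otherwise auto-elevate without a prompt.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the ConsentPromptBehaviorAdmin policy value.
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (default; Windows binaries auto-elevate)'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey
    # Missing values are treated as 0, the least safe interpretation.
    $enableLua     = [int]$p.EnableLUA
    $adminMode     = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$p.PromptOnSecureDesktop

    [pscustomobject]@{
        EnableLUA             = $enableLua
        ConsentPromptBehavior = $adminMode
        Meaning               = $AdminPromptMeaning[$adminMode]
        SecureDesktop         = $secureDesktop
        # "Always notify": UAC on, consent prompt on the secure desktop, no auto-elevation.
        AlwaysNotify          = ($enableLua -eq 1 -and $adminMode -eq 2 -and $secureDesktop -eq 1)
    }
}

# Remediation: requires an elevated shell; supports -WhatIf for a dry run.
function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
        Write-Warning 'A change to EnableLUA only takes effect after a reboot.'
    }
}

$posture = Get-UacPosture
$posture | Format-List
if (-not $posture.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify": Microsoft-signed auto-elevate binaries will elevate without a prompt.'
}
```

Running the audit needs no special rights; only Set-UacAlwaysNotify needs an administrator shell, and Group Policy will overwrite the values on a domain-joined machine.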
 
