Closed a4004 closed 3 months ago
UAC as an admin user is also not considered a security boundary (regardless of same-desktop), since there are millions of ways the current user can poison the environment and hijack a high-IL process.
If an Administrator is using the system and attempts to do the same task, there is only a warning prompt. That prompt is known as a "Consent Prompt" because the administrator is only asked to agree to the action before proceeding. A weakness that would allow bypassing the "Consent Prompt" is not considered a security vulnerability, since that is not considered a security boundary.
That sure is interesting that two different Microsoft docs contradict each other. I'd think if they are using the secure desktop by default, then, regardless of whether it's vulnerable or not, it would at least be considered a security boundary of some kind. But no, I guess then it seems MSFT knowingly ships a UAC system that isn't even achieving its intended purpose by default. That is kind of funny, and scary at the same time.
It does achieve its intended purpose, which was to bully more programs into working without admin, so that enterprise administrators can actually take away admin from their users without crippling the workflow.
Hey @xaitax
Love your work, really awesome repo showcasing serious flaws in this new Recall "feature". When will MSFT ever learn?
Just want to point something out to you though: you mentioned UAC is not a security boundary, which is factually incorrect. The article you quoted from @Microsoft does mention that "Same-desktop Elevation is not a security boundary", however that refers to an insecure configuration of UAC whereby the allow/deny prompt is presented on the user's desktop rather than the secure desktop (where the screen dims). This configuration is not the default on Windows and must be manually configured for UAC to no longer function as a reliable security boundary.
I'm not necessarily saying that UAC is perfect, as there are ways to bypass it with varying degrees of success, but I think it's important to get the context right when dealing with security issues that have great potential impact.
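The thread turns on which UAC configuration a machine is actually running: the default, where the consent prompt is drawn on the secure desktop, or "same-desktop elevation", where it is drawn on the user's interactive desktop. The following PowerShell is an added example, not code from this issue, its participants, or the repository under discussion. It reads the documented UAC policy registry values (EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorAdmin), reports whether the secure desktop is in effect, and shows the Set-ItemProperty calls that restore the defaults. The function names, the findings list and the output object shape are this example's own.

```powershell
# Added example: audit the UAC elevation-prompt configuration and restore defaults.
# Registry value names and meanings are the documented UAC policy settings; the
# functions and output format below are this example's own construction.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (Admin Approval Mode).
$AdminPromptBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacPolicyValue {
    param([string]$Name, [int]$Default)
    # A value that is absent from the key means the OS default applies.
    $item = Get-ItemProperty -Path $UacPolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-UacSecureDesktop {
    $enableLua   = Get-UacPolicyValue -Name 'EnableLUA'                  -Default 1
    $secureDesk  = Get-UacPolicyValue -Name 'PromptOnSecureDesktop'      -Default 1
    $adminPrompt = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled; admin processes start at high IL with no prompt.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation is silent, no consent prompt at all.'
    }
    if ($secureDesk -eq 0) {
        $findings += ('PromptOnSecureDesktop=0: the prompt is drawn on the interactive desktop ' +
                      '(same-desktop elevation), where other processes of the same user can reach it.')
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        PromptOnSecureDesktop      = $secureDesk
        ConsentPromptBehaviorAdmin = "$adminPrompt ($($AdminPromptBehavior[$adminPrompt]))"
        SecureDesktopInEffect      = ($enableLua -eq 1 -and $secureDesk -eq 1 -and $adminPrompt -ne 0)
        Findings                   = $findings
    }
}

# Hardening: put the defaults back. Needs an elevated PowerShell. If these values
# are delivered by Group Policy they will be overwritten at the next policy refresh,
# so fix them in the GPO instead. A change to EnableLUA only takes effect after a reboot.
function Restore-UacSecureDesktop {
    Set-ItemProperty -Path $UacPolicyPath -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacPolicyPath -Name 'ConsentPromptBehaviorAdmin' -Value 5 -Type DWord
    Set-ItemProperty -Path $UacPolicyPath -Name 'EnableLUA'                  -Value 1 -Type DWord
}

# Report the current state; call Restore-UacSecureDesktop separately if it is weak.
Test-UacSecureDesktop | Format-List
```

The check deliberately treats only EnableLUA=0, a silent-elevation setting, and PromptOnSecureDesktop=0 as findings; ConsentPromptBehaviorAdmin values 3 and 4 are reported but not flagged on their own, since whether those prompts land on the secure desktop depends on PromptOnSecureDesktop. Even with every value at its default, the point made elsewhere in the thread stands: Microsoft does not treat Admin Approval Mode elevation as a security boundary, so this audit tells you which prompt configuration is in effect, not whether a UAC bypass would be serviced as a vulnerability.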