Researcher Reveals 2-Step Vista UAC Hack
Website: www.physorg.com | Filesize: 9kb
The technique uses social engineering to trick the victim into downloading an innocent-looking file that includes a Trojan horse attack.

A Web application developer has uncovered a two-step process (PDF) for exploiting Windows Vista’s User Account Control, essentially by having a Trojan piggyback on what could be a legitimate download.

Robert Paveza, a senior Web application developer with Terralever, a Web-based marketing company based in Tempe, Ariz., published details of the vulnerability in a paper titled “User-Prompted Elevation of Unintended Code in Windows Vista.”

Paveza said in the paper that the vulnerability uses a two-part attack vector against a default Vista installation. The first step requires that malware called a proxy infection tool be downloaded and run without elevation. That software can behave as the victim expects it to while it sets up a second malicious payload in the background.

“For instance, if users believe they are downloading a ‘Pac-Man’ clone, such a game could be run while the malicious software did its work in the background,” Paveza said. He noted that the infection succeeds, for all intents and purposes, with the installation…