1. Actually, the malicious code described at the point you mentioned has no elevated rights and thus can only do limited damage to the system. This is the extra line of defense given by UAC. The _real_ problem the author points out is that the UAC pop-up can easily be turned “green”, which is supposed to be a hint of its trustworthiness. If the user clicks that, then the trojan has full access to the system. To me, that seems a pretty big hole in the “color trust” UAC bits. No chicken-egg problems here, this is a real attack vector to get elevated rights.

    Not really that trivial if you realize most people go nuts over the times they have to press “continue” on the UAC boxes. They get conditioned to press the button and move on, especially if it’s green.


  2. It is even worse. I expect applications that mimic the screen graying out and showing the box that asks for an administrator password. You know, that dialog you get when you run as a non-administrator and UAC kicks in…


  3. I still do not see the point; I do not look at the colors of the pop-up. I am not interested in “what color do you want to see today”. The pop-up makes me think about what I am doing. I realise this is not the case with most users, but to that attitude there is no defence.
    You do not get into your car without realising you have to be aware of the dangers around you (well, most drivers do it like this). If you have an accident, do you blame the manufacturer of your car?


  4. Microsoft did _want_ to make you think about different colors for the pop-up to indicate how dangerous it is to continue. The ability to easily spoof this may not be misleading to you, but it is to people who actually use this extra information as a hint of trustworthiness. If Microsoft did not intend that “green” is any more legit than “orange” or “red”, then I think they should not have implemented this feature in the first place, and certainly not have made it so easy to get the hint green.

    If you want to compare it with cars (although this is a bit strange), I’d compare it with a traffic light. You are at a crossroads and the traffic light is green, yet when you cross the road you have an accident because the light was wrong. Then it is your fault too, because you are supposed not to trust the traffic lights and always look 6 times before you cross the road. But realistically, I’d think _most_ people would actually blame this on the traffic light.

    Peter Hendriks

