<img alt="dcsimg" id="dcsimg" width="1" height="1" src="//www.qsstats.com/dcs8krshw00000cpvecvkz0uc_4g4q/njs.gif?dcsuri=/index.php/c/a/Business-Intelligence/Microsoft-UAC-Can-Be-Hijacked-by-Social-Engineering&amp;WT.js=No&amp;WT.tv=10.4.1&amp;dcssip=www.baselinemag.com&amp;WT.qs_dlk=XYYs84i44-qC@lW8xj4pPAAAAAA&amp;">

Microsoft: UAC Can Be Hijacked by Social Engineering

By Lisa Vaas  |  Posted 2007-02-26 Print this article Print

Security analysts assail Vista's User Account Control; Microsoft has admitted that yes, UAC is liable to social engineering.

Microsoft's UAC in its Vista operating system release was meant to signify that finally, the company has gotten serious about securing Windows by limiting a user's rights during day-to-day computer usage.

It's come to signify something much less than security or trust in the minds of some security experts, though. Security expert Joanna Rutkowska kicked off the dissection of UAC in her blog, and the latest salvo against User Account Control was heaved by Symantec Research Scientist Ollie Whitehouse with a Feb. 20 posting titled An Example of Why UAC Prompts in Vista Can't Always Be Trusted.

The upshot: Microsoft has admitted that yes, UAC is liable to social engineering.

The idea behind User Account Control is to limit user privileges as much as possible for most of a user's interaction with the desktop.

User rights are elevated only when necessary for administrative tasks, at which point a dialog box prompts the user to OK the escalation. Limiting normal permissions is a good thing, given that it reveals less operating system surface for an attacker to latch onto.

The problem, according to Whitehouse, is the level of trust granted to UAC prompts—a level of trust that he thinks is undeserved.

Read the full story on eWEEK.com: Microsoft: UAC Can Be Hijacked by Social Engineering

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.