This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on the areas of User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine the resulting attacks to gain full control over the machine from a low integrity, low privilege process.
Windows Vista is a radical departure from prior versions of the Windows operating system. With its introduction, enhancements have been made to virtually all aspects of the Windows security model. These changes should decrease the ease by which the operating system can be compromised.
In this research, Symantec researchers evaluated the security of the Windows Vista February 2006 CTP build. During this research we discovered a number of implementation flaws that continued to allow a full machine compromise to occur. By exploiting these flaws, a low privilege, low integrity level process can bypass User Account Protection, and ultimately execute code at a high privilege, high integrity level.
Since the conclusion of our initial phase of research, several new Windows Vista builds have been released. We recently re-evaluated our findings on the publicly released Windows Vista Beta 2 build 5384 and observed certain exploit paths have been fixed. Where applicable, we will indicate where our initial findings differ from the public Windows Vista Beta 2.
Windows Vista is a work in progress and it should be expected that security issues, including those discussed in this paper, will continue to be addressed until its final release.