Blogger finds security flaw in Windows 7 UAC



Blogger Long Zheng has found a security flaw in Windows 7’s User Account Control (UAC) that could allow anyone to change the UAC setting without any notification, even when disabling it outright. While it isn’t a big deal, it is important that Windows show you what change you have made, or you could accidentally agree to something you don’t want to do.

Zheng writes: “Of course it’s not a security vulnerability if you have to coerce the user into disabling UAC themselves (although sweet candy is exceptionally persuasive), I had to think “bad thoughts” to come up with a way to disable UAC without the user’s interaction.”

“The solution was trivial: you could complete the whole process with just keyboard shortcuts, so why not make an application that emulates a sequence of keyboard inputs.”

He has also published a “proof of concept”, with the help of his “side-kick” Rafael Rivera, to show how the flaw works. While you do need an account in the “Administrative” user group rather than the “Standard” user group, the “Administrative” user group is the default.

Image: Long Zheng
