Vista UAC isn’t just annoying and stupid; it’s insecure too!

! Warning: this post hasn't been updated in over three years and so may contain out of date information.

One of the more annoying features of Vista is User Access/ Account Control (UAC). In theory, it’s a great idea: make the user aware of changes to the system to prevent malware taking hold. In practice it’s hideous. Even if your user account has local machine administrator rights, you still get the prompts and must select “Run as Administrator” (despite being so already) when you want want to do things like change the desktop font size (I kid you not!)

Vista needs your permission

As a consequence of being so annoying and difficult to work with, I – like many Vista users – just turn it off in frustration. This leaves us open to the charge of being irresponsible, due to making our machines insecure. A little utility – iReboot – looks set to rebuff that charge by showing that bypassing UAC is a very easy and so any protection it claims to offer is likely just smoke and mirrors. The makers of iReboot state that

…Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security. Any program that UAC blocks from starting up “for good security reasons” can be coded to work around these limitations with (relative) ease. The “architectural redesign” of Vista’s security framework isn’t so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure OS…

They split their application in half. One half runs as a service (with full admin privileges), the other as a GUI with normal user privileges. The GUI talks to the service – bypassing UAC – and does what it wants with full, unrestricted access to the machine. And the whole lot installs and runs at start-up without a single UAC prompt (just the same request for an admin password as XP had). Nice one Microsoft!

Read the full details of how NeoSmart bypassed UCA to get their iRebbot product working with Vista.

2 thoughts on “Vista UAC isn’t just annoying and stupid; it’s insecure too!

Comments are closed.