Shameless Plug

[Skywing]

Again, you should not be elevating programs run from a location where a plain user can write to them.  Modifying the main .exe might cause the signature check to fail, but this not something you should be relying on exclusively (consider that, for instance, a dependent DLL in the same directory could be altered).

If you continue to view UAC as something designed to provide complete protection against malware, then yes, you'll have no difficulty in finding holes by virtue of design decisions.

[iago]

I think that it should be more publicized that UAC doesn't provide complete protection against malware, because I got the opposite impression from marketing stuff. I wonder if they'll make token moves to try to fix this type of issue as it comes up?

But the idea behind the attack I just mentioned is that it would wait until you downloaded a file, such as setup.exe, from some site. Somewhere between downloading it and running it, the virus would infect setup.exe.

I can't think of any way that UAC could protect against that type of attack, it's pretty much hosed there.

[Skywing]

I agree with you completely; good luck in getting Marketing@Microsoft to take the correct approach, however, especially after the fact.

[iago]

I wrote another blog about a similar issue with Sudo, and, in general, about why it is hopeless to prevent malware this way. Once this goes through, I might write a third blog talking about why, in more abstract terms, this problem won't be solved on the current user-separation paradigm. PR has the blog right now, hopefully they'll approve it (I'm sure they will), then I'll post a link to it here.

[Joe]

Well, it's two days now. Any word back from them? That'd be an interesting read, since I tend to care more about Linux than Vista.

[iago]

They haven't said no yet, so it's likely good to go. We post one/day and I'll let you know when mine gets to the top.