After the previous UAC security issue in Windows 7, here's another exploit which allows an unprivileged program to perform arbitrary privileged operations without prompting:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

My proof-of-concept program is a standalone executable that is run as a normal unelevated process. [..]
The proof-of-concept works by directly copying (or injecting) part of its own code into the memory of another running process and then telling that target process to run the code. This is done using standard, non-privileged APIs such as WriteProcessMemory and CreateRemoteThread.
If the target process is on [a list of Microsoft executables which can silently launch elevated COM objects] then our process gains the ability to create and control elevated COM objects from [a list of Microsoft COM objects] without triggering a UAC prompt or giving any indication to the user (under default Windows 7 beta settings).
Microsoft would no doubt say the same as before, that UAC is not a security boundary - and that is true. However, it goes to show again that the default compromised setting in 7 is much less secure than Vista's default, and the problems caused by having a whitelist.
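The injection pattern quoted above, looked at from the defender's side, as an added example that is not part of the original post or of the proof-of-concept: the PoC is an unelevated (medium-integrity) process that creates a thread in an auto-elevating Microsoft process, and cross-process thread creation is something an endpoint sensor can record. The rule below flags a remote-thread event whose source is unelevated and whose target is on the auto-elevate list. The log format, its field names, the sample records and the entries in the target list are all constructed assumptions; the write-up refers to a list of whitelisted executables but that list is not reproduced on this page.

```python
"""
Added example: flag remote-thread creation from an unelevated process into an
auto-elevating process, the shape of the UAC whitelist PoC described above.
Event format, field names and the target list are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Integrity levels of a process that has NOT been through UAC elevation.
UNELEVATED = {"Low", "Medium"}

# Placeholder names standing in for the auto-elevating Windows executables the
# write-up mentions; these are NOT real entries from that list.
AUTO_ELEVATE = {"autoelevate_a.exe", "autoelevate_b.exe"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    timestamp: str
    source_image: str
    source_integrity: str  # "Low", "Medium", "High" or "System"
    target_image: str


def basename(path: str) -> str:
    """Return the file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'key=value' record (a constructed format, not a real sensor's)."""
    fields = dict(token.split("=", 1) for token in line.split())
    if fields.get("event") != "RemoteThread":
        raise ValueError(f"not a RemoteThread record: {line!r}")
    return RemoteThreadEvent(
        timestamp=fields["ts"],
        source_image=fields["src"].lower(),
        source_integrity=fields["src_il"],
        target_image=fields["dst"].lower(),
    )


def is_suspicious(ev: RemoteThreadEvent, auto_elevate: Set[str]) -> bool:
    """Unelevated source -> auto-elevating target is exactly the PoC's shape.

    An elevated (High/System) source already holds the privilege, so it is not
    gaining anything through the whitelist and is left for other rules.
    """
    return (ev.source_integrity in UNELEVATED
            and basename(ev.target_image) in auto_elevate)


def scan(lines: Iterable[str], auto_elevate: Set[str]) -> List[dict]:
    """Run the rule over raw log lines and return one finding per match."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious(ev, auto_elevate):
            findings.append({
                "ts": ev.timestamp,
                "source": ev.source_image,
                "target": ev.target_image,
                "reason": "unelevated process created a thread in an "
                          "auto-elevating process (possible UAC whitelist abuse)",
            })
    return findings


# Constructed sample records, not real telemetry. Only the first one should fire:
# the second source is already System, the third targets a non-whitelisted
# binary, and the fourth source is already elevated (High).
SAMPLE_LOG = """\
event=RemoteThread ts=2009-02-01T10:00:00 src=C:\\Users\\u\\poc.exe src_il=Medium dst=C:\\Windows\\autoelevate_a.exe
event=RemoteThread ts=2009-02-01T10:00:05 src=C:\\Windows\\System32\\svchost.exe src_il=System dst=C:\\Windows\\autoelevate_a.exe
event=RemoteThread ts=2009-02-01T10:00:09 src=C:\\Users\\u\\debugger.exe src_il=Medium dst=C:\\Users\\u\\app.exe
event=RemoteThread ts=2009-02-01T10:00:12 src=C:\\Users\\u\\installer.exe src_il=High dst=C:\\Windows\\autoelevate_b.exe
"""


def run_demo() -> List[dict]:
    return scan(SAMPLE_LOG.splitlines(), AUTO_ELEVATE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ts']} {f['source']} -> {f['target']}: {f['reason']}")
```

The rule keys on the source's integrity level rather than on the source's name, because the whole point of the write-up is that the injecting program is an ordinary, unrecognised binary; the stable signal is "not elevated, yet creating threads in something that elevates silently". It is a heuristic, not a boundary: legitimate debuggers and accessibility tools also create remote threads, so a real deployment would tune the target list and whitelist known tooling by code signature rather than by file name.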