Coders claim bypass of Vista security feature

Developers at free-software firm NeoSmart claim Vista's User Account Control is 'easy to code around' and 'only there to give the impression of security'
Written by Tom Espiner, Contributor

Software developers from NeoSmart, a not-for-profit technology-development organisation, claim they have successfully bypassed User Account Control, a security feature in Windows Vista.

The developers suggested on their website on Sunday that the feature was "only there to give the impression of security". Critics, however, have said that, by coding around User Account Control (UAC), the developers had simply done what Microsoft had intended them to do.

UAC is a feature of Vista designed to stop users from installing or executing arbitrary code. Many see it as a hindrance to performing everyday tasks, as it requests confirmation for many actions where no user confirmation was needed in Vista's predecessor, XP. UAC does not request these confirmations from users with administrator privileges, but, in Vista, users do not by default have this status.

The NeoSmart developers are behind a tool, iReboot, that helps users choose which operating system they would like to reboot into. UAC had stopped the application from running at start-up, but the developers now claim to have bypassed UAC by splitting iReboot into two. One of the parts, running in the background, has privileged access to the operating system without requiring administrator approval each time the machine boots; the other part, running as a client program, interacts with this back-end service.

As the developers were able to grant the back-end part of the program privileges to run without express user approval every time the machine starts up, they claimed that Windows Vista's security limitations were "artificial at best, easy to code around, and only there to give the impression of security".

"Any program that UAC blocks from starting up 'for good security reasons' can be coded to work around these limitations with (relative) ease," wrote the developers in a blog post. "The 'architectural redesign' of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure operating system."

However, some individuals posting comments in reply to the blog post disagreed that UAC is an "artificial" security feature. "I feel your pain for having to split a simple program into two, but your ranting is way off the mark," wrote "steveg".

"You haven't coded around [UAC blocks]. Your users have granted your application administrator privileges during installation. Game over. All your base belong to us. Once you've acquired administrator rights, the machine is yours and UAC's role is done. If you had bypassed UAC without the user explicitly granting administrator rights, your rant would be completely justified; as it is, it's merely misinformed and wrong," steveg wrote.

Another poster, "Harry Johnston", said UAC had been expressly designed to force independent software developers to write code which would work in this way. "This is a perfect example of what UAC was actually invented for — to force developers to write software that works for people who aren't logged in as an administrator. Good thing too," he wrote.

These comments echoed earlier statements by Microsoft product unit manager David Cross, who said in a speech at the RSA Conference in San Francisco earlier this month that UAC was deliberately designed to "annoy users", in order to put pressure on third-party software makers to make their applications more secure.

Microsoft had not responded to a request for comment at the time of writing.

Editorial standards