I decided to look at the issue more closely and add my own opinion. The result is that this is clearly an over-hyped issue. What really makes it FUD is that the Symantec posting implies this is a serious issue and never clarifies the actual risk. So many news sources then picked it up without really understanding the issue at hand. What further hurts the credibility of the Symantec post is that it is probably not completely objective on this issue, given Symantec's own future competitive products.
What it really comes down to is that someone could trick Vista into displaying a teal banner on the UAC prompt rather than a "semi-scary yellowy orange" one. In doing so, they could possibly fool a user into allowing malicious code to run with Administrator rights if the user decides to click Continue based on the fact that the banner is teal. While this certainly is a bug that Microsoft should fix, it is hardly an issue worth the hype when you consider all the mitigating circumstances:

1. A user would have to visit a malicious web site.
2. That site would have to entice, bribe, or otherwise fool the user into clicking on the download URL for an executable file.
3. The user would have to click past one prompt asking whether to save or run the file. Whichever they choose will involve at least two additional confirmations.
4. The user would then have to run the program; a browser exploit in IE7 Protected Mode would not be able to do this properly.
5. Assuming the file is not already caught by an anti-virus application, the user will be prompted to "Run a legacy CPL elevated" and must not be suspicious of that.
6. They have to know, and this is the key part, that a teal banner means something is coming from Vista and that yellow-orange means the code is not verified, and understand the difference between the two in order to have a false sense of trust.
7. The user would have to normally approve teal prompts and normally cancel yellow-orange prompts for there to be any difference here.
8. And finally, the user would have to enter administrator credentials or already be running as an administrator.
9. And of course, even if the code ran as an administrator, if the application wanted to make any significant changes to the system there would likely be further prompts, either from UAC or from Windows Defender.

Just the fact that all this really exploits is some presumed difference in user behavior between a teal prompt and a yellow-orange prompt shows how lame this really is.
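Two of the mitigating factors above (points 4 and 6) rest on facts a reader can verify directly instead of reading a banner color: UAC colors the consent banner according to the signature on the program being elevated, and IE7 Protected Mode runs the browser at low integrity. The PowerShell below is an added example, not code from the original post or from Microsoft or Symantec. It assumes an English-language Windows (whoami prints group names in the system language) and uses the download path only as a stand-in for whatever file the user was just asked to elevate.

```powershell
# Added example, not from the original post. Reports the signature status of
# a file a user is about to elevate, and the integrity level of the current
# process, so neither decision has to be made from the color of a UAC banner.
#
# Assumptions: English Windows (whoami group names are localized), and the
# download path at the bottom is a stand-in for the real file.

function Get-ProcessIntegrityLevel {
    # whoami /groups lists the token's mandatory integrity label, e.g.
    # "Mandatory Label\Low Mandatory Level" inside IE7 Protected Mode or
    # "Mandatory Label\High Mandatory Level" in an elevated shell.
    $match = whoami /groups | Select-String 'Mandatory Label\\(\w+ Mandatory Level)'
    if ($match) { return $match.Matches[0].Groups[1].Value }
    return 'Unknown'
}

function Test-ElevationCandidate {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Authenticode check: chain validation is done by the cmdlet; Status is
    # Valid, NotSigned, HashMismatch, UnknownError, etc. Note that files
    # signed only through a catalog show as NotSigned on old PowerShell
    # versions that do not consult catalogs.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        # A teal banner is only justified for code actually signed by
        # Microsoft; anything else deserves the yellow-orange treatment.
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        CallerIntegrity = Get-ProcessIntegrityLevel
    }
}

# Constructed usage: an unsigned download reports NotSigned regardless of
# what color the consent prompt ends up showing.
Test-ElevationCandidate -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

Run it from the same shell the file would be launched from: a result of "Low Mandatory Level" for CallerIntegrity is the condition under which point 4 holds, and a SignatureStatus other than Valid with a Microsoft signer is exactly the case where a teal banner should not be trusted.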
That assumption itself is questionable: if a user with admin credentials is smart enough to know the difference between the two colors and prudent enough to take different actions based on color, would they really be lame enough to download an unknown file from an unknown web site and click past all the other prompts, including one asking them to "run a legacy CPL elevated"? I doubt it. And you can't say this is an issue for uneducated (AKA Jo(sephin)e) users, because the issue here IS THE COLOR SWITCH and the implied trust of a teal banner. Uneducated users will not know the difference between the two banner colors and therefore will not make a security decision based on the banner color. Besides, with this type of user, all a program would have to do is say "Click Continue on all of the following prompts," and there is no protection from that type of scenario anyway. Conversely, you also can't say this is an issue for well-educated users who do make security decisions based on banner color (whoever that is), because there are so many other security decisions that user must make incorrectly before getting to that point.

You also can't say someone could exploit this via a browser exploit, because anything exploited silently in IE would run at low integrity and therefore couldn't even run RunLegacyCPLElevated.exe. MS Office has similar protections. Perhaps there are other attack vectors, but there will always be at least one UAC prompt, and it still comes down to making a security decision based on banner color. Yes, it is unexpected behavior and there should be better checking in RunLegacyCPLElevated.exe, but this by no means puts users any more at risk than before. It is an issue of very minor significance.

Mark Burnett
http://xato.net/bl/2007/02/27/why-symantec-cannot-always-be-trusted/
