17 comments

[ 3.5 ms ] story [ 52.3 ms ] thread
Wouldn't an attacker that is able to edit the registry (to "initialize" the exploit) already have the privileges that the exploit would give them?
It’s in HKEY_CURRENT_USER as per the dzone article, so no.
(comment deleted)
It references a 2017 DZone article. Is this vulnerability still present?
The point the article is making is that this is a 2017 vulnerability and is still present on the lastest release of Windows 10
IMHO it's not a problem as you should treat Windows as a single-user OS anyway, and UAC is just a nuisance that gets in the way.
A separation between root/Administrator and your normal user account is useful. On Windows, you often can't help but run semi-trusted proprietary software, so multi-user security technology (especially when combined with some type of mandatory access control) is very useful. I think that macOS Catalina does a better job of this: untrusted software running as your user account cannot read every file in your home directory by default.
Interesting - this only applies if your user account is already running as an administrator, but the risk here is that administrative functions could be run without user interaction or UAC prompts.

I just tested this on my Windows 10 machine (running the latest 20H2 version of Win10), and I could successfully launch diskpart.exe and other executables without any UAC prompt. Although Windows Defender did block me from launching cmd.exe or regedit.exe.

I would agree with the author that this is a risk that should be fixed.

What's your UAC setting?
It's the default Windows 10 setting - "Notify me only when programs try to make changes to my computer"
Thanks! Seems I bumped it up to "always" at some point, though guess I should just make a separate admin user.
Who's surprised?

How can anyone assume Windows to be secure or have reasonable defaults? Have you looked at it?