A separation between root/Administrator and your normal user account is useful. On Windows, you often can't help but run semi-trusted proprietary software, so multi-user security technology (especially when combined with some type of mandatory access control) is very useful. I think that macOS Catalina does a better job of this: untrusted software running as your user account cannot read every file in your home directory by default.
Interesting - this only applies if your user account is already running as an administrator, but the risk here is that administrative functions could be run without user interaction or UAC prompts.
I just tested this on my Windows 10 machine (running the latest 20H2 version of Win10), and I could successfully launch diskpart.exe and other executables without any UAC prompt. Although Windows Defender did block me from launching cmd.exe or regedit.exe.
I would agree with the author that this is a risk that should be fixed.
17 comments
[ 3.5 ms ] story [ 52.3 ms ] threadAs Larry Osterman noted, UAC is not a security feature.
I just tested this on my Windows 10 machine (running the latest 20H2 version of Win10), and I could successfully launch diskpart.exe and other executables without any UAC prompt. Although Windows Defender did block me from launching cmd.exe or regedit.exe.
I would agree with the author that this is a risk that should be fixed.
There are many similar such UAC bypasses, e.g. https://github.com/rootm0s/WinPwnage#uac-bypass-techniques and https://github.com/hfiref0x/UACME.
How can anyone assume Windows to be secure or have reasonable defaults? Have you looked at it?