Monday, 20 December 2010

Avecto: Filling in the UAC gaps

As I had to put on my "Security Cap" on for last week's Patch Tuesday update,  which was the largest (but not necessarily the scariest) series of updates from Microsoft to date. As part of my briefing for that report, I reviewed a Zero-day flaw that bypassed the Microsoft User Account Control (UAC) security mechanism.

As the author (Chester) outlines in his blog entry;

"The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users."

On it's own this bug does not allow for remote code execution, but it does allow users to execute code as if they were an administrator.

As it happens, I was also speaking with Tony Bolland from Avecto about their security product Privilege Guard. Tony is a real veteran of the industry  and it looks like their company is doing great things. Avecto's Privilege Guard effectively delivers a super-set of the security and control functionality   offered by Microsoft's built-in UAC functionality. 

Drawing, from the Avecto website, Privilege Guard delivers the following benefits;
  • Enables users to logon with standard user rights without compromising their ability to perform their job function
  • Enables users to run legacy applications or any other applications that require admin rights
  • Enables users to perform approved computer configuration tasks, such as adding local printers and changing the time
  • Restricts users to installing and running only trusted applications
  • Enables server administrators to work under least privilege, with an audit trail of privileged operations
  • Works seamlessly with User Account Control (UAC) and eliminates or replaces inappropriate UAC prompts

From what I understand about the product, Privilege Guard would have prevented any further impact/damage to the user or workstation environment  by managing the restricted access to all system level components. It looks like we will see an increasing need for these security "add-ons" to the basic UAC security model in the future as these Zero-day security exploits continue to proliferate.

I plan to have more of a play with the Avecto product in the new year, and I will keep you posted.

You can find out more about the Avecto Privilege Guard product here:

The AOK December Patch Tuesday Impact Analysis Report is located here:

No comments: