Posted by Steven Bink April 24, 2007 8:03 PM with no comments

Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system.

Mark Russinovich, technical fellow in Microsoft's Platform and Services Division, used the spotlight of the CanSecWest security conference in Vancouver to discuss the implementation of UAC (User Account Control) in Windows Vista and made it clear that the feature is not meant to be a security barrier.

"It's a best effort to raise the bar and stop malware from making changes to the operating system but it's not a security boundary," Russinovich said of UAC, the oft-criticized mechanism that requires that all users run without full admin rights.

In a straightforward assessment of the threat landscape in a Vista world, Russinovich described malware authors as ISVs that will code for a standard user environment.

"There is no guarantee that malware can't hijack the elevation process or compromise an elevated application," Russinovich said after providing a blow-by-blow description of how UAC works in tandem with Internet Explorer (with Protected Mode) to limit the damage from malicious files.

Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access.

"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

Source: blogs.zdnet.com
