
Code Signing and UAC–It Just Gets Better

Updated: 29 Jun 2009
By Ollie Whitehouse

Code Signing and UAC in Windows Vista have a relationship that should not be underestimated. Code Signing allows UAC to provide a user with the details of an application's publisher and, thus, permits the user to ensure it is trusted before allowing it to elevate to full administrative privileges. Therefore, my recent observation has left me dumbfounded.

The observation was this: if a signed binary is modified on disk and, thus, the code signing signature invalidated, you don’t get a big klaxon going off with the computer screaming, “Danger Will Robinson! Danger!” Instead, the binary is simply treated as if it isn’t signed. Why is this an issue? The simple reason is that if, for example, you have a world of poor file permissions (looking squarely at third-party software here) and the user running as a restricted administrator can modify a binary that is allowed to elevate, you could end up in a sticky situation. That is, if a user is familiar with the fact that an application needs to elevate privileges, and so is accustomed to accepting the UAC prompt, but doesn’t pay attention to the colour (due to distraction), they could authorize a modified binary to elevate. Why would the binary have been modified? Well, the most likely scenario is through a file-infecting virus.

Let me show an example of this. First, I take a binary that is signed with a valid signature.

[Image: CodeSigning-UAC1.jpg]

Figure 1: Digital signature summary from Explorer’s File Properties under Windows Vista

The interesting thing to note about Figure 1 (which can be accessed by right-clicking on the file in question) is that it doesn’t show you if the signature is valid unless you click on the "Details" button (Figure 2).

[Image: CodeSigning-UAC2.jpg]

Figure 2: Digital signature details from Explorer’s File Properties under Windows Vista

When we run this binary we see the UAC prompt associated with the signed executable (Figure 3). We see this UAC prompt because the manifest file says the binary needs to run as administrator.

[Image: CodeSigning-UAC3.jpg]

Figure 3: UAC prompt requesting elevation for signed executable

This is what we would normally expect. Now, if we take this binary and modify it as a file-infecting virus would (I just changed a couple of bytes) and follow the same process, we will see a couple of things. First, there is no overt warning that the signature is invalid (Figure 4).

[Image: CodeSigning-UAC4.jpg]

Figure 4: Digital signature summary from Explorer’s File Properties under Windows Vista for modified binary

Only when we click through to the details screen shown in Figure 5 can we see that the signature is indeed invalid.

[Image: CodeSigning-UAC5.jpg]

Figure 5: Digital signature details from Explorer’s File Properties under Windows Vista for modified binary

If we then run the application, we receive a UAC prompt because the manifest still says that the binary needs to elevate. However, as stated previously, instead of receiving a warning that the signature doesn’t match and, thus, the file could pose a danger to the user, we instead receive the same UAC prompt as if the binary wasn’t signed at all (Figure 6).

[Image: CodeSigning-UAC6.jpg]

Figure 6: UAC prompt requesting elevation for a modified signed executable with an invalid signature

While this is the scariest of the UAC prompts with its menacing yellowy-orange header, nowhere does it say that this binary is signed, yet the signature doesn’t match. Personally, I would have expected it to make this quite clear and warn the user to proceed with extreme caution. That being said, all is not lost. There is a local security policy setting that can be enabled, which would mitigate this (Figure 7).



Figure 7: Local security policy setting that can mitigate the threat of modified signed binaries

If enabled and you try to run a modified binary with a non-matching signature, you get presented with the helpful error message shown in Figure 8 below.

[Image: CodeSigning-UAC8.jpg]

Figure 8: Error message received as a result of local security policy change
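As an added example (not code from the original post), the following PowerShell script audits the two conditions the post describes: executables whose Authenticode signature no longer matches the file (Get-AuthenticodeSignature reports HashMismatch, which is exactly the "modified signed binary" that UAC presents as merely unsigned) and executables that standard users can write to. It also reports whether the mitigating policy is enabled; it assumes that the setting shown in Figure 7 is the standard "User Account Control: Only elevate executables that are signed and validated" policy, stored as the ValidateAdminCodeSignatures registry value, and that $Path is a caller-supplied directory to scan.

```powershell
# Added example, not from the original post. Assumption: the Figure 7 policy is
# "User Account Control: Only elevate executables that are signed and validated",
# backed by the ValidateAdminCodeSignatures value under the key below.
param([string]$Path = "$env:ProgramFiles")

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'ValidateAdminCodeSignatures'

function Get-ElevationSignaturePolicy {
    # 1 = only signed and validated executables may elevate; 0 or absent = default (off)
    $value = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    if ($value -eq 1) { 'Enabled' } else { 'Disabled (default)' }
}

function Test-WritableByStandardUsers {
    param([string]$File)
    # The "poor file permissions" case from the post: Users, Authenticated Users or
    # Everyone hold Write/Modify/FullControl on a binary that is allowed to elevate.
    $acl = Get-Acl -Path $File
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.IdentityReference)" -notmatch 'Users$|^Everyone$') { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

Write-Host "Elevation signature policy: $(Get-ElevationSignaturePolicy)"

Get-ChildItem -Path $Path -Recurse -Include *.exe -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    # Status values of interest:
    #   Valid        - signature verifies against the file contents
    #   NotSigned    - the binary was never signed
    #   HashMismatch - signed, but the file was modified after signing (the post's case);
    #                  UAC's default prompt shows this exactly like NotSigned
    [pscustomobject]@{
        File      = $_.FullName
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        UserWrite = Test-WritableByStandardUsers -File $_.FullName
    }
  } |
  Where-Object { $_.Status -eq 'HashMismatch' -or $_.UserWrite } |
  Format-Table -AutoSize
```

A HashMismatch hit on a binary that elevates is the situation the post describes; with the policy enabled, such a binary is refused elevation outright instead of being prompted for as though it were unsigned.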

So while UAC isn’t a security boundary, the fact that certain key information relating to the integrity of a binary is not communicated to the user could be seen as a shortcoming in its design when asking the user to make a decision. However, there are mitigations available, although these are not turned on by default. In short, pay attention to those UAC prompts every time you click "Allow."

Is this a big issue? No. Is it an issue that should have been mitigated, in my opinion? Yes. Why wasn’t this type of protection implemented? Don’t know.

Also, some feedback I received and acknowledge from the last blog about UAC was that I should provide context. So here goes—this is only going to pose an issue to users who run the default configuration and whose account is an administrator. Therefore, this will primarily affect consumers and not enterprises, since a majority of enterprises don't give out administrative permissions to all their users.