Possible trouble with SuRun elevations

Posted by MrBrian on wilderssecurity today: SuRun elevations can allow malware to elevate in a standard account (example with elevated command prompt).

Paul

I don't really see anything surprsing there. For me, elevating a process to Administrator level via SuRun is always intentional. It's like installing a program on the REAL system - you'll need Administrator level access to do this most of the time (in order for the program to install properly).

However, as far as I understand it, this issue with SuRun would only apply if malware already got on to the REAL system and was able to execute in the Limited User Account (and then wait to associate itself to a SuRun-elevated process).

ssj100 wrote:I don't really see anything surprsing there. For me, elevating a process to Administrator level via SuRun is always intentional.

If I understand everything correctly, then the surprising thing is that not only the process you intended to elevate is elevated.
P.S.: I NEVER elevate anything in my limited account. If I get an alert while testing, I pretend not to know the admin password. Otherwise everything is set up in such a way that I (and all other limited users on this computer) will NOT get any UAC alerts at all.

Paul

p2u wrote:If I understand everything correctly, then the surprising thing is that not only the process you intended to elevate is elevated.

For me, I always "felt" that SuRun potentially created a "hole" for malicious processes to elevate themselves. However, this "hole" essentially becomes irrelevant with the use of Sandboxie + SRP.

ssj100 wrote:However, as far as I understand it, this issue with SuRun would only apply if malware already got on to the REAL system and was able to execute in the Limited User Account (and then wait to associate itself to a SuRun-elevated process).

That's correct. Using SRP or similar is highly recommended. As p2u noted, never elevating by any means is the safest thing to do.

MrBrian wrote:As p2u noted, never elevating by any means is the safest thing to do.

Yes indeed, but then convenience/usability would be lost (particularly on XP). But as I mentioned, having a good security setup/approach essentially makes this issue irrelevant, and regardless, the "risk" is on the same level as mistakenly installing a malicious program on the REAL system with Administrator rights.

ssj100 wrote:

MrBrian wrote:As p2u noted, never elevating by any means is the safest thing to do.

Yes indeed, but then convenience/usability would be lost (particularly on XP).

Not necessarily. It all depends on what your every-day tasks are. I often see people unnecessarily elevate while they would be better off just giving "write" permissions to authenticated users for certain folders/files only.
P.S.: On XP, I used to disable RunAs and made it unavailable for users. Besides, Secondary Logon and Fast User Switching were disabled. I can't do that on Vista, since Parental Control depends on UAC, and UAC depends on RunAs...

Paul

p2u wrote:Not necessarily. It all depends on what your every-day tasks are.

Yes of course, but then my "every-day tasks" are not typical of the "every-day" user haha. But for many people, they should not need to elevate (particularly on Vista/7) on most days.