Microsoft privilege escalation issue forces the debate: ‘When is something a security hole?’
This is where things get tricky. Reguly argued that this amounts to a security hole.
“With the proof-of-concept provided, we’re performing the action of launching an elevated command prompt. This could be done by an administrator, but they’d get a UAC prompt. Instead, we’re using a malicious technique, and you don’t get a UAC prompt,” Reguly said. “If UAC is a security feature and we’re running something that would normally require a UAC prompt without one, that sounds to me like a security feature bypass. Microsoft, traditionally, has fixed security feature bypasses, but, in this case, because of the wording of the Microsoft Security Servicing Criteria for Windows, they are not.”
That last line is indeed the thrust of the Microsoft argument. In their Security Service Criteria for Windows, Microsoft says “Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective. This includes actions which require Administrator permissions like registry tampering with HKEY_LOCAL_MACHINE and any attack where the attacker has Local or Domain Administrator access.”