by chrisper 3359 days ago
Many people say that the first thing they do is disable UAC. One person even told me that people who know what they are doing disable UAC.

Not sure what to think of these people

5 comments

UAC is arguably better than nothing but: it was designed to run at max level (the only available one in Vista, where it was introduced). Because the UX hindrance was too high MS added intermediate levels, but without evolving the whole design from a security model point of view. The result is so weak that MS simultaneously started to declare that UAC is not a security boundary, so they don't have to include comprehensive fixes in each security patch, only partial ones in system upgrades, when they feel like it.

https://github.com/hfiref0x/UACME currently references 8 unfixed bypasses. That's so high that I don't think this is reserved for targeted infection; it might very well happen in common malware.

UAC is merely a prompt that desensitizes users to more prompts. Whenever UAC shows up, for most people, the default reflex is just make the annoying prompt go away. Yes it to death.

Users simply should not log in as Administrators for day-to-day use. Anything requiring Administrator permissions should force a full log out, and change of identity. UAC doesn't educate users. Users should either be locked out of dangerous operations, or not locked out.

Administrators should take action only when there's the awareness that their decisions could result in the need to perform a full re-install of the system, without internet access.

This is the "nuke from orbit" gambit. It's the only way to be sure.

I recall at least one instance where my mom stopped at a UAC prompt wondering what it meant. Her calling me to verify what it was doing saved her from installing some malware. So anecdotally those prompts are not completely useless. She is not a tech literate person either, not much beyond referring to the browser as "the internet."
But, did she have Administrator permissions?
Well, I think this picture sums up a lot of thoughts on this subject: https://xkcd.com/1200/

In a nutshell, your user account has all your data, all your session cookies, all your logins and passwords, all your documents.... Everything.

And what can root/Administrator do? That's right, play with device drivers and system stuff. Once you have the primary user's account, unless it's a multiuser system, it's game over.

Just with user creds, I can start encrypting files to #evil_private_key, emailing browser data, keylogging, screencapping, data injection, and being a general nuisance.

The only good defense I've seen to this is what Qubes incorporates: Zones. It's virtual machines, with unique unspoofable borders, that you can configure to only allow the minimum amount of permission the container needs. Bank Zone only needs to talk to bank and financial websites. It doesn't need sound, or direct graphics access. Tor Zone allows talking through TCP on specified ports to and from, to allow Tor across the system.

In that case, yes a specific system could be compromised, but using containers like that keeps damage limited.

Yes, exactly, I also have sudo with no password on my Linux boxes. If you're on my account you can keylog me or dump my KeePass DB from memory. You may as well go ahead and have root too.

UAC is particularly bad in that it also produces problems with older applications and causes other applications to pop up UAC dialogs frequently. It's a huge annoyance with little security impact.

At worst it may make malware harder to remove if I do get infected - but in my experience, 99% of the malware you find kicking around on the internet isn't rootkit loaded 0 days - it's script kiddies crapping out iStealer to dump browser passwords or darkcomet to run DDoS botnets.

Lack of root makes being stealthy and covering tracks more difficult. Log clearing almost always requires elevation. If getting owned is a given (and it is) then the most important thing is detection after the fact.
Depending on what magnitude of "after" you mean, of course.
That's because UAC in Windows is worthless; it's a broken version of sudo that fails to do the one thing necessary: force a re-authentication of credentials. There's little point in popping up a warning that people can simply click right past without requiring admin credentials.
It works if you have a separate admin account. Then at least you have to enter its credentials, if not your own.
Yes, but then you aren't doing things in your own account with temporarily elevated privileges, which is the intent of UAC; it's supposed to be like sudo.
sudo as root usually doesn't ask for password either.
sudo as root is unnecessary; sudo only makes sense for non-root accounts. And sudo prompts the user for his own password, ensuring that even someone who walks up to your computer can't perform root actions just because you're logged in, and ensuring the user can't simply click without thinking, which is what everyone does on Windows, which is why UAC is so often disabled.
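The thread's complaint is that UAC defaults to a consent click rather than a password. Windows does expose the stricter behaviour as a policy value, so as an added example (not from any commenter, and not part of the thread) here is a PowerShell audit that reads the documented UAC policy values and, if wanted, sets the "prompt for credentials on the secure desktop" mode that makes UAC behave like sudo asking for a password; it assumes an elevated shell.

```powershell
# Added example: audit the UAC policy values that decide whether elevation
# asks for a consent click or for credentials, and optionally set the stricter
# "credentials on the secure desktop" behaviour discussed above.
# Must run from an elevated PowerShell; values are the documented policy keys.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin as documented by Microsoft
$AdminBehavior = @{
    0 = 'Elevate without prompting (no boundary at all)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-UacRequiresCredentials {
    $u = Get-UacPolicy
    # Only modes 1 and 3 force a password; mode 1 also uses the secure desktop,
    # so ordinary processes cannot draw over or fake the prompt.
    return ($u.EnableLUA -eq 1) -and ($u.ConsentPromptBehaviorAdmin -in 1, 3)
}

function Set-UacCredentialPrompt {
    # Switch to "always prompt for credentials on the secure desktop".
    # A change to EnableLUA only takes effect after a reboot.
    Set-ItemProperty -Path $Path -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

# Report the current state and flag a consent-only configuration.
$u = Get-UacPolicy
'EnableLUA={0}  AdminPrompt={1} ({2})  SecureDesktop={3}' -f $u.EnableLUA,
    $u.ConsentPromptBehaviorAdmin,
    $AdminBehavior[[int]$u.ConsentPromptBehaviorAdmin],
    $u.PromptOnSecureDesktop
if (-not (Test-UacRequiresCredentials)) {
    Write-Warning 'Elevation is consent-only: a single click on the prompt grants admin.'
}
```

Call Set-UacCredentialPrompt to apply the stricter mode; the same values can be pushed domain-wide through the equivalent Group Policy settings under Security Options.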