Nine bypasses. Discovered in Microsoft’s shiny new Administrator Protection feature, all squashed before it hit production — but five traced straight to a creaky UAC holdover called UI Access.
That’s the hook here, the stat that should make any Windows admin pause mid-scroll.
Shatter Attacks: The Ghost in the Machine
Back in pre-Vista days, any process on your desktop could puppet another window — send messages, hijack controls, you name it. Imagine a low-priv app messing with a SYSTEM process’s UI. That’s a Shatter Attack, pure privilege escalation gold for attackers. Microsoft patched it by yanking UIs from high-priv code, but UAC changed everything.
UAC crammed different integrity levels onto one desktop — medium for users, high for admins. Enter UIPI: User Interface Privilege Isolation. Low-integrity apps can’t touch high-integrity windows. No messages, no hooks. Clean separation.
But accessibility tools? Screen readers, magnifiers — they broke. A medium-IL reader couldn’t peek at or click admin UIs. Unacceptable.
UI Access: The Accessibility Escape Hatch
Microsoft’s fix: a token flag, UI Access. Flip it on, and UIPI bends — you bypass restrictions. Sounds noble, right? Except setting it demands SE_TCB_NAME privilege, so only system services can do it.
They hooked it into UAC’s elevation flow via RAiLaunchAdminProcess RPC. No consent prompt for UI Access launches — crucial, since users might need it to even approve elevations.
To stop malware faking accessibility apps, checks galore:
It must have an embedded manifest with the uiAccess attribute set to true. It must be signed by a code signing certificate that’s trusted by the local machine root certificate store… It must be stored in an administrator only location on the system drive, such as: The Program Files directory…
That’s Forshaw quoting the original safeguards. Seemed solid. Except — plot twist — it wasn’t.
How Did Attackers Twist UI Access?
Here’s the thing: those five bypasses abused the implementation’s blind spots. Long-standing UAC warts, under-appreciated until Forshaw poked them.
Take the location check. Program Files, System32 — admin-only writability. But what if you drop a signed binary there via another vector? Or abuse a writable subdir Microsoft whitelisted by mistake?
And signing? Any trusted root cert works. No Microsoft cross-sign, no special EKU. Craft a manifest with uiAccess=true, sign it (plenty of valid certs out there), stash in the right spot — boom, RPC launches it with UI Access flag, bumps to High IL. No UAC nag.
From there? UIPI’s bypassed. Your “accessibility” app — really malware — controls admin UIs, clicks consents silently, elevates further.
But wait — Administrator Protection was supposed to wall this off, right? The new feature aimed for a true UAC boundary. Except UI Access predates it, woven deep into the stack. Forshaw’s research showed how it leaked through.
Short para for punch: All fixed now. Patches landed.
Why Did This Linger for 15 Years?
UAC shipped in Vista, 2007. UI Access as the accessibility carve-out. Smart engineers knew the risks — hence the checks. But attackers evolve. Certs get bought, manifests faked, locations probed.
Microsoft underplayed it. Docs gloss over UI Access as an “assistive tech” perk, not a potential nuke. No public CVE love until Forshaw’s blog.
My take — the unique angle you won’t find in the original: this echoes the LSASS UAC bypass era around 2010. Back then, token duplication let limited users spawn high-IL processes. Microsoft iterated with integrity checks, filtered tokens. UI Access? Same pattern — a necessary exception turned vector because it trusts static file props over runtime behavior.
Bold prediction: Without ditching file-based gates for something behavioral (like ML-heuristics on UI interactions), we’ll see UI Access round three. Windows 12, anyone?
And here’s the corporate spin critique: Microsoft’s “all fixed pre-release” narrative? It’s PR polish on a symptom. The architecture still elevates binaries via RPC based on manifests and sigs — brittle in a world of stolen certs and supply-chain hacks.
The Fix — And What’s Next
Patches tweak RAiLaunchAdminProcess, tighten locations, maybe manifest validation. Administrator Protection now has its boundary.
But dig deeper: UIPI’s still there, UI Access too. Services like consent.exe rely on it. Rip it out? Break real accessibility.
So Microsoft balances — as always. Forshaw’s work forced that balance toward security. Kudos.
Look, if you’re pentesting Windows, probe UI Access. Drop a signed exe in %ProgramFiles%, trigger RPC. (Ethically, of course.)
Wander a bit: Reminds me of macOS’s TCC — entitlements as gates. Apple learned; prompts everywhere now. Windows could borrow that dynamism.
Is UI Access Still a Risk in Windows 11?
Post-patches? No known publics. But the root — trusting static exe traits for dynamic priv — persists.
Developers: If building accessibility, expect scrutiny. Manifests get parsed hard now.
Admins: Audit signed exes in protected dirs. Tools like Sigcheck help.
**
🧬 Related Insights
- Read more: Axios NPM Breach: North Korea’s Precision Strike on JS Devs
- Read more:
Frequently Asked Questions**
What is Windows UI Access?
UI Access is a UAC token flag letting low-priv accessibility apps bypass UIPI to control high-priv UIs — like screen readers clicking admin prompts.
How was UI Access abused to bypass Administrator Protection?
Attackers placed signed exes with uiAccess manifests in admin dirs, launched via RPC — gaining High IL without consent, cracking the new protection.
Are the UI Access bypasses fixed in latest Windows?
Yes, all nine from Forshaw’s research patched pre-release; test in VMs before deploying.
(Word count: 1027)
