Slashdot Mirror


Windows UAC Bypass Permits Code Execution (threatpost.com)

msm1267 writes from a report via Threatpost: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk. The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start Powershell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC. An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up. Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

79 comments

  1. Well duh by fisted · · Score: 2

    Easier to just rely on the luser to click "Allow" when the UAC prompt pops up.

    1. Re:Well duh by Anonymous Coward · · Score: 0

      No shit. Elevation prompts are security theater, and their only purpose is to allow MS to say they warned you when your dumb ass decides to go through the spam folder and open all the attachments.

      One of the first things I do on a new windows install (well, "did", because after 10 windows is dead to me now) is disable UAC. The cumulative annoyance of years of useless, hysterical prompts for every trivial thing I want to do more than outweighs the work of fixing my shit the one time per decade (lifetime average) I go full-dumbass and screw myself.

      (OTOH spamming the user with security prompts is also my biggest problem with Linux, which I now must get used to unfortunately. Though setting the root password to a single apostrophe so that typing it in amounts to fat-fingering the enter key has reduced the annoyance somewhat.)

    2. Re: Well duh by Anonymous Coward · · Score: 0

      what do you need root for on Linux all the time?
      You can just keep a root terminal open though.

    3. Re:Well duh by The-Ixian · · Score: 1

      Doesn't elevation in Linux just use sudo?

      If so, all you need to do is visudo and add the NOPASSWD flag to the appropriate match rule.

      --
      My eyes reflect the stars and a smile lights up my face.
  2. In other news... by Chir · · Score: 0, Troll

    The sky is blue, water is still wet, and windows is still insecure. Wonder if Microsoft is colluding with the 3rd party software market to keep windows insecure? Would make for some nice kickback payoffs from the Anti-virus / Anti-malware vendors. Winception.... How deep down the money hole does it go.

    1. Re:In other news... by A10Mechanic · · Score: 1

      Never attribute to malice that which may be explained by incompetence. (it's usually the latter)

    2. Re:In other news... by Anonymous Coward · · Score: 1

      The sky is blue, water is still wet, and windows is still insecure.

      The sky is blue, water is still wet, and windows is still INTENTIONALLY insecure.

      ftfy.

      It has nothing to do with third party software makers as you put it. It is US government spying apparatus. So are Google and Facebook and Twitter and Cloudflare (yeah, those captchas), and Markmonitor and way more. (Slashdot is just HUMINT which is normally out of FBI area of expertise... they are SIGINT. This is why they look so stupid here.)

      The US Gov forced Microsoft into spy servitude way back when they threatened to split Microsoft into two companies (and worse, but not published). So you have what you have right now.

      Spies everywhere, protecting nothing, producing nothing, just buying sunglasses and hair grease looking slimy in Nordstrom Rack attire.

    3. Re:In other news... by Chir · · Score: 1

      Unless they just want you to think its incompetence. Plausible deniability is all the rage.

    4. Re:In other news... by ruir · · Score: 4, Interesting

      I have yet to understand if Cloudflare captchas are there to secure their service or to force us to downgrade our security, activating Javascript. It is a pity, because I had a very nice opinion of Cloudflare and recommended it several times before finding out about that.

    5. Re:In other news... by Anonymous Coward · · Score: 0

      Force javascript at the captcha, and upon arrival to the site blocked by the captcha.

      This enables browser fingerprinting because javascript is enabled. Your desktop colors, all that. See browserspy.dk or panopticlick.eff.org

      It also forces a timelog, if your time is set correctly on your PC. I strongly advise everybody on Earth to set their PC clocks wrong on purpose while not needing to produce an outgoing timestamp (eg. email). This foils the US government monitoring default failsafe which is timelogging. How accurate is it? Just grab a copy of wireshark (formerly ethereal) and count decimal places.

      Cloudflare also has the gateway ability at those captchas to direct you to your intended destination or to a spoofed mirror which can be whatever the US Government wants it to be.

      Notable as well.. gstatic and google-analytics are there even on porn sites. That too is back-traceable, and even thus.. correlated to your other surfing and life dispositions. Yes, they want the ability to blackmail you and even ninja on you if you are a huge threat to their operations. Notice how Ed Snowden was helpful and honest but the US Government hate him? They are guilty of treason, he is not. Even on Slashdot (FBI as it is) they call Ed Snowden exiled when in fact he defected. Big hint, pay especially close attention to the minutiae.

      Use Firefox 45.0 or earlier only. No Chrome, no IE. Harden a little bit with this:
      https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

      Use NoScript and remove all from the big box under XSS. Also uncheck all boxes under ABE. Also install Adblock plus.

      In Adblock plus.. import this custom set for starters. Toggle the dialog box to CUSTOM FILTER.. and add it. Just copy it as a .txt file.
      http://pasted.co/6aeed3e0

      When you come across some bullshit, just add it according to the format used .. eg. ||facebook.com^ blocks everything that your browser tries to connect to at any facebook.com. They try to work around this by using numeric IPs. IPv6 is an even larger security hole, I don't suggest using it until the spies are fully dealt with. America is fed up with the government employees that ripped them off trillions.

      http://www.usdebtclock.org/
      http://www.usdebtclock.org/world-debt-clock.html

    6. Re:In other news... by Anonymous Coward · · Score: 0

      The sky is blue, water is still wet, and windows is still insecure.

      Oh come on. If you bothered to read what was written you would see that this "exploit" requires an admin user to already have access to the machine and the bit that makes it "insecure" is that you can go through this process and execute code without having to click "yes" in the UAC prompt. I'm sure attackers with admin access to machines find clicking "yes" really really burdensome.

      Wonder if Microsoft is colluding with the 3rd party software market to keep windows insecure? Would make for some nice kickback payoffs from the Anti-virus / Anti-malware vendors. Winception.... How deep down the money hole does it go.

      So when it's an exploit that (as I explained above) is not really a security vulnerability in any practical context anyway it is some big conspiracy theory but when it's a real privilege escalation bug that affects over 1 billion Linux devices that gets spun as a "benefit of open source".

      Now I know the anti-Microsoft sentiment runs high here but it's getting a little retarded when you demonstrate you're so enraged that you can't even understand the simple concepts involved here.

    7. Re:In other news... by ruir · · Score: 1

      At home I block things at DNS level...thanks for the links!

  3. Ok moving on by Anonymous Coward · · Score: 0

    Let's not worry about this right now. We need to get back to important topics... like Cortana, and how that bitch is going to save starving children in Africa. And Slashdot FBI. Can't forget Slashdot FBI.

  4. OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by Anonymous Coward · · Score: 0

    >It's unclear how Microsoft will address this issue.

    They already did. They had the FBI post how it is "somebody else bypassing the installer" besides Microsoft.

    >bypasses the security feature meant to prevent unauthorized installs

    There is only one feature to install in Windows. That is called Do you want to be spied on today.dll

    Give it up FBI. Look at the fucking stupid sites it quotes in the summary.
    threatpost.com
    enigma0x3.net

    Don't even click on the second one. Anybody who has been using the Internet for decades knows where to find valid bugs. That shit ain't it son.

    One has to realize that the FBI now at Slashdot, never were Slashdotters before.

    1. Re:OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by Anonymous Coward · · Score: 0

      how do you know its the FBI? Maybe its CIA. or NSA.

      Or the FCC. Or the DNC. or EIEIO

    2. Re:OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by Anonymous Coward · · Score: 0

      connections.

    3. Re:OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by ls671 · · Score: 1

      That is called Do you want to be spied on today.dll

      I especially like the spaces in the file name. It really makes you feel on Windows.

      --
      Everything I write is lies, read between the lines.
    4. Re:OK BACK TO FBI NEWS @ SLASHDOT THEN I SEE. by Anonymous Coward · · Score: 0

      Unix/Linux also have spaces. You use the \ or just tab-autocomplete in your shell.

      Maybe you were thinking of MS~DOS ?

  5. Am I reading this right? by tomhath · · Score: 4, Informative

    An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action

    So the attacker already pwns the machine. This is a threat?

    1. Re:Am I reading this right? by Anonymous Coward · · Score: 1

      STFU. We're trying to blow shit out of proportion here!

    2. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      jesus christ it's unbelievable what kind of idiots are crawling around on /. nowadays

    3. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      enigma0x3.net

      ^ according to that fucking site yeah. I won't click shit like that. Looks like goatse.cx.

      Basically what the summary is getting at is, you need more FBI or else you are "pwned". Call it all lies.

    4. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      Well when you are in the ghetto selling weed and somebody yells FEDS.. whoever sticks around are the idiots crawling around.

      Slashdot is just agenda for like a month or two already. I don't even log in.

    5. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      Not really. The attack can only work if the attacker is already in the position to read all your data, or hold it for ransom, and take over all your accounts, including e-mail and bank account, so you're just as fucked without this extra attack as you are with it.

    6. Re:Am i reading this right? by cbhacking · · Score: 1

      No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.

      --
      There's no place I could be, since I've found Serenity...
    7. Re:Am i reading this right? by hyperar · · Score: 1

      No physical access required. Arbitrary code execution in a non-elevated context required, and then it can use that to elevate... if you're a member of the Administrators group, and still have the brain-dead UAC default "don't notify when I make changes to Windows settings" setting selected.

      An attacker would already need to be on the machine to use this technique

      That pretty much is physical access. Not to mention that we're talking about an improperly configured environment. Nevertheless, it is a vulnerability that must be addressed and Microsoft's response is unacceptable. P.S.: I'm pretty sure that UAC doesn't allow you to make changes without being notified by default.

    8. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      Does elevation of privilege ring a bell to you? I wonder how that shit has been modded up.

    9. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      This comment is stupid, not informative. Just because you're a user on the box doesn't mean you own it, FFS.

    10. Re:Am I reading this right? by The-Ixian · · Score: 1

      All this exploit does is remove the "are you sure?" prompt that is displayed when a user that is ALREADY an administrator tries to do something in a high integrity context.

      He is an idiot for pointing that out?

      If it was just a standard user, this exploit would not work.

      Also, this is not remotely exploitable... so, yeah, if you are already an administrator and have local access to the machine.... well, you can do whatever you want even without the exploit.

      As a Windows admin, I find UAC to be useful, because it allows me to elevate in place without having to do a runas or switching users.

      --
      My eyes reflect the stars and a smile lights up my face.
    11. Re:Am I reading this right? by exomondo · · Score: 1

      So the attacker already pwns the machine. This is a threat?

      Yes, apparently if you ask an attacker if they are sure they want to run malicious code then 99% of times they will click "no". So not presenting this dialog is a massive security problem...if you're a complete idiot.

    12. Re:Am I reading this right? by Anonymous Coward · · Score: 0

      This comment is stupid, not informative. Just because you're a user on the box doesn't mean you own it, FFS.

      Read TFS, you're an admin user on the box so yes you do own it. This isn't about privilege escalation, you're already admin, it's about not having to click "yes" on the uac prompt.

  6. Doesn't break what UAC is intended for. by nuckfuts · · Score: 5, Insightful

    UAC isn't intended to be some kind of inviolable security mechanism. It's more of a simple alert that some process is trying to make changes to your system - a nice thing to know if you weren't expecting it. The fact that you can bypass the UAC prompt when already on the computer with administrative rights is pretty non-consequential.

    1. Re:Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      The rules are the same on both Linux and Windows:

      Want to install an app just for yourself? Go right ahead.
      Want to install an app for all users? You need to sudo or UAC.

      The problem wasn't Windows. The problem was a lot of poorly written software that assumed that it could spooge its files all over %PROGRAMFILES%, modify system settings, install drivers, etc. Makers of poorly written software would just wave their hands and say, "Just run as an administrator and your problems are solved!" UAC was intended to push pressure on software vendors to clean up their shit while retaining a degree of backward compatibility.

    2. Re:Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      Then why are the prompts there at all for local admins? It isn't even an extra layer of security if this isn't fixed, since the attack is a complete bypass. (It works because the Event Viewer is a signed binary that auto-elevates, which opens a .msc file with whatever program is associated with it. Since you can change that to any command you want, including a malicious PowerShell or batch command, you've got yourself a full bypass.) It just gives a false sense of security.
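The mechanism the summary and the comment above describe (an auto-elevating, Microsoft-signed Event Viewer that launches the .msc file handler, and a handler entry the non-elevated user can plant in their own registry hive), as an added audit script in PowerShell. This is example code written for this page, not code from the Slashdot post, Threatpost, or the Nelson/Graeber writeup. The per-user key path `HKCU\Software\Classes\mscfile\shell\open\command` is the one named in Nelson's public writeup; the page above describes the mechanism without spelling the path out. The script assumes it is run from the non-elevated session of the account being checked; the `Get-*`/`Test-*` function names are my own.

```powershell
# Added example; not code from the Slashdot post or from the writeup it reports on.
# Audits, from the non-elevated session of the user being checked, the three things the
# eventvwr.exe bypass relies on:
#   1. the account is in Administrators but the current token is UAC-filtered (medium integrity);
#   2. eventvwr.exe carries an autoElevate manifest, so the default UAC level launches it
#      elevated without a prompt;
#   3. a per-user handler for .msc files exists under HKCU\Software\Classes. That is the
#      "registry hijack": the HKCU entry shadows the HKLM entry in the merged HKEY_CLASSES_ROOT
#      view, and the elevated Event Viewer runs whatever command it names. A clean profile has
#      no such key at all, so its mere presence is the indicator.

function Get-AdminTokenState {
    # whoami lists the Administrators SID even when UAC has marked it "used for deny only";
    # WindowsPrincipal.IsInRole() would report $false for that filtered token, which is
    # exactly the case we want to recognise.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admins)                          { return 'NotAdmin' }
    if ($admins.Attributes -match 'deny only') { return 'AdminFiltered' }
    return 'AdminElevated'
}

function Get-ManifestElevationFlags {
    param([string]$Path)
    # The embedded application manifest is plain text inside the PE image, so a byte-level
    # scan for the two relevant elements is enough for an audit.
    $text  = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $level = 'none'
    if ($text -match 'requestedExecutionLevel[^>]*level="([^"]+)"') { $level = $Matches[1] }
    $auto = $false
    if ($text -match '<autoElevate>\s*(true|false)\s*</autoElevate>') { $auto = ($Matches[1] -eq 'true') }
    [pscustomobject]@{ Path = $Path; RequestedExecutionLevel = $level; AutoElevate = $auto }
}

function Get-MscHandler {
    $userKey   = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    $systemKey = 'HKLM:\Software\Classes\mscfile\shell\open\command'
    $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue
    $system = Get-ItemProperty -Path $systemKey -ErrorAction SilentlyContinue
    $systemCmd = $null
    if ($system) { $systemCmd = $system.'(default)' }
    $userCmd = $null
    if ($user) { $userCmd = $user.'(default)' }
    [pscustomobject]@{ SystemHandler = $systemCmd; UserOverride = $userCmd; Hijacked = [bool]$user }
}

$state    = Get-AdminTokenState
$manifest = Get-ManifestElevationFlags -Path "$env:SystemRoot\System32\eventvwr.exe"
$handler  = Get-MscHandler

$state
$manifest
$handler

if ($handler.Hijacked) {
    Write-Warning "Per-user .msc handler present: $($handler.UserOverride)"
    Write-Warning "Remove it with: Remove-Item -Recurse 'HKCU:\Software\Classes\mscfile'"
}
if ($state -eq 'AdminFiltered' -and $manifest.AutoElevate) {
    Write-Warning 'Filtered admin token plus auto-elevating eventvwr.exe: this session meets the precondition for the bypass.'
}
```

On a default Windows 7 or 10 install the script reports `SystemHandler` pointing at mmc.exe, `UserOverride` empty and `Hijacked` false; a planted HKCU key shows up as the override, and because HKCU is writable at medium integrity, removing it is also something non-elevated code can do. The `AdminFiltered` result is the normal state of an interactive admin logon under UAC, which is why the commenters above keep saying the technique needs an admin user but not an elevated one.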

    3. Re: Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      Security theater is all the rage.

    4. Re:Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      If it pops up when you're not expecting it then you know something is wrong. It's a warning. Most people run Windows as local admins, but they don't do admin things so they shouldn't see the prompts often. If they suddenly do see one, then they know (in theory) that something strange is going on.

    5. Re:Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      Still Microsoft does seem to have tightened UAC lately. Since a recent Windows 10 update it's no longer possible to use SetWindowsHookEx (which allows software to enter clicks for you) as administrator, when not using "run as administrator".

    6. Re:Doesn't break what UAC is intended for. by Anonymous Coward · · Score: 0

      or was it setwindowshook. Anyway, we found that in a windows update a few weeks back.

    7. Re:Doesn't break what UAC is intended for. by exomondo · · Score: 1

      It isn't even an extra layer of security if this isn't fixed, since the attack is a complete bypass.

      But if you're doing the attack why go through that process when you could just run your code and click "Allow" on the UAC dialog instead? You need to be admin to do this attack anyway so you already have the privileges to run whatever code you want.

  7. Improving windows! by jdavidb · · Score: 2, Insightful

    The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.

    Thank goodness! I've been looking for a way around those annoying popups ever since they first arrived in Windows, and I know I'm not the only one.

    1. Re:Improving windows! by Anonymous Coward · · Score: 0

      You know you can turn off UAC completely, right?

  8. SSSSPEAKING OF SLASHDOT FBI by Anonymous Coward · · Score: 0

    Where do you get YOUR torrents from, friends?

    1. Re:SSSSPEAKING OF SLASHDOT FBI by Anonymous Coward · · Score: 0

      Walmart. Aisle 6

    2. Re:SSSSPEAKING OF SLASHDOT FBI by Anonymous Coward · · Score: 0

      Tampons. Aisle 5

  9. UAC has a different goal by Anonymous Coward · · Score: 3, Informative

    UAC has a different goal than you think.

    https://channel9.msdn.com/Forums/Coffeehouse/473037-UAC-controversy-the-last-episode/773c9d79f8df4fa8bc489deb00e05c3d

    Its goal is to force us to actually fix our crap. UAC is not a bandaid to fix all security issues. There are many known workarounds to it. Including turning it off.

  10. Sweet vindication! by itsownreward · · Score: 1

    All you folks still running Windows XP and being told it's a pile of insecure horseshit are vindicated!

    1. Re:Sweet vindication! by Anonymous Coward · · Score: 0

      All you folks still running Windows XP and being told it's a pile of insecure horseshit are vindicated!

      the summary only mentions "Windows 7 and 10."

    2. Re:Sweet vindication! by itsownreward · · Score: 1

      Whoosh!

      Exactly. Only platforms that have UAC are affected. That's the joke.

    3. Re:Sweet vindication! by Anonymous Coward · · Score: 0

      XP bypasses UAC too, by default, because it doesn't have it.

    4. Re:Sweet vindication! by dbIII · · Score: 1

      I've been saying that for ages. Some poor sods still have to run MS WinXP to get legacy software to work and their insecure environment (with Firefox instead of IE of course and Thunderbird instead of MS Outlook) is really not much worse than MS Win10 knee deep in the current malware swamp. The same third party antivirus software runs on both after all and the same real firewall upstream can protect them.
      Treat both like a pile of insecure horseshit and you'll be better off instead of trusting whatever the wild web wants you to click on.
      As seen with another article the obvious has happened with automated "cloud" advertising and even Google advertising has become a malware vector due to no involvement of human beings - nobody is there to care about where the ad links go so a script kiddie got a cheap and trusted way to do damage.

    5. Re:Sweet vindication! by Anonymous Coward · · Score: 0

      It is actually possible to elevate your privilege on WinXP. XP has an equivalent to UAC, but lighter and faster, therefore less buggy.

    6. Re: Sweet vindication! by Anonymous Coward · · Score: 0

      Windows XP has the ability to start up a process as a different user if you specify their credentials.
      Windows Vista onward has UAC. This means that when a user in the admin group runs a process, by default that process doesn't get admin group permissions. You have to flag the exe headers as requiring admin, then windows displays the prompt. The prompt is displayed on a virtual desktop over the whole UI, which non-admin programs don't have access to.

      Bypassing this is a privilege escalation bug, as it allows a process to have group permissions it shouldn't have.

  11. Formerly known as WINDOWS ANNIVERSARY 10 by Anonymous Coward · · Score: 0

    Now known as Losedows Adversary 11

  12. Really? by Anonymous Coward · · Score: 0

    If this exploit requires admin rights on the box, then this is pointless. The box is already compromised and you have bigger issues.

    1. Re:Really? by Anonymous Coward · · Score: 0

      STOP STOP STOP you are ruining the FBI's day here.

      You have to realize they are not used to tech literate people with experience.

  13. Who runs Admin without UAC? by Anonymous Coward · · Score: 0

    Who in their right mind runs Admin and turns off UAC? You deserve malware if you're doing that.

    1. Re:Who runs Admin without UAC? by superwiz · · Score: 1

      Who in their right mind runs Admin and turns off UAC?

      Precisely.

      You deserve malware if you're doing that.

      The described bypass (at least from my reading of the Slashdot summary) allows one to bypass the UAC prompt even if UAC is turned on.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  14. Just don't run as admin by jader3rd · · Score: 1

    If your current user isn't an Administrator, this doesn't provide the attacker any additional privileges.

    1. Re:Just don't run as admin by cbhacking · · Score: 1

      It's actually even stupider than that. If you don't have UAC set to automatically elevate system binaries (like eventvwr.exe), this doesn't provide the attacker with anything either. UAC in Win7 introduced the idiotic notion that "trusted" programs would auto-elevate, rather than prompting, by default. There have been UAC bypasses based on this stupidity known for many years, this is just the latest in a long, long list.

      To avert this, on Win7+, set UAC to "Always notify", rather than the default "Notify me when apps try to make changes to my computer (Don't notify me when I make changes to Windows settings)". In the UAC control panel, just move the slider to the top. (On Vista, the latter option doesn't exist; anything launching from a non-elevated context is required to prompt.) That will protect you against stupidities like an auto-elevated process reading a command to execute out of the non-elevated-writable HKCU registry hive (which is how this bypass works). Microsoft's idea in changing that default may have been good (reduce the number of prompts), but their execution was shit because none of their code (including the self-elevating stuff) is actually designed to treat non-elevated-same-user-writable locations as untrusted.

      Note that there is *one* known UAC bypass that works even in "Always Notify" mode, because Microsoft is really bad at this stuff. It's far more complicated than this one, though. It also still doesn't work if you aren't a member of the Administrators group, though removing yourself from that group does introduce a lot of hassle.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Just don't run as admin by Anonymous Coward · · Score: 0

      UAC in Win7 introduced the idiotic notion that "trusted" programs would auto-elevate

      Sssshhhh don't tell anyone, that's a feature and not a bug.

  15. Please... kill UAC. by Anonymous Coward · · Score: 0

    UAC was never about security. It was about covering one's ass. "You can't blame Microsoft. We showed you a confirmation prompt and you clicked yes."

    1. Re:Please... kill UAC. by Anonymous Coward · · Score: 2, Informative

      No it is about forcing developers to stop being fucking lazy C@#nts and demanding admin privileges when they are not necessary. apps that annoy users with prompts lose users and hence finally fix their shit that no amount of begging has been able to achieve.

    2. Re:Please... kill UAC. by superwiz · · Score: 1

      Developers need admin privileges. You can't debug services without them.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  16. 'Experts' bypass UAC by disabling it by Anonymous Coward · · Score: 0

    So called 'Windows Experts' know how they like their systems and disable UAC as one of the first things they do when setting up a system. To them I laugh when they call themselves 'Experts', especially in the security area.

  17. Am i reading this right? by hyperar · · Score: 1

    Admin privileges?, Physical access?, big meh.

  18. Windows can execute code? by lusid1 · · Score: 1

    Seems newsworthy.

  19. Do you let users run as root on Linux? by Barlo_Mung_42 · · Score: 1

    No. I hope you do not. I don't run as admin on my Windows machines either. I run as Standard User so even if something bypasses UAC it can't do much because my account simply doesn't have those rights.

    1. Re:Do you let users run as root on Linux? by cbhacking · · Score: 1

      There's only one known UAC bypass if you switch to "Always Notify" from the brain-dead default setting that auto-elevates many Windows binaries, and there's a work-around for that one (the exploit itself is far more complicated than this one, too). Not arguing that running as not-a-member-of-Administrators isn't a good idea anyhow, because (from a security standpoint) it definitely is, but it's also a *mostly*-needless hassle.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Do you let users run as root on Linux? by superwiz · · Score: 1

      The issue is not that you don't run things as a root user. The issue is that you can limit what processes you run as root on Linux by only using sudo and only having it set to allow a limited set of commands. In Windows, an admin user is not running in a privileged mode by default (so all processes only have regular user privileges). The admin user can elevate to the privileged mode (and needs to answer in the affirmative to that UAC prompt if the policy is set to require UAC). But with this workaround, as soon as admin user logs in, a malicious process can elevate to admin level without ever presenting a UAC prompt. The sole act of an admin user logging in is enough for a malicious process to elevate and run in privileged mode. This downgrades Win 7 and Win 8 security to the security level of Win XP (in which all processes of the 1st logged in user run in the same session as the background services).

      --
      Any guest worker system is indistinguishable from indentured servitude.
    3. Re:Do you let users run as root on Linux? by superwiz · · Score: 1

      If you develop in Windows, you often need to run as a member of Administrators in order to debug services. It's either that or elevating the MSVS at the start (and I am not even sure that would work in allowing you to attach to services). If you do elevate MSVS though, you'll be creating files as a different user, so then you won't be able to edit them as your non-administrators user. So there is quite a bit of incentive to do all development as a member of administrators and have UAC turned on (both for 3rd parties' and for MS-authored software).

      --
      Any guest worker system is indistinguishable from indentured servitude.
  20. Not quite right, but it's stupid anyhow. by cbhacking · · Score: 1, Interesting

    Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat. Of course, in this case, it's just enabled by a really moronic default that Microsoft added to UAC in Win7 (and has persisted since), which auto-elevates some "trusted" Windows binaries (like eventvwr.exe). If you remove that particular stupidity (in the UAC control panel, move the slider all the way up to "Always Notify"), this attack (and the long, long list of similar things, many known for years, like it) won't work.

    --
    There's no place I could be, since I've found Serenity...
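The mitigation cbhacking describes in this comment and in the earlier "Just don't run as admin" reply (move the UAC slider to "Always notify" so that auto-elevating binaries such as eventvwr.exe prompt like everything else), as an added PowerShell script. This is example code written for this page, not code from the commenter, Microsoft, or the exploit writeup. The registry values and their meanings are Microsoft's documented UAC security-policy settings; the `-Enforce` switch and the `Get-UacPolicy`/`Test-AlwaysNotify`/`Set-AlwaysNotify` names are my own. Writing the values needs an elevated prompt because they live under HKLM.

```powershell
# Added example; not code from either comment it illustrates.
# Reads the registry values behind the UAC control-panel slider and, with -Enforce, sets them
# to what the slider calls "Always notify". Value meanings (Microsoft's documented policy settings):
#   EnableLUA                  1 = UAC enabled (changing this one takes effect after a reboot)
#   ConsentPromptBehaviorAdmin 5 = prompt only for non-Windows binaries: the Win7+ default,
#                                  under which autoElevate binaries such as eventvwr.exe skip
#                                  the prompt entirely
#                              2 = prompt for consent on the secure desktop for every elevation
#   PromptOnSecureDesktop      1 = show the prompt on the dimmed secure desktop, which
#                                  non-elevated code cannot click through
param([switch]$Enforce)

$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AlwaysNotify = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-AlwaysNotify {
    $p = Get-UacPolicy
    foreach ($name in $AlwaysNotify.Keys) {
        if ($p.$name -ne $AlwaysNotify[$name]) { return $false }
    }
    return $true
}

function Set-AlwaysNotify {
    # Requires an elevated (high-integrity) PowerShell: HKLM is not writable from a filtered token.
    foreach ($name in $AlwaysNotify.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $AlwaysNotify[$name] -Type DWord
    }
}

Get-UacPolicy
if (Test-AlwaysNotify) {
    'UAC is at "Always notify": signed Windows binaries no longer auto-elevate.'
} else {
    Write-Warning 'UAC is below "Always notify": autoElevate binaries such as eventvwr.exe elevate silently.'
    if ($Enforce) {
        Set-AlwaysNotify
        Get-UacPolicy
    }
}
```

Run it once without `-Enforce` to see the current state (a stock Windows 7 or 10 box shows `ConsentPromptBehaviorAdmin` = 5), then from an elevated prompt with `-Enforce` to raise it. After the change, launching eventvwr.exe from a filtered admin token produces the consent prompt on the secure desktop, so a planted HKCU handler no longer gets a free elevated process; it does nothing for the case cbhacking mentions of a separate bypass that works even under "Always notify", and nothing at all for an account that is not in Administrators, which never had a token to unfilter in the first place.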
    1. Re:Not quite right, but it's stupid anyhow. by Gadget_Guy · · Score: 1

      Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.

      This doesn't do that. You already have to be running as an Administrator for this so-called exploit to work. If you are not in the Local Administrators group then you will get the prompt requiring a password.

    2. Re:Not quite right, but it's stupid anyhow. by exomondo · · Score: 1

      Elevation from limited-user access to "root" (Administrators-level access) is definitely a threat.

      Of course it is, but if you actually read the article - or even the summary - you will see that that is not what is happening here:

      An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code

      So without this technique the only difference would be that the attacker would have to click 'Allow' in the UAC prompt.

  21. wow by superwiz · · Score: 1

    A security boundary not worth considering? For real? UAC and FS/registry virtualization are the only OS-level security paradigms added to Win 7 over Win XP. Without it, any background process running with administrative privileges can do what a logged-in administrator can do. This includes installing new software and doing essentially anything that a local TrustedInstaller user can do. Worse yet, if this ever happens when an admin user is logged in, the process would not even need to authenticate itself. It would just run it in the session of the logged-in admin user without the admin user ever knowing about it, with the admin user's full confidence that nothing can be installed under his credentials (because he has UAC turned on and not allowing any installation to happen without first presenting a "may I, mother?" prompt). If they don't think the session security improvements are worth anything, why don't they just start to openly support Win XP again? This is somewhat disturbing.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  22. Re:Let me get this straight... by superwiz · · Score: 1

    Not quite physical access. He just needs an admin to log in. So there is an admin user session running.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  23. You new here, or just completely ignorant? by cbhacking · · Score: 1

    OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site (and nearly as long as I have, actually), we understand the difference between "the attacker needs to physically or remotely access the machine" and "the attacker needs to have code executing on the machine". It's a very important difference. The fact that the summary implies direct access is required is stupid, but the fact that you (and, apparently, a significant number of other people) took that implication as fact says much more about you all than it does about the exploit.

    Try reading the actual exploit writeup rather than the dumbed-down ThreatPost article, and you'll see that no such claim is made. There's not a single step of the process that requires the level of access you'd need to approve a UAC prompt. Hell, even in the ThreatPost article, it doesn't say (or even imply) anything about physical access.

    “This is a post-exploitation technique, so an attacker would need to already be on the system.”

    You can do this exploit if you get non-elevated arbitrary code execution (via remote compromise, or Trojan download, or anything else of that sort) in the account of a member of the Administrators group. You cannot click "Allow" via non-elevated code execution; UAC is very carefully designed to not allow non-elevated code to approve its prompts.

    Please don't run your mouth when you don't know what you're talking about. This exploit, and the UAC default in Win7+, are both stupid enough already; you don't have to turn it into a three-way race. Think first, then post!

    --
    There's no place I could be, since I've found Serenity...
    1. Re:You new here, or just completely ignorant? by exomondo · · Score: 1

      OK, 7-digit ID or not, are you really so new here you think that Slashdot summaries (or even articles) are an always-accurate representation of the world? Out here in the real world, where I've been working in information security longer than you've been on this site

      Yes ok your life revolves significantly around this site, I get that but not everybody's does.

      The fact that the summary implies direct access is required is stupid, but the fact that you (and, apparently, a significant number of other people) took that implication as fact says much more about you all than it does about the exploit.

      I don't think I said or implied "direct access". I quoted "on the machine" which could be remote, it could be by proxy.

      Try reading the actual exploit writeup rather than dumbed-down ThreatPost article, and you'll see that no such claim is made.

      So the claim I didn't make is also not made by Threatpost, well glad we cleared that up.

      Hell, even in the ThreatPost article, it doesn't say (or even imply) anything about physical access.

      Neither did I.

      You can do this exploit if you get non-elevated arbitrary code execution (via remote compromise, or Trojan download, or anything else of that sort) in the account of a member of the Administrators group. You cannot click "Allow" via non-elevated code execution

      If you have already achieved that you don't really need this exploit.