From c883f79c9cbe950c3b7bafb0be189b4d075f9f50 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Wed, 15 May 2019 13:03:16 +0200 Subject: ui: drop permissions Signed-off-by: Jason A. Donenfeld --- attacksurface.md | 1 + 1 file changed, 1 insertion(+) (limited to 'attacksurface.md') diff --git a/attacksurface.md b/attacksurface.md index f843cc75..f2b56d08 100644 --- a/attacksurface.md +++ b/attacksurface.md @@ -36,6 +36,7 @@ The manager service is a userspace service running as Local System, responsible The UI is a process running for each user who is in the Administrators group (per the above), running with the elevated high integrity linked token. It exposes: - Since the UI process is executed with an elevated token, it runs at high integrity and should be immune to various shatter attacks, modulo the great variety of clever bypasses in the latest Windows release. + - It uses `AdjustTokenPrivileges` to remove all privileges. - It renders highlighted config files to a msftedit.dll control, which typically is capable of all sorts of OLE and RTF nastiness that we make some attempt to avoid. ### Updates -- cgit v1.2.3-59-g8ed1b
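Review bot: The added bullet, "It uses `AdjustTokenPrivileges` to remove all privileges.", does not say whether the privileges are removed from the token or only disabled, and that distinction decides how much this mitigation is worth. `AdjustTokenPrivileges` called with DisableAllPrivileges set only disables privileges, and code running in the same process can re-enable them later; only entries adjusted with SE_PRIVILEGE_REMOVED are gone from the token for good. Suggest rewording the bullet to state which of the two the UI does and at what point in startup it happens relative to the msftedit.dll rendering mentioned in the next bullet, so a reader can tell what the process still holds if that control is compromised. The subject line says "drop permissions" while the bullet says privileges; on Windows these are different things, so "ui: drop privileges" would match the text. The diffstat shown is limited to attacksurface.md, so the code that makes this call is not visible here to check the documented claim against.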