Microsoft Roasted Over Response To UAC Flaws

Microsoft bloggers Long Zheng and Rafael Rivera recently unearthed two flaws in UAC, one that disables UAC in Windows 7 without any user interaction, and a second that stems from Windows being set up to automatically elevate Microsoft-signed applications and code to minimize UAC alerts. Both flaws have to do with efforts Microsoft made to placate Vista users who found UAC too annoying.

But Microsoft's stance is that these aren't actually vulnerabilities at all. In a Thursday post to the Windows 7 Engineering blog, Jon DeVaan, senior vice president of the Windows Core Operating System division at Microsoft, sought to dispel "a set of misperceptions" about UAC in Windows 7.

DeVaan said the feedback Microsoft has received thus far on UAC assumes that malware has already made its way onto PCs without users' consent, but Microsoft hasn't heard of this happening to any Windows 7 testers.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan wrote. "In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC."

While Windows Vista had just two UAC settings, 'Always Notify' and 'Never Notify,' Windows 7 gives users more control over UAC with four notification options, and that's a direct response to the feedback Microsoft heard from users who found Vista UAC to be overly chatty, according to DeVaan.

"We choose our default settings to serve a broad range of customers, based on the feedback we have received about improving UAC as a whole," wrote DeVaan.

In other words, Microsoft is simply giving users what they want, something for which users should probably be grateful. But DeVaan's statements sound a lot like the rationalizations Microsoft used to explain away many of Windows Vista users' complaints. And this wasn't lost on some readers who responded to DeVaan's claims in the blog's comments section.

"The Microsoft response to this issue is really shaking my faith [in] the quality of Windows 7. Vista was full of [this] sort of obtuse thinking," wrote one reader.

"I'm just [going] back to Vista so I can at least feel safe and confident that UAC will work as it should. If these UAC issues aren't resolved by RTM, I simply won't be upgrading to 7 and I won't be recommending it to anyone," wrote another reader.

Given Microsoft's lackluster security track record, the company would be better served by using a more conciliatory tone in addressing the Windows 7 UAC issues, said Gordon Scobel, CEO of Qualitech, a solution provider in Bingham Farms, Mich.

"I don't understand why Microsoft doesn't say 'We're going to fix it,' instead of telling users that they don't understand UAC. They seem to be getting more and more recalcitrant," Scobel said.

DeVaan also noted that although UAC helps improve security for Windows users, it's not a security boundary. But in the opinion of security solution providers who see and understand this distinction, Microsoft is fighting an uphill battle in arguing this point.

"UAC is just a fundamentally flawed concept," said Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider.

"There may be cases where UAC has benefit, but most users would be better to disable UAC, and get a reliable third-party antimalware/antivirus product, a firewall that includes intrusion prevention, and a script blocker for their browser."