
Microsoft Relents, Will Change Windows 7 UAC

Microsoft has agreed to make changes in Windows 7 User Account Control aimed at fixing security flaws that beta testers have been reporting over the past week.

In a late Thursday blog post, Jon DeVaan, senior vice president of the Windows Core Operating System division at Microsoft, and Steven Sinofsky, senior vice president for the Windows and Windows Live Engineering Group, said the UAC changes will be included in the Windows 7 Release Candidate, which will follow the Windows 7 beta. Microsoft isn't commenting on the timing of the release.

In the past week, Windows 7 beta testers have discovered two security flaws in Windows 7 UAC: one that allows UAC to be disabled without any user interaction, and another that could allow attackers to create malware that piggybacks on Microsoft-signed applications and code, which are designed to automatically elevate to administrative level in order to minimize UAC prompts.

To fix the second flaw, Microsoft will configure the Windows 7 UAC control panel to run in a high-integrity process, so that changing UAC settings will itself require elevation. Sinofsky and DeVaan acknowledged this as a bug fix that was already under development, and said Microsoft is aware of "a couple of others similar to that."

But Microsoft still doesn't appear to consider the first UAC flaw a vulnerability. Microsoft will alter Windows 7 UAC so that any changes to UAC's settings will prompt users for confirmation, but that change is simply Microsoft's response to user feedback, Sinofsky and DeVaan said.
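Both issues described above come down to the UAC policy values a machine is actually running with: whether UAC is on at all, and whether administrators are prompted for every elevation or only for non-Windows binaries. The following PowerShell audit is an added example, not code from the CRN article or from Microsoft. It reads the documented UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`), reports the configuration, and flags the weakened states; the choice of which states to flag, and the `Set-UacAlwaysNotify` hardening helper, are this example's own assumptions.

```powershell
# Added example (not from the CRN article or Microsoft): audit the UAC policy
# values behind the two reported Windows 7 UAC issues and, optionally, set the
# strictest prompting mode. Registry path and value names are the documented
# UAC policy settings; what counts as "weakened" is this script's assumption.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAuditResult {
    param([string]$Path = $UacPolicyKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # EnableLUA = 0 means UAC is switched off entirely, the state the first
    # reported flaw could reach without a prompt. A missing value defaults to 1.
    $enableLua = if ($null -ne $props.EnableLUA) { [int]$props.EnableLUA } else { 1 }

    # ConsentPromptBehaviorAdmin:
    #   0 = elevate silently ("Never notify")
    #   2 = prompt for consent on the secure desktop ("Always notify")
    #   5 = prompt only for non-Windows binaries (Windows 7 default; signed
    #       Windows components auto-elevate, which the second flaw piggybacks on)
    $consent = if ($null -ne $props.ConsentPromptBehaviorAdmin) {
        [int]$props.ConsentPromptBehaviorAdmin
    } else { 5 }

    # PromptOnSecureDesktop = 0 lets prompts appear on the normal desktop,
    # where other user-mode code can interact with them.
    $secureDesktop = if ($null -ne $props.PromptOnSecureDesktop) {
        [int]$props.PromptOnSecureDesktop
    } else { 1 }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0)'
    }
    if ($consent -eq 0) {
        $findings += 'Administrators elevate with no prompt (ConsentPromptBehaviorAdmin=0)'
    }
    if ($consent -eq 5) {
        $findings += 'Signed Windows binaries auto-elevate without a prompt (ConsentPromptBehaviorAdmin=5)'
    }
    if ($secureDesktop -eq 0) {
        $findings += 'Elevation prompts are not isolated on the secure desktop (PromptOnSecureDesktop=0)'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesktop
        Findings                   = $findings
    }
}

# Hardening helper (assumed policy choice, not Microsoft's recommendation):
# "Always notify" on the secure desktop. Must run from an elevated shell.
function Set-UacAlwaysNotify {
    param([string]$Path = $UacPolicyKey)

    Set-ItemProperty -Path $Path -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    # EnableLUA changes only take effect after a reboot.
}

$result = Get-UacAuditResult
$result | Format-List
if ($result.Findings.Count -eq 0) {
    Write-Output 'UAC configuration: no weakened settings found.'
}
```

Run the audit from any shell; only `Set-UacAlwaysNotify` needs elevation, and a change to `EnableLUA` takes effect after a reboot. The value `5` is flagged deliberately even though it is the Windows 7 default, because that default is exactly the auto-elevation behaviour the second reported flaw relies on; an organisation that accepts the default can drop that check.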

Since the UAC flaws surfaced, Microsoft has denied that they qualify as actual security 'vulnerabilities' as defined by the security industry. Microsoft's stance is that malware would have to make its way onto PCs without users' consent in order for attackers to take advantage of the UAC issues, and Microsoft hasn't received any reports of that happening.

Still, Microsoft's decision will help silence critics who've begun to see parallels between its handling of the Windows 7 UAC reports and its handling of Windows Vista complaints. With Vista, Microsoft often attributed user difficulties to the design changes it had made to the OS.

However, there are still plenty of security experts who feel that UAC is a flawed concept that does little to enhance security, and who believe Microsoft needs to overhaul it or scrap it entirely.

Bruce Schneier, British Telecom's chief security technology officer, sees the Windows 7 UAC episode as an example of many PC users' mistaken assumption that security is something that should operate invisibly in the background.

"Security means it's going to be hard to use. If you're annoyed by having to take a key out of your pocket to unlock your door, and you remove the lock, you lose the security," said Schneier.

"Is there a better technological alternative to UAC? Yes, but it's going to cost money, and it's also going to be inconvenient, just in a different way."
