Huge Security Flaw in Windows 7 User Account Control

User Account Control annoyed a lot of people in Vista, so Microsoft turned down the volume in Windows 7. But they've also opened up a massive security hole that leaves PCs exposed to nastywares.UPDATED.

Update: Microsoft has decided to patch the hole after all.

By default now, UAC no longer bugs you when you make changes to Windows settings, just when programs try to makes changes on your computer. Which, admittedly, results in a smoother overall experience. But if you tried to turn off UAC in Vista, it required several confirmation screens. That's no longer so with the new settings, since modifying UAC is considered a Windows settings. So, a script can turn off User Account Control entirely, leaving your computer totally exposed whatever dirty stuff malicious software wants to make your computer do.

Long Zheng's proof-of-concept script turns off UAC entirely, without prompting, by emulating a keyboard inputs. So all an attacker would have to do is turn off UAC with a similar script, force a reboot and have a program launch at startup with full admin access to do whatever unseemly things it wants.

The fix, as he points out, is simple: Just make UAC modifications always require a prompt. In the meantime, you might wanna slide your settings up a notch, if you're feeling paranoid. [I Started Something]