Huge Security Flaw in Windows 7 User Account Control


User Account Control annoyed a lot of people in Vista, so Microsoft turned down the volume in Windows 7. But they've also opened up a massive security hole that leaves PCs exposed to nastywares. UPDATED.


Update: Microsoft has decided to patch the hole after all.

By default now, UAC no longer bugs you when you make changes to Windows settings, just when programs try to make changes on your computer. Which, admittedly, results in a smoother overall experience. But if you tried to turn off UAC in Vista, it required several confirmation screens. That's no longer so with the new settings, since modifying UAC is itself considered a Windows setting. So, a script can turn off User Account Control entirely, leaving your computer totally exposed to whatever dirty stuff malicious software wants to make your computer do.

Long Zheng's proof-of-concept script turns off UAC entirely, without prompting, by emulating keyboard input. So all an attacker would have to do is turn off UAC with a similar script, force a reboot and have a program launch at startup with full admin access to do whatever unseemly things it wants.

The fix, as he points out, is simple: Just make UAC modifications always require a prompt. In the meantime, you might wanna slide your settings up a notch, if you're feeling paranoid. [I Started Something]
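If you do slide the setting up, it is worth confirming afterwards which notch the machine actually sits on, since the slider is just a front end for three registry values. The following PowerShell is an added example and not code from the article or from Long Zheng's proof of concept; it reads the real UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) and maps them onto the four Windows 7 slider positions. It only reads the registry and changes nothing.

```powershell
# Added example (not from the article or Long Zheng's proof of concept):
# report which notch of the Windows 7 UAC slider the current policy values
# correspond to, so an admin can confirm the machine is on "Always notify".
# Read-only: it never modifies a setting.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey -ErrorAction Stop

    # A missing value means "use the OS default"; the Windows 7 defaults are used here.
    $enableLua = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }

    # Map the three values onto the slider positions (2/1 = top, 5/1 = default, 5/0 = no dimming, 0 = off).
    $level = if ($enableLua -eq 0 -or $consent -eq 0) {
        'Never notify'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        'Notify only when programs try to make changes (default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        'Notify only when programs try to make changes (do not dim desktop)'
    } else {
        "Non-standard ($consent / $secure)"   # values set by Group Policy rather than the slider
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        # Only the top notch prompts for changes to Windows settings, UAC itself included.
        PromptsForUacChanges       = ($level -eq 'Always notify')
    }
}

$state = Get-UacLevel
$state | Format-List

if (-not $state.PromptsForUacChanges) {
    Write-Warning 'UAC is below "Always notify": changes to the UAC setting itself will not prompt.'
}
```

Run it from an elevated or a normal prompt (the key is world-readable) after any change, and again after the reboot that an `EnableLUA` change requires; a machine that reports `Never notify` without anyone having moved the slider is exactly the symptom the article describes.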


Listen, MS is damned if they do and damned if they don't.

They could make windows a fortress if they wanted to, but then people would complain about all the security restrictions and authorization pop-ups.

Or they could just leave the damn thing wide open, then people would complain they are getting viruses all the time.

Having said that... I believe UAC settings should always require a confirmation AND password, period.