Microsoft On Windows 7 UAC Security Hole: "This is Not a Vulnerability"


Even though the gaping breach in Windows 7's User Account Control feature seems, to all eyes, like a pretty easy fix, Microsoft appears to be in denial mode with MS expert Mary Jo Foley.


As we've reported, various Windows security hounds have found that the new, less-naggy User Account Control (which doesn't bug you as often when potentially malicious apps get their fingers in your system) can be easily exploited to bring the nastiness to your PC. Many of said hounds have concluded that, with the UAC hole, Windows 7 is significantly less secure than Vista.


But for some reason, Microsoft won't fess up. When Mary Jo pressed them on the issue, they came back with this statement, which seems to contradict many of the observations of those publicizing the exploit:

* “This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
* Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
* UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
* The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)”

Windows 7 is, of course, still in beta, but the tone of denial here is troubling. Hopefully a change of tune is in order, as it would be a shame to see security be the downfall of an otherwise fantastic improvement over Vista. For more analysis check out Mary Jo Foley's blog: [All About Microsoft]



This is getting stupid.

Either the OS grants you the freedom to do what you want. With that freedom comes the disadvantage of being able to screw yourself if you do something stupid (XP & Win7).


You can be strapped down to a chair and be fed irradiated applesauce (Vista).

How is this such a big exploit anyway? If someone is going to put a hack in to lower UAC, how long do you think it will be before the same hack suppresses (or programmatically clicks) your oh so secure request for a user prompt?

Besides, do you really think the same people that click OK to every prompt without hesitation in the XP, Win7 example will do anything different with a stupid UAC message?