Microsoft Apologises; To Fix Win 7 UAC Flaw

Earlier this week, Tom's Hardware reported that there was an inherent security flaw in the newly renovated User Account Control (UAC) built into the current Windows 7 beta build 7000. Microsoft has listened to the critics and has released details of their fix to address the problem.

At first Microsoft brushed off the issue as "by design": Windows 7 is meant to prompt users less often than Vista did. But because the default UAC setting lets changes to UAC itself go through without a secure desktop prompt, malicious code can alter the settings and even disable UAC without the user knowing it. Viruses and other malware can then run wild on the system with full administrative rights.

Who makes changes to UAC so often that they will be constantly pummelled with prompts? It wouldn't damage Microsoft's quieter UAC policy too badly to make an exception to the rule in this case for the sake of security. Fortunately, that is what it has now decided to do.

After a negative outcry from the community on their blog post defending the "problem", Microsoft's Jon DeVaan and Steven Sinofsky followed up with another post responding to community feedback.

“Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve,” they said.

According to the blog post, two changes will be made to the Release Candidate regarding UAC. Firstly, the UAC control panel will run in a "high integrity" process that requires permissions elevation. The blog states that this first change was already being worked on before this issue came to light. The second change will force a confirmation prompt for any change to UAC settings, which is the "simple" fix that Long Zheng mentioned in his blog when the problem was first publicised.

While it may take a fair amount of persuasion, it's good to see that Microsoft responds to user feedback positively.

  • Master Exon
    "released their its to address the problem."
  • gsteacy
    Master Exon: "released their its to address the problem."
    Whoops, I re-arranged that opening paragraph a few too many times. It's "fixed" ;)
  • So what about grammar? honestly. Also there shouldn't of never been an article about the security flaw; it was a "bug" and will be lots of them in the beta.
  • randomizer
    No, it wasn't a "bug". It was part of the design. Microsoft planned to leave it wide open like that, because they were afraid people would care if UAC settings changes caused prompts. They didn't consider the flip side where people consider security more important than sticking to their new UAC paradigm of less prompts.
  • Tindytim
    Smitty6123: "So what about grammar? honestly. Also there shouldn't of never been an article about the security flaw; it was a "bug" and will be lots of them in the beta."
    You aren't not a hypocrite.
  • truehighroller
    I have been seeing a lot of whining about grammar lately.
  • BallistaMan
    This is exactly what Microsoft needed to do. Personally I would have preferred it without the initial "we did it on purpose" rigmarole, but they admitted their mistake in the end.

    What they still need to do is allow you to make UAC exceptions for programs. Just have it so that when an exception is made, a prompt pops up. It'll be vaguely annoying when you're adding the exception on purpose, but quite effective at keeping any nasties from doing it remotely.
  • Tindytim
    BallistaMan: "What they still need to do is allow you to make UAC exceptions for programs. Just have it so that when an exception is made, a prompt pops up. It'll be vaguely annoying when you're adding the exception on purpose, but quite effective at keeping any nasties from doing it remotely."
    And what about fullscreen applications? You can either minimize them (which is extremely annoying, and can cause some problems with the program) or let the prompt sit there, unnoticeable until the fullscreen app exits.

    An overlay would be nice, but I'm not so sure if that could keep compatibility with every application.
  • enforcer22
    truehighroller: "I have been seeing a lot of whining about grammar lately."
    It's because people need to grab those giant sticks and yank them out of their anal (no phun intended) asses. And others wish to ignore even an informative message (which I'm not saying this is) because a period is out of place. Personally I ignore both parties because they are more annoying than a fly that keeps buzzing in your face. (Actually that's a lot more pleasant.)
  • frozenlead
    BallistaMan: "What they still need to do is allow you to make UAC exceptions for programs. Just have it so that when an exception is made, a prompt pops up. It'll be vaguely annoying when you're adding the exception on purpose, but quite effective at keeping any nasties from doing it remotely."
    ...which is essentially circumventing the entire UAC. This is a bad idea - malicious programs will be written to automatically make themselves exceptions.