

Microsoft Takes On the Elephant In the Room: Windows 7 and UAC



Much has been written about Long Zheng’s and Rafael Rivera’s reporting on UAC “vulnerabilities”. Up until today, Microsoft has not said much on the subject. On the Engineering Windows 7 blog, Microsoft’s Jon DeVaan takes the issue head on in a very lengthy post that is well worth reading. More below.

The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running. There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft’s position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent. Some people have taken the “it’s not a vulnerability” position to mean we aren’t taking the other parts of the issue seriously. Please know we take all of the feedback we receive seriously.

….Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place. In Windows 7 we have continued to focus on improving the ability to stop malware before it is installed or running on a PC.

The second issue to untangle is about the difference in behavior between different UAC settings. In Windows 7, we have four settings for the UAC feature: “Never Notify,” “Notify me only when programs try to make changes to my computer (without desktop dimming),” “Notify me only when programs try to make changes to my computer (with desktop dimming),” and “Always Notify.” In Windows Vista there were only two choices, the equivalent of “Never Notify” and “Always Notify.” The Vista UI made it difficult for people to choose “Never Notify” and thus choosing between extremes in the implementation. Windows 7 offers you more choice and control over this feature, which is particularly interesting to many of you based on the feedback we have received.

1 Comment


  1. GoodThings2Life

    02/05/2009 at 4:59 pm

    I agree with Microsoft’s position that it’s not a vulnerability per se, but I would still prefer if they add a simple conditional argument in their code to require elevated confirmation of UAC setting changes, regardless of how UAC is currently configured.
