Feeds

Windows 7 UAC vuln not a vuln, MS repeats

Fixes it anyway

Security for virtualized datacentres

When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK.

That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of Windows 7 and - particularly - User Access Controls (UACs).

He says there's been no report of a way for malware to make it on to a Windows 7 PC without first getting approval from the user. So far.

Curiously, in spite of his defense, Microsoft told us it has updated the Windows 7 code that will go in the final build to get around the UAC problems that have been raised.

What problems? Windows bloggers Long Zheng and Rafael Rivera claimed to have unearthed two flaws in the Windows 7 beta that could allow an attacker to gain full administrative privileges by sidestepping the UAC in the planned operating system.

The flaws are rooted in Microsoft's effort to make UAC less annoying to end users in Windows 7 than it's been in Windows Vista, which uses pop-up Windows to ask them whether they really want to download and install code. The number of pop-ups have been a source of distraction and annoyance to end users and also ISVs writing code that installs on Windows.

Under Windows 7, UAC will let certain digitally-signed code install without seeking the user's permission. Zheng said this would let cleared code execute a malicious payload.

Central to DeVaan's defense is the idea that reported vulnerabilities in Windows 7 concern the behavior of UAC only after malware has found its way on to the PC and started running. But malicious payloads cannot be get on the PC in the first place because there's a string of defenses that will bring them to the user's attention.

That security does not rest on UAC, he said.

There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place," DeVaan wrote.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.

DeVaan, though, sought to justify why Microsoft's picked the UAC's "Notify me only when programs try to make changes to my computer" alert as a default setting instead of the higher "Always Notify" alert. This was based on detailed company research that - guess what? - found people find too many windows popping up were an annoyance.

What qualified as "too many"? More than two during a single session - measured as time between booting up and closing down, or a whole day, depending on which was shorter. "Always Notify" was nearly four times as likely to produce sessions with more than two prompts, he said.

So there you have it. Better unsecure than inconvenient. ®

Internet Security Threat Report 2014

More from The Register

next story
ONE MILLION people already running Windows 10
A third of them are doing it in VMs, but early feedback focuses on frippery
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Ploppr: The #VultureTRENDING App of the Now
This organic crowd sourced viro- social fertiliser just got REAL
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.