Feeds

Windows 7 UAC vuln not a vuln, MS repeats

Fixes it anyway

HP ProLiant Gen8: Integrated lifecycle automation

When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK.

That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of Windows 7 and - particularly - User Access Controls (UACs).

He says there's been no report of a way for malware to make it on to a Windows 7 PC without first getting approval from the user. So far.

Curiously, in spite of his defense, Microsoft told us it has updated the Windows 7 code that will go in the final build to get around the UAC problems that have been raised.

What problems? Windows bloggers Long Zheng and Rafael Rivera claimed to have unearthed two flaws in the Windows 7 beta that could allow an attacker to gain full administrative privileges by sidestepping the UAC in the planned operating system.

The flaws are rooted in Microsoft's effort to make UAC less annoying to end users in Windows 7 than it's been in Windows Vista, which uses pop-up Windows to ask them whether they really want to download and install code. The number of pop-ups have been a source of distraction and annoyance to end users and also ISVs writing code that installs on Windows.

Under Windows 7, UAC will let certain digitally-signed code install without seeking the user's permission. Zheng said this would let cleared code execute a malicious payload.

Central to DeVaan's defense is the idea that reported vulnerabilities in Windows 7 concern the behavior of UAC only after malware has found its way on to the PC and started running. But malicious payloads cannot be get on the PC in the first place because there's a string of defenses that will bring them to the user's attention.

That security does not rest on UAC, he said.

There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place," DeVaan wrote.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.

DeVaan, though, sought to justify why Microsoft's picked the UAC's "Notify me only when programs try to make changes to my computer" alert as a default setting instead of the higher "Always Notify" alert. This was based on detailed company research that - guess what? - found people find too many windows popping up were an annoyance.

What qualified as "too many"? More than two during a single session - measured as time between booting up and closing down, or a whole day, depending on which was shorter. "Always Notify" was nearly four times as likely to produce sessions with more than two prompts, he said.

So there you have it. Better unsecure than inconvenient. ®

Top three mobile application threats

More from The Register

next story
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.