Feeds

Windows 7 UAC vuln not a vuln, MS repeats

Fixes it anyway

Website security in corporate America

When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK.

That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of Windows 7 and - particularly - User Access Controls (UACs).

He says there's been no report of a way for malware to make it on to a Windows 7 PC without first getting approval from the user. So far.

Curiously, in spite of his defense, Microsoft told us it has updated the Windows 7 code that will go in the final build to get around the UAC problems that have been raised.

What problems? Windows bloggers Long Zheng and Rafael Rivera claimed to have unearthed two flaws in the Windows 7 beta that could allow an attacker to gain full administrative privileges by sidestepping the UAC in the planned operating system.

The flaws are rooted in Microsoft's effort to make UAC less annoying to end users in Windows 7 than it's been in Windows Vista, which uses pop-up Windows to ask them whether they really want to download and install code. The number of pop-ups have been a source of distraction and annoyance to end users and also ISVs writing code that installs on Windows.

Under Windows 7, UAC will let certain digitally-signed code install without seeking the user's permission. Zheng said this would let cleared code execute a malicious payload.

Central to DeVaan's defense is the idea that reported vulnerabilities in Windows 7 concern the behavior of UAC only after malware has found its way on to the PC and started running. But malicious payloads cannot be get on the PC in the first place because there's a string of defenses that will bring them to the user's attention.

That security does not rest on UAC, he said.

There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place," DeVaan wrote.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.

DeVaan, though, sought to justify why Microsoft's picked the UAC's "Notify me only when programs try to make changes to my computer" alert as a default setting instead of the higher "Always Notify" alert. This was based on detailed company research that - guess what? - found people find too many windows popping up were an annoyance.

What qualified as "too many"? More than two during a single session - measured as time between booting up and closing down, or a whole day, depending on which was shorter. "Always Notify" was nearly four times as likely to produce sessions with more than two prompts, he said.

So there you have it. Better unsecure than inconvenient. ®

Protecting against web application threats using SSL

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
Profitless Twitter: We're looking to raise $1.5... yes, billion
We'll spend the dosh on transactions, biz stuff 'n' sh*t
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.