Feeds

Windows 7 UAC vuln not a vuln, MS repeats

Fixes it anyway

The Essential Guide to IT Transformation

When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK.

That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of Windows 7 and - particularly - User Access Controls (UACs).

He says there's been no report of a way for malware to make it on to a Windows 7 PC without first getting approval from the user. So far.

Curiously, in spite of his defense, Microsoft told us it has updated the Windows 7 code that will go in the final build to get around the UAC problems that have been raised.

What problems? Windows bloggers Long Zheng and Rafael Rivera claimed to have unearthed two flaws in the Windows 7 beta that could allow an attacker to gain full administrative privileges by sidestepping the UAC in the planned operating system.

The flaws are rooted in Microsoft's effort to make UAC less annoying to end users in Windows 7 than it's been in Windows Vista, which uses pop-up Windows to ask them whether they really want to download and install code. The number of pop-ups have been a source of distraction and annoyance to end users and also ISVs writing code that installs on Windows.

Under Windows 7, UAC will let certain digitally-signed code install without seeking the user's permission. Zheng said this would let cleared code execute a malicious payload.

Central to DeVaan's defense is the idea that reported vulnerabilities in Windows 7 concern the behavior of UAC only after malware has found its way on to the PC and started running. But malicious payloads cannot be get on the PC in the first place because there's a string of defenses that will bring them to the user's attention.

That security does not rest on UAC, he said.

There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place," DeVaan wrote.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.

DeVaan, though, sought to justify why Microsoft's picked the UAC's "Notify me only when programs try to make changes to my computer" alert as a default setting instead of the higher "Always Notify" alert. This was based on detailed company research that - guess what? - found people find too many windows popping up were an annoyance.

What qualified as "too many"? More than two during a single session - measured as time between booting up and closing down, or a whole day, depending on which was shorter. "Always Notify" was nearly four times as likely to produce sessions with more than two prompts, he said.

So there you have it. Better unsecure than inconvenient. ®

The Essential Guide to IT Transformation

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.