Feeds

Windows 7 UAC vuln not a vuln, MS repeats

Fixes it anyway

Next gen security for virtualised datacentres

When is a Windows 7 vulnerability not a vulnerability? When the malware that's been written to exploit it can't be installed without the user's OK.

That's according to Microsoft's Windows core operating system division senior vice president Jon DeVaan, who felt moved to post a lengthy blog standing behind the security of Windows 7 and - particularly - User Access Controls (UACs).

He says there's been no report of a way for malware to make it on to a Windows 7 PC without first getting approval from the user. So far.

Curiously, in spite of his defense, Microsoft told us it has updated the Windows 7 code that will go in the final build to get around the UAC problems that have been raised.

What problems? Windows bloggers Long Zheng and Rafael Rivera claimed to have unearthed two flaws in the Windows 7 beta that could allow an attacker to gain full administrative privileges by sidestepping the UAC in the planned operating system.

The flaws are rooted in Microsoft's effort to make UAC less annoying to end users in Windows 7 than it's been in Windows Vista, which uses pop-up Windows to ask them whether they really want to download and install code. The number of pop-ups have been a source of distraction and annoyance to end users and also ISVs writing code that installs on Windows.

Under Windows 7, UAC will let certain digitally-signed code install without seeking the user's permission. Zheng said this would let cleared code execute a malicious payload.

Central to DeVaan's defense is the idea that reported vulnerabilities in Windows 7 concern the behavior of UAC only after malware has found its way on to the PC and started running. But malicious payloads cannot be get on the PC in the first place because there's a string of defenses that will bring them to the user's attention.

That security does not rest on UAC, he said.

There will also be Internet Explorer 8 with features such as SmartScreen Filter to tell a user when they are about to visit a site that contains malicious code. "Much of the recent feedback has failed to take into account the ways that Windows 7 is better than Windows Vista at preventing malware from reaching the PC in the first place," DeVaan wrote.

"Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent," DeVaan said.

DeVaan, though, sought to justify why Microsoft's picked the UAC's "Notify me only when programs try to make changes to my computer" alert as a default setting instead of the higher "Always Notify" alert. This was based on detailed company research that - guess what? - found people find too many windows popping up were an annoyance.

What qualified as "too many"? More than two during a single session - measured as time between booting up and closing down, or a whole day, depending on which was shorter. "Always Notify" was nearly four times as likely to produce sessions with more than two prompts, he said.

So there you have it. Better unsecure than inconvenient. ®

The essential guide to IT transformation

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
HANA has SAP cuddling up to 'smaller partners'
Wanted: algorithm wranglers, not systems giants
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.