High-slider integrity planned for Windows 7 UAC

Microsoft spins on flack attack

Microsoft has promised changes to a frustrating Windows security feature inside Windows 7, following reported vulnerabilities and an avalanche of criticism.

The Windows 7 User Account Control (UAC) will feature improved protection, apparently intended to prevent unauthorized access and to stop malicious code from piggybacking on approved code in the planned operating system.

Two senior Microsoft executives blogged late Thursday that the UAC control panel "will run in a high integrity process, which requires elevation." That means script running at medium integrity cannot manipulate the UAC panel's slider control, Microsoft told The Register.

Also, any changes made to the slider will prompt a pop-up that asks for user consent, even if your UAC alerts are set to "never notify," the company said.
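The slider Microsoft is describing maps onto a handful of policy values in the registry. As an added example (not code from the article or from Microsoft), the following PowerShell reports which slider position a machine is currently at and the integrity level the shell itself is running with; the value names are the real Windows policy values, while the mapping of values to slider labels is this script's own assumption.

```powershell
# Added example: audit the current UAC slider position and the shell's integrity level.
# Registry value names are the real Windows UAC policy values; the slider labels
# assigned below are this script's assumption about how they correspond.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $key

$enableLua = $p.EnableLUA
$consent   = $p.ConsentPromptBehaviorAdmin
$secure    = $p.PromptOnSecureDesktop

if ($enableLua -eq 0) {
    $level = 'UAC disabled (EnableLUA=0)'
} elseif ($consent -eq 0) {
    $level = 'Never notify'                     # slider at the bottom: no consent prompt at all
} elseif ($consent -eq 5 -and $secure -eq 0) {
    $level = 'Notify for apps only, without the secure desktop'
} elseif ($consent -eq 5) {
    $level = 'Default: notify for apps, not for Windows settings'
} elseif ($consent -eq 2) {
    $level = 'Always notify'
} else {
    $level = "Custom (ConsentPromptBehaviorAdmin=$consent)"
}

# Integrity label of this shell. A medium-integrity process is exactly the kind the
# article says must no longer be able to move the slider without a prompt.
$label = (whoami /groups | Select-String 'Mandatory Label')
if ($label) { $label = $label.ToString().Trim() } else { $label = 'unknown' }

[pscustomobject]@{
    UacLevel                   = $level
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $consent
    PromptOnSecureDesktop      = $secure
    ShellIntegrity             = $label
}
```

Run it once before and once after changing the slider to see which values move; a monitoring rule on writes to these values is the defender's equivalent of the consent prompt the article describes.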

The alerts and pop-up screens generated by UAC when new code comes near Windows 7's predecessor, Windows Vista, have proved so frustrating that the internet is now full of advice on ways to hack the panel and turn off UAC.

Windows core operating system division senior vice president Jon DeVaan and senior vice president of the Windows and Windows Live engineering group Steven Sinofsky put their names to the post towards the end of a week that's seen Microsoft grapple with reported vulnerabilities in the UAC in beta versions of Windows 7 code.

For DeVaan, it was his second post on Windows 7's UAC and followed an earlier solo blog post on Microsoft's official IE7 blog that, rather than soothing jangled nerves over the apparent vulnerabilities, had the opposite effect.

DeVaan had tried to reassure Windows 7 testers that vulnerabilities exposed in Windows 7's UAC could not be considered "vulnerabilities" because the malicious code had to first install on the PC, and this would require the users' consent.

According to DeVaan, this could not happen and there had been no reported cases of malicious code getting past users.

Far from working, DeVaan's defence on the IE7 blog drew further heat, inspiring comments such as this from sroussey, which was cited in the DeVaan and Sinofsky effort:

You have 95% of the people out there think you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

Also, there was this from @Thack:

Jon,

Thanks for sharing your thoughts. I understand your points.

Now, I want to add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking. No other changes. Leave the default level as it is, and keep UAC as it is. We're just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level.

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument. Somebody WILL get past those other boundaries eventually.

Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

Sinofsky and DeVaan blamed the response to DeVaan's original post on "poor communication." They said the changes were already in the works before this "discussion".

"When we started the 'E7' blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren't sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we've managed to do both," the duo said late Thursday. ®
