High-slider integrity planned for Windows 7 UAC

Microsoft spins on flack attack

Microsoft has promised changes to a frustrating Windows security feature inside Windows 7, following reported vulnerabilities and an avalanche of criticism.

The Windows 7 User Account Control (UAC) will feature improved protection, apparently intended to prevent unauthorized access and stop malicious code from piggybacking on approved code in the planned operating system.

Two senior Microsoft executives blogged late Thursday that the UAC control panel "will run in a high integrity process, which requires elevation." That means script running at medium integrity cannot manipulate the UAC panel's slider control, Microsoft told The Register.

Also, any changes made to the slider will prompt a pop-up that asks for user consent, even if your UAC alerts are set to "never notify," the company said.
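Since changes to the slider are the event of interest here, a defender-side complement to the prompt is to audit writes to the registry values the slider controls. This added example (not code from the article, Microsoft or The Register) parses Windows Security event 4657 ("A registry value was modified") records and flags writes to the UAC policy values; it assumes an audit SACL has been set on that key, and the event text layout and sample process paths are constructed.

```python
"""Flag changes to the UAC prompting level in Windows Security events.
Added example, not code from the article, Microsoft or The Register. Assumes
the UAC policy key carries an audit SACL so that event 4657 ("A registry
value was modified") is logged; the records below are constructed samples."""
import re

UAC_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Policies\System")
WATCHED = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
DISABLERS = {"EnableLUA", "ConsentPromptBehaviorAdmin"}  # 0 means "never notify"

def parse_event(text):
    """Turn one 'Field: value' event body into a dict (constructed layout)."""
    pairs = re.findall(r"^\s*([^:\n]+?):\s*(.*?)\s*$", text, re.M)
    return dict(pairs)

def to_int(raw):
    try:
        return int(raw, 0)  # handles "5" as well as "0x00000005"
    except (TypeError, ValueError):
        return None

def audit_uac_changes(event_texts):
    """Return (value, old, new, process, verdict) for each UAC slider change."""
    findings = []
    for text in event_texts:
        ev = parse_event(text)
        name = ev.get("Object Value Name", "")
        if (ev.get("Event ID") != "4657" or name not in WATCHED
                or ev.get("Object Name", "").lower() != UAC_KEY.lower()):
            continue  # not a write to one of the UAC slider values
        old, new = to_int(ev.get("Old Value")), to_int(ev.get("New Value"))
        if new == 0 and name in DISABLERS:
            verdict = "UAC prompting disabled (never notify)"
        elif new == 0:
            verdict = "secure desktop prompt disabled"
        else:
            verdict = "UAC prompting level changed"
        findings.append((name, old, new, ev.get("Process Name", "?"), verdict))
    return findings

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    "Event ID: 4657\nObject Name: " + UAC_KEY +
    "\nObject Value Name: ConsentPromptBehaviorAdmin\nOld Value: 5\nNew Value: 0"
    "\nProcess Name: C:\\Example\\unknown.exe",
    "Event ID: 4657\nObject Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Example\\App"
    "\nObject Value Name: EnableLUA\nOld Value: 1\nNew Value: 0"
    "\nProcess Name: C:\\Example\\app.exe",
]
```

Calling `audit_uac_changes(SAMPLE_EVENTS)` reports only the first record, since the second writes a same-named value under an unrelated key.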

The alerts and pop-up screens that UAC generates whenever new code is introduced on Windows 7's predecessor, Windows Vista, have proved so frustrating that the internet is now full of advice on ways to hack the panel and turn UAC off.

Jon DeVaan, senior vice president of the Windows core operating system division, and Steven Sinofsky, senior vice president of the Windows and Windows Live engineering group, put their names to the post towards the end of a week that saw Microsoft grapple with reported vulnerabilities in the UAC in beta versions of Windows 7.

For DeVaan, it was his second post on Windows 7's UAC. It followed an earlier solo post on Microsoft's official IE7 blog that, far from soothing jangled nerves over the apparent vulnerabilities, had the opposite effect.

DeVaan had tried to reassure Windows 7 testers that the weaknesses exposed in Windows 7's UAC could not be considered "vulnerabilities" because the malicious code had to be installed on the PC first, and that would require the user's consent.

According to DeVaan, this could not happen without the user noticing, and there had been no reported cases of malicious code getting past users.

Far from working, DeVaan's defense on the IE7 blog drew further heat, inspiring comments such as this one from sroussey, which was cited in the DeVaan and Sinofsky post:

You have 95% of the people out there thinking you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

Also, there was this from @Thack:

Jon,

Thanks for sharing your thoughts. I understand your points.

Now, I want to add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking. No other changes. Leave the default level as it is, and keep UAC as it is. We're just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level.

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument. Somebody WILL get past those other boundaries eventually.

Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

Sinofsky and DeVaan blamed the response to DeVaan's original post on "poor communication." They said the changes were already in the works before this "discussion".

"When we started the 'E7' blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren't sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we've managed to do both," the duo said late Thursday. ®
