
February 6th, 2009

Microsoft backpedals on UAC flaw

Posted by Adrian Kingsley-Hughes @ 5:19 am

Categories: Windows 7


After initially describing the ability for code to change UAC (User Account Control) levels on Windows 7 beta without generating a UAC prompt as “by design,” Microsoft has now agreed to make changes to the Release Candidate code to tighten up security with regard to this issue.

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

What’s interesting is that this change of heart comes only hours after Jon DeVaan, senior vice president of the Windows Core Operating System Division, tried to assure readers of Microsoft’s Engineering 7 blog that the UAC problem is not a problem at all. The tone of this earlier post was very much one of “we’re right, you’re wrong”:

We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.

A flurry of comments followed, which seems to have caused the change of heart.

To be honest, I’m not sure why it took so long for Microsoft to realize that being able to alter UAC levels without any kind of system feedback was a serious issue. It’s not the fact that a bug of this sort existed in Windows 7 beta that bothered me (after all, it’s a beta), it was Microsoft’s odd nothing to see, move along reaction to it. I’m not sure whether this was down to Windows 7 being nearly done or a resistance to outside criticism of a change of policy that was OK-ed internally at Redmond, but in my mind it took far too much screaming from the crowds to get the problem acknowledged.

Needless to say, this is a victory (and vindication) for blogger Long Zheng who first highlighted this issue.

Adrian Kingsley-Hughes: Adrian is a technology journalist and author who has devoted over a decade to helping users get the most from technology. He also runs a popular blog called The PC Doctor.

