February 4th, 2009

Microsoft's worst nightmare: Windows 7 deemed less secure than Vista

Posted by Mary Jo Foley @ 6:27 am

Categories: Corporate strategy, Security, Vista, Windows 7, Windows client

Tags: User Account Control, Microsoft Windows 7, Microsoft Windows Vista, Microsoft Corp., Microsoft Windows, Operating Systems, Software, Mary Jo Foley

While Microsoft officials won’t say it (at least not publicly), one of Windows 7’s main selling points is likely to be that it’s the “anti-Vista.” It will be faster, smaller, more reliable and… less secure?

If Microsoft continues on its current path regarding one of Windows 7’s components — the User Account Control (UAC) feature — the company might find itself in the regrettable place where Windows 7 could be less secure than Vista, according to some testers.

Two Windows enthusiast bloggers, Long Zheng and Rafael Rivera, have now discovered not one, but two, seemingly severe exploit channels in the UAC setting that is currently set as the default for Windows 7. The first exploit they publicized (after talking to Microsoft privately about it) allows malware to turn off UAC; the other allows malware to auto-elevate without notifying the user. To date, Microsoft’s response is that the new UAC default is set the way it is “by design” and isn’t problematic.

I asked Microsoft again on February 3 if it was still standing by its statement that the UAC default setting for Windows 7 is fine as is. Microsoft declined to let me speak to anyone directly and instead provided this statement (in the form of these bullet points):

  • “This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten onto the box, something else has already been breached (or the user has explicitly consented)”

I am not a security or a Windows internals expert. But I asked someone who knows a thing or two about how Windows works. He asked to remain anonymous. He said the current Windows 7 UAC setting is flawed in its design: it should not prompt only for non-Windows binaries (which is the default Windows 7 setting).

“The issue is that things like the WSH (Windows Script Host) are part of Windows, and if a scripting host or other ‘Windows’ component, like WSH or PowerShell, can be used by malicious software to drive the UI, it is trivial to pull off an exploit like this. This is a major problem, though, as in its current form Win 7 is potentially far less capable, in its default configuration, at stopping drive-by malware when compared with Vista.”

In other words, if the UAC setting is allowed to stay as is, Windows 7 could be deemed less secure than Vista. Ouch.
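The setting at issue is a handful of registry values under the UAC policy key. The following PowerShell script is an added example (not from the article, and not Microsoft's or the bloggers' code): it reads those values, reports which elevation-prompt level an administrator account is running at, flags the Windows 7 default that the anonymous expert objects to, and offers a function that raises the machine to the Vista-style "Always notify" level. The registry path and the meaning of each value are Microsoft's documented ones; the function names are this example's own. It assumes Windows Vista or Windows 7 with PowerShell 2.0 or later, and the change function assumes an elevated session.

```powershell
# Added example (not part of the article): audit the UAC configuration that
# decides whether Windows components elevate silently, and optionally raise it
# to the Vista-equivalent "Always notify" level.
# Assumptions: Windows Vista/7, PowerShell 2.0+. Reading works as any user;
# Set-UacAlwaysNotify must run from an elevated PowerShell (it writes HKLM).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin, the prompt behaviour for
# administrators running in Admin Approval Mode (the usual home-user setup).
$AdminPromptLevels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default, Win7 "Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent only for non-Windows binaries (Windows 7 default)'
}

function Get-UacAudit {
    $p = Get-ItemProperty -Path $PolicyKey
    $enabled = [int]$p.EnableLUA                   # 1 = UAC on, 0 = UAC off
    $admin   = [int]$p.ConsentPromptBehaviorAdmin  # see $AdminPromptLevels
    $secure  = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop

    $findings = @()
    if ($enabled -ne 1) {
        $findings += 'EnableLUA is 0: UAC is off and nothing is prompted.'
    }
    if ($admin -eq 5) {
        $findings += 'Level 5: Windows components marked for auto-elevation elevate with no prompt for admin accounts, so any such component that other software can drive elevates silently (the weakness discussed above).'
    }
    if ($admin -eq 0) {
        $findings += 'Level 0: every elevation request is granted silently.'
    }
    if ($secure -ne 1) {
        $findings += 'PromptOnSecureDesktop is 0: the prompt appears on the interactive desktop, where other processes can interact with it.'
    }

    New-Object PSObject -Property @{
        EnableLUA                  = $enabled
        ConsentPromptBehaviorAdmin = $admin
        AdminPromptMeaning         = $AdminPromptLevels[$admin]
        PromptOnSecureDesktop      = $secure
        Findings                   = $findings
    }
}

function Set-UacAlwaysNotify {
    # Same effect as moving the Windows 7 UAC slider to the top: consent prompt
    # on the secure desktop for every elevation, which is how Vista behaved.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    # A change to EnableLUA takes effect only after a reboot; the other two apply at once.
}

# Report the current state when the script is run.
Get-UacAudit | Format-List
```

Run the script from any session to see the current level and findings; call `Set-UacAlwaysNotify` from an elevated session to apply the stricter level. Because the article's point is that the default level can be changed from under the user, the same audit is worth scheduling or feeding into inventory tooling so that a machine whose `ConsentPromptBehaviorAdmin` or `EnableLUA` value drops after a baseline was recorded shows up as a change to investigate rather than going unnoticed.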

If Microsoft’s current, wide-scale Windows 7 beta is a real beta (and not just one in name only, as I’ve argued in the past), it would follow that Microsoft is still planning to use tester feedback to alter Windows 7 in ways that will make it a better product. Yes, there is a risk that having to go in and fix or change a feature could derail the well-finessed Windows 7 ship schedule. But isn’t the point of having outside testers look at your code to find potential problems? And isn’t improving the security of Windows still an overriding goal for the Windows team?

What’s your take? Does Microsoft need to rethink what it has done to UAC to make it less hated than it was in Vista?

Update: Bryant Zadegan of AeroXperience.org adds more food for thought to the UAC discussion, concluding: “I love Windows 7, but when a team closes a report on a critical demonstrated security bug as ‘by design,’ I don’t know what to think.”

Mary Jo Foley has covered the tech industry for more than 20 years.

