
February 5th, 2009

Microsoft: UAC security setting not changing (for now)

Posted by Mary Jo Foley @ 7:43 am

Categories: Corporate strategy, Security, Vista, Windows 7, Windows client

Tags: User Account Control, Security, Microsoft Windows 7, Microsoft Corp., Microsoft Windows, Operating Systems, Software, Mary Jo Foley

Via a hefty (but uncharacteristically responsive and timely) post to the Engineering Windows 7 blog, Microsoft officials said that they believe the default User Account Control (UAC) security setting in Windows 7 is fine as it is.

(At least I think that is what the author of the post, Senior Vice President of the Windows Core Operating System Division Jon DeVaan, said. I’ve read this three times now and am still not entirely sure. I’m even more confused given this story from Computerworld that says Microsoft is going to change the UAC setting in the upcoming Windows 7 Release Candidate build, expected by testers to be available around April 2009.)

There has been growing controversy around how Microsoft is planning to change the UAC prompting with Windows 7. In Vista, UAC prompts were so onerous that many users turned UAC off. With Windows 7, Microsoft is offering users more levels of granularity. However, the default setting for Windows 7, as it currently stands, is overly permissive in some testers’ (and some Microsoft employees’) view.

(Rather than revisit the entire UAC security-setting controversy, I’ll just point to a few posts about it from Within Windows, Istartedsomething, and yours truly.)

In his February 5 posting, DeVaan said that Microsoft based its UAC default decision on tester feedback from its Milestone 3 (M3) pre-beta build. Microsoft has declined to say how many people had access to the Milestone builds of Windows 7, but it was not a large number. The company has made the current Windows 7 Beta release available to millions of people.

The comments on DeVaan’s post are worth a read. The bulk of them are critical of Microsoft’s stance and are suggesting that a fix to the auto-elevate risk with the UAC setting would be relatively trivial. From poster d_e:

“Jon, you’re missing the point. The people only want to see an UAC notification when the UAC level is changed. That’s all. You don’t have to change anything else.”

Within Windows’ Rafael Rivera — one of the individuals who first brought the UAC security issue to Microsoft’s attention — said he was concerned that Microsoft is relying too heavily on external security mechanisms in Windows 7. He said:

“With UAC weaker in Windows 7, I feel as if we’ve regressed back to having only a single layer of security. Once a border application becomes compromised, by Windows-7-targeted malware, it’s game over.”

I’ve asked Microsoft officials if they have any further clarification around the company’s UAC intentions. If I get any, I’ll update this post with it.

Update: Even though the DeVaan post does not say this, Microsoft officials are now confirming that the company has fixed the elevation-escalation issue in Windows 7. Here is what is still murky:

1. Microsoft is saying the elevation issue has been addressed in post-Beta-1 “internal Windows 7 builds.” When will external testers see this fix? No one seems to be allowed to say. Microsoft is still not saying whether the Release Candidate — the next official “milestone” build — will go to only a smaller set of private testers or a larger group of public testers. That means, unless Microsoft decides to offer further clarification, folks should not expect to see the UAC elevation prompt fix until Windows 7 is made generally available.

2. There may be more UAC modifications/fixes in the works. DeVaan’s rather cryptic comment that Microsoft is still “listening to user feedback” seems to mean that Microsoft might make other tweaks to how UAC works before the product is released.

Update 2: Microsoft went back to the drawing board and posted a new blog entry on February 5 that explains exactly what will be changing with UAC. There will be two UAC changes in the Win 7 Release Candidate — which seems as though it will be public, based on the new posting — that reflect user feedback.

Mary Jo Foley has covered the tech industry for more than 20 years.


  • Talkback
  • Most Recent of 13 Talkback(s)
Just copy OS X
and have done with it. Mac users are used to putting in a password from time to time. It is part of the user-friendly interface. MS could do worse than to just copy the Mac, as they have done on so many other things....
Posted by: jorjitop Posted on: 02/18/09