Microsoft backpedals on UAC flaw

    Microsoft backpedals on UAC flaw


    Last Updated: 07 Feb 2009 at 19:36
    After initially describing the ability for code to change UAC (user account Control) levels on Windows 7 beta without generating a UAC prompt as “by design” Microsoft has now agreed to make changes to the Release Candidate code to tighten up security with regards to this issue.
    With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
    What’s interesting is that this change of heart comes only hours after Jon DeVaan, senior vice president of the Windows Core Operating System Division, tries to assure readers of Microsoft’s Engineering 7 blog that the UAC problem is not a problem at all. The tone of this earlier post was very much one of we’re right, you’re wrong:
    We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
    A flurry of comments followed which seemed to have caused the change of heart.
    To be honest, I’m not sure why it took so long for Microsoft to realize that being able to alter UAC levels without any kind of system feedback was a serious issue. It’s not the fact that a bug of this sort existed in Windows 7 beta that bothered me (after all, it’s a beta), it was Microsoft’s odd nothing to see, move along reaction to it. I’m not sure whether this was down to Windows 7 being nearly done or a resistance to outside criticism of a change of policy that was OK-ed internally at Redmond, but in my mind it took far too much screaming from the crowds to get the problem acknowledged.
    Needless to say, this is a victory (and vindication) for blogger Long Zheng who first highlighted this issue.

    Microsoft backpedals on UAC flaw | Hardware 2.0 | ZDNet.com

    All I have to say to M$ is WTF?
    djhallucn8's Avatar Posted By: djhallucn8
    07 Feb 2009



  2. garysgold
    Posts : 3,141
    Vista Ult 64 bit Seven Ult RTM x64
       New #1

    Thanks djhallucn8,

    Sounds like a reasonable way to handle things. Maybe turning UAC down a notch won't be so bad.

    Gary
      My Computer
    Quote Quote

  4. djhallucn8
    Posts : 307
    XP Pro, Windows 7 Ultimate 64 & 32 Build 7022
    Thread Starter
       New #2

    M$ really puts forth the effort in adding security so bad crap doesn't happen to your PC, but the UAC seems to have these flaws where using too much security has issues but not enough security will cause even bigger issues. Sure I like to be safe, but I also very aware of what sites to go to & where to DL stuff without making my machine crap out on me. Do you know what I mean Vern?
      My Computer
    Quote Quote

  5. djhallucn8
    Posts : 307
    XP Pro, Windows 7 Ultimate 64 & 32 Build 7022
    Thread Starter
       New #3

    BTW, I know your name is not Vern.
      My Computer
    Quote Quote

 

  Related Discussions
Read more at source: Microsoft promises fix for IE security flaw in next few days | Security & Privacy - CNET News Update: Microsoft Security Advisory (2757760): Vulnerability in Internet Explorer Could Allow Remote Code Execution See also:...
more: Microsoft insists UAC vulnerability is not a flaw
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 17:26.
Find Us