After initially describing the ability for code to change UAC (user account Control) levels on Windows 7 beta without generating a UAC prompt as “by design” Microsoft has now agreed to make changes to the Release Candidate code
to tighten up security with regards to this issue.
With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.
What’s interesting is that this change of heart comes only hours after Jon DeVaan
, senior vice president of the Windows Core Operating System Division, tries to assure readers of Microsoft’s Engineering 7 blog that the UAC problem is not a problem at all. The tone of this earlier post was very much one of we’re right, you’re wrong
We are very happy with the positive feedback we have received about UAC from beta testers and individual users overall. This helps us validate our “regular people” focus in terms of the trade-offs we continue to consider in this design choice. We will continue to monitor the feedback and our telemetry data to continue to improve our design choices on UAC.
A flurry of comments followed which seemed to have caused the change of heart.
To be honest, I’m not sure why it took so long for Microsoft to realize that being able to alter UAC levels without any kind of system feedback was a serious issue. It’s not the fact that a bug of this sort existed in Windows 7 beta that bothered me (after all, it’s a beta), it was Microsoft’s odd nothing to see, move along
reaction to it. I’m not sure whether this was down to Windows 7 being nearly done or a resistance to outside criticism of a change of policy that was OK-ed internally at Redmond, but in my mind it took far too much screaming from the crowds to get the problem acknowledged.
Needless to say, this is a victory (and vindication) for blogger Long Zheng
who first highlighted this issue. Microsoft backpedals on UAC flaw | Hardware 2.0 | ZDNet.com
All I have to say to M$ is WTF?