Microsoft On Windows 7 UAC Security Hole: ‘This is Not a Vulnerability’

Microsoft On Windows 7 UAC Security Hole: ‘This is Not a Vulnerability’

Even though the gaping breach in Windows 7’s User Account Control feature seems, to all eyes, like a pretty easy fix, Microsoft appears to be in denial mode with MS expert Mary Jo Foley.

As we’ve reported, various Windows security hounds have found that the new, less-naggy User Account Control (which doesn’t bug you as often when potentially malicious apps get their fingers in your system) can be easily exploited to bring the nastiness to your PC. Many of said hounds have concluded that, with the UAC hole, Windows 7 is significantly less secure than Vista.

But for some reason, Microsoft won’t fess up. When Mary Jo pressed them on the issue, they came back with this statement, which seems to contradict many of the observations of those publicising the exploit:

* “This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
* Microsoft has received a great deal of usability feedback on UAC prompting behaviour in UAC, and has made changes in accordance with user feedback.
* UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
* The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
* In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)”

Windows 7 is, of course, still in beta, but the tone of denial here is troubling. Hopefully a change of tune is in order, as it would be a shame to see security be the downfall of an otherwise fantastic improvement over Vista. For more analysis check out Mary Jo Foley’s blog: [All About Microsoft]