Microsoft rejects Windows 7 "security flaw"

 

Gallery

By Stuart Turton

Posted on 3 Feb 2009 at 11:12

Microsoft has denied that the User Account Control (UAC) exploit discovered by bloggers in Windows 7 represents a vulnerability in the operating system.

UAC was first introduced in Vista and prompts users to confirm that they want certain drivers and software to be installed.

The feature was swiftly derided by users due to its constant nagging, and has been subsequently turned down in Windows 7. However, blogger Rafael Rivera has argued that Microsoft has gone too far.

"Windows 7 now ships with UAC configured to hide prompts when users change Windows settings," noted Rivera on his blog. "While this mode still ensures normal applications can't overwrite your entire registry, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts.

"Yes, you can even change UAC settings, allow[ing] applications free reign in elevated mode, after the required restart," he says.

Rivera, together with fellow security expert Long Zheng, posted a script online showing how malware could quietly turn off UAC altogether, without alerting the user it had been done.

However, Microsoft has denied the feature is a flaw in the software.

"This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level," says a spokesperson for the company.

"Microsoft has received a great deal of usability feedback on UAC prompting behaviour in UAC, and has made changes in accordance with user feedback.

The company also argued that for the script to work as the bloggers intended, the user would have had to download and run it specifically.

"The only way this could be changed without the user's knowledge is by malicious code already running on the box. In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)."