We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft to change UAC in Windows 7

MS responds to user criticism

Microsoft yesterday said it will change the behaviour of User Account Control (UAC) in Windows 7's release candidate. The decision was taken in response to intense criticism of an important security feature in Windows 7, which is universally loathed in Windows Vista.

"We are going to deliver two changes to the Release Candidate that well all see," said John DeVaan and Steven Sinofsky, two Microsoft executives responsible for Windows' development, in the second of two posts to the Engineering Windows 7 blog.

"First, the UAC control panel will run in a high integrity process, which requires elevation," said DeVaan and Sinofsky. "Second, changing the level of the UAC will also prompt for confirmation."

The changes, they said, were prompted by feedback from users, including comments appended to an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7.

See also: Windows 7 review

See also: Windows 7 video guide

"Our dialog [sic] is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed," DeVaan and Sinofsky said in the later blog post. "That's not the dialog we set out to have and we're going to do our best to improve."

The UAC feature, which debuted in 2007 as part of Windows Vista, but was altered to reduce the number of prompts in Windows 7, has been under fire since last week, when two Windows bloggers, Rafael Rivera and Long Zheng, first reported that it could easily be disabled by attackers.

Wednesday, they followed up with more information about how hackers could piggyback on UAC-approved applications to fool Windows 7 into giving a malicious payload full administrative rights.

"This is definitely the result we've been looking for," Long said in a email late Thursday. "[But] I'm a little bit shocked at just how quickly Microsoft has turned around, considering they made a post not 12 hours earlier stating that they would not change their position."

Rivera, Long, and others urged Microsoft to reconsider the default setting of UAC in Windows 7. That default, which DeVaan said Microsoft had selected because people running Windows balked at dealing with more than two security prompts per day, was to "notify me only when programs try to make changes to my computer".

Microsoft, however, won't be taking that tack. Instead, the next public version of Windows 7 - dubbed "RC" for release candidate - will prompt the user before allowing any changes to UAC settings. "The way we're going to think about this [is] that the UAC setting is something like a password, and to change your password you need to enter your old password," DeVaan and Sinofsky said Thursday.

Microsoft has not spelled out a Windows 7 RC timetable , but Sinofsky reiterated last week that the development process was moving straight from the public beta, which was launched Jan. 10, to the release candidate. In the past, the company has delivered multiple betas before moving to the RC milestone.

How to: How to: is your PC ready for Windows 7?

The other change to be implemented in Windows 7 RC will effectively render moot the proof-of-concept attack that Rivera and Long published last week, which silently disables UAC. "That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working," DeVaan and Sinofsky said.

They didn't issue an apology for the dust-up, but said Microsoft had erred when deciding how to implement UAC in Windows 7. "We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7."

"We want to continue the dialogue and hopefully everyone recognises that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints," they said.

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews

One security professional praised Microsoft's move. "This goes back to what beta programs are supposed to provide, feedback from a real audience," said Andrew Storms, director of security operations at nCircle Network Security.

"This was an obvious design flaw, and for them to say they simply weren't going to fix it, that was the real problem," Storms said. "I think they realised that they needed to do something, more over the concern about their reaction than to the vulnerability itself."

Computerworld.com


IDG UK Sites

Samsung Galaxy Note 4 review: Great if you like big, expensive phones

IDG UK Sites

Why Sony's PS4 2.0 update is every gamer's dream (well, mine at least)

IDG UK Sites

This Grolsch ad combines stop-motion & CG for majestic results

IDG UK Sites

Apple rumours and predictions for 2015: What to expect from Apple in 2015