Software // Operating Systems
06:45 PM
Connect Directly
Repost This

Microsoft Argues UAC Isn't A Vulnerability

One of the criticisms of the User Account Control under Windows Vista is that its warning prompts are annoying.

Microsoft on Thursday moved to clarify what it characterized as "misconceptions" about its Windows User Account Control, a security feature introduced in Windows Vista to control the privilege level at which software can operate.

Last month, Microsoft published a blog post explaining changes to the way UAC will work under Windows 7. It said the company's forthcoming operating system would have fewer UAC warning prompts and offer users greater control over UAC. One of the criticisms of UAC under Windows Vista is that its warning prompts are annoying.

In the past week, Windows bloggers Rafael Rivera and Long Zheng have published several posts claiming that UAC is flawed because the effort to make UAC less annoying makes it more vulnerable to being disabled by malware.

On Thursday, Microsoft's Jon DeVaan, senior VP of the Windows Core Operating System Division, published a blog post to address UAC's detractors.

"The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running," he said. "There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent."

DeVaan also tried to convey that UAC under Windows 7 will be more functional than under Vista because it will offer users more settings. In Vista, he said, there were only two choices: never being notified and always being notified. To avoid the annoyance of constant notification, Windows users couldn't dial down the volume; they had to set UAC to never notify them about system changes. And this prevented UAC from informing users about risks.

Because UAC in Windows 7 includes four notification options, DeVaan expects it will prove more functional.

DeVaan concludes his post with a plea for understanding. "While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view," he said. "Our goal is to create a useful, usable, and secure Windows for all types of people."

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
Protecting Critical Infrastructure: A New Approach NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.