Microsoft Argues UAC Isn't A Vulnerability - InformationWeek
Software // Operating Systems
06:45 PM
Connect Directly
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

Microsoft Argues UAC Isn't A Vulnerability

One of the criticisms of the User Account Control under Windows Vista is that its warning prompts are annoying.

Microsoft on Thursday moved to clarify what it characterized as "misconceptions" about its Windows User Account Control, a security feature introduced in Windows Vista to control the privilege level at which software can operate.

Last month, Microsoft published a blog post explaining changes to the way UAC will work under Windows 7. It said the company's forthcoming operating system would have fewer UAC warning prompts and offer users greater control over UAC. One of the criticisms of UAC under Windows Vista is that its warning prompts are annoying.

In the past week, Windows bloggers Rafael Rivera and Long Zheng have published several posts claiming that UAC is flawed because the effort to make UAC less annoying makes it more vulnerable to being disabled by malware.

On Thursday, Microsoft's Jon DeVaan, senior VP of the Windows Core Operating System Division, published a blog post to address UAC's detractors.

"The first issue to untangle is about the difference between malware making it onto a PC and being run, versus what it can do once it is running," he said. "There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running. Microsoft's position that the reports about UAC do not constitute a vulnerability is because the reports have not shown a way for malware to get onto the machine in the first place without express consent."

DeVaan also tried to convey that UAC under Windows 7 will be more functional than under Vista because it will offer users more settings. In Vista, he said, there were only two choices: never being notified and always being notified. To avoid the annoyance of constant notification, Windows users couldn't dial down the volume; they had to set UAC to never notify them about system changes. And this prevented UAC from informing users about risks.

Because UAC in Windows 7 includes four notification options, DeVaan expects it will prove more functional.

DeVaan concludes his post with a plea for understanding. "While we cannot implement features the way each and every one of you might wish, we are listening and making a sincere effort to properly weigh all points of view," he said. "Our goal is to create a useful, usable, and secure Windows for all types of people."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll