UAC for Windows 7 will no longer expose its users' systems to takeovers, thanks to a reversal in policy by Microsoft based on feedback.  (Source: Started Something)
Microsoft wins points with the tech community by reversing its decision to ignore a critical security flaw

DailyTech recently reported on how a critical security flaw found in the beta of Microsoft's upcoming Windows 7 OS could allow attackers to easily disable the integral User Account Control (UAC) security component and gain control of systems.  The flaw was first discovered by Windows blogger Long Zheng, and was also independently detailed by blogger Rafael Rivera.  The pair followed up with additional information yesterday on how the flaw could be used to give a malicious payload full execution rights.

Microsoft's initial reaction was to deny that the flaw was a problem at all, instead describing the behavior as "by design".  In a blog post, Jon DeVaan, the senior vice president responsible for Windows' architecture and core components, defended the decision, saying it was necessary to avoid annoying users with prompts.

Stated Mr. DeVaan, "If people see more than two prompts in a session they feel that the prompts are irritating and interfering with their use of the computer.  We are very happy with the positive feedback we have received about UAC."

His blog post was met with a firestorm of criticism from experienced Windows users in the community.  Rather than turning a blind eye to the criticism, however, Microsoft has apparently listened to its community and customers, today announcing a swift and dramatic reversal of its UAC stance.

Microsoft announced that it will implement the seemingly obvious solution to the problem: Windows 7 will prompt the user before any change to the UAC settings is applied.  Previously this was only done in safe mode.  The change preserves Microsoft's certification system, which keeps warnings less irritating, while now safeguarding the UAC settings themselves.

Jon DeVaan and Steven Sinofsky, two Microsoft executives responsible for Windows' development, released a joint statement today.  The pair writes, "Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed.  That's not the dialog we set out to have and we're going to do our best to improve."

They attempt to placate critics, stating, "We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7.  We want to continue the dialog and hopefully everyone recognizes that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints."

Most importantly, they reveal, "We are going to deliver two changes to the Release Candidate that we'll all see.  First, the UAC control panel will run in a high integrity process, which requires elevation.  Second, changing the level of the UAC will also prompt for confirmation."
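The two changes above close the gap at the point where the UAC level is set; what a defender can still do on any Windows 7 machine is verify that the level has not been silently weakened after the fact. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reads the policy values that the UAC slider ultimately writes and flags a configuration that prompts less than the default. The registry path and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard UAC policy locations, which the article itself does not name; the defaults assumed when a value is absent are the Windows 7 out-of-box values.

```powershell
# Added example (not from the article or Microsoft): audit the UAC policy values
# behind the control-panel slider and report whether they are weaker than default.
# Path and value names are the standard UAC policy locations; the article does not
# name them.  Value meanings follow Microsoft's documented UAC policy settings.
function Get-UacAuditReport {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $p = Get-ItemProperty -Path $PolicyPath -ErrorAction Stop

    # Fall back to the Windows 7 out-of-box defaults when a value is not present.
    $enableLua     = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminBehavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($enableLua -eq 0) {
        $findings.Add('EnableLUA=0: UAC is disabled entirely; administrator processes run fully elevated.')
    }
    if ($adminBehavior -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: administrators elevate silently ("Never notify").')
    }
    if ($secureDesktop -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: elevation prompts appear on the normal desktop instead of the secure desktop.')
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminBehavior
        PromptOnSecureDesktop      = $secureDesktop
        Weakened                   = ($findings.Count -gt 0)
        Findings                   = $findings.ToArray()
    }
}

# Optional: raise an event when the admin prompt level changes, so a silent
# change is noticed as it happens rather than at the next scheduled audit.
# Uses the WMI RegistryValueChangeEvent class (WQL requires doubled backslashes).
function Register-UacChangeWatch {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' " +
             "AND ValueName='ConsentPromptBehaviorAdmin'"
    Register-WmiEvent -Query $query -SourceIdentifier 'UacLevelChanged' -Action {
        Write-Warning ("UAC admin prompt level changed at {0}; re-run Get-UacAuditReport." -f (Get-Date))
    } | Out-Null
}

# Example use: print the report and exit non-zero so a scheduled job can flag drift.
$report = Get-UacAuditReport
$report | Format-List
if ($report.Weakened) { exit 1 }
```

Reading the policy key does not require elevation, so the audit can run under a standard user account from a scheduled task; the watch function, by contrast, needs an elevated session to subscribe to WMI registry events. The audit is a detective control only: the prompt-on-change behavior Microsoft describes for the Release Candidate is what actually prevents the level from being lowered without the user's consent.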

The upcoming Release Candidate of Windows 7, which will include these changes, is nearly the final milestone before Windows 7 goes on sale.  The pair's remarks also suggest that the RC is coming soon, which would indicate that Windows 7 is well on track for its target launch in the second half of 2009.

The move by Microsoft to accept and deal with the criticism constructively is already being praised by some in the security community, even if they feel it was more to avoid negative PR than to strengthen security.  Says Andrew Storms, director of security operations at nCircle Network Security Inc. in an interview with ComputerWorld, "This goes back to what beta programs are supposed to provide: feedback from a real audience.  This was an obvious design flaw, and for them to say they simply weren't going to fix it, that was the real problem.  I think they realized that they needed to do something, more over the concern about their reaction than to the vulnerability itself."

And Long Zheng, who discovered the flaw, expressed pleasant surprise at the response, stating, "This is definitely the result we've been looking for.  [But] I'm a little bit shocked at just how quickly Microsoft has turned around, considering they made a post not 12 hours earlier stating that they would not change their position."
