Print 107 comment(s) - last by weskurtz0081.. on Nov 11 at 8:55 AM

Windows 7 may be more secure, but its UAC is less functional than Windows Vista's, according to a recent security study. The study suggests that only antivirus protection can properly protect Windows 7.  (Source: Switched)
Antivirus protection still necessary, says firm

One of the most unpopular features of Windows Vista among casual users was the User Account Control (UAC).  Ironically, while the UAC provoked irate comments from these users, like "why is my computer asking me to approve everything", the feature was one of the most appreciated features by power users as it gave them much more control over their security and ability to prevent inappropriate actions.

With Windows 7, Microsoft pledged to go the OS X route on this topic, tuning down the UAC's warnings to a lesser level.  Many security firms complained about this approach and Microsoft relented slightly, restoring some of the UAC's warnings, in particular a warning about the disabling the UAC altogether (experts showed that attackers could disable the UAC without prompting the user in early builds of Windows 7).

While these changes helped make Windows 7's release edition more secure than the test builds, the UAC's default setting is still neutered compare to Vista's robust solution, indicates Sophos Senior Security Adviser Chester Wisniewski.  He's just completed a study of attacking Windows 7 with malware and seeing how the new UAC responds.

Of the ten pieces of malware tested, Windows 7 wouldn't install two of them.  Of the remaining eight only one generated a UAC warning, allowing the user to disallow its installation.

Microsoft officials, though, minimized the test, saying the UAC just isn't that important a security feature anymore.  They point to Windows 7's improved memory protections and Microsoft free Security Essentials antivirus suite as two critical tools that can be used to fight infection, in addition to the UAC. 

States a Microsoft spokesperson, "Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)."

"Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released," the spokesperson added. "Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions."

While he understands that with other supplemental protections Windows 7 will likely be safe, Mr. Wisniewski seems mildly disapproving of defaulting the UAC to reduced functionality.  After all, users of Windows Vista may be lulled into a false sense of security expecting prompts to save them from malware.  Ultimately, though, there's little that can be done to convince Microsoft to change this, though, and he concludes, "Lesson learned? You still need to run antivirus [protection] on Windows 7."

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Flawed Methodology
By StevoLincolnite on 11/5/2009 11:01:18 PM , Rating: 0
No it's not.

Yes it is, you would be surprised how many people simply turn it off, which defeats the purpose, just because they find it "Annoying".

RE: Flawed Methodology
By DominionSeraph on 11/6/09, Rating: 0
RE: Flawed Methodology
By damianrobertjones on 11/6/2009 6:27:05 AM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop un-authorised installing/launching/access to the system and it's sections. Supposedly, when a web app tries to install, UAC should appear and warn you about this action.

Something trying to access the management section, UAC prompt. It's simply another level of protection that people turn off. Damned if they do, Damned if they don't

UAC does serve a purpose. At least try to add more than 'no it's not'.

RE: Flawed Methodology
By wallijonn on 11/9/2009 1:39:18 PM , Rating: 2
As most people run as admin, which in itself is very silly, the point of UAC is to stop un-authorised installing/launching/access to the system and it's sections.

And seeing how XPHome defaults to admin rights for all accounts created, the problem still lies with MS. Many people don't know what to do with Restricted or Limited accounts. So they just create another account, which has Admin rights by default, and get back onto the Internet. Installing Firewalls don't help either since they'll just get the same type of Vista UAC prompts. Eventually they disable all Internet access and end up calling me...

RE: Flawed Methodology
By StevoLincolnite on 11/6/2009 9:33:27 AM , Rating: 2
nd that purpose would be...? Please say, "Security." I do so much like laughing at fools.

Well it's obviously not to assist in rendering Direct 3D based games is it now? What else would it be for?

In essence the greatest cause of computer issues was because of the person using it, which has been true for decades, the UAC was supposed to be a "Cure" for the ailment, which unfortunately ticked allot of people off with it's annoying prompts.

The idea of UAC was to stop:

* Malicious Programs from executing without a users consent.
* To verify your actions, so you can reverse what may be a potentially catastrophic mistake.
* So you aware on what is going on in the back ground of your system.

I think that pretty much falls under "Security" which UAC achieves, like it or not.

RE: Flawed Methodology
By DominionSeraph on 11/6/2009 9:01:33 PM , Rating: 2
Ahhh... typical American consumer egotism, thinking that everything is engineered to directly cater to you.

The purpose of UAC is to socially engineer towards the use of limited user accounts.

Prior to Vista, everyone ran as Admin. They had to, because their programs didn't work under limited user access, and programmers kept programming for system area access because everyone ran as admin.
Cute little self-supporting structure there.

With Microsoft's use of limited access tokens with UAC elevation in Vista's administrator account, programmers could no longer presume admin access. To make a program that would work without constant UAC nags, they had to design programs that would behave under a limited user account, just like Microsoft had been telling them to do for the last decade.
They now do this, which makes actually running as a limited user a valid option.

The security is in the limited user account. UAC just nags it into viability.

So you see, UAC was never meant to secure the inherenly unsecure admin account. Microsoft isn't weighing usability against administrator account protection, they're weighing usability against programmer coercion. Windows 7 increases usability while maintaining the same degree of pressure on programmers to program in alignment with the security model of limited access users.

The decrease to security in user-initiated actions in the administrator account is a meaningless aside, as the administrator account is not meant to protect the user from himself.
Limited accounts are there to protect the system from idiots running, "format.bat." The administrator account, however, is the place you're supposed to be able to run it.

"We don't know how to make a $500 computer that's not a piece of junk." -- Apple CEO Steve Jobs

Most Popular Articles5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Laptop or Tablet - Which Do You Prefer?
September 20, 2016, 6:32 AM
Update: Samsung Exchange Program Now in Progress
September 20, 2016, 5:30 AM
Smartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki