Microsoft: UAC security setting not changing (for now)

Microsoft: UAC security setting not changing (for now)

Summary: Via a hefty (but uncharacteristically responsive and timely) post to the Engineering Windows 7 blog, Microsoft officials said that they believe the default User Account Control (UAC) security setting in Windows 7 is fine as it is.(At least I think that is what the author of the post, Senior Vice President of the Windows Core Operating System Division Jon DeVaan, said.

SHARE:

Via a hefty (but uncharacteristically responsive and timely) post to the Engineering Windows 7 blog, Microsoft officials said that they believe the default User Account Control (UAC) security setting in Windows 7 is fine as it is.

(At least I think that is what the author of the post, Senior Vice President of the Windows Core Operating System Division Jon DeVaan, said. I've read this three times now and am still not entirely sure. I'm even more confused given this story from Computerworld that says Microsoft is going to change the UAC setting in the upcoming Windows 7 Release Candidate build, expected by testers to be available around April 2009.)

There has been growing controversy around how Microsoft is planning to change the UAC prompting with Windows 7. In Vista, UAC prompts were so onerous that many users turned UAC off. With Windows 7, Microsoft is offering users more levels of granularity. However, the default setting for Windows 7, as it currently stands, is overly permissive in some testers' (and some Microsoft employees') view.

(Rather than revisit the entire UAC security-setting controversy, I'll just point to a few posts about it from Within Windows, Istartedsomething, and yours truly. )

In his February 5 posting, DeVaan said that Microsoft based its UAC default decision on tester feedback from its Milestone 3 (M3) pre-beta build. Microsoft has declined to say how many people had access to the Milestone builds of Windows 7, but it was not a large number. The company has made the current Windows 7 Beta release available to millions of people.

The comments on DeVaan's post are worth a read. The bulk of them are critical of Microsoft's stance and are suggesting that a fix to the auto-elevate risk with the UAC setting would be relatively trivial. From poster d_e:

"Jon, you're missing the point. The people only want to see an UAC notification when the UAC level is changed. That's all. You don't have to change anything else."

Within Windows' Rafael Rivera -- one of the individuals who first brought the UAC security issue to MIcrosoft's attention -- said he was concerned that Microsoft is relying too heavily on external security mechanisms in Windows 7. He said:

"With UAC weaker in Windows 7, I feel as if we've regressed back to having only a single layer of security. Once a border application becomes comprised, by Windows-7-targeted malware, it's game over."

I've asked Microsoft officials if they have any further clarification around the company's UAC intentions. If I get any, I'll update this post with it.

Update: Even though the DeVaan post does not say this, Microsoft officials are now confirming that the company has fixed the elevation-escalation issue in Windows 7.  Here is what is still murky:

1. Microsoft is saying the elevation issue has been addressed in post-Beta-1 "internal Windows 7 builds." When will external testers see this fix? No one seems to be allowed to say. Microsoft is still not saying whether the Release Candidate -- the next official "milestone" build -- will go to only a smaller set of private testers or a larger group of public testers.  That means, unless Microsoft decides to offer further clarification, folks should not expect to see the UAC elevation prompt fix until Windows 7 is made generally available.

2. There may be more UAC modifications/fixes in the works. DeVaan's rather cryptic comment that Microsoft is still "listening to user feedback" seems to mean that Microsoft might make other tweaks to how UAC works before the product is released.

Update 2: Microsoft went back to the drawing board and posted a new blog entry on February 5 that explains exactly what will be changing with UAC. There will be two UAC changes in the Win 7 Release Candidate -- which seems as though it will be public, based on the new posting -- that reflect user feedback.

Topics: Operating Systems, Microsoft, Security, Software, Windows

About

Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • Why is this so confusing?

    I'm not understanding Microsoft's position here. Didn't they get lambasted for the default everyone NT security model? Now their efforst come down to a "well, it's mostly secure now" default method? Seriously. They must be idiots.

    How about a simple, elegant solution...ask the user during the installation. Make it a separate security screen with the highest level as the default and then let the user decide.

    I suspect that 95% will end up being preloaded on machines or locked down by a GPO, so this will really end up being an OEM or administration issue. However, for the 5% of people who buy the product and upgrade manually...we're pretty smart. We can handle moving a slider during install to choose what level we want. We can also handle editing the registry and other tasks to eliminate this problem ourselves.

    Why is this so hard? I'm really not understanding what the frackus is all about. Just offer us the option - if you want to customize it then do so. If not, then there ya go. Microsoft is going to end up pleasing nobody if they continue to take this wishy-washy middle of the road path.

    lawryll@...
    • Agreed. They're being stupid.

      If I understand this right, UAC hassles are reduced by having the default security level not prompt you every time you want to change a configuration setting. Good. That's a big hassle. I don't want them to change that either.

      The problem is that they are considering changing the UAC level to NONE to be a configuration change. It's not - it's a security change. It should DEFINITELY require your confirmation that you really want to do this before doing it. It's not like changing the format of the date to show the century or not, or moving an "all users" program menu shortcut from one folder to another.

      How hard can it be to understand this, realize that without it the whole UAC thing is a TOTAL WASTE OF TIME, and FIX IT???
      Steve Summers
  • RE: Microsoft: UAC security setting not changing (for now)

    In Vista UAC might have been annoying, but at least it served some useful purpose. The default setting in Windows 7 is, frankly, retarded. The only programs that get the annoying dialog are well-behaved ones; malicious software can just turn it off. So now you have an annoying feature which doesn't provide any actual benefit.

    Good job Microsoft. I was looking forward to Windows 7, but now I have a bad taste in my mouth.
    jepzilla
    • To be fair you can change it to the same behavior as Vista.

      Unfortunately, if they leave it this way by default, the situation you described will be the reality for most people.
      ye
    • your PC first...

      It's not like malware, without being on the PC, can turn off UAC. It requires a particular type of script, one that can automate system commands. Which means you have to install the program and accept UAC when it prompts on the install. Once there the program can do as it pleases. Is it good? No. Does it render "UAC completely useless"? Not at all.
      LiquidLearner
      • What limits this to a particular type of script? (nt)

        .
        ye
      • you're not understanding the flaws

        It seems most people are confused what the flaws might be. There are two of them that make UAC at the default setting exploitable. However, these are not exploitable if the user increases the default UAC setting to Vista-like UAC setting (highest).

        1. The script you install does not need to prompt UAC to make it work. In fact, a simple vb script not running with admin privilege *can* simulate key presses to turn off UAC *without* getting a UAC prompt. This is scary because a program can be installed at the user's privilege (i.e. not with admin credential) can still turn off UAC without you knowing. It's really important to remember that this program DOES NOT have admin privilege, yet it can disable UAC without the user getting prompted. Essentially, it can disable UAC silently at night while you're away.

        2. The second flaw is even worst. A third-party program can use Microsoft signed applications to run itself (the malware) as a proxy with full ADMIN privilege *without* getting a UAC prompt. In this case, a non-admin program is able to run with full admin privileges without the user being prompted.

        Even so, the user should ALWAYS be prompted regardless of current setting and program when changing the UAC setting. These two scenarios essentially make the default UAC setting easily exploitable and a false sense of security. What good is it if a program without admin privilege can disable one of your most critical security setting?
        kxn84@...
  • Who needs the source code ...

    ... that question has been asked many times over.

    This is why you [b]NEED[/b] the source code. aka F/OSS


    ^o^
    n0neXn0ne
    • resist the urge...

      don't feed the troll... resist the urge....
      The one and only, Cylon Centurion
    • "Security" by obscurity

      But given that this is Windows the vulnerabilities will not stay obscure for long...
      T1Oracle
  • what about TweakUAC quiet mode?

    Vista could be flawed also. Without prompts how do I know what's going on? Something could sneak on your PC and turn it off.

    Why is no one complaining about that.

    Randalllind
  • The real problem

    Is that UAC is really just another layer on top of a byzantine house of cards, that never actually adrdesses system security. The system isn't actually secure, and UAC is merely window dressing to give the impression that the system is secure.All that's happening is the user is being asked to make a yes no decision to allow a process to continue, if they make the wrong decision, and allow the wrong process to continue the system is compromised just as effectively as if they were never prompted, and if, as it appears, the whole UAC prompt system can simply be turned off by a malicious peice of code, there seems little point to it.
    tracy anne
  • Just copy OS X

    and have done with it. Mac users are used to putting in a password from time to time. It is part of the user-friendly interface. MS could do worse than to just copy the Mac, as they have done on so many other things.
    jorjitop