Windows 7 UAC "flaw" sacrifices security for usability

By on February 2, 2009, 10:14 AM
When Microsoft launched Windows Vista, it also introduced a new User Account Control (UAC) feature, one that was supposed to safeguard users against malware by prompting them for permission before allowing applications to proceed. However, many have found it intrusive and annoying. In Windows 7, UAC is still there but Microsoft has toned down the default security setting to make it more palatable, in the sense that it no longer bugs you when you perform routine tasks or even when users change Windows settings.

But in making these changes Microsoft may have inadvertently introduced a gaping security hole. Since the default UAC setting is now to alert users only when a third-part program tries to make changes to a PC and not when the actual user makes changes, then using only keystroke commands issued by a malware program, the technology can be deactivated without the user ever knowing that their system's been compromised. Then after eventually restarting the machine a malicious user could embed something at boot time and take control of the computer.

Of course an attack could also be averted using other security technologies, such as an antivirus suite, but it goes to show how easily UAC can be taken out of the picture. Developer Rafael Rivera wrote some simple proof of concept script to underline this concern and also notes that users can play it safe by merely changing the UAC policy to “Always Notify.” Microsoft, on the other hand, seems to be relaxed about the topic saying the flaw is “by design” and apparently has no fix planned for it.




User Comments: 6

Got something to say? Post a comment
yukka said:
Just make UAC prompt if you make changes to UAC. Why wouldn't you make that the default behaviour?
Darth Shiv said:
[b]Originally posted by yukka:[/b][quote]Just make UAC prompt if you make changes to UAC. Why wouldn't you make that the default behaviour?[/quote]Because that would make sense. We can't have that now, can we?Honestly, where do the people who make these decisions come from? Why are there so many?
DarkCobra said:
I agree. UAC for me at least was the WORST overly intrusive feature in VISTA (at least the way MS shoved it down our throats). I understand the desire to try and protect people from themselves but you can't force feed common sense on people. People have to learn how to properly use and maintain a computer. Some of us learned how to do that and sadly a great many still have not. UAC (as MS provided it) force fed something overly intrusive down everyone's throats which was a blunder. Provide it and recommend it for those who need it, but please make it defeatable for those of us who don't need it and as said above only have it prompt us again if we make changes.
MichaelLS said:
The trouble is that the UAC then drives the end users crazy.Truth is - without a real Kernel this OS by design can not be patched. FACT!As Jose quoted: "Microsoft, on the other hand, seems to be relaxed about the topic saying the flaw is “by design” and apparently has no fix planned for it." Well, duh, because they can't fix it. It is inherently open by design. 'Flawed by design' is the real object of truth here. Sad!User's have no choice in the matter - they must use a good firewall - Zone Alarm Suite / Kapersky or such.This design platform is not regularly attacked due to popularity - although that is certainly a very real factor - however, truth is, its very vulnerable by design. The original designers admit that! FACT! Who knew this would be the case at that time? Now - how to effectively change that while locked into all this patented tech and IP. That's the real issue on the table for Micro$oft.
DarkCobra said:
Which explains why MS really needs to engineer an entirely new modern platform for their OS.
MichaelLS said:
[b]Originally posted by DarkCobra:[/b][quote]Which explains why MS really needs to engineer an entirely new modern platform for their OS.[/quote]Amen! Please Micro$oft!! The time to react is long over due! It's time to start over! We need you people to stop this patch the patch that patched that patch application efforts. A new GUI makeover with a sprinkling of new icons just does not meet today's requirements. Just changing the products name is not satisfactory! Who did you think you were fooling? Hire new management! Put aside the greed and do some decent engineering work on your own for a change. Stop copying everybody else and lead the industry for a change!Please! Sheeeeish!
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.