.NET Developments

Feb 2 2009   1:08PM GMT

Windows 7’s UAC has a security flaw

Yuval Shavit

A couple of blog entries ago, I mentioned that among Windows 7’s improvements is a fix to the user account control (UAC) functionality introduced in Vista. UAC was always a good — and overdue — idea, but Vista’s implementation was annoyingly chatty. Windows 7 would fix that, I wrote.

According to blogger Long Zheng, a security hole has been found in Windows 7’s UAC: at Windows 7’s less chatty default setting, a script can turn off future UAC warnings without ever triggering a prompt. I haven’t tested it yet (our work machines still run XP), but Zheng’s blog entry includes proof-of-concept code. According to the blog, the issue had previously been reported as a bug on Microsoft Connect, but Microsoft closed it as “by design.”

The easy fix is to set your UAC level to always ask for confirmation, even for changes to Windows’ own system settings. That means malicious code won’t be able to disable UAC behind your back, but it also means UAC is back to its annoying Vista persona.
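The UAC slider in the control panel is backed by a handful of policy values in the registry, so the fix can also be applied and checked from a script. The following is an added example, not code from the original post or from Long Zheng’s proof of concept; it uses the documented UAC policy values under the Policies\System key and must be run from an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example: inspect the current UAC prompt level and, if needed, raise it
# to "Always notify". Not from the original post. Uses Microsoft's documented
# UAC policy values; requires an elevated (administrator) PowerShell session.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin (documented UAC policy values):
#   0 = elevate silently, no prompt
#   1 = prompt for credentials on the secure desktop
#   2 = prompt for consent on the secure desktop      ("Always notify")
#   3 = prompt for credentials
#   4 = prompt for consent
#   5 = prompt for consent for non-Windows binaries only (Windows 7 default)
# Level 5 is the convenient default: signed Windows components elevate without
# a prompt, which is exactly the behaviour a script can take advantage of.

function Get-UacLevel {
    # Returns the three values that together define the effective UAC level.
    $s = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $s.EnableLUA
        ConsentPromptBehaviorAdmin = $s.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $s.PromptOnSecureDesktop
    }
}

function Test-UacAlwaysNotify {
    # True only when UAC is on, every elevation prompts for consent, and the
    # prompt is shown on the secure desktop (the "Always notify" slider position).
    $l = Get-UacLevel
    return ($l.EnableLUA -eq 1 -and
            $l.ConsentPromptBehaviorAdmin -eq 2 -and
            $l.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Equivalent to dragging the UAC slider to the top: Windows binaries,
    # including the UAC settings dialog itself, now prompt like everything else.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Show the current state, then harden if it is anything short of "Always notify".
Get-UacLevel | Format-List
if (-not (Test-UacAlwaysNotify)) {
    Set-UacAlwaysNotify
    Write-Host 'UAC set to Always notify. Reboot to be sure the new level is in force.'
} else {
    Write-Host 'UAC is already set to Always notify.'
}
```

Run `Test-UacAlwaysNotify` on its own as a quick audit; anything other than `True` means the machine is still on a level where Windows components elevate without asking.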

Let this be a reminder to us all: convenience and security are often at odds. Too many warnings are a problem in their own right, because users are apt to just click “yes” without reading the message. Striking the right balance between giving users power, options, convenience and security is always difficult.
