User Account Control
UAC was one of the most reviled aspects of Windows Vista, and Microsoft tweaked UAC in Windows 7 to reduce the frequency of alerts. Microsoft is to be commended for making UAC less annoying, but customers that move to Windows 7 from XP could still encounter UAC-related headaches. What's more, Microsoft has steadfastly refused to acknowledge possible security glitches in UAC that have arisen during Windows 7 testing, even when they've been reported by some of the company's most loyal followers.
In February, Windows 7 beta testers uncovered a pair of security flaws in User Account Control, and Microsoft, after some hemming and hawing, agreed to fix them. But in June, respected Microsoft blogger Long Zheng claimed that UAC in Windows 7 still contains a vulnerability that makes the default setting of Windows 7 UAC less secure than Vista UAC.
Zheng pointed out that when Windows 7 UAC is left at its default setting, which is not to notify users of changes to Windows settings, applications that raise no UAC alert can run code or launch other applications with administrative privileges. Microsoft denied that this is a vulnerability and said it's simply the way Windows 7 was designed, which is exactly the stance it took with the first two UAC vulnerability reports.
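For administrators who want to check which UAC prompt level a Windows 7 machine is actually running, the following PowerShell audit is an added example, not code from the article or from Microsoft. It reads the documented UAC policy values under the local machine's Policies\System key; the warning text and the choice of level 2 as the hardened setting are this example's own assumptions.

```powershell
# Added example: audit the UAC elevation-prompt level the article discusses.
# Requires read access to HKLM; remediation (commented out) requires an elevated shell.
$uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacPath

# Documented meanings of ConsentPromptBehaviorAdmin for members of Administrators.
$promptLevels = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista-style "Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC (EnableLUA) is disabled entirely; no elevation prompts are shown.'
}

# When the value is absent, Windows applies its built-in default rather than a stored policy.
if ($null -eq $uac.ConsentPromptBehaviorAdmin) {
    Write-Output 'ConsentPromptBehaviorAdmin is not set; the OS default applies (5 on Windows 7).'
    $level = 5
} else {
    $level = [int]$uac.ConsentPromptBehaviorAdmin
}

Write-Output ("ConsentPromptBehaviorAdmin = {0}: {1}" -f $level, $promptLevels[$level])

# Level 5 is the Windows 7 default described in the article: Windows' own signed binaries
# elevate without any prompt, so only non-Windows programs trigger a UAC alert.
# Level 2 restores Vista-style behaviour, prompting for every elevation.
if ($level -eq 5) {
    Write-Warning 'UAC is at the Windows 7 default; set ConsentPromptBehaviorAdmin to 2 to prompt for every elevation.'
    # Remediation, assumed here as the hardened setting; uncomment to apply from an elevated shell:
    # Set-ItemProperty -Path $uacPath -Name ConsentPromptBehaviorAdmin -Value 2
}
```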
To date, the software giant hasn't issued a fix for the UAC flaw, despite growing evidence that it's something that needs to be dealt with.
In June, Windows 7 tester Leo Davidson created proof-of-concept code that demonstrates the potential impact of the UAC flaw, and in August, the beta for Microsoft's Security Essentials product flagged the proof-of-concept code as malware.
UAC is Microsoft's baby, so it makes sense that company officials would be quick to defend it. However, when criticisms are being levelled at UAC from some of Microsoft's loyal disciples, perhaps it's time for Microsoft to consider the possibility that they might have a valid point.