Last week, Long Zheng posted details about a security issue in Windows 7’s implementation of User Account Control. The UAC feature in Vista received so much criticism that Microsoft decided to add different security levels in Windows 7; the default setting now only warns you when a program tries to change Windows settings.


The problem Long Zheng described is so obvious it almost made me laugh:

The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, coupled with the new default UAC security level, would not prompt you if changed. Even to disable UAC entirely.

This is just bad design; it makes you wonder whether security really is a priority for Microsoft. To make matters worse, Microsoft’s initial response indicated that this is expected behaviour and that they had no plans to change it:

Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines. We know that the feedback does not apply to the “Always Notify” setting of UAC; and we know that UAC is not 100% effective at stopping malware once it is running.

That is all true, but any way of stopping malware once it is running can be useful, so a lot of people have suggested that it might be a good idea to have changes to the UAC and Firewall settings always pop up a warning. Fortunately, Microsoft has changed its mind as well; according to Computerworld, there will be some changes to UAC in the version of Windows 7 that will ship later this year.

Late Wednesday, a spokesman said that the company had addressed the latest UAC concerns in post-beta builds of Windows 7. “No, Microsoft has not reverted Windows 7 UAC’s behavior to mimic Windows Vista,” the spokesman said in response to several follow-up questions.

There are no other details available at this moment, but I’m sure more information will be available soon.