Microsoft caves in, will change Windows 7 UAC
Admits mistake, bows to critics by adding prompt to ensure hackers can't silence warning
Computerworld - Reacting to intense criticism of an important security feature in Windows 7, Microsoft Corp. today said it will change the behavior of User Account Control (UAC) in Windows 7's release candidate.
"We are going to deliver two changes to the Release Candidate that we'll all see," said John DeVaan and Steven Sinofsky, two Microsoft executives responsible for Windows' development, in the second of two posts to the Engineering Windows 7 blog today.
"First, the UAC control panel will run in a high integrity process, which requires elevation," said DeVaan and Sinofsky. "Second, changing the level of the UAC will also prompt for confirmation."
The changes, they said, were prompted by feedback from users, including comments appended to an earlier post Thursday by DeVaan in which he defended the modifications Microsoft made to UAC in Windows 7.
"Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed," DeVaan and Sinofsky said in the later blog post. "That's not the dialog we set out to have and we're going to do our best to improve."
The UAC feature, which debuted in 2007 as part of Windows Vista but was altered to reduce the number of prompts in Windows 7, has been under fire since last week, when two Windows bloggers, Rafael Rivera and Long Zheng, first reported that it could easily be disabled by attackers.
Yesterday, they followed up with more information about how hackers could piggyback on UAC-approved applications to fool Windows 7 into giving a malicious payload full administrative rights.
"This is definitely the result we've been looking for," Long said in an e-mail late Thursday. "[But] I'm a little bit shocked at just how quickly Microsoft has turned around, considering they made a post not 12 hours earlier stating that they would not change their position."
Rivera, Long and others urged Microsoft to reconsider the default setting of UAC in Windows 7. That default, which DeVaan said Microsoft had selected because people running Windows balked at dealing with more than two security prompts per day, was to "Notify me only when programs try to make changes to my computer."
Microsoft, however, won't be taking that tack. Instead, the next public version of Windows 7 -- dubbed RC, for release candidate -- will prompt the user before allowing any changes to UAC settings. "The way we're going to think about this [is] that the UAC setting is something like a password, and to change your password you need to enter your old password," DeVaan and Sinofsky said today.
Windows 7: Vista Reloaded
- New post-beta Windows 7 build leaks to Web
- Report: Free Windows 7 upgrades to run until January 2010
- Microsoft dumps Ultimate Extras from Windows 7
- HP says its netbooks will likely run three versions of Windows 7
- Economy could slow enterprise adoption of Windows 7
- Microsoft caves, will change Windows 7 UAC
- Microsoft tweaks Windows 7 UAC after new exploit code surfaces
- Microsoft cites 'click fatigue' for Windows 7 security change
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Taking Windows Mobile on Any Device Taking Windows applications mobile has many advantages, but the process of identifying a solution is complex. Learn how to solve this complex problem...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Windows White Papers | Webcasts