Windows 7 UAC A Security Risk, Microsoft Concedes


Microsoft has agreed to tweak the User Account Control (UAC) system in Windows 7 to avoid an inherent security risk.

During the production of Windows 7, Microsoft decided to change the default UAC so that it no longer asks for confirmation when a user adjusts his or her Windows settings. Security experts suggest that these settings include UAC itself, meaning rogue software could turn this protection off completely without the user knowing.

Microsoft argued that this was not a true vulnerability, because an attacker could only take advantage of it by first getting the victim to run the rogue software, for example by disguising it as a legitimate link on a website. The company contended that this was much less likely to happen in Windows 7 because of other new and improved security measures.
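As an added defender-side example that is not part of the original article, the PowerShell function below reads the registry values that back the UAC slider on Windows 7 (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and reports whether the machine sits below "Always notify", the only position at which changes to Windows settings are still prompted for. The function name and the mapping of values to slider positions in the comments are my own reading of the Windows 7 levels, not something taken from the article.

```powershell
function Get-UacPosture {
    # Registry key that backs the UAC slider on Windows 7 (assumed location; see lead-in)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # A missing value reads as $null; [int]$null is 0, which is the "off" setting for all three
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # Mapping of the raw values to the Windows 7 slider positions (my reading of the levels)
    if ($enableLua -eq 0 -or $consent -eq 0) {
        $level = 'Never notify (UAC effectively off)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Notify only when programs try to make changes (Windows 7 default)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify only for programs, without the secure desktop'
    } else {
        $level = "Non-standard (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    # Anything below "Always notify" lets changes to Windows settings go through without a prompt,
    # which is the behaviour the article describes as exploitable in the pre-release builds
    $silentSettingsChanges = ($enableLua -eq 0) -or -not ($consent -eq 2 -and $secure -eq 1)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        SilentSettingsChanges      = $silentSettingsChanges
    }
}

# Print the current posture; run from an elevated prompt if the key is not readable
Get-UacPosture | Format-List
```

Running this on a fleet (for example through a scheduled job that writes the object to a central log) gives a baseline for the UAC level, so that an unexpected drop to "Never notify" or a non-standard combination shows up as a change to investigate rather than going unnoticed, which is exactly the silent change the article is concerned about.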

However, bloggers and people commenting on Microsoft websites didn't accept this argument. There seemed to be a general feeling that, remembering the hostile response to UAC in Vista, the firm was taking an unnecessary security risk for the sake of cutting down user annoyance. (Source:

Microsoft: We Don't Feel Good

The company has now responded and acknowledged the concerns, writing "We don't like where we are in terms of how folks are feeling and we don't feel good." The firm says it will now make a change to the system that has been suggested. This means that in the final version of Windows 7, any change to the UAC security level will require confirmation, even if the system isn't set to notify a user about changes to Windows. (Source:

That being said, Microsoft is insistent that its security priority will always be stopping rogue software from getting onto computers in the first place. The firm argues that if it is successful in doing this, any other security problems will either be minimized or made irrelevant.
