Windows 7 UAC Vulnerability Checked

Bloggers 1, Microsoft 0?

The blog post was tongue-in-cheek, yet written with obvious frustration: “First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I’m just going to share this for free.”

Perhaps it’s the power of righteousness that made the software giant sit up and listen to the voice in the blog. Or, perhaps it’s the potentially negative PR power of the blogosphere. What matters is that Microsoft made some changes to Windows 7’s User Account Control (UAC) feature in response to people’s concerns. Here’s a recap:

Long Zheng wrote in his blog, “A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenius override that renders UAC disabled without user interaction.” Fellow tech blogger Rafael Rivera explained it in further detail.

Microsoft countered that it was by design: “This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. ….”

Then Long Zheng upped the ante: “...a second UAC security flaw in the Windows 7 beta’s default security configuration allows a malicious application to autonomously elevate themselves to full administrative privileges without UAC prompts or turning UAC off. A result I’m sure cannot be classified as ‘by design.’”

Hours later, this post appeared on Microsoft’s Windows 7 Engineering blog: “…we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.”

Microsoft's post sounded vaguely hurt, or at least rueful: “When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both.”

What's not clear is whether the blog reveals regret for making a mistake or for being called out for making a mistake. At any rate, Windows 7 continues to evolve, in spite of human egos.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.