Search icon A magnifying glass. It indicates, "Click to perform a search".
US Markets Loading... h m s
Close icon Two crossed lines that form an 'X'. It indicates a way to close an interaction, or dismiss a notification.
Chevron icon It indicates an expandable section or menu, or sometimes previous / next navigation options. HOMEPAGE
Tech

Windows 7 Security Savaged (MSFT)

Eric Krangel
Updated
2009-02-04T15:49:00Z
Read in app

windows_7_ballmer_ces.jpgSome days it seems like Microsoft (MSFT) just can't win. Windows XP was generally well-liked for its user interface, but was criticized for being highly vulnerable to malware, viruses, and other cyberattacks. Microsoft responded by making Vista the most secure -- and most annoying -- Windows ever, with the problems that plagued XP solved with constant security pop-ups.

Now it looks like the pendulum may have swung the other way with Windows 7. While 7 has been praised for being less intrusive than Vista in managing system security, it also might be far less effective at keeping malware out.

Advertisement

Via ZDnet's Mary Jo Foley:

Two Windows enthusiast bloggers, Long Zheng and Rafael Rivera, have now discovered not one, but two, seemingly severe exploit channels in the UAC setting that is currently set as the default for Windows 7. The first exploit they publicized (after talking to Microsoft privately about it) allows malware to turn off UAC; the other allows malware to auto-elevate without notifying the user. To date, Microsoft’s response is that the new UAC default is set the way it is “by design” and isn’t problematic.

Related stories

I asked Microsoft again on February 3 if it was still standing by its statement that the UAC default setting for Windows 7 is fine as is. Microsoft declined to let me speak to anyone directly and instead provided this statement (in the form of these bullet points):

  • “This is not a vulnerability. The intent of the default configuration of UAC is that users don’t get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
  • The only way this could be changed without the user’s knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)”
Advertisement

We're not Windows security experts, but when respected leaders in the field say there's a problem, and Microsoft responds "this is not a vulnerability," we get nervous.

Microsoft needs to do a much better job of reassuring people Windows 7 is secure, and quick. Because it's bad news if Microsoft has to crank the annoying "allow / deny" UAC prompts back up, it's bad news if Windows 7 is perceived as less secure than Vista, and it's bad news if Microsoft has to go back to the drawing board on security and delays Windows 7 until 2010.

See Also:
Windows 7 In 2009 A Good Bet?
Microsoft Releasing SIX Versions Of Windows 7
Windows 7 Review Consensus: It's A Faster Vista

 

Read next

Microsoft Big Tech
Advertisement
Close icon Two crossed lines that form an 'X'. It indicates a way to close an interaction, or dismiss a notification.

Jump to

  1. Main content
  2. Search
  3. Account