Yesterday we reported on a major UAC security flaw where malicious hackers could potentially execute a script on a users machine by tricking into them into opening a disguised exe. This script would disable UAC without user interaction and without the users knowledge.
A Microsoft spokesperson has provided Neowin with a response to the issue:
- This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
- Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
- UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security reduces TCO.
- The only way this could be changed without the user's knowledge is by malicious code already running on the box.
- In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)