Microsoft insists UAC vulnerability is not a flaw

Yesterday we reported on a major UAC security flaw in which malicious hackers could potentially execute a script on a user's machine by tricking them into opening a disguised exe. The script would disable UAC without user interaction and without the user's knowledge.

A Microsoft spokesperson has provided Neowin with a response to the issue:

  • This is not a vulnerability. The intent of the default configuration of UAC is that users don't get prompted when making changes to Windows settings. This includes changing the UAC prompting level.
  • Microsoft has received a great deal of usability feedback on UAC prompting behavior in UAC, and has made changes in accordance with user feedback.
  • UAC is a feature designed to enable users to run software at user (non-admin) rights, something we refer to as Standard User. Running software as standard user improves security and reduces TCO.
  • The only way this could be changed without the user's knowledge is by malicious code already running on the box.
  • In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented).
So, at users' expense and because "malicious code" could have reached the box by other means, Microsoft will not put an obvious and simple fix into Windows 7 to stop malware changing Windows settings, by default and without the user's knowledge. UAC is now officially rendered useless, so why not turn it off before someone turns it off for you?
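As an added illustration (not code from the article, from Neowin or from Microsoft), the following PowerShell reads the policy values that sit behind the Windows 7 UAC slider and reports whether the machine is on the default level the article criticises, on "Always notify", or has UAC switched off. The registry path and value names are the standard Windows ones; their mapping to slider levels is assumed from later Windows documentation rather than stated on this page.

```powershell
# Added example, not from the article. Reads the policy values behind the
# UAC slider and reports the level in effect. Any user can read the key.
# Value meanings below are assumed from Windows documentation.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $enableLua = [int]$p.EnableLUA                  # 0 = UAC disabled entirely
    $admin     = [int]$p.ConsentPromptBehaviorAdmin # 0 = elevate silently, 2 = always consent, 5 = consent only for non-Windows binaries
    $secure    = [int]$p.PromptOnSecureDesktop      # 1 = prompt on the dimmed secure desktop

    if ($enableLua -eq 0 -or $admin -eq 0) {
        $level = 'Never notify (UAC effectively off)'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $level = 'Default: no prompt when Windows settings change'
    } elseif ($admin -eq 5) {
        $level = 'Default without secure desktop'
    } else {
        $level = "Custom (Admin=$admin, SecureDesktop=$secure)"
    }

    # True when a Windows-settings change, including the UAC level itself,
    # would not prompt the logged-on administrator.
    $silent = ($enableLua -eq 0) -or (@(0, 5) -contains $admin)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        SilentSettingsChanges      = $silent
    }
}

$posture = Get-UacLevel
$posture | Format-List
if ($posture.SilentSettingsChanges) {
    Write-Warning 'Windows settings, including the UAC level, can be changed without a prompt.'
    Write-Warning 'To require a prompt for every elevation (run from an elevated shell):'
    Write-Warning "  Set-ItemProperty -Path '$UacKey' -Name ConsentPromptBehaviorAdmin -Value 2"
    Write-Warning "  Set-ItemProperty -Path '$UacKey' -Name PromptOnSecureDesktop -Value 1"
}
```

The two Set-ItemProperty lines in the warning move the slider to "Always notify", which is the configuration that does prompt before the UAC level itself is changed.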
